Question
How to disable XML-RPC for a WordPress instance hosted in Plesk?
Answer
Using a WordPress Security feature
This security measure turns off XML-RPC pingbacks for the whole website and also disables pingbacks for previously created posts with pingbacks enabled:
- Log into Plesk
- Navigate to WordPress > example.com > Security
- Select Website URL and click Secure
- Select Turn off pingbacks
Using a WordPress plugin
- Log into Plesk
- Navigate to WordPress > example.com > Plugins and click Install
- Search for a plugin that disables XML-RPC, for example with the search string xmlrpc
- Click Install to install a suitable plugin
For domains with disabled proxy mode or PHP-FPM served by nginx
- Add the following additional nginx directives in Domains > example.com > Apache & nginx Settings:
location = /xmlrpc.php {
    deny all;
}
if (!-e $request_filename) {
    set $test P;
}
if ($uri !~ ^/(plesk-stat|webstat|webstat-ssl|ftpstat|anon_ftpstat|awstats-icon|external-nginx-static-location)) {
    set $test "${test}C";
}
if ($test = PC) {
    rewrite ^/(.*)$ /index.php?$1;
}
These directives will block requests to WordPress XML-RPC and process WordPress permalinks correctly.
For domains with enabled proxy mode and PHP served by Apache
- Add the following additional nginx directives in Domains > example.com > Apache & nginx Settings:
location /xmlrpc.php {
    deny all;
}
This directive will block requests to WordPress XML-RPC.
To disallow access to XML-RPC functionality:
Warning: This solution is not confirmed for Apache-only setups.
Note: Disabling all XML-RPC functionality can cause security issues and is not recommended.
- Navigate to Domains > example.com > File Manager and open the .htaccess file in the root directory of the WordPress installation
- Add the following code at the top of the file:
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>
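To confirm the result of any of the methods above, the following added example (not part of the original article and not Plesk tooling) sends the read-only system.listMethods call to /xmlrpc.php and reports whether the endpoint is blocked or still reachable. The function names and the two sample replies are constructed for illustration.

```python
import sys
import urllib.error
import urllib.request

# Read-only introspection call; a reachable XML-RPC endpoint answers with <methodResponse>.
PROBE = (b'<?xml version="1.0"?><methodCall>'
         b'<methodName>system.listMethods</methodName><params/></methodCall>')

# Constructed sample replies (not captured from a real site).
SAMPLE_DENIED = (403, "<html><head><title>403 Forbidden</title></head></html>")
SAMPLE_OPEN = (200, "<methodResponse><params><param><value><array><data>"
                    "<value><string>system.listMethods</string></value>"
                    "<value><string>pingback.ping</string></value>"
                    "</data></array></value></param></params></methodResponse>")


def classify(status, body):
    """Turn one HTTP reply from /xmlrpc.php into a verdict string."""
    if status == 403:
        return "blocked"  # what nginx 'deny all' and Apache 'Deny from all' return
    if status == 200 and "<methodResponse" in body:
        if "<string>pingback.ping</string>" in body:
            return "reachable, pingback.ping advertised"
        return "reachable, pingback.ping not advertised"
    return "inconclusive (HTTP %d)" % status


def check(base_url, timeout=10):
    """POST the probe to <base_url>/xmlrpc.php and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + "/xmlrpc.php", data=PROBE,
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read(262144).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx replies arrive as exceptions
        status, body = err.code, err.read(262144).decode("utf-8", "replace")
    return classify(status, body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_xmlrpc.py https://example.com")
    print(check(sys.argv[1]))
```

A "blocked" verdict is the expected outcome after the nginx or .htaccess rules; an "inconclusive" verdict usually means a redirect, cache or proxy answered instead of WordPress and the reply should be inspected by hand.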