Disable XML-RPC Without Plugin to protect your WordPress site from unwanted requests and brute force attacks. Here’s how to disable it manually using your child theme.
Step 1: Add the XML-RPC Disable Code
Add this code to your child theme’s functions.php:
add_filter(‘xmlrpc_enabled’, ‘__return_false’);
How It Works
This simple filter disables the XML-RPC API so bots and hackers can’t abuse it for brute force or spam attacks.
Why Disable XML-RPC Without Plugin?
If you don’t use remote publishing or the WordPress mobile app, XML-RPC is unnecessary bloat and a possible security hole. Disabling it reduces attack vectors.
Common Mistake
Disabling XML-RPC may break Jetpack or other remote services that rely on it. Double-check if you need them before adding this tweak.
Pro Tip
Always add this tweak to your child theme’s functions.php to make sure it stays safe after theme updates.
Related Snippet
If you liked this, check out my guide on disabling emojis without a plugin in WordPress.