Since WordPress 3.5 xmlrpc is enabled by default without the possibility to disable it from the admin dashboard.

Recently there was a post published in Sucuri’s Blog about Brute Force Amplification Attacks Against WordPress XMLRPC, recommending to turn off the XMLRPC in our WordPress installations.

You are able to turn off the XMLRPC via a filter hook

add_filter('xmlrpc_enabled', '__return_false');

But I would say the best way to do this is blocking the requests from the .htaccess file before the actual requests get to WordPress.
In order to let plugins that use xmlrpc ( if you have any installed ) continue to do so you may deny all access except the IP you need it to access.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from ( hosting IP )
</Files>
How to disable XMLRPC in WordPress

Leave a Reply

Your email address will not be published. Required fields are marked *