Many WordPress security experts insist upon disabling the WordPress XML-RPC file. Why?
Safety Concerns
The WordPress XML-RPC facilitates use of your website from outside of the WordPress Dashboard (or, the admin area).
For one reason or another, you may want to intereact with your site from other locations. For example, submitting a post from email or from a third-party application, would have required hooking to the XML-RPC file.
Given its direct access to the back end of your site, the XML-RPC file can introduce security risks.
Enter The REST API
An application programming interface (API) is basically an interface that allows two applications or devices to speak to each other. APIs facilitate the sharing of data, the manipulation of data objects, and much more.
The WordPress REST API provides users and developers with a set of methods and tools for interacting with WordPress outside of the conventional administrative Dashboard.
The REST API works mainly by making use of HTTP requests, or, in other words, URLs. With the right URL query information can be requested or manipulated via data objects.
Some Use Cases For The WordPress REST API
There are virtually an unlimited set of use cases for which the REST API is invaluable.
But just to give a basic example, let’s say you don’t like writing blog posts in the WordPress admin area. Maybe you have a slow Internet connection, or you just prefer writing in a different tool.
With the WordPress REST API, you can get your local post inserted into your WordPress site’s database without ever having to log into the back end of the site.
With the availability of the REST API, the viability of the XML-RPC file has been called into question, and will eventually be removed from WordPress.
How To Disable XML-RPC
There are many different ways to disable the XML-RPC file.
The easiest was is probably through a plugin. Most security plugins will automatically disable or change permissions (another effective way of nullifying a file) on the XML-RPC.
One thought on “Is the WordPress XML-RPC file safe, or should I block it?”