
WordPress and XML-RPC

Guide to managing the WordPress XML-RPC interface at Seravo. Learn why the REST API is the preferred alternative, how to check XML-RPC status via CLI, and how to enable or disable it to enhance your site's security.

Updated over a week ago

While the WordPress REST API is the modern standard for remote site management, the legacy XML-RPC interface is still used by some older integrations. For security reasons, XML-RPC is disabled by default in Seravo’s environment, but it can be enabled on a per-site basis if necessary. This guide covers how to manage the interface and why we recommend migrating to the REST API.

What Is XML-RPC?

XML-RPC is a legacy protocol that allows external applications (such as the WordPress mobile app or Jetpack) to communicate with your site using XML data structures. Requests are typically sent to example.com/xmlrpc.php.

Why We Recommend Migrating to the REST API

We strongly advise using the modern WordPress REST API instead of XML-RPC for several key reasons:

  • Enhanced Security: XML-RPC is a frequent target for brute-force attacks, as it allows hundreds of password attempts within a single request. The REST API is built to be more secure and easier to monitor.

  • Performance: The REST API uses JSON, which is significantly lighter and faster to process than bulky XML structures.

  • Caching: Unlike XML-RPC, which exclusively uses POST requests, the REST API utilizes GET requests that can be stored in the HTTP cache for better performance.

Managing XML-RPC at Seravo

At Seravo, you can manage the XML-RPC interface directly from the command line using the srv tool. This is the most effective way to improve security, as it blocks requests at the server level.

Available Commands:

  • Check status: srv feature xml-rpc --status

  • Disable: srv feature xml-rpc --disable

  • Enable: srv feature xml-rpc --enable

  • More info: srv feature xml-rpc --help

Note on latency: A change to the XML-RPC setting does not take effect immediately, because the Nginx configuration must be reloaded first. The reload happens automatically in the background, so there may be a delay before the new setting becomes active.

Note: If you need the change to take effect immediately (e.g., for troubleshooting), please contact our customer support.

How to Test if XML-RPC Is Active

You can verify the status of the interface using a curl command. Simply checking if the file exists is not enough; you must test whether the server accepts POST requests. Run the following command in your terminal:

curl -X POST https://example.com/xmlrpc.php \
-d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

Interpreting the Results:

  • Active: You will receive an XML list of supported methods.

  • Disabled: You will receive a 403 Forbidden response or an error message. If you have just run the disable command and still see an XML response, please wait a moment for the server settings to refresh.
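
The same check with the interpretation automated, as an added example that is not Seravo's own tooling. The helper names classify_xmlrpc and check_xmlrpc are hypothetical, and the script reports timeouts and other non-403 errors as "inconclusive" rather than as disabled, so that a network failure is not mistaken for a block.

```shell
#!/bin/sh
# Added example: run the system.listMethods probe and interpret the reply.
# classify_xmlrpc and check_xmlrpc are hypothetical helper names.

PROBE='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params></params></methodCall>'

# classify_xmlrpc STATUS BODY
# Prints one of: active | blocked | inconclusive
classify_xmlrpc() {
    status=$1
    body=$2
    # 403 is the documented result of a WAF block or an srv-level block.
    if [ "$status" = "403" ]; then
        echo blocked
        return 0
    fi
    # Active means the server accepted the POST and answered with a method
    # list, not merely that xmlrpc.php exists.
    if [ "$status" = "200" ]; then
        case $body in
            *"<fault>"*) ;;
            *"<methodResponse>"*"<string>"*) echo active; return 0 ;;
        esac
    fi
    # Timeouts (curl reports 000), redirects, XML-RPC faults and HTML error
    # pages land here and need a manual look.
    echo inconclusive
}

# check_xmlrpc URL: send the probe and print "URL<TAB>verdict".
check_xmlrpc() {
    tmp=$(mktemp) || return 1
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 \
        -X POST -d "$PROBE" "$1")
    printf '%s\t%s\n' "$1" "$(classify_xmlrpc "$status" "$(cat "$tmp")")"
    rm -f "$tmp"
}

# Usage: sh check-xmlrpc.sh https://example.com/xmlrpc.php [more URLs...]
for url in "$@"; do
    check_xmlrpc "$url"
done
```

If a site still reports "active" shortly after srv feature xml-rpc --disable, rerun the script after a short wait before treating it as a failure, since the Nginx reload is not immediate.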

Troubleshooting

403 Forbidden

The request was blocked either by the Web Application Firewall (WAF) or by a block set manually with Seravo’s srv tool.

Integration Issues

Certain services, such as Jetpack, require XML-RPC to function. If your Jetpack connection drops, ensure that XML-RPC is not fully blocked.

Sluggishness

XML-based requests are resource-intensive. If your integration feels slow, consider switching to the REST API.

Recommendation

If you are building a new integration, always use the WordPress REST API. It is a more secure, faster, and better-supported alternative.

Need Help?

Contact our customer support by sending a message to [email protected].
