XML-RPC on WordPress is actually an API or “application program interface“. It gives developers who make mobile apps, desktop apps and other services the ability to talk to your WordPress site. The XML-RPC API that WordPress provides gives developers a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface. These include:
• Publish a post
• Edit a post
• Delete a post.
• Upload a new file (e.g. an image for a post)
• Get a list of comments
• Edit comments
XML-RPC is also so far is the best option to communicate outside WordPress instance like to Blogger or any other applications.
However now with WP API these tasks can be accomplished which is a Rest-Ful API with more flexibility, better security and all-round happiness to the table.
Points where XML-RPC falls short
The two biggest assets of the API is its extendibility and its security. XML-RPC authenticates with basic authentication. It sends the username and password with each request which is a big no-no in security circles.
The WordPress API can use Oauth which never sends your username and password, it uses tokens for authentication, making it a lot more secure.
In addition, the functions and methods don’t have to be hard-coded into the specific implementation. You can (already) add your own endpoints to create anything you want, you aren’t restricted to just adding posts, etc.
While you can extend XML-RPC as well, the process is not documented well and is not as powerful as its API counterpart.
JSON vs XML is another argument where the XML-RPC may fall short. The API uses JSON to send and receive data which is favoured by developers due to its ease of use in both server and client side languages. XML can get a little tricky, requiring PHP classes to read properly.
Should you disable it?
If you disable the XML-RPC service on WordPress, you lose the ability for any application to use this API to talk to WordPress.
Let’s use an example to illustrate: You have an app on your iPhone that lets you moderate WordPress comments. Someone advises you to disable XML-RPC. Your iPhone app suddenly stops working because it can no longer communicate with your website using the API you just disabled.
Jetpack is one of the most popular plugins for WordPress and relies heavily on XML-RPC to provide its features. It is developed by Automattic, makers of WordPress. If you visit the “Known Issues” page for Jetpack, you’ll notice they discuss how certain security plugins can impact Jetpack features if you use them to disable XML-RPC.
The following two kinds of attacks on XML-RPC have received press coverage during the past 2 years.
• DDoS via XML-RPC pingbacks. This is actually not a very effective form of DDoS and anti-spam plugins like Akismet have gotten good at spotting this kind of abuse.
• Brute force attacks via XML-RPC. These are completely ineffective if you’re using Wordfence because they simply block the attacker after they reach the login attempt limit.
If you still want to disable XML-RPC, there are several plugins to choose from in the official WordPress repository. The best way to do it by our managed WordPress WP Canvas it comes with an one click option to disable XML-RPC and the breeze is this that you can instantly revert it whenever you want with just one click.
You will lose any XML-RPC API functionality that your applications rely on.
We hope this has been helpful and cleared up some confusion on XML-RPC in WordPress. As always we very much welcome your comments below.