{keyword}/xmlrpc.php?rsd Apr 2026

Many site owners disable XML-RPC because the xmlrpc.php file is a frequent target for DDoS pingback attacks.

The URL structure {keyword}/xmlrpc.php?rsd refers to the Really Simple Discovery (RSD) endpoint of a WordPress site. RSD is a protocol that allows external software, like mobile apps or desktop blogging clients, to "discover" the available APIs (such as XML-RPC) and services supported by your website.

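If you want to completely block access at the server level (returning a 403 Forbidden error), add this to your .htaccess file:

    # Deny every request for xmlrpc.php, and only that file
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

The <Files> wrapper limits the rule to xmlrpc.php; without it, the two directives deny access to everything the .htaccess file covers. The order/deny directives are Apache 2.2 syntax, so on Apache 2.4 they only work when mod_access_compat is loaded.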

To stop the ?rsd link from appearing in your site's header, use this piece of code:

    remove_action('wp_head', 'rsd_link');

This only removes the discovery link from the page markup; xmlrpc.php itself stays reachable.

If you need it to work (e.g., for the Jetpack plugin or the WordPress mobile app) and are seeing errors like "XML-RPC server accepts POST requests only," this is actually a normal response to a GET request in your browser. To verify whether it is truly active and reachable, you can use the XML-RPC Validator.
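The following Python sketch is an added example, not code from the original page or from WordPress. It audits your own site offline from two saved responses: the RSD document served at xmlrpc.php?rsd and the reply to a plain GET of xmlrpc.php. The sample RSD document, the example.com host, the 405 status in the sample call and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

RSD_NS = {"rsd": "http://archipelago.phrasewise.com/rsd"}

# Constructed sample of an RSD document (example.com is a placeholder host).
SAMPLE_RSD = """<?xml version="1.0" encoding="UTF-8"?>
<rsd version="1.0" xmlns="http://archipelago.phrasewise.com/rsd">
  <service>
    <engineName>WordPress</engineName>
    <apis>
      <api name="WordPress" blogID="1" preferred="true" apiLink="https://example.com/xmlrpc.php" />
      <api name="MetaWeblog" blogID="1" preferred="false" apiLink="https://example.com/xmlrpc.php" />
      <api name="WP-API" blogID="1" preferred="false" apiLink="https://example.com/wp-json/" />
    </apis>
  </service>
</rsd>"""


def advertised_apis(rsd_xml):
    """Return {api name: apiLink} for every API the RSD document advertises."""
    # Fine for your own site's output; use a hardened parser for untrusted XML.
    root = ET.fromstring(rsd_xml.encode("utf-8"))
    return {a.get("name"): a.get("apiLink")
            for a in root.findall("./rsd:service/rsd:apis/rsd:api", RSD_NS)}


def xmlrpc_state(get_status, get_body):
    """Interpret the response to a plain GET of /xmlrpc.php."""
    if get_status == 403:
        return "blocked"   # the server-level deny rule is in effect
    if "accepts POST requests only" in get_body:
        return "active"    # normal reply to a GET: the endpoint is live
    return "unknown"       # e.g. 404, a WAF page, or a custom handler


def audit(rsd_xml, get_status, get_body):
    """Report whether XML-RPC is reachable and which APIs still point at it."""
    apis = advertised_apis(rsd_xml) if rsd_xml else {}
    via_xmlrpc = sorted(name for name, link in apis.items()
                        if link and link.rstrip("/").endswith("xmlrpc.php"))
    return {"state": xmlrpc_state(get_status, get_body),
            "advertised_via_xmlrpc": via_xmlrpc}


if __name__ == "__main__":
    print(audit(SAMPLE_RSD, 405, "XML-RPC server accepts POST requests only."))
```

A result of "active" with a non-empty advertised list means clients can both find and reach XML-RPC; "blocked" with an empty RSD body is what the server-level deny rule should produce.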

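Adding this snippet to your theme’s functions.php file will turn off the XML-RPC interface:

    add_filter( 'xmlrpc_enabled', '__return_false' );

Note that, despite its name, the xmlrpc_enabled filter only disables XML-RPC methods that require authentication. Pingbacks and other unauthenticated methods stay available, so combine it with the server-level block if pingback abuse is the concern.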
