Rename the XML-RPC and Pingback URLs

There are two problems with how XML-RPC is implemented in wordpress

  1. Every spammer and hacker know that the XML-RPC handler is accessible in {site address}/xmlrpc.php
  2. Functionality types which are not related to each other use the same XML-RPC “endpoint” (fancy technical way to say URL which is used more by computers then humans) because they are based on the protocol. This leads to remote publishing (for example publishing from the mobile apps) to use the same endpoint as pingbacks, and since pingbacks have to publicly announce their endpoint, people can easily get the one that is being used for publishing.

This plugin does something very simple. Instead of using the default endpoint, it lets you define a new one, one that you decide on. Actually it is two endpoints, one for XML-RPC based publishing and another for pingback so it will not be possible to know the possibly hidden XML-RPC one from the publicly available pingback one.

This is a great way to avoid brute force attacks. If you keep your XML-RPC endpoint secret, no one will know where to attack. You still can use the protocol as always, but you will most likely need to manually enter it in your app, as part of the features of the plugin is to disable the automatic discovery of it via the RSD protocol (not much point in having a secret if you leave a way for anyone to find it out 😉).

The benefit of moving the pingback endpoint is less clear at this point in time. On the one hand it is still discover-able, but spammers have proven to be lazy and will probably keep trying to send pingbacks to xmlrpc.php.

So what is left in the xmlrpc.php endpoint? Unfortunately it seems that plugins like Jetpack (at least in version 3.7) assume the endpoint is xmlrpc.php and there is no way to convince them otherwise. To keep this kind of plugins operational you can setup the plugin to handle all the core publishing methods only on your endpoint while still handling plugins on xmlrpc.php.
Does this nullifies the benefits of moving the endpoint? it depends. Plugins like Jetpack use a better security model then the wordpress core in regard to how user authentication is handle in XML-RPC, and is less likely to be “broken into” and it is relatively safe to leave it to handle the brute force attacks. Other plugins? It depends on the quality of the coding.


After installation and activation the plugin will automatically select a new endpoint for XML-RPC and another one for pingbacks, and it will not be possible to do anything via the xmlrpc.php endpoint .

You can change the endpoints and activate the support for methods defined in plugins in the “Settings” >> “Manage Endpoints” page in the dashboard.

Deactivating the plugin and reactivating it will keep the same settings as in deactivation time.




Not compatible with multisite/network. Managing endpoints for several sites from a central location probably requires a more sophisticated approach, but if you are interested in a solution like this please drop us a note.

Supported wordpress versions – 4.3 and above.

Leave a Reply

Your email address will not be published. Required fields are marked *

Comment policy

We are not going to share your e-mail with anyone else, but we might send you answers to your questions directly to your email.