Why XML-RPC is disabled

May 9, 2026 • Security

XML-RPC is an older WordPress feature that can be abused by attackers. On many modern WordPress sites it is not needed.

What XML-RPC does

XML-RPC allows external applications to communicate with WordPress. Historically, it was used for remote publishing and some integrations.

Why it can be risky

Attackers can abuse it for repeated login attempts.

It can be used in amplification attacks.

It increases the public attack surface of a WordPress site.

Many normal business websites do not need it.

Why Host Luma blocks or restricts it

Restricting XML-RPC reduces unnecessary risk and helps protect WordPress login systems from abuse.

Will disabling XML-RPC break my website?

Most standard WordPress websites will work normally without XML-RPC. However, some apps or integrations may rely on it.

What to do if you need XML-RPC

Contact Host Luma support and explain which app or integration requires XML-RPC. Support can review whether a safer exception is possible.

Important notes

Do not enable XML-RPC just because a random plugin recommends it. Check whether it is genuinely required.

Need help?

If you are unsure about any step, contact Host Luma support before making changes. We can help check the correct settings and guide you through the process.