XML-RPC
XML-RPC is a remote procedure call protocol that lets applications communicate with WordPress over HTTP by sending XML-encoded requests and receiving XML responses. In WordPress, it enables remote publishing and management features such as posting from external apps, pingbacks, and some integrations. Because it is an exposed endpoint, it can affect security, performance, and compatibility on certain hosting setups.
How It Works
In WordPress, XML-RPC is implemented through the xmlrpc.php file, which acts as an endpoint that accepts HTTP requests. A client (such as a mobile app, desktop editor, or another service) sends an XML document describing a method call (for example, creating a post, uploading media, or listing comments). WordPress authenticates the request, runs the corresponding function, and returns an XML response with the result or an error.
Because XML-RPC is designed for remote access, it is often targeted for abuse. Attackers may attempt credential stuffing or brute-force logins through repeated XML-RPC calls, and the protocol can allow batching of multiple authentication attempts in a single request. Hosts and site owners commonly mitigate this with web application firewall (WAF) rules, rate limiting, bot protection, or by disabling XML-RPC when it is not needed. Some server configurations also restrict access to xmlrpc.php at the web server level (Apache or Nginx) to reduce load and exposure.
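Per-request rate limiting alone does not see batching, because one HTTP request can carry many calls. The sketch below is an added example, not WordPress or host code: it counts the calls inside a request body (batching uses the XML-RPC `system.multicall` method) so a proxy or filter can reject oversized batches. The function names, the threshold, and the `demo.method` sample input are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MAX_BATCHED_CALLS = 5  # assumed policy threshold, not a WordPress setting


def count_batched_calls(body: bytes) -> int:
    """Return how many method calls one XML-RPC request body carries."""
    text = body.decode("utf-8")  # non-UTF-8 input raises ValueError
    # XML-RPC needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD not allowed in XML-RPC request")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    if (root.findtext("methodName") or "").strip() != "system.multicall":
        return 1  # ordinary single call
    # system.multicall takes one array parameter; each item is one sub-call.
    return len(root.findall("./params/param/value/array/data/value"))


def should_block(body: bytes, limit: int = MAX_BATCHED_CALLS) -> bool:
    """Fail closed: block oversized batches and anything unparseable."""
    try:
        return count_batched_calls(body) > limit
    except ValueError:
        return True


def sample_multicall(n: int) -> bytes:
    """Constructed test input: a multicall with n placeholder sub-calls."""
    call = (
        "<value><struct>"
        "<member><name>methodName</name>"
        "<value><string>demo.method</string></value></member>"
        "<member><name>params</name>"
        "<value><array><data/></array></value></member>"
        "</struct></value>"
    )
    return (
        "<methodCall><methodName>system.multicall</methodName>"
        "<params><param><value><array><data>" + call * n +
        "</data></array></value></param></params></methodCall>"
    ).encode()
```

Legitimate clients that batch a handful of calls stay under the limit, so the threshold should be set from what the site's own integrations actually send.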
Why It Matters for Web Hosting
XML-RPC influences which WordPress hosting plan and security features you may need. If your workflow relies on remote publishing or integrations that call xmlrpc.php, you must ensure the host does not block it by default and that any WAF rules can be tuned without breaking functionality. If you do not use it, choosing a host that supports easy endpoint blocking, rate limiting, and detailed access logs can improve security and reduce resource spikes from automated traffic.
Common Use Cases
- Publishing or editing posts from WordPress mobile apps or desktop clients
- Remote content management by third-party tools that integrate with WordPress
- Pingbacks and trackbacks (legacy link notification features)
- Automated workflows that create posts, upload media, or moderate comments
- Compatibility with older services that predate the WordPress REST API
XML-RPC vs WordPress REST API
XML-RPC and the WordPress REST API both enable remote interaction, but they differ in design and hosting implications. The REST API uses JSON over HTTP with modern endpoints and is widely used by themes, plugins, and headless setups. XML-RPC uses XML method calls through a single endpoint (xmlrpc.php) and is more commonly associated with legacy clients and certain features like pingbacks. From a hosting perspective, REST API traffic is typically easier to monitor and control per endpoint, while XML-RPC often benefits from stricter rate limiting and targeted firewall rules due to its history of brute-force and amplification-style abuse.