XML-RPC Exposure Checker

Check whether xmlrpc.php is exposed on your WordPress site. We test if the endpoint responds, lists methods, or allows pingback, then rate the risk and tell you how to lock it down.

How the Checker Works

  1. Probe xmlrpc.php: a single harmless request is sent to the endpoint.
  2. Read the response: the HTTP status code and any returned method list are parsed.
  3. Check pingback: the tool notes whether the pingback method is enabled.
  4. Rate the risk: you get a clear verdict and a recommended fix.
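The four steps above, plus the status-code interpretation given in the FAQ, as an added example (not the tool's own code): it sends one system.listMethods probe, parses the XML-RPC reply, and rates the result. The sample reply is constructed, and the verdict strings are my own wording.

```python
"""Added example (not the tool's own code): probe xmlrpc.php with system.listMethods,
parse the reply and rate exposure the way the page describes."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# The harmless probe: ask the endpoint which methods it exposes.
LIST_METHODS = (b'<?xml version="1.0"?><methodCall><methodName>system.listMethods'
                b'</methodName><params></params></methodCall>')

# Constructed sample reply standing in for an unprotected site (not captured traffic).
SAMPLE_OPEN_REPLY = (b'<?xml version="1.0"?><methodResponse><params><param><value><array><data>'
                     b'<value><string>system.multicall</string></value>'
                     b'<value><string>system.listMethods</string></value>'
                     b'<value><string>pingback.ping</string></value>'
                     b'<value><string>wp.getUsersBlogs</string></value>'
                     b'</data></array></value></param></params></methodResponse>')

def parse_methods(body: bytes) -> list[str]:
    """Method names from a system.listMethods reply; [] for HTML, garbage or an XML-RPC fault."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodResponse" or root.find("fault") is not None:
        return []
    return [s.text for s in root.iter("string") if s.text]

def rate(status: int, body: bytes = b"") -> dict:
    """Turn HTTP status plus body into verdict, risk and fix, following the page's interpretation."""
    if status in (401, 403):
        return {"risk": "low", "verdict": "endpoint blocked", "fix": "none needed"}
    if status == 404:
        return {"risk": "low", "verdict": "endpoint absent", "fix": "none needed"}
    if status == 405:
        return {"risk": "medium", "verdict": "endpoint exists but rejects the request method",
                "fix": "deny xmlrpc.php at the server so requests stop before WordPress loads"}
    methods = parse_methods(body)
    pingback, multicall = "pingback.ping" in methods, "system.multicall" in methods
    if pingback or multicall:
        return {"risk": "high",
                "verdict": "endpoint lists methods" + (", pingback enabled" if pingback else "")
                + (", system.multicall enabled" if multicall else ""),
                "fix": "disable XML-RPC or deny xmlrpc.php at the server"}
    return {"risk": "medium", "verdict": "endpoint responds (%d) with %d methods" % (status, len(methods)),
            "fix": "disable XML-RPC if unused"}

def probe(site: str, timeout: float = 10.0) -> dict:
    """Send the single probe to a site you administer and rate the answer."""
    req = urllib.request.Request(site.rstrip("/") + "/xmlrpc.php", data=LIST_METHODS,
                                 method="POST", headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return rate(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 403, 404 and 405 replies arrive here
        return rate(err.code, err.read())
```

`probe("https://your-site.example")` runs the live check; `rate()` and `parse_methods()` can be exercised offline against the constructed reply.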

Why It Matters

  • Brute-force amplification: system.multicall lets an attacker try many login attempts in a single request.
  • Pingback abuse: the pingback method can be used to make your server send reflected requests to other hosts.
  • Smaller attack surface: disabling unused endpoints is basic hygiene.
  • Server load: blocking abuse at the edge saves resources that would otherwise be wasted on it.

XML-RPC Exposure Checker: FAQ

What does the XML-RPC exposure checker do?
It requests xmlrpc.php on your WordPress site and reports whether the endpoint exists, whether it responds to method calls, whether it lists available methods, and whether pingback is enabled, then rates the risk.
What is xmlrpc.php and why does it matter?
xmlrpc.php is a legacy WordPress endpoint that allows remote publishing and communication. It is widely abused for brute-force amplification through system.multicall and for pingback-based denial-of-service and port-scanning attacks.
Should I disable XML-RPC?
Most modern sites do not need it. If you do not use the WordPress mobile app, Jetpack features that require it, or remote publishing tools, disabling xmlrpc.php removes a common attack surface with no downside.
How do I disable XML-RPC safely?
You can block it at the server level, use a security plugin that disables it, or add a filter that returns false for xmlrpc_enabled. Blocking at the server with a deny rule is the most robust because it stops requests before WordPress loads.
What is the pingback risk?
The pingback method can be tricked into making your server send requests to arbitrary targets, which enables reflected denial-of-service and internal port scanning. Disabling pingback or xmlrpc.php closes this hole.
Does a 405 or 403 response mean I am safe?
A 403 or blocked response usually means the endpoint is protected, which is good. A 405 means the endpoint exists but rejects the request method. The tool interprets these codes for you and explains what they mean.
Is the check safe?
Yes. It sends a harmless probe to xmlrpc.php and reads the response. It never attempts a brute-force or pingback attack and stores nothing.
Is this XML-RPC checker free?
Yes. It is free, requires no signup, and works on any public WordPress site.

Want a Hardened, Fast WordPress Site?

We secure, speed up, and maintain WordPress sites so they stay safe and rank well.