Enabling XML-RPC access to your WordPress.org blog

Many on-line guides (like this one) says to simply go to Settings > Writing and under Remote Publishing to check the XML-RPC protocol checkbox, in order to enable XML-RPC access to your blog.

After that you should be able to access http://yourblog.com/xmlrpc.php without any problems. When you try to do this via browser, you will most likely see “XML-RPC server accepts POST requests only” message. But, that is still a good news, which clearly confirms that XML-RPC access to your blog is enabled. Otherwise (i.e. without correct enable of XML-RPC) you would hit 403 Forbidden error instead.

If this isn’t working or if you need more fine-grained control over XML-RPC access to your blog then you may find some ideas worth to consider in this short article.

Manage XML-RPC plugin

In my case it turned out (I still don’t know, why?) that I don’t have it, neither the “Remote Publishing” section, nor the mentioned checkbox. My whole “Writing” group has only three options: “Formatting”, “Default Post Category” and “Default Post Format”.

Some other guide suggested me to install appropriate plugin instead.

It turned out to be a good idea. The plugin itself didn’t resolve my problem (I was still hitting 403 even after white-listing my IP address in this plugin’s configuration section). But it allowed me to have more fine-grained control over XML-RPC access, i.e. it allowed me to remove pingback-related stuff from my blogs. And it is considered a security leak and DDOS-attacks base.


Finally, some other guide has correctly suggested that this may be a .httaccess-related issue.

I have reviewed .htaccess file for my blog network on my FTP address only to find this:

<Files "xmlrpc.php">
   Order deny,allow
   Deny from all

at the end of file.

Removing this part, saving file and re-uploading it back to FTP server finally resolved the issue.

What about ISP?

It may turn out that your hosting provider is blocking access to xmlrpc.php file for security reasons.

This is stupid, because there are many articles in the Internet that clearly confirms that blocking access to this file is as secure as selling you car no prevent burglar from stealing it. And that this is not the point at all — because you actually want to have your blog secure with XML-RPC enabled.

But, the truth is that some (many?) ISPs are blocking access to xmlrpc.php file and you are forced into doing some weird things to workaround this problem.

Note that linked solution is based on Rename XMLRPC plugin which hasn’t been updated for past 3+ years. So, consider yourself really, really lucky, if above mentioned simple tweak to .htaccess file does resolve your issue and you don’t have to fight with your ISP.

Leave a Reply