Check whether /xmlrpc.php responds publicly from the outside.
Check XML-RPC Exposure in WordPress Before Launch
Check whether xmlrpc.php is publicly reachable on your WordPress site before delivery. Exposed XML-RPC endpoints can increase brute-force, pingback and automated abuse risk when they are left enabled without a clear reason.
PreFlight checks the public XML-RPC endpoint and helps you decide whether it is blocked, restricted, or intentionally available as part of a real technical requirement.
Why it matters
XML-RPC was originally created to let external tools communicate with WordPress, but many modern sites no longer need it for day-to-day publishing. If xmlrpc.php is still publicly accessible before launch, it should be reviewed as part of the site's security baseline.
The risk is not that every XML-RPC endpoint is automatically dangerous. The risk is leaving it exposed by default without knowing whether the site actually needs it. Two methods usually drive the concern: system.multicall, which lets a single POST carry many login attempts and so bypasses per-request rate limits aimed only at wp-login.php, and pingback.ping, which makes the site fetch an attacker-chosen URL. For many client websites, blocking or restricting XML-RPC is the safer delivery standard unless a specific integration depends on it.
What to review
Before handing over a WordPress site, review these XML-RPC points:
Confirm whether the project uses XML-RPC for a real integration, app, publishing workflow or external service.
If XML-RPC is not needed, restrict or block access before delivery.
If XML-RPC must stay available, document why it is required and make sure the decision is intentional.
Do not assume XML-RPC is safe just because HTTPS, caching or a security plugin is active.
How to check XML-RPC in WordPress
The quickest manual check is to open the site's public XML-RPC endpoint in the browser by adding /xmlrpc.php after the domain. A stock WordPress install answers a GET with the plain-text line "XML-RPC server accepts POST requests only.", which means the endpoint is reachable from the outside and should be reviewed. A 403 or 404 from the web server, or a security-plugin deny page, means it is blocked at that layer. Note that a GET only proves the file answers; the real test is whether it accepts a POST, because that is how XML-RPC is actually used.
A reachable endpoint does not always mean the site is vulnerable, but it does mean the decision should be deliberate. PreFlight automates this check and includes it in the wider WordPress pre-launch review, so you can catch the issue before sending the site to a client.
How PreFlight runs this check
PreFlight requests the public xmlrpc.php endpoint and checks whether it is reachable, restricted, or blocked from the outside. The goal is to make XML-RPC exposure visible during the pre-launch review, instead of discovering it after the site has already been delivered.
This check does not force every site to disable XML-RPC. It shows whether the endpoint is exposed and helps you decide whether that exposure matches the site’s real technical needs as part of its security and launch readiness.
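The manual check and the PreFlight check described above both come down to the same three requests and a small decision table. The script below is an added example, not PreFlight's own code or WordPress code: it sends a GET, a POST for system.listMethods and a POST for wp.getUsersBlogs with deliberately wrong credentials, then classifies the endpoint as reachable, restricted or blocked. It assumes stock WordPress behaviour: a GET returns the "accepts POST requests only" banner, a bad login returns XML-RPC fault 403 when XML-RPC is enabled and fault 405 ("XML-RPC services are disabled on this site.") when the xmlrpc_enabled filter returns false. The user name "preflight-probe", the password, and the sample responses in SAMPLES are constructed for the example, not captured from a real site.

```python
"""Probe a WordPress site's public /xmlrpc.php and classify its exposure.

Added example (not PreFlight's code). Keys on stock WordPress behaviour:
  GET  /xmlrpc.php                 -> "XML-RPC server accepts POST requests only."
  POST system.listMethods          -> <methodResponse> listing served methods
  POST wp.getUsersBlogs, bad creds -> fault 403 when enabled, fault 405 when the
                                      xmlrpc_enabled filter has disabled logins
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

ENDPOINT = "/xmlrpc.php"
HIGH_RISK_METHODS = ("system.multicall", "pingback.ping")  # batched logins, pingback abuse
DENY_STATUSES = {401, 403, 404, 410, 451}                  # web server / WAF deny
BANNER = "XML-RPC server accepts POST requests only."

LIST_METHODS = ("<?xml version='1.0'?><methodCall><methodName>system.listMethods"
                "</methodName><params/></methodCall>")
# One deliberately wrong login (hypothetical user/password). It is logged as a
# failed authentication, so only run it against a site you are responsible for.
BOGUS_LOGIN = ("<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
               "<params><param><value>preflight-probe</value></param>"
               "<param><value>not-a-real-password</value></param></params></methodCall>")


def fetch(url, data=None, timeout=10):
    """GET (data=None) or POST the endpoint; return (status, body), or (None, '') if unreachable."""
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={"Content-Type": "text/xml",
                                          "User-Agent": "xmlrpc-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body worth reading
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None, ""


def parse_response(body):
    """Return (methods, fault_code) from an XML-RPC response body; ([], None) if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [], None
    if root.tag != "methodResponse":
        return [], None
    if root.find("fault") is not None:
        for member in root.iter("member"):
            if member.findtext("name") == "faultCode":
                code = (member.findtext("value/int") or member.findtext("value/i4") or "").strip()
                return [], int(code) if code.lstrip("-").isdigit() else None
        return [], None
    return [s.text.strip() for s in root.iter("string") if s.text], None


def classify(get, listing, login):
    """Map the three (status, body) responses to reachable / restricted / blocked."""
    trio = (get, listing, login)
    if all(status is None or status in DENY_STATUSES for status, _ in trio):
        return {"verdict": "blocked", "reason": "denied at the web server/WAF or unreachable",
                "high_risk": []}
    methods, _ = parse_response(listing[1])
    _, login_fault = parse_response(login[1])
    high_risk = [m for m in HIGH_RISK_METHODS if m in methods]
    if methods and login_fault == 405:
        # xmlrpc_enabled=false only gates login-requiring methods; listMethods,
        # system.multicall and pingback.ping still answer, so report them.
        return {"verdict": "restricted",
                "reason": "login-gated methods disabled; unauthenticated methods still answer",
                "high_risk": high_risk}
    if methods or BANNER in get[1]:
        return {"verdict": "reachable", "reason": "endpoint answers XML-RPC requests",
                "high_risk": high_risk}
    return {"verdict": "unknown", "reason": "unrecognised responses, inspect manually",
            "high_risk": high_risk}


def probe(site_url):
    """Run the three requests against a live site and classify the result."""
    url = site_url.rstrip("/") + ENDPOINT
    return classify(fetch(url), fetch(url, LIST_METHODS.encode()), fetch(url, BOGUS_LOGIN.encode()))


def sample_response(methods=(), fault=None):
    """Build a constructed XML-RPC response body (method list or fault) for offline runs."""
    if fault is not None:
        return ("<?xml version='1.0'?><methodResponse><fault><value><struct><member>"
                f"<name>faultCode</name><value><int>{fault}</int></value></member>"
                "</struct></value></fault></methodResponse>")
    values = "".join(f"<value><string>{m}</string></value>" for m in methods)
    return ("<?xml version='1.0'?><methodResponse><params><param><value><array><data>"
            f"{values}</data></array></value></param></params></methodResponse>")


# Constructed samples (not captured from a real site): stock install, install with
# add_filter('xmlrpc_enabled', '__return_false'), web-server deny, and host down.
STOCK_METHODS = ("system.multicall", "pingback.ping", "wp.getUsersBlogs")
SAMPLES = {
    "stock":      ((200, BANNER), (200, sample_response(STOCK_METHODS)), (200, sample_response(fault=403))),
    "filtered":   ((200, BANNER), (200, sample_response(STOCK_METHODS)), (200, sample_response(fault=405))),
    "nginx-deny": ((403, "403 Forbidden"), (403, "403 Forbidden"), (403, "403 Forbidden")),
    "offline":    ((None, ""), (None, ""), (None, "")),
}


def demo():
    """Classify the constructed samples; returns {name: verdict}."""
    return {name: classify(*trio)["verdict"] for name, trio in SAMPLES.items()}


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a site URL to probe a real install, or with no arguments to see the classifier on the constructed samples. The "restricted" verdict is the one to read carefully: the WordPress filter that disables XML-RPC only refuses login-gated methods, so a site in that state still lists and serves system.multicall and pingback.ping, and a web-server deny rule is what actually removes the endpoint from the outside.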
PASS / WARN / FAIL
PASS: XML-RPC is blocked or restricted publicly, or it remains available for a documented and intentional technical reason.
WARN: The XML-RPC endpoint is reachable and may be valid for the project, but it should be reviewed before delivery because many WordPress sites leave it enabled by default.
FAIL: XML-RPC is publicly accessible with no clear technical reason, creating avoidable exposure before launch or client handoff.
Common mistakes
Leaving xmlrpc.php reachable because “it has always been there”.
Blocking brute-force attempts on wp-login.php but forgetting XML-RPC as another authentication entry point.
Assuming HTTPS solves XML-RPC exposure.
Disabling XML-RPC without checking whether an app, Jetpack-style workflow or external service still depends on it.
Treating XML-RPC as a harmless legacy file instead of an active public endpoint.
FAQ
Should XML-RPC always be blocked in WordPress?
Not always. Some sites still need XML-RPC for specific integrations, mobile apps or remote publishing workflows. But if there is no clear dependency, restricting or blocking XML-RPC is usually the safer default before launch.
Why does exposed XML-RPC matter before client delivery?
Because it is easy to overlook. A site can look finished, use HTTPS and still expose xmlrpc.php publicly. Pre-launch review is the right moment to decide whether that endpoint should remain available.
Is XML-RPC the same as the WordPress REST API?
No. XML-RPC is an older remote communication mechanism served from xmlrpc.php. The WordPress REST API is a separate interface served under /wp-json/ and is what modern WordPress features and integrations, including the block editor, use. Blocking xmlrpc.php does not affect the REST API, and a REST API that is still open does not count as XML-RPC exposure.
Check XML-RPC before delivering a WordPress site
Run a free PreFlight analysis and confirm whether XML-RPC is blocked, restricted, or intentionally available before launch.