Part of the series: WordPress Pre-Launch Technical Checks
When reviewing a WordPress site before launch, one detail that often shows up in security checklists is XML-RPC.
Some developers disable it by default. Others leave it as it is. And in many cases, nobody actually checks whether the project needs it.
Before delivering a site, it's worth taking a minute to understand what XML-RPC does and whether keeping it exposed makes sense for that specific setup.
What XML-RPC is
XML-RPC is a built-in WordPress protocol that allows external systems to interact with the site.
It was originally used for things like:
- remote publishing tools
- mobile WordPress apps
- certain integrations and services
In many modern setups, it is no longer needed, but it is still enabled by default.
Why it comes up during reviews
The issue is not XML-RPC itself. The question is whether it is exposed without being used.
If nothing in the project depends on it, leaving it active is just one more technical detail that nobody made a conscious decision about.
That is why it often appears in pre-launch checklists.
What usually happens in real projects
No one checked it
In many cases, XML-RPC is simply left as-is because the site works and there was no reason to touch it during development.
Old configurations still in place
Some setups come from older workflows where XML-RPC was more relevant. Those configurations often remain even when they are no longer needed.
Plugins already modified it
Security plugins sometimes disable or restrict XML-RPC automatically. This can happen without anyone explicitly deciding it.
Understanding what the final setup actually does is part of a clean delivery.
A quick check before launch
At this stage, the goal is simple: confirm whether XML-RPC is accessible and whether the project depends on it.
If it is not needed, it usually makes sense to restrict or disable it. If it is needed, then at least it is a deliberate choice.
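One way to run this check against a site you are delivering, as an added example that is not part of the original post or of PreFlight: it posts a `system.listMethods` call to WordPress's `/xmlrpc.php` endpoint and lists the methods the site advertises, so they can be compared against what the project uses. The function names, verdict labels and sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
import xmlrpc.client

MAX_BODY = 1_000_000  # cap how much of the response is read and parsed
PROBE = xmlrpc.client.dumps((), methodname="system.listMethods").encode()

def classify(status, body):
    """Turn an HTTP status and response body into (verdict, methods)."""
    if status != 200:
        return ("not-served", [])      # blocked or removed at the web server
    try:
        (methods,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault:
        return ("fault", [])           # endpoint answers, but rejects the call
    except Exception:
        return ("not-xmlrpc", [])      # HTTP 200 with something else, e.g. an HTML page
    if not isinstance(methods, list):
        return ("not-xmlrpc", [])
    return ("exposed", sorted(methods))

def probe(site_url, timeout=10):
    """POST the probe to <site_url>/xmlrpc.php and classify the answer."""
    req = urllib.request.Request(site_url.rstrip("/") + "/xmlrpc.php",
                                 data=PROBE, headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(MAX_BODY))
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")
    except urllib.error.URLError:
        return ("unreachable", [])

# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_OK = xmlrpc.client.dumps(
    (["wp.newPost", "system.listMethods", "wp.getUsersBlogs"],), methodresponse=True)
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(1, "constructed fault"), methodresponse=True)
SAMPLE_HTML = "<html><body>constructed landing page</body></html>"

if __name__ == "__main__":
    for label, status, body in [("enabled", 200, SAMPLE_OK), ("fault", 200, SAMPLE_FAULT),
                                ("html", 200, SAMPLE_HTML), ("blocked", 403, b"")]:
        print(label, classify(status, body))
    # Against a real site: print(probe("https://staging.example.test"))  # placeholder URL
```

An "exposed" verdict only says the endpoint answers; whether that is acceptable still depends on whether any app, integration or plugin in the project calls the listed methods.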
Why this belongs in a launch process
XML-RPC is one of those details that rarely causes visible issues, which is why it is easy to ignore.
But it is still part of the technical surface of the site, so it makes sense to review it before considering the project finished.
Where PreFlight fits in
PreFlight focuses on reviewing these kinds of technical details before a WordPress site is delivered.
If you want to check XML-RPC exposure specifically, you can see the check here: https://preflightstandard.com/checks/xml-rpc-exposure/
And if you want to run a broader technical review before publishing or handing over a site: https://preflightstandard.com/
Final thought
Not every technical detail will break a site.
But taking a moment to review things like XML-RPC helps ensure that what goes live is intentional, not just inherited from default settings.