Fixing XML-RPC Disabled Errors After WordPress 3.8.2 Update


Several desktop blog-editing applications use XML-RPC to allow you to manage your WordPress blog. The one I use is MarsEdit.

XML-RPC functionality has been turned on by default since WordPress 3.5, so after updating to WordPress 3.8.2 I was not expecting MarsEdit to report that XML-RPC services are disabled on this site.

The WordPress 3.8.2 update release notes stated that the wp-includes/class-wp-xmlrpc-server.php file had been revised. So the culprit did appear to be the latest WordPress update. However, the developer of MarsEdit alluded to a plugin possibly causing the issue.

At first, I couldn’t think which of the plugins I use could potentially cause this error, but after disabling all of this site’s plugins MarsEdit no longer threw the XML-RPC error. After enabling the plugins one by one, the real culprit turned out to be the 5.0.2 update to the Wordfence Security plugin that was released at roughly the same time as the WordPress 3.8.2 update.

The Wordfence Security plugin v5.0.2 has a new option under Wordfence > Options > Other Options named "Disable XML-RPC for DDoS protection", which is checked by default. Unchecking this option allows MarsEdit — and other applications relying on the XML-RPC interface — to communicate with WordPress once more.

Hat tip: Kelson for pointing out the Disable XML-RPC for DDoS protection option in Wordfence 5.0.2.

UPDATE 11th April 2014: Wordfence Security 5.0.3 has been released, which no longer includes the option to disable XML-RPC.
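
A quick way to tell this "XML-RPC disabled" fault apart from other failures while toggling plugins, as an added example that is not part of the original post or of WordPress, Wordfence or MarsEdit. It assumes the endpoint is your own site's xmlrpc.php, that the disabled fault is returned when an authenticated method such as wp.getUsersBlogs is called, and the sample responses (including the fault codes) are constructed for illustration.

```python
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Fault text quoted in the post above; matched as a substring of faultString.
DISABLED_MSG = "XML-RPC services are disabled on this site"

def build_probe(username, password):
    """Serialize a wp.getUsersBlogs call (assumption: the disabled check
    is applied when a client authenticates)."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")

def classify_response(body):
    """Classify a raw XML-RPC response body (str or bytes)."""
    try:
        xmlrpc.client.loads(body)  # raises Fault for a <fault> response
    except xmlrpc.client.Fault as fault:
        # A plugin or filter has switched XML-RPC off vs. any other fault
        # (for example bad credentials), which needs a different fix.
        return "disabled" if DISABLED_MSG in str(fault.faultString) else "other-fault"
    except (ExpatError, xmlrpc.client.ResponseError):
        # Not XML-RPC at all: e.g. a block page from a firewall or web server.
        return "not-xmlrpc"
    return "enabled"

def check_site(endpoint, username, password):
    """POST the probe to your own site's xmlrpc.php and classify the reply."""
    req = urllib.request.Request(endpoint,
                                 data=build_probe(username, password).encode(),
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_response(resp.read())
    except urllib.error.HTTPError as err:
        return "http-%d" % err.code  # request rejected before reaching XML-RPC

# Constructed sample responses (not captured from a real site).
SAMPLE_DISABLED = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."))
SAMPLE_BAD_LOGIN = xmlrpc.client.dumps(
    xmlrpc.client.Fault(403, "Incorrect username or password."))
SAMPLE_OK = xmlrpc.client.dumps(
    ([{"blogid": "1", "blogName": "Example"}],), methodresponse=True)
SAMPLE_BLOCK_PAGE = "403 Forbidden"

if __name__ == "__main__":
    for name in ("SAMPLE_DISABLED", "SAMPLE_BAD_LOGIN", "SAMPLE_OK", "SAMPLE_BLOCK_PAGE"):
        print(name, "->", classify_response(globals()[name]))
```

Run check_site after each plugin is re-enabled; the plugin whose activation flips the result from "enabled" to "disabled" is the one turning XML-RPC off.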

About the author

A native Brit exiled in Japan, Steve spends too much of his time struggling with the Japanese language, dreaming of fish & chips and writing the occasional blog post he hopes others will find helpful.

2 responses


  • Hi Steve,

    Sorry about this, we’ve pulled this feature because it caused a lot of problems. We’ve also posted a blog entry here:


    Mark Maunder – Wordfence founder.

