Can I make XMLRPC requests to my website?

Chris Wright
Published: 3 November 2023Last updated: 8 November 2023

XMLRPC is a key attack target and denial of service vector against any WordPress site, so we filter traffic towards it as part of our Web Application Firewall.

Known "trusted" applications and networks are permitted access, but unknown sources and especially any web browser-based requests to xmlrpc.php are blocked for security reasons. 

This won't prevent any of the below applications from working correctly, but does mean you won't be able to visit /xmlrpc.php on your WordPress website. It's not anything to worry about.

By default, the following are allowed to access xmlrpc.php files on sites hosted by 20i:

  • All connections from the Automattic ( network which includes JetPack
  • WordPress Android/iPhone Apps
  • BlogStomps
  • Blogo
  • Zapier
  • Open Live Writer
  • Ulysses

If there is another application you'd like to add to this whitelist, we'll be happy to review on a case-by-case basis. Please reach out to our support team.