The WordPress System Lockdown feature's purpose is to lockdown certain core WordPress system features.


Recommendation: This depends on your usage and needs for certain WordPress functions and features.

The WordPress System Lockdown options explanations

Option: Disable XML-RPC

This option's purpose is to protect you against any possible XML-RPC brute force login attacks.


In this blog post here we explain

  • what XML-RPC system is
  • what it lets you do
  • why you might want to disable it and how


Important: If this option is disabled, you should be aware of the certain implications.


If you want to completely turn off the whole XML-RPC system, click the slider.

How to check and confirm XML-RPC functionality is disabled?

There is a very simple website provided to help you confirm that your XML-RPC is disabled.

  1. Go to: http://xmlrpc.eritreo.it/
  2. Enter your WordPress site URL in the ‘Address’ field
  3. Click the ‘Check’ button.

You should receive a response page detailing how your XML-RPC server isn’t available.


To learn more about the XML-RPC system, read the blog article here.

Option: Disable Anonymous Rest API

This option helps you to disable anonymous access to the REST API.


In most cases, REST APIs should be accessed only by authorized parties (users or apps). You can choose to completely disable anonymous access to the REST API.


Important: Enabling this option may break plugins that use the REST API for your site visitors.

Learn more about the WordPress REST API here.