Getting an “XML-RPC services are disabled on this site” error from your WordPress app? I was too. Here’s how to fix it.
Easy fix: update Wordfence to 5.0.3+
This is not a WordPress error, believe it or not. It’s a Wordfence problem. And the fix is simple: update Wordfence to version 5.0.3+. Based on an active discussion in the Wordfence support forum, the developers behind the security system announced they had updated the plugin and removed the feature.
If you don’t have 5.0.3+, you may have an optional setting to disable XML-RPC. Go to your Wordfence Options page and scroll to the bottom under Other Options. Look for a setting called “Disable XML-RPC for DDoS protection.” Unchecking that setting will allow your iOS or Android (or other) WordPress publishing app to function again.
This XML-RPC disabled services hiccup appears to have broken any app or third-party connection to self-hosted WordPress sites running Wordfence 5.0.2. By the sounds of the support forum complaints, that sounds like it’s mostly their iOS and Android apps, but complaints about Windows Live Writer and others have also appeared.
XML-RPC services are disabled on this site. What happened?
Wordfence updated their plugin recently, related to a DDoS security concern. Part of the fix disabled XML-RPC access in an attempt to protect WordPress websites from pingback-targeted attacks. However, it didn’t really work out that way.
WordPress lead developer Andrew Nacin explained in the support thread:
The changelog says “Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack.” The problem is this “attack” affects pingbacks. But the fix actually disables everything in XML-RPC except pingbacks, thus breaking mobile apps and anything else relying on XML-RPC, but allowing pingbacks through.
Several threads have popped up complaining about the issue and several others have published thoughts on the matter. And as of yesterday, Wordfence had realized their over-reach and corrected it. Kudos to them for attempting the strongest possible security and for their quick mea culpa response in correcting this problem.