A clear, practical guide to DirectAdmin XMLRPC, what it is, how to enable it, secure it, or disable it safely. Includes commands, configs, and real steps admins use daily. Our DirectAdmin Live Support Team is always here to help you.
If you manage WordPress sites on DirectAdmin, you’ve probably seen the term DirectAdmin XMLRPC pop up while fixing login issues, mobile app sync errors, or sudden traffic spikes. Yet most explanations online feel messy or half-baked. So today, let’s walk through what XML-RPC actually does, when you need it, and how to enable, secure, or fully disable it on a DirectAdmin server without breaking your site.
And yes, this guide keeps things real, uses clear steps, and includes every command you shouldn’t miss.
Overview
What XML-RPC Really Does
Before touching settings, it helps to know why XML-RPC exists in the first place. On WordPress, it’s an API that lets external tools talk to your site. For instance:
- Publishing posts
- Editing or deleting posts
- Uploading files
- Pulling comments or updating them
Apps like Jetpack, Zapier, mobile WordPress apps, and some SEO tools still rely on it. This is why DirectAdmin XMLRPC isn’t always something you can block blindly. But once enabled, it often becomes a target for brute-force bots, making security a priority.
How to Enable IMAP & XMLRPC on DirectAdmin
If you actually need XML-RPC, here’s the correct method to install and enable it:
1. Open the file:
/usr/local/directadmin/custombuild/php_extensions.conf2. Update these lines:
imap=yes
xmlrpc=yes3. Then run:
/usr/local/directadmin/custombuild/build php_imap
/usr/local/directadmin/custombuild/build php_xmlrpcOnce done, DirectAdmin XMLRPC will be active on your server.
How to Block XML-RPC Attacks in Apache
Since XML-RPC is a common attack entry, you can lock it down using DirectAdmin templates.
Run:
cd /usr/local/directadmin/data/templates/custom/
touch virtual_host2.conf.CUSTOM.4.post
touch virtual_host2_secure.conf.CUSTOM.4.post
touch virtual_host2_secure_sub.conf.CUSTOM.4.post
touch virtual_host2_sub.conf.CUSTOM.4.post
chmod 644 *.postAdd this into each file:
<Location ~ "/xmlrpc.php">
Order allow,deny
Deny from all
ErrorDocument 403 "Sorry, you are not allowed to view this page!"
</Location>Copy the first file into the others:
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_secure.conf.CUSTOM.4.post
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_secure_sub.conf.CUSTOM.4.post
cp -p virtual_host2.conf.CUSTOM.4.post virtual_host2_sub.conf.CUSTOM.4.postApply changes:
cd /usr/local/directadmin/custombuild/
./build rewrite_confsNow DirectAdmin XMLRPC requests will be blocked server-wide.
Lock Down XML-RPC Today
Blocking XML-RPC on Nginx
If your server uses Nginx, do this:
cd /usr/local/directadmin/data/templates/custom/
touch nginx_server.conf.CUSTOM.4.post
touch nginx_server_secure.conf.CUSTOM.4.post
touch nginx_server_secure_sub.conf.CUSTOM.4.post
touch nginx_server_sub.conf.CUSTOM.4.post
chmod 644 *.postInsert:
location =/xmlrpc.php {
deny all;
}Copy and apply:
cp -p nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
cp -p nginx_server_secure.conf.CUSTOM.4.post nginx_server_secure_sub.conf.CUSTOM.4.post
cp -p nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post
cd /usr/local/directadmin/custombuild/
./build rewrite_confsHow to Disable XML-RPC From DirectAdmin Itself
If you just want it completely off, you can do it through the UI.
1. Log in to DirectAdmin
2. Go to Server Manager
3. Open Services Monitor
4. Click httpd
5. Select Action → Edit Configuration File
6. Add:
SetEnvIf Request_URI xmlrpc.php noxmlrpc7. Save
8. Restart Apache
This shuts off DirectAdmin XMLRPC without touching templates.
Conclusion
Admins often overlook XML-RPC until it becomes a security nightmare or starts breaking app connections. With the steps above, you can enable it, secure it, or disable it entirely, without guesswork and without following outdated posts.
