Removing the ability to disable XML-RPC in emergency release 5.0.3

We screwed up. Wordfence 5 was a very big release for us and in our haste to get it out the door we didn’t sufficiently test one of the features we added towards the end of the development cycle: The ability to disable XML-RPC.

Turns out that adding this feature and turning it on by default broke many users ability to remotely publish to their sites along with several mobile apps.

To fix this we just put out Wordfence 5.0.3 which has only one difference: We have completely removed the ability to disable XML-RPC.

We did this after some feedback from the community and WordPress core developers.

So how do we avoid this from happening in the future? We’re going to take a long hard look at the process we use to evaluate whether or not to add a feature and include it in a particular release. And we’re going to reevaluate our software quality assurance processes and procedures.

Wordfence has grown up into a very popular product and is used by tens of thousands of WordPress publishers to keep their sites safe, secure and now with Wordfence 5, fast. It’s time we take our company through the next stage in its evolution so that it keeps pace with the demands of our large user-base.

So, from me, Mark Maunder, the creator of Wordfence and lead developer, please accept my sincere apology for any inconvenience caused by us including this feature. Wordfence 5.0.3 fixes the issue and I can assure you that we’re focused on fixing the larger issue of delivering enterprise ready, rock solid and well tested software.

Expect more on this in the near future as we work with the community to improve our testing and release process.


Mark Maunder – Wordfence founder and Feedjit Inc CEO.





Did you enjoy this post? Share it!


  • And Why not leaving the option disabled?

    I use it and now I can't update until found an alternative.

    • We'll probably add it back in the next release and make darn sure it's off by default.



  • Hi Mark
    I don't use WordFence but I heard about this over on the WordPress Tavern blog.

    These things happen but not all plugin devs sort out the problem as quickly and graciously as you have done.

    Well done for that and I may give the plugin a try.

    • Thanks Keith.

  • So can you clarify... how do we get this option back? The option to enable/disable is not in your plugin (free), or in my native dashboard even after I remove your plugin. This should always be an option since you don't "create" this feature, you shouldn't disable it or change the status of it unless explicitly requested.