diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml
index 90009265e2..4a9f1d6f3b 100644
--- a/group_vars/development/wordpress_sites.yml
+++ b/group_vars/development/wordpress_sites.yml
@@ -17,3 +17,5 @@ wordpress_sites:
       provider: self-signed
     cache:
       enabled: false
+    xmlrpc:
+      enabled: false
diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml
index e8a875d1ca..fc94943c51 100644
--- a/group_vars/production/wordpress_sites.yml
+++ b/group_vars/production/wordpress_sites.yml
@@ -19,3 +19,5 @@ wordpress_sites:
       provider: letsencrypt
     cache:
       enabled: false
+    xmlrpc:
+      enabled: false
diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml
index 054770ea7a..bf588be06b 100644
--- a/group_vars/staging/wordpress_sites.yml
+++ b/group_vars/staging/wordpress_sites.yml
@@ -19,3 +19,5 @@ wordpress_sites:
       provider: letsencrypt
     cache:
       enabled: false
+    xmlrpc:
+      enabled: false
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index d17f999c6a..b26085cbc3 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -174,6 +174,14 @@ server {
   }
   {% endblock %}
 
+  {% block disable_xmlrpc -%}
+    {% if item.value.xmlrpc.enabled is defined and item.value.xmlrpc.enabled == false %}
+      location ~* xmlrpc\.php$ {
+        return 444;
+      }
+    {% endif %}
+  {% endblock %}
+
   {% block h5bp -%}
   {% if h5bp_cache_file_descriptors_enabled -%}
   include h5bp/directive-only/cache-file-descriptors.conf;