Secure your website with the most comprehensive XML-RPC Settings plugin.
Author: @vavkamil (profile at wordpress.org)
WordPress version required: 3.9
WordPress version tested: 5.8.2
Plugin version: 1.2.1
Added to WordPress repository: 07-10-2021
Last updated: 25-11-2021
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
Rating, %: 0
Rated by: 0
Plugin URI: https://github.com/vavkamil/xml-rpc-settings
Total downloads: 649
Active installs: 30+
XML-RPC Settings
Configure XML-RPC methods to increase the security of your website:
Built-in features can be abused for malicious purposes, and WordPress offers no setting to disable them.
- Disable GET access
  - The XML-RPC API only responds to POST requests. Direct GET access is not needed; it can be used to fingerprint websites and to recruit them as XML-RPC zombies in later attacks.
- Disable system.multicall
  - The system.multicall method can be misused for amplification attacks.
- Disable system.listMethods
  - The system.listMethods method can be used to verify the attack scope.
Prevent malicious actors from enumerating usernames and credentials.
- Disable authenticated methods
  - Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.
Pingbacks are a helpful feature for discovering back-links to your posts, but they can be misused for DDoS attacks or allow fingerprinting of your WordPress version.
- Disable pingbacks
  - Pingbacks are generally safe, but they are often used for DDoS attacks via system.multicall.
- Remove X-Pingback header
  - If you decide to disable pingbacks, it is good practice to also remove the X-Pingback header returned by your posts.
- Hide WordPress version when verifying pingbacks
  - The user-agent your site sends while verifying an incoming pingback can reveal your exact WordPress version, even when it is hidden by other plugins.
- Hide WordPress version when sending pingbacks
  - The user-agent of the pingbacks your site sends can reveal your exact WordPress version, even when it is hidden by other plugins.
Unnecessary XML-RPC APIs; leave them enabled if you are not sure.
- Disable Demo API
  - Removes the demo.sayHello and demo.addTwoNumbers methods, as they are not needed.
- Disable Blogger API
  - WordPress supports the Blogger XML-RPC API methods.
- Disable MetaWeblog API
  - WordPress supports the metaWeblog XML-RPC API.
- Disable MovableType API
  - WordPress supports the MovableType XML-RPC API.
If you use integrations or the WordPress mobile applications, it may be a good idea to allow XML-RPC only from specific IPs.
- Allow XML-RPC only for
  - Comma-separated IP addresses, e.g. 192.168.10.242, 192.168.10.241
It is possible to hide a message between the allowed methods when system.listMethods is called (not recommended).
- Add message to XML-RPC methods
  - We are hiring! Check jobs.yourdomains.com
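The settings above map onto a handful of WordPress core hooks. The mu-plugin below is an added illustration of that mapping and is not the xml-rpc-settings plugin's own code; the IP allowlist values are constructed samples, and the method-name regex is an assumption about which methods you want gone.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (illustrative mu-plugin, not xml-rpc-settings)
 * Copy into wp-content/mu-plugins/ to activate; no settings screen is provided.
 */

// Client IPs allowed to use XML-RPC (constructed sample values). Leave the array
// empty to allow everyone. REMOTE_ADDR must be the real client address; behind a
// reverse proxy, resolve the true client IP before trusting this check.
const XMLRPC_ALLOWED_IPS = [ '192.168.10.242', '192.168.10.241' ];

// "Disable GET access": xmlrpc.php defines XMLRPC_REQUEST before loading WordPress,
// so on init we can refuse anything that is not a POST before any method runs.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST
         && 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        status_header( 403 );
        exit;
    }
} );

// "Disable system.multicall / system.listMethods / Demo / Blogger / MetaWeblog /
// MovableType API" and "Disable pingbacks": prune the method table the server
// exposes. "Allow XML-RPC only for": callers off the allowlist get no methods at all.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    $client_ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( XMLRPC_ALLOWED_IPS && ! in_array( $client_ip, XMLRPC_ALLOWED_IPS, true ) ) {
        return [];
    }
    // Assumed set of unwanted method prefixes; adjust to match your integrations.
    $unwanted = '/^(system\.multicall|system\.listMethods|demo\.|pingback\.|blogger\.|metaWeblog\.|mt\.)/';
    foreach ( array_keys( $methods ) as $name ) {
        if ( preg_match( $unwanted, $name ) ) {
            unset( $methods[ $name ] );
        }
    }
    return $methods;
} );

// "Disable authenticated methods": login() consults this filter and rejects
// credentials outright, closing the wp.getUsersBlogs brute-force path.
add_filter( 'xmlrpc_enabled', '__return_false' );

// "Remove X-Pingback header": WordPress adds it in WP::send_headers for posts with pings open.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// "Hide WordPress version when verifying pingbacks": pingback_ping() builds its
// user-agent from this filter, whose default is "WordPress/<version>; <url>".
add_filter( 'http_headers_useragent', function () {
    return 'WordPress; ' . get_bloginfo( 'url' );
} );
```

The user-agent used when your site sends pingbacks is assembled separately by the pingback() routine, so the last filter covers verification only; with the GET check in place, confirm that legitimate clients still reach the endpoint before deploying the allowlist.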