XML-RPC Settings is a WordPress plugin that lets you disable, enable, or remove individual XML-RPC functions on your site instead of turning the whole interface on or off.
To disable XML-RPC entirely, just add the following snippet to your
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>
Note that these are the Apache 2.2 access-control directives; on Apache 2.4 they only work while mod_access_compat is loaded, otherwise use the 2.4 form (Require all denied) inside the same Files block. Blocking xmlrpc.php this way also breaks legitimate clients such as the WordPress mobile apps and Jetpack, which is why the plugin offers the finer-grained options below.
How to use it:
1. Install and activate the XML-RPC Settings plugin on your site.
2. Go to the settings page and configure the XML-RPC Settings plugin:
Built-in features that can be used for malicious purposes and that WordPress gives you no way to disable by default:
Disable GET access: the XML-RPC API only answers POST requests, so direct GET access is never needed. The fixed reply WordPress returns to a GET request is used to fingerprint WordPress sites and to collect them as XML-RPC zombies for later attacks.
Disable system.multicall: system.multicall bundles many method calls into one HTTP request, so it can be misused for amplification attacks (for example hundreds of login attempts per request).
Disable system.listMethods: system.listMethods returns every enabled method, which lets an attacker verify which of the methods below are still available before attacking.
Prevent malicious actors from enumerating usernames and credentials:
Disable authenticated methods: methods that require authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords, because every call is a login attempt that bypasses the wp-login.php form.
Pingbacks are a useful feature for discovering back-links to your posts, but they can be misused for DDoS attacks or to fingerprint your WordPress version:
Disable pingbacks: pingbacks are generally safe, but pingback.ping makes your site fetch an attacker-chosen URL, so it is often used for DDoS attacks, especially when batched through system.multicall.
Remove X-Pingback header: if you decide to disable pingbacks, it is good practice to also remove the X-Pingback header returned by your posts, since it advertises the endpoint.
Hide WordPress version when verifying pingbacks: the user-agent your site sends while verifying a pingback can reveal your exact WordPress version, even when other plugins hide it.
Hide WordPress version when sending pingbacks: the user-agent your site sends when it sends a pingback can likewise reveal your exact WordPress version, even when other plugins hide it.
Unnecessary XML-RPC APIs; leave them enabled if you are not sure:
Disable Demo API: removes the demo.sayHello and demo.addTwoNumbers methods, which exist only for testing and are not needed.
Disable Blogger API: WordPress still supports the legacy Blogger XML-RPC API methods (blogger.*) for old clients.
Disable MetaWeblog API: WordPress still supports the metaWeblog XML-RPC API (metaWeblog.*).
Disable MovableType API: WordPress still supports the MovableType XML-RPC API (mt.*).
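After changing the settings it is worth checking from the outside what xmlrpc.php still answers. The script below is an added example for this page; it is not part of the XML-RPC Settings plugin. It sends one probe per option above (a GET, system.listMethods, system.multicall, an authenticated call with bogus credentials, pingback.ping, and one method from each of the demo/Blogger/MetaWeblog/MovableType families) and reports which are still exposed. The fault codes it relies on are the stock WordPress/IXR values (-32601 for a removed method, 403 for a wrong password, 405 when authenticated calls are disabled). The fake_wordpress transport is a constructed stand-in so the audit runs offline; the example.com URL in the usage note is a placeholder.

```python
"""Audit which XML-RPC attack surface a WordPress site still exposes (added example,
not part of the XML-RPC Settings plugin; fault codes and strings are stock WordPress)."""
import urllib.error
import urllib.request
from xmlrpc.client import Fault, dumps, loads

GET_FINGERPRINT = "XML-RPC server accepts POST requests only."  # stock reply to GET
METHOD_NOT_FOUND = -32601  # IXR fault for a method removed from the method table
AUTH_DISABLED = 405        # wp_xmlrpc_server::login() when xmlrpc_enabled is false
BAD_CREDENTIALS = 403      # wp_xmlrpc_server::login() on a wrong password
# One representative method per family the settings page calls "unnecessary".
FAMILY_PROBES = {"demo": "demo.sayHello", "blogger": "blogger.getUsersBlogs",
                 "metaWeblog": "metaWeblog.getCategories", "mt": "mt.supportedMethods"}

def http_transport(url):
    """Transport that really talks to xmlrpc.php: (http_method, body) -> (status, text)."""
    def send(http_method, body=None):
        data = body.encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=http_method,
                                     headers={"Content-Type": "text/xml"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode(errors="replace")
    return send

def call(transport, method, params=()):
    """POST one methodCall and classify the reply as ok / fault / missing / blocked."""
    _status, body = transport("POST", dumps(tuple(params), methodname=method))
    try:
        (value,), _ = loads(body)
        return ("ok", value)
    except Fault as fault:
        if fault.faultCode == METHOD_NOT_FOUND:
            return ("missing",)
        return ("fault", fault.faultCode, fault.faultString)
    except Exception:  # HTML error page, WAF block, empty body: no XML-RPC served
        return ("blocked",)

def served(result):
    """True when the server ran the method at all (a fault still proves it exists)."""
    return result[0] in ("ok", "fault")

def audit(transport):
    """Return {finding: True if still exposed} for each option on the settings page."""
    findings = {}
    _status, body = transport("GET")
    findings["get_access"] = GET_FINGERPRINT in body
    listed = call(transport, "system.listMethods")
    findings["list_methods"] = listed[0] == "ok"
    methods = set(listed[1]) if listed[0] == "ok" else set()
    # An outer success means multicall is served even if the inner method is gone.
    inner = [{"methodName": "demo.sayHello", "params": []}]
    findings["multicall"] = call(transport, "system.multicall", [inner])[0] == "ok"
    # 403 means login() ran with our bogus credentials, so passwords can be guessed
    # here; 405 (or a missing method) means authenticated calls are switched off.
    auth = call(transport, "wp.getUsersBlogs", ["probe", "probe"])
    findings["authenticated_methods"] = auth[0] == "fault" and auth[1] == BAD_CREDENTIALS
    # The URLs are unusable so this always faults, but any fault other than
    # "method does not exist" shows the pingback handler is still wired up.
    ping = call(transport, "pingback.ping", ["http://127.0.0.1/", "http://127.0.0.1/"])
    findings["pingbacks"] = served(ping)
    for family, probe in FAMILY_PROBES.items():
        if methods:  # listMethods answered: read membership straight from the list
            findings[family + "_api"] = any(m.startswith(family + ".") for m in methods)
        else:        # otherwise call one method of the family and see if it is served
            findings[family + "_api"] = served(call(transport, probe))
    return findings

# Constructed stand-in for a WordPress server so the audit can run offline.
STOCK_METHODS = {"system.listMethods", "system.multicall", "demo.sayHello",
                 "pingback.ping", "wp.getUsersBlogs", "wp.getPost",
                 "blogger.getUsersBlogs", "metaWeblog.getCategories", "mt.supportedMethods"}

def fake_wordpress(exposed=STOCK_METHODS, get_fingerprint=True, auth_enabled=True):
    """Transport that answers like xmlrpc.php with only the given methods enabled."""
    def send(http_method, body=None):
        if http_method != "POST":
            return 405, (GET_FINGERPRINT if get_fingerprint else "")
        _params, method = loads(body)
        if method not in exposed:
            reply = Fault(METHOD_NOT_FOUND, f"server error. requested method {method} does not exist.")
        elif method == "system.listMethods":
            reply = (sorted(exposed),)
        elif method == "wp.getUsersBlogs":
            reply = (Fault(BAD_CREDENTIALS, "Incorrect username or password.") if auth_enabled
                     else Fault(AUTH_DISABLED, "XML-RPC services are disabled on this site."))
        elif method == "pingback.ping":
            reply = Fault(0, "Is there no link to us?")
        else:
            reply = ("ok",)
        return 200, dumps(reply, methodresponse=True)
    return send

if __name__ == "__main__":
    for name, exposed in audit(fake_wordpress()).items():
        print(f"{name:22} {'EXPOSED' if exposed else 'ok'}")
```

To run it against a real site, replace the fake with audit(http_transport("https://example.com/xmlrpc.php")) on a site you are allowed to test. A finding of True means the corresponding option is not (yet) in effect; a "blocked" classification for everything usually means a WAF or the .htaccess rule above is answering instead of WordPress. The X-Pingback header is not covered here because it is sent on post pages, not by xmlrpc.php, so check it with a plain request to a single post.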
If you use integrations or the WordPress mobile apps that need XML-RPC, it is a good idea to allow XML-RPC only from specific IP addresses rather than disabling it.
It is also possible to hide a message among the allowed methods returned when system.listMethods is called (not recommended).
Download WordPress Plugin:
You can download this free WordPress plugin using the download button below. Unless otherwise stated, the WordPress plugin is available under GNU General Public License.