Configure XML-RPC Methods To Increase Security – XML-RPC Settings

XML-RPC Settings is a WordPress plugin that can be used to disable, enable, and remove certain functions of XML-RPC on your site.

To disable XML-RPC entirely, just add the following snippet to your .htaccess file.

<Files xmlrpc.php>
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

How to use it:

1. Install and activate the XML-RPC Settings plugin on your site.

2. Go to the settings page and configure the XML-RPC Settings plugin:

Built-in features that could be used for malicious purposes and cannot be disabled by default.

  • Disable GET access: XML-RPC API only responds to POST requests. Direct GET access is not needed and can be used to fingerprint websites and use them as XML-RPC zombies in later attacks.
  • Disable system.multicall: system.multicall method can be misused for amplification attacks.
  • Disable system.listMethods: system.listMethods method can be used for verifying attack scope.

Prevent malicious actors from enumerating usernames and credentials.

  • Disable authenticated methods: Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.

Pingbacks are a useful feature to discover back-links to your posts but can be misused for DDoS attacks or to fingerprint your WP version.

  • Disable pingbacks: Pingbacks are generally safe, but are often used for DDoS attacks via system.multicall.
  • Remove X-Pingback header: If you decide to disable pingbacks, it’s a good practice to also remove the X-Pingback header returned by your posts.
  • Hide WordPress version when verifying pingbacks: Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.
  • Hide WordPress version when sending pingbacks: Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.

Unnecessary XML-RPC APIs; leave them enabled if you are not sure.

  • Disable Demo API: Remove demo.sayHello and demo.addTwoNumbers methods, as they are not needed.
  • Disable Blogger API: WordPress supports the Blogger XML-RPC API methods.
  • Disable MetaWeblog API: WordPress supports the metaWeblog XML-RPC API.
  • Disable MovableType API: WordPress supports the MovableType XML-RPC API.

If you are using some integrations or WP mobile applications, it might be a good idea to allow XML-RPC only to specific IPs.

It is possible to hide a message between the allowed methods when system.listMethods is called (not recommended).
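The settings above map onto a handful of core WordPress filters. The following mu-plugin is an added example (not the XML-RPC Settings plugin's own code) that applies the same hardening by hand: it blocks GET access and enforces an optional IP allow-list, removes the abusable methods, disables authenticated methods, strips X-Pingback and hides the WordPress version from the outgoing User-Agent. The allow-list address is a constructed placeholder.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (example mu-plugin)
 * Drop into wp-content/mu-plugins/. Added example, not the plugin's code.
 */

// Constructed placeholder (TEST-NET-3). An empty array disables the IP check.
const XMLRPC_ALLOWED_IPS = [ '203.0.113.10' ];

// Disable GET access and enforce the allow-list before any method runs.
// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so 'init'
// fires early enough to stop the request (including the ?rsd GET response).
add_action( 'init', function () {
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return;
    }
    $method = $_SERVER['REQUEST_METHOD'] ?? '';
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( 'POST' !== $method
        || ( XMLRPC_ALLOWED_IPS && ! in_array( $ip, XMLRPC_ALLOWED_IPS, true ) ) ) {
        status_header( 403 );
        exit;
    }
} );

// Remove multicall, listMethods, pingbacks and the demo/Blogger/
// MetaWeblog/MovableType APIs; wp.* methods stay registered.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    $remove   = [ 'system.multicall', 'system.listMethods',
                  'pingback.ping', 'pingback.extensions.getPingbacks' ];
    $prefixes = [ 'demo.', 'blogger.', 'metaWeblog.', 'mt.' ];
    foreach ( array_keys( $methods ) as $name ) {
        foreach ( $prefixes as $p ) {
            if ( 0 === strpos( $name, $p ) ) { $remove[] = $name; }
        }
    }
    return array_diff_key( $methods, array_flip( $remove ) );
} );

// Disable every method that requires a login (stops credential guessing).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Drop the X-Pingback header and close pings on all posts.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'pings_open', '__return_false' );

// Outgoing pingbacks (and other outbound requests) normally send
// "WordPress/<version>; <url>"; send a version-free User-Agent instead.
add_filter( 'http_headers_useragent', function () {
    return 'WordPress; ' . home_url( '/' );
} );
```

Returning false from xmlrpc_enabled also breaks the official mobile apps and Jetpack-style integrations, so pair it with the IP allow-list instead if you rely on them.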

Download WordPress Plugin:

You can download this free WordPress plugin using the download button below. Unless otherwise stated, the WordPress plugin is available under GNU General Public License.

Author: @vavkamil


Don’t forget to share this WordPress plugin and also check out other awesome plugins on our site.
