Disable XML-RPC-API

Description

Protect your website from XML-RPC brute-force attacks and DoS/DDoS attacks: this plugin disables XML-RPC and trackbacks/pingbacks on your WordPress website.

PLUGIN FEATURES
(Each of these options can be enabled or disabled individually)

  • Disable access to the xmlrpc.php file using the .htaccess file
  • Automatically change htaccess file permission to read-only (0444)
  • Disable X-pingback to minimize CPU usage
  • Disable selected methods from XML-RPC
  • Remove pingback-ping link from header
  • Disable trackbacks and pingbacks to avoid spammers and hackers
  • Rename XML-RPC slug to whatever you want
  • Black list IPs for XML-RPC
  • White list IPs for XML-RPC
  • Some options to speed up your WordPress website
  • Disable JSON REST API
  • Hide WordPress Version
  • Disable built-in WordPress file editor
  • Disable the WLW (Windows Live Writer) manifest
  • And some other options

Need more protection for your website?

Use WP Security Guard to protect your website against hackers, spammers and bad bots.

WP Security Guard Main Features

  • Anti BruteForce Attack
  • Anti Hack Firewall
  • Security Monitoring
  • Math Captcha & Google reCaptcha
  • Two Factor Authentication
  • File Integrity Monitoring
  • No Captcha Anti Spam
  • And More…

Learn more about WP Security Guard

What is XMLRPC

XML-RPC, or XML Remote Procedure Call is a protocol which uses XML to encode its calls and HTTP as a transport mechanism.
Beginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.

Why you should disable XML-RPC
XML-RPC has two main weaknesses:

  • Brute force attacks:
    Attackers try to login to WordPress using xmlrpc.php with as many username/password combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.”
  • Denial of Service Attacks via Pingback:
    Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.”
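The feature list above and the two weaknesses just described can also be addressed with WordPress's own filter hooks, which is useful for understanding what the plugin does and for the fallback case where .htaccess is not honoured. The following is an added example written for this page, not code from the Disable XML-RPC-API plugin; it assumes a must-use plugin file placed under wp-content/mu-plugins/ and uses only core WordPress hooks (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `pings_open`) and core method names.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening example
 * Description: Added illustration for this page, not the Disable XML-RPC-API plugin's code.
 * Place this file in wp-content/mu-plugins/ (assumed path) so WordPress loads it on every request.
 */

// 1. Hard switch. Core consults this filter in wp_xmlrpc_server::login(), so every
//    method that authenticates (wp.*, blogger.*, metaWeblog.* and system.multicall
//    batches of them) receives the fault "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Method removal. pingback.ping never calls login(), so the switch above does not
//    stop the reflected-DoS abuse described on this page. Unregister it (and the
//    multicall batcher used for bulk password guessing) from the method table instead.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
	$blocked = array( 'system.multicall', 'pingback.ping', 'pingback.extensions.getPingbacks' );
	foreach ( $blocked as $name ) {
		unset( $methods[ $name ] );
	}
	return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( array $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// ... and the discovery <link> tags in <head> that point clients at xmlrpc.php.
add_action( 'init', function () {
	remove_action( 'wp_head', 'rsd_link' );         // Really Simple Discovery
	remove_action( 'wp_head', 'wlwmanifest_link' ); // Windows Live Writer manifest; harmless no-op on WP 6.3+, which no longer outputs it
} );
// The <link rel="pingback"> tag itself is usually hard-coded in the theme's header.php,
// so removing it is a theme edit rather than a hook.

// 4. Refuse incoming trackbacks and pingbacks regardless of each post's own setting.
//    Both wp-trackback.php and pingback.ping check pings_open() before accepting.
add_filter( 'pings_open', '__return_false' );
```

Two points worth noting about the design: the `xmlrpc_enabled` filter is a login-time check, so on its own it leaves unauthenticated methods such as pingback.ping reachable, which is why step 2 is not redundant. And every hook above still costs a full WordPress bootstrap per request; the plugin's .htaccess rule rejects the request at the web server before PHP runs, which is what actually saves CPU under a flood.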

Screenshots

Installation

  1. Upload the disable-xml-rpc directory to the /wp-content/plugins/ directory in your WordPress installation
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. XML-RPC-API is now disabled!

To re-enable XML-RPC, just deactivate the plugin through the ‘Plugins’ menu.

FAQ

Is there an admin interface for this plugin?

Yes. You can find “XML-RPC Security” in your admin menu.

How do I know if the plugin is working?

There are three easy methods for checking whether XML-RPC is off:
1. The easiest way is to open this URL: http://yourdomain/xmlrpc.php (enter your domain name instead of ‘yourdomain’). If you see “Access forbidden!” or a 403 error, it’s working.
2. Try using an XML-RPC client, such as the official WordPress mobile apps. The WordPress mobile app should tell you that “XML-RPC services are disabled on this site” if the plugin is activated.
3. Or you can try the XML-RPC Validator, written by Danilo Ercoli of the Automattic Mobile Team. The tool is available at http://xmlrpc.eritreo.it/, with a blog post about it at http://daniloercoli.com/2012/05/15/wordpress-xml-rpc-endpoint-validator/. Keep in mind that you want the validator to fail and tell you that XML-RPC services are disabled.
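For a repeatable version of the checks above, here is an added command-line probe written for this page (not the plugin's own code) that you run against your own site. It POSTs a `system.listMethods` call to xmlrpc.php and reports which layer answered. It assumes PHP with the curl and SimpleXML extensions; `https://example.com` is a placeholder, and the “Access forbidden!” match is assumed to correspond to the PHP fallback the changelog mentions for hosts where .htaccess is not honoured.

```php
<?php
/**
 * Added example for this page (not the plugin's own code): a CLI probe you run
 * against your own site to see which layer, if any, is blocking XML-RPC.
 * Usage: php xmlrpc-check.php https://example.com   (example.com is a placeholder)
 */

/** POST a system.listMethods call and return the HTTP status and raw body. */
function probe_xmlrpc( string $site ): array {
	$request = '<?xml version="1.0"?>'
		. '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>';

	$ch = curl_init( rtrim( $site, '/' ) . '/xmlrpc.php' );
	curl_setopt_array( $ch, array(
		CURLOPT_POST           => true,
		CURLOPT_POSTFIELDS     => $request,
		CURLOPT_HTTPHEADER     => array( 'Content-Type: text/xml' ),
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_TIMEOUT        => 15,
	) );
	$body   = curl_exec( $ch );
	$status = (int) curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
	$error  = curl_error( $ch );
	curl_close( $ch );

	if ( $body === false ) {
		throw new RuntimeException( "request failed: $error" );
	}
	return array( 'status' => $status, 'body' => $body );
}

/** Interpret the response the way the FAQ describes, plus an inventory of risky methods. */
function classify_xmlrpc( int $status, string $body ): string {
	// The plugin's .htaccess rule makes the web server refuse before PHP runs.
	if ( in_array( $status, array( 403, 404, 405 ), true ) ) {
		return "refused at the web server (HTTP $status)";
	}
	// Assumed: the plugin's PHP fallback answers with a short "Access forbidden!" page.
	if ( stripos( $body, 'Access forbidden' ) !== false ) {
		return "blocked by WordPress before dispatch (HTTP $status)";
	}

	libxml_use_internal_errors( true );
	$xml = simplexml_load_string( $body );
	if ( $xml === false || $xml->getName() !== 'methodResponse' ) {
		return "reachable but did not answer XML-RPC (HTTP $status)";
	}
	if ( isset( $xml->fault ) ) {
		$msg = $xml->xpath( '//member[name="faultString"]/value/string' );
		return 'XML-RPC fault: ' . ( $msg ? (string) $msg[0] : 'unknown' );
	}

	// A normal reply is an <array> of <string> method names.
	$methods = array_map( 'strval', $xml->xpath( '//string' ) );
	$risky   = array_intersect( array( 'system.multicall', 'pingback.ping' ), $methods );
	if ( $risky ) {
		return 'XML-RPC is enabled; risky methods still exposed: ' . implode( ', ', $risky );
	}
	return 'XML-RPC answers, but system.multicall and pingback.ping are unregistered';
}

$site   = $argv[1] ?? 'https://example.com'; // placeholder default
$result = probe_xmlrpc( $site );
echo classify_xmlrpc( $result['status'], $result['body'] ), PHP_EOL;
```

One caveat the FAQ's second method hints at: `system.listMethods` needs no login, so it is still answered on a site that only applies WordPress's `xmlrpc_enabled` filter (that filter refuses at login time). A “risky methods still exposed” result therefore means the endpoint is reachable and the methods are registered, not necessarily that authenticated calls would succeed; for that case, use an XML-RPC client as the FAQ suggests.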

Something doesn’t seem to be working correctly

If the plugin is activated, but XML-RPC appears to still be working … OR … the plugin is deactivated, but XML-RPC is not working, then it’s possible that another plugin or theme function is affecting the plugin functions.

Reviews

January 10, 2023
Especially for anyone using WordPress in a professional context, e.g. for clients, this plugin is unusable without manually patching out some code. Particularly in the file wp-content/plugins/disable-xml-rpc-api/admin/admin.php, you will find the following:

    add_action( 'admin_notices', 'dsxmlrpc_admin_notice_wpsg' );

which repeatedly, without any way to disable it permanently, shows an advertisement for a different plugin called WP Security Guard. The ad says the following: “Did you know? You can improve your website security by using WP Security Guard! Learn more / Remind Me Later / Not Intrested!” The option “Not Intrested!” did not disable the notification permanently. It came back.

I'm personally not against being contacted by the author of a plugin I actively use, in order to ask whether I might be interested in a more fully-featured professional product - because I legitimately might be interested, and we pay for a lot of our plugins - but nagging everyone in the admin panel, without being able to turn it off, for a product that isn't even the same one, without mentioning it at the top of the plugin's description page as a disclaimer before we install, crossed a line. It comes across as unprofessional, without warning, so unusable in a professional context.

For users with a personal website looking to disable the notification permanently, they can do so via functions.php or a plugin for PHP code snippets with:

    add_action( 'init', function() { remove_action( 'admin_notices', 'dsxmlrpc_admin_notice_wpsg' ); }, 11 );

With this, I hope others are informed. Three stars because, without this advertisement, it does what it says.
December 19, 2022
Slows the website and can't be deleted!
December 1, 2022
Tricky plugin that you cannot delete on the dashboard. Finally I had to do it in my cPanel.
November 29, 2022 (4 replies)
The whole site crashed just after activation. 500 server error. Uninstalled, found another solution. However, the support is prompt and nice.
Read all 35 reviews

Contributors & Developers

“Disable XML-RPC-API” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Disable XML-RPC-API” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.0.0

  • Initial release

1.0.1

  • Fix bugs

1.0.5

  • Remove pingback link tag in header
  • Add ability to fix htaccess file permission

1.0.6

  • Fix warnings for htaccess permission

1.0.7

  • Fix blank page when using W3 Total Cache and some other cache plugins

1.0.8

  • Fix code conflict with Autoptimize plugin

1.0.9

  • WordPress 5.7 compatible
  • Fix some issues

2.0.0

  • Fix code conflict with some other plugin
  • Fix hiding data in WooCommerce Product Tabs

2.1.0

  • Major update
  • Add “XML-RPC Security” settings menu
  • Add some new features
  • Fix plugin deactivation bug

2.1.1

  • Add new feature: fix hotlinks
  • Change notification timing

2.1.2

  • Add an option to disable auto change htaccess permission
  • Fix “DISALLOW_FILE_EDIT” warning
  • WordPress 5.8 compatibility

2.1.3

  • Fix compatibility issue with WordPress 5.9
  • Fix htaccess cleaning function

2.1.4

  • Fix some minor bugs
  • Refactor the entire codes
  • Add a fallback function for situations htaccess is not working

2.1.4.2

  • Hotfix for error on update

2.1.4.3

  • Hotfix for error on removing WordPress metadata

2.1.4.4

  • Fix warning undefined variable $htaccess_code when disable hotlink fix is off
  • Fix warning Undefined array key “plugins” on PHP 8+

2.1.4.5

  • Fix removing pingback header issue in the last major update
  • Update “tested up to” to WordPress 6.1

2.1.4.7

  • Fix issues on uninstallation hook
  • Minor improvements on admin review notification