XML-RPC Settings
XML-RPC Settings Install Statistics
11
100%
Today: 11
Yesterday: 0
All-time: 649 downloads
Try plugin: XML-RPC Settings
We'll create fresh WordPress site with XML-RPC Settings installed. You have 20 minutes to test the plugin after that site we'll be deleted.
Takes ~10 seconds to install.
About XML-RPC Settings
Secure your website with the most comprehensive XML-RPC Settings plugin.Description
XML-RPC Settings
Configure XML-RPC methods to increase the security of your website:
Build-in features could be used for malicious purposes and cannot be disabled by default.
- Disable GET access
- XML-RPC API only responds to POST requests. Direct GET access is not needed and can be used to fingerprint websites and use them as XML-RPC zombies in later attacks.
- Disable system.multicall
- system.multicall method can be misused for amplification attacks.
- Disable system.listMethods
- system.listMethods method can be used for verifying attack scope.
Prevent malicious actors from enumerating usernames and credentials.
- Disable authenticated methods
- Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.
Pingbacks are a helpful feature to discover back-links to your posts but can be misused for DDoS attacks or allow fingerprinting your WP version.
- Disable pingbacks
- Pingbacks are generally safe, but are often used for DDoS attacks via system.multicall.
- Remove X-Pingback header
- If you decide to disable pingbacks, it’s a good practice to remove the X-Pingback header return by your posts.
- Hide WordPress version when verifying pingbacks
- Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.
- Hide WordPress version when sending pingbacks
- Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.
Unnecessary XML-RPC API, leave enabled if you are not sure.
- Disable Demo API
- Remove demo.sayHello and demo.addTwoNumbers methods, as they are not needed.
- Disable Blogger API
- WordPress supports the Blogger XML-RPC API methods.
- Disable MetaWeblog API
- WordPress supports the metaWeblog XML-RPC API.
- Disable MovableType API
- WordPress supports the MovableType XML-RPC API.
If you are using some integrations or WP mobile applications, it might be a good idea to allow XML-RPC only to specific IPs.
- Allow XML-RPC only for
- IP comma separated eg. 192.168.10.242, 192.168.10.241
It is possible to hide a message between the allowed methods when system.listMethods is called (not recommended).
- Add message to XML-RPC methods
- We are hiring! Check jobs.yourdomains.com