{"id":148159,"date":"2021-10-07T13:25:06","date_gmt":"2021-10-07T13:25:06","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/xml-rpc-settings\/"},"modified":"2021-11-25T07:56:21","modified_gmt":"2021-11-25T07:56:21","slug":"xml-rpc-settings","status":"publish","type":"plugin","link":"https:\/\/hat.wordpress.org\/plugins\/xml-rpc-settings\/","author":17795899,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.2.1","stable_tag":"trunk","tested":"5.8.13","requires":"3.9","requires_php":"5.3","requires_plugins":"","header_name":"XML-RPC Settings","header_author":"@vavkamil","header_description":"Configure XML-RPC methods to increase the security of your website.","assets_banners_color":"313131","last_updated":"2021-11-25 07:56:21","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/github.com\/vavkamil\/xml-rpc-settings","header_author_uri":"https:\/\/vavkamil.cz","rating":0,"author_block_rating":0,"active_installs":30,"downloads":1896,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":[],"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":2611192,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":2611192,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":2611192,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":[],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":2611194,"resolution":"1","location":"assets","locale":""}},"screenshots":{"1":"The settings page is highly configurable, with a deep set of options available for each 
feature."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2439,13866,600,14731],"plugin_category":[54],"plugin_contributors":[203972],"plugin_business_model":[],"class_list":["post-148159","plugin","type-plugin","status-publish","hentry","plugin_tags-brute-force","plugin_tags-ddos","plugin_tags-security","plugin_tags-xmlrpc","plugin_category-security-and-spam-protection","plugin_contributors-vavkamil","plugin_committers-vavkamil"],"banners":{"banner":"https:\/\/ps.w.org\/xml-rpc-settings\/assets\/banner-772x250.png?rev=2611192","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/xml-rpc-settings\/assets\/icon-128x128.png?rev=2611192","icon_2x":"https:\/\/ps.w.org\/xml-rpc-settings\/assets\/icon-256x256.png?rev=2611192","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/xml-rpc-settings\/assets\/screenshot-1.png?rev=2611194","caption":"The settings page is highly configurable, with a deep set of options available for each feature."}],"raw_content":"<!--section=description-->\n<h3>XML-RPC Settings<\/h3>\n\n<p>Configure XML-RPC methods to increase the security of your website:<\/p>\n\n<h4>Built-in features that can be misused and that WordPress itself offers no setting to disable.<\/h4>\n\n<ul>\n<li>Disable GET access\n\n<ul>\n<li>The XML-RPC API only responds to POST requests. 
Direct GET access is not needed, and it lets attackers fingerprint sites and enlist them as XML-RPC zombies in later attacks.<\/li>\n<\/ul><\/li>\n<li>Disable system.multicall\n\n<ul>\n<li>The system.multicall method bundles many calls into one request and can be misused for amplification attacks.<\/li>\n<\/ul><\/li>\n<li>Disable system.listMethods\n\n<ul>\n<li>The system.listMethods method lists the enabled methods and can be used to verify attack scope.<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<h4>Prevent malicious actors from enumerating usernames and credentials.<\/h4>\n\n<ul>\n<li>Disable authenticated methods\n\n<ul>\n<li>Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<h4>Pingbacks are a helpful feature to discover back-links to your posts, but they can be misused for DDoS attacks or to fingerprint your WP version.<\/h4>\n\n<ul>\n<li>Disable pingbacks\n\n<ul>\n<li>Pingbacks are generally safe, but they are often used for DDoS attacks, especially when batched via system.multicall.<\/li>\n<\/ul><\/li>\n<li>Remove X-Pingback header\n\n<ul>\n<li>If you decide to disable pingbacks, it is good practice to also remove the X-Pingback header returned with your posts.<\/li>\n<\/ul><\/li>\n<li>Hide WordPress version when verifying pingbacks\n\n<ul>\n<li>The user-agent sent when verifying a pingback can reveal your exact WordPress version, even when other plugins hide it.<\/li>\n<\/ul><\/li>\n<li>Hide WordPress version when sending pingbacks\n\n<ul>\n<li>The user-agent sent with outgoing pingbacks can reveal your exact WordPress version, even when other plugins hide it.<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<h4>Unnecessary XML-RPC APIs; leave them enabled if you are not sure.<\/h4>\n\n<ul>\n<li>Disable Demo API\n\n<ul>\n<li>Remove the demo.sayHello and demo.addTwoNumbers methods, as they are not needed.<\/li>\n<\/ul><\/li>\n<li>Disable Blogger API\n\n<ul>\n<li>WordPress supports the Blogger XML-RPC API methods.<\/li>\n<\/ul><\/li>\n<li>Disable MetaWeblog API\n\n<ul>\n<li>WordPress supports the metaWeblog XML-RPC API.<\/li>\n<\/ul><\/li>\n<li>Disable MovableType 
API\n\n<ul>\n<li>WordPress supports the MovableType XML-RPC API.<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<h4>If you rely on integrations or the WP mobile apps, it is a good idea to allow XML-RPC only from specific IPs.<\/h4>\n\n<ul>\n<li>Allow XML-RPC only for\n\n<ul>\n<li>Comma-separated IP addresses, e.g. 192.168.10.242, 192.168.10.241<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<h4>It is possible to insert a message among the allowed methods returned when system.listMethods is called (not recommended).<\/h4>\n\n<ul>\n<li>Add message to XML-RPC methods\n\n<ul>\n<li>We are hiring! Check jobs.yourdomains.com<\/li>\n<\/ul><\/li>\n<\/ul>\n\n<!--section=installation-->\n<p>Secure your website using the following steps to install XML-RPC Settings:<\/p>\n\n<ol>\n<li>Install XML-RPC Settings automatically or by uploading the ZIP file.<\/li>\n<li>Activate XML-RPC Settings through the 'Plugins' menu in WordPress.<\/li>\n<li>Go to Settings &gt;&gt; XML-RPC Settings and configure the plugin based on your needs.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id='how%20does%20xml-rpc%20settings%20protect%20sites%20from%20attackers%3F'><h3>How does XML-RPC Settings protect sites from attackers?<\/h3><\/dt>\n<dd><p>The XML-RPC Settings plugin allows you to configure XML-RPC methods to increase the security of your website. 
For example, you can easily disable the pingback methods, which attackers can misuse to launch DDoS attacks.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.1 - October 05, 2021<\/h4>\n\n<ul>\n<li>Fix callback function to register settings<\/li>\n<\/ul>\n\n<h4>1.2 - October 05, 2021<\/h4>\n\n<ul>\n<li>Add <code>xmlrpc_settings_<\/code> prefix to function names to be unique<\/li>\n<\/ul>\n\n<h4>1.1 - October 03, 2021<\/h4>\n\n<ul>\n<li>Updated readme.txt and fixed grammar<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>","raw_excerpt":"Secure your website with the most comprehensive XML-RPC Settings plugin.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/148159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=148159"}],"author":[{"embeddable":true,"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/vavkamil"}],"wp:attachment":[{"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=148159"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=148159"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=148159"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/hat.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=148159"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/hat.wordpress.org\/plug
ins\/wp-json\/wp\/v2\/plugin_business_model?post=148159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
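Every switch in the plugin description above maps onto a stock WordPress hook. The must-use plugin below is an added example written for this page; it is not the XML-RPC Settings plugin's own code. Its file name, the choice of HTTP status codes, and the 192.168.10.x allowlist (taken from the page's own example addresses) are assumptions. Everything else relies on WordPress core behaviour: the XMLRPC_REQUEST constant that xmlrpc.php defines before loading WordPress, and the xmlrpc_methods, xmlrpc_enabled, wp_headers, http_headers_useragent and pingback_useragent filters.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening example
 *
 * Added example for this page, not the XML-RPC Settings plugin's own code.
 * Assumed location: wp-content/mu-plugins/xmlrpc-hardening.php (loaded unconditionally).
 * Each block implements one switch from the description using a stock WordPress hook.
 */

// Allowlist from the page's own example (assumption: these are your integration hosts).
// Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address; have the proxy
// set the real client IP rather than trusting X-Forwarded-For here.
function xmlrpc_example_allowed_ips() {
    return array( '192.168.10.242', '192.168.10.241' );
}

// 1 + 2. Disable GET access and restrict by source IP. xmlrpc.php defines
// XMLRPC_REQUEST before loading WordPress, so by 'init' we know we are serving
// xmlrpc.php. A GET normally answers "XML-RPC server accepts POST requests only.",
// a handy fingerprint; this also blocks the ?rsd discovery document, which is intended.
add_action( 'init', function () {
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return;
    }
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        status_header( 405 );
        header( 'Allow: POST' );
        exit;
    }
    if ( ! in_array( $_SERVER['REMOTE_ADDR'], xmlrpc_example_allowed_ips(), true ) ) {
        status_header( 403 );
        exit;
    }
} );

// 3. Drop methods the site does not need. 'xmlrpc_methods' receives the whole
// method => callback map; removed methods vanish from system.listMethods and
// calls to them fail with fault -32601 "requested method ... does not exist".
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    $drop = array(
        'system.multicall',                 // amplifies brute-force and pingback floods
        'system.listMethods',               // method enumeration
        'pingback.ping',                    // reflected DDoS vector
        'pingback.extensions.getPingbacks',
        'demo.sayHello',
        'demo.addTwoNumbers',
    );
    // Blogger, metaWeblog and MovableType (mt.*) APIs, matched by prefix.
    foreach ( array_keys( $methods ) as $name ) {
        if ( preg_match( '/^(blogger|metaWeblog|mt)\./', $name ) ) {
            $drop[] = $name;
        }
    }
    return array_diff_key( $methods, array_flip( $drop ) );
} );

// 4. Disable authenticated methods only. Every credentialed call (wp.getUsersBlogs,
// wp.getPosts, ...) passes through wp_xmlrpc_server::login(), which checks
// 'xmlrpc_enabled' and returns fault 405 "XML-RPC services are disabled" when false.
// Unauthenticated methods such as system.getCapabilities keep working.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 5. Stop advertising pingbacks. WP::send_headers() adds X-Pingback on singular
// posts that accept pings; filtering 'wp_headers' strips it again.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 6. Hide the WordPress version in outgoing requests. Verifying a pingback builds
// its User-Agent through 'http_headers_useragent' (default "WordPress/<ver>; <url>"),
// sending one goes through 'pingback_useragent' ("... -- WordPress/<ver>"). The same
// callback serves both: it strips the version token wherever it appears.
function xmlrpc_example_strip_version( $user_agent ) {
    return preg_replace( '#WordPress/[0-9.]+(-[A-Za-z0-9.]+)?#', 'WordPress', $user_agent );
}
add_filter( 'http_headers_useragent', 'xmlrpc_example_strip_version' );
add_filter( 'pingback_useragent', 'xmlrpc_example_strip_version' );
```

The blocks are independent, so keep only the ones that match the page's advice: a site that uses the WP mobile app keeps authenticated methods (drop block 4) and relies on the allowlist instead, while a site with no XML-RPC clients can keep block 4 and skip the allowlist. To check the result (example.com stands in for your host), `curl -si https://example.com/xmlrpc.php` should now answer 405, and a POST whose body is `<methodCall><methodName>system.listMethods</methodName></methodCall>` should return a -32601 fault instead of the method list.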