Version Description
- Fix code conflict with Autoptimize plugin
Download this release
Release Info
| Developer | aminnz |
| Plugin |  Disable XML-RPC-API |
| Version | 1.0.8 |
| Comparing to | |
| See all releases | |
Code changes from version 1.0.7 to 1.0.8
- disable-xml-rpc-api.php +9 -17
- readme.txt +31 -14
disable-xml-rpc-api.php
CHANGED
|
@@ -2,11 +2,11 @@
|
|
| 2 |
/*
|
| 3 |
Plugin Name: Disable XML-RPC-API
|
| 4 |
Plugin URI: https://neatma.com/
|
| 5 |
-
Description:
|
| 6 |
-
Version: 1.0.
|
| 7 |
Tested up to: 5.6
|
| 8 |
Requires at least: 3.5
|
| 9 |
-
Author:
|
| 10 |
Author URI: https://neatma.com/
|
| 11 |
License: GPLv2
|
| 12 |
*/
|
|
@@ -19,45 +19,37 @@ require_once(dsxmlrpc_plugin_url . 'admin/admin.php');
|
|
| 19 |
add_action( 'admin_init', array( 'PAnD', 'init' ) );
|
| 20 |
add_filter('xmlrpc_enabled', '__return_false');
|
| 21 |
|
| 22 |
-
|
| 23 |
// Disable X-Pingback to header
|
| 24 |
-
|
| 25 |
add_filter( 'wp_headers', 'dsxmlrpc_x_pingback' );
|
| 26 |
add_filter('pings_open', '__return_false', PHP_INT_MAX);
|
| 27 |
-
add_action('wp_head','dsxmlrpc_wp_head_buffer', PHP_INT_MAX);
|
| 28 |
|
| 29 |
function dsxmlrpc_x_pingback( $headers ) {
|
|
|
|
| 30 |
unset( $headers['X-Pingback'] );
|
| 31 |
return $headers;
|
| 32 |
}
|
| 33 |
-
function dsxmlrpc_wp_head_buffer() {
|
| 34 |
-
$in = ob_get_contents();
|
| 35 |
-
$out = preg_replace('#<link rel="pingback"(.*?)>#', '', $in);
|
| 36 |
-
echo $out;
|
| 37 |
-
}
|
| 38 |
|
| 39 |
|
| 40 |
//
|
| 41 |
// Fix htaccess permissions
|
| 42 |
-
|
| 43 |
function dsxmlrpc_file_chmod() {
|
| 44 |
$htaccess_file = dsxmlrpc_home_path . '.htaccess';
|
| 45 |
chmod($htaccess_file, 0755);
|
| 46 |
}
|
| 47 |
|
| 48 |
-
|
| 49 |
// Disable access to xmlrpc.php entirely with .htaccess file
|
| 50 |
-
|
| 51 |
function dsxmlrpc_add_htaccess() {
|
| 52 |
|
| 53 |
$filename = dsxmlrpc_plugin_url . '/admin/dsxmlrpc-htaccess';
|
| 54 |
$htaccess_file = dsxmlrpc_home_path . '.htaccess';
|
| 55 |
insert_with_markers($htaccess_file, 'DS-XML-RPC-API', extract_from_markers($filename, 'DS-XML-RPC-API')) ? : dsxmlrpc_file_chmod();
|
| 56 |
}
|
| 57 |
-
|
| 58 |
-
|
| 59 |
-
|
| 60 |
|
|
|
|
|
|
|
| 61 |
function dsxmlrpc_remove_htaccess() {
|
| 62 |
|
| 63 |
$filename = dsxmlrpc_plugin_url . '/admin/dsxmlrpc-htaccess';
|
| 2 |
/*
|
| 3 |
Plugin Name: Disable XML-RPC-API
|
| 4 |
Plugin URI: https://neatma.com/
|
| 5 |
+
Description: Lightweight plugin to disable XML-RPC API and Pingbacks,Trackbacks for faster and more secure website.
|
| 6 |
+
Version: 1.0.8
|
| 7 |
Tested up to: 5.6
|
| 8 |
Requires at least: 3.5
|
| 9 |
+
Author: Neatmarketing
|
| 10 |
Author URI: https://neatma.com/
|
| 11 |
License: GPLv2
|
| 12 |
*/
|
| 19 |
add_action( 'admin_init', array( 'PAnD', 'init' ) );
|
| 20 |
add_filter('xmlrpc_enabled', '__return_false');
|
| 21 |
|
| 22 |
+
//
|
| 23 |
// Disable X-Pingback to header
|
|
|
|
| 24 |
add_filter( 'wp_headers', 'dsxmlrpc_x_pingback' );
|
| 25 |
add_filter('pings_open', '__return_false', PHP_INT_MAX);
|
|
|
|
| 26 |
|
| 27 |
function dsxmlrpc_x_pingback( $headers ) {
|
| 28 |
+
|
| 29 |
unset( $headers['X-Pingback'] );
|
| 30 |
return $headers;
|
| 31 |
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 32 |
|
| 33 |
|
| 34 |
//
|
| 35 |
// Fix htaccess permissions
|
|
|
|
| 36 |
function dsxmlrpc_file_chmod() {
|
| 37 |
$htaccess_file = dsxmlrpc_home_path . '.htaccess';
|
| 38 |
chmod($htaccess_file, 0755);
|
| 39 |
}
|
| 40 |
|
| 41 |
+
//
|
| 42 |
// Disable access to xmlrpc.php entirely with .htaccess file
|
|
|
|
| 43 |
function dsxmlrpc_add_htaccess() {
|
| 44 |
|
| 45 |
$filename = dsxmlrpc_plugin_url . '/admin/dsxmlrpc-htaccess';
|
| 46 |
$htaccess_file = dsxmlrpc_home_path . '.htaccess';
|
| 47 |
insert_with_markers($htaccess_file, 'DS-XML-RPC-API', extract_from_markers($filename, 'DS-XML-RPC-API')) ? : dsxmlrpc_file_chmod();
|
| 48 |
}
|
| 49 |
+
add_action('admin_init', 'dsxmlrpc_add_htaccess', 1, 2 );
|
|
|
|
|
|
|
| 50 |
|
| 51 |
+
//
|
| 52 |
+
//Remove .htaccess codes when disabled
|
| 53 |
function dsxmlrpc_remove_htaccess() {
|
| 54 |
|
| 55 |
$filename = dsxmlrpc_plugin_url . '/admin/dsxmlrpc-htaccess';
|
readme.txt
CHANGED
|
@@ -2,30 +2,44 @@
|
|
| 2 |
|
| 3 |
Plugin Name: Disable XML-RPC-API
|
| 4 |
Plugin URI: https://neatma.com
|
| 5 |
-
Contributors: aminnz
|
| 6 |
-
Description: Simple plugin to disable XML-RPC API and X-Pingback
|
| 7 |
Tags: disable xml-rpc, disable xmlrpc,remove xmlrpc, XML-RPC, xmlrpc.php, XML-RPC API, stop brute force attacks
|
| 8 |
-
Version: 1.0.
|
| 9 |
Tested up to: 5.6
|
| 10 |
Requires at least: 3.5
|
| 11 |
-
Author:
|
| 12 |
Author URI: https://neatma.com
|
| 13 |
License: GPLv2
|
| 14 |
|
| 15 |
-
|
|
|
|
| 16 |
== Description ==
|
| 17 |
|
| 18 |
-
|
| 19 |
|
| 20 |
**PLUGIN FEATURES**
|
| 21 |
|
| 22 |
* Disable access to xmlrpc.php file using .httacess file
|
| 23 |
-
* Disable X-pingback
|
| 24 |
-
* Remove ping
|
| 25 |
-
*
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 26 |
|
| 27 |
|
| 28 |
-
Beginning in 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.
|
| 29 |
|
| 30 |
== Installation ==
|
| 31 |
|
|
@@ -50,7 +64,7 @@ There are three easy methods for checking if XML-RPC is off:
|
|
| 50 |
|
| 51 |
= Something doesn't seem to be working correctly =
|
| 52 |
|
| 53 |
-
If the plugin is activated, but XML-RPC appears to still be working ... OR ... the plugin is deactivated, but XML-RPC is not working, then it's possible that another plugin or theme function is affecting the
|
| 54 |
|
| 55 |
== Screenshots ==
|
| 56 |
screenshot-1.png
|
|
@@ -63,11 +77,14 @@ screenshot-1.png
|
|
| 63 |
* Fix bugs
|
| 64 |
|
| 65 |
= 1.0.5 =
|
| 66 |
-
*
|
| 67 |
-
* Add ability to fix htaccess
|
| 68 |
|
| 69 |
= 1.0.6 =
|
| 70 |
* Fix warnings for htaccess permission
|
| 71 |
|
| 72 |
= 1.0.7 =
|
| 73 |
-
* Fix blank page when using W3 Total Cache and some other cache plugins
|
|
|
|
|
|
|
|
|
| 2 |
|
| 3 |
Plugin Name: Disable XML-RPC-API
|
| 4 |
Plugin URI: https://neatma.com
|
| 5 |
+
Contributors: aminnz,neatmarketing
|
| 6 |
+
Description: Simple plugin to disable XML-RPC API and X-Pingback for faster and more secure website.
|
| 7 |
Tags: disable xml-rpc, disable xmlrpc,remove xmlrpc, XML-RPC, xmlrpc.php, XML-RPC API, stop brute force attacks
|
| 8 |
+
Version: 1.0.8
|
| 9 |
Tested up to: 5.6
|
| 10 |
Requires at least: 3.5
|
| 11 |
+
Author: Neatmarketing
|
| 12 |
Author URI: https://neatma.com
|
| 13 |
License: GPLv2
|
| 14 |
|
| 15 |
+
A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback-ping in WordPress 3.5+ for a faster and more secure website
|
| 16 |
+
|
| 17 |
== Description ==
|
| 18 |
|
| 19 |
+
Protect your website from xmlrpc brute-force attacks,DOS and DDOS attacks, this plugin disables the XML-RPC and trackbacks-pingbacks on your WordPress website.
|
| 20 |
|
| 21 |
**PLUGIN FEATURES**
|
| 22 |
|
| 23 |
* Disable access to xmlrpc.php file using .httacess file
|
| 24 |
+
* Disable X-pingback to minimize CPU usage
|
| 25 |
+
* Remove pingback-ping link from header
|
| 26 |
+
* Disable trackbacks and pingbacks to avoid spammers and hackers
|
| 27 |
+
* Disable xmlrpc API entirely
|
| 28 |
+
|
| 29 |
+
**What is XMLRPC**
|
| 30 |
+
|
| 31 |
+
XML-RPC, or XML Remote Procedure Call is a protocol which uses XML to encode its calls and HTTP as a transport mechanism.
|
| 32 |
+
Beginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.
|
| 33 |
+
|
| 34 |
+
**Why you should disable XML-RPC**
|
| 35 |
+
*Xmlrpc has two main weaknesses*
|
| 36 |
+
|
| 37 |
+
* Brute force attacks:
|
| 38 |
+
Attackers try to login to WordPress using xmlrpc.php with as many username/password combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.”
|
| 39 |
+
* Denial of Service Attacks via Pingback:
|
| 40 |
+
Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.”
|
| 41 |
|
| 42 |
|
|
|
|
| 43 |
|
| 44 |
== Installation ==
|
| 45 |
|
| 64 |
|
| 65 |
= Something doesn't seem to be working correctly =
|
| 66 |
|
| 67 |
+
If the plugin is activated, but XML-RPC appears to still be working ... OR ... the plugin is deactivated, but XML-RPC is not working, then it's possible that another plugin or theme function is affecting the plugin functions.
|
| 68 |
|
| 69 |
== Screenshots ==
|
| 70 |
screenshot-1.png
|
| 77 |
* Fix bugs
|
| 78 |
|
| 79 |
= 1.0.5 =
|
| 80 |
+
* Remove pingback link tag in header
|
| 81 |
+
* Add ability to fix htaccess file permission
|
| 82 |
|
| 83 |
= 1.0.6 =
|
| 84 |
* Fix warnings for htaccess permission
|
| 85 |
|
| 86 |
= 1.0.7 =
|
| 87 |
+
* Fix blank page when using W3 Total Cache and some other cache plugins
|
| 88 |
+
|
| 89 |
+
= 1.0.8 =
|
| 90 |
+
* Fix code conflict with Autoptimize plugin
|
