Disable XML-RPC-API - Version 2.1.2

Version Description


Release Info

Developer aminnz
Version 2.1.2

Code changes from version 2.1.1 to 2.1.2

admin/admin.php CHANGED
@@ -14,30 +14,116 @@ function dsxmlrpc_action_links($links) {
14
  }
15
 
16
  function dsxmlrpc_admin_notice_wpsg() {
17
- if ( ! PAnD::is_admin_notice_active( 'dsxmlrpc-wpsg-notice-forever' ) ) {
18
  return;
19
  }
20
 
21
  ?>
22
- <div data-dismissible="dsxmlrpc-wpsg-notice-forever" id="dsxmlrpc-wpsg-notice" class="notice notice-warning is-dismissible">
23
- <img src="<?=DSXMLRPC_URL?>/admin/logo-icon.png" style="float:left; margin:10px 20px 10px 10px" width="100">
24
- <h2>You can improve your website security by using WP Security Guard!</h2>
25
  <div class="dsxmlrpc-wpsg-notice-innner">
26
- <p>Brand new <strong>lightweight</strong> security plugin is ready now you can buy it with special discount offer. Use <strong style="color:green;">"xmlrpc20"</strong> promo code to get 20% off in your purchase. </p>
27
- <a class="button button-primary dsxmlrpc_button" target="_blank" href="https://neatma.com/wpsg-plugin/" >More Info</a>
28
  </div>
 
 
 
 
29
  </div>
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
30
  <style>
31
- div#dsxmlrpc-wpsg-notice {
32
- background-image: url('<?=DSXMLRPC_URL?>/admin/xmlrpc20.png');
33
- background-repeat: no-repeat;
34
- background-position: 95%;
35
- background-size: contain;
36
- height: 140px;
37
  }
38
- .dsxmlrpc_button {
39
- margin: 3px 0 15px 15px !important;
40
- transition: 500ms;
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
41
  }
42
  </style>
43
  <?php
@@ -49,9 +135,6 @@ function dsxmlrpc_admin_notice_review() {
49
  return;
50
  }
51
 
52
- if (isset($_POST['dsxmlrpc-notice-forever'])){
53
- update_option('dsxmlrpc-notice-forever','forever',false);
54
- }
55
  if ( ! PAnD::is_admin_notice_active( 'dsxmlrpc-notice-15' ) || get_option('dsxmlrpc-notice-forever') ) {
56
  return;
57
  }
14
  }
15
 
16
  function dsxmlrpc_admin_notice_wpsg() {
17
+ if ( ! PAnD::is_admin_notice_active( 'wpsg-notice-forever' ) ) {
18
  return;
19
  }
20
 
21
  ?>
22
+ <div data-dismissible="wpsg-notice-forever" id="dsxmlrpc-wpsg-notice" class="notice notice-warning is-dismissible">
23
+ <label class="gftp-plugin-name">WP Security Guard</label>
24
+ <h1>Did you know?</h1>
25
  <div class="dsxmlrpc-wpsg-notice-innner">
26
+ <p>You can improve your website security by using <strong> WP Security Guard!</strong> </p>
 
27
  </div>
28
+ <span class="dashicons dashicons-external" style="color: #2196f3;vertical-align:bottom;"></span><a href="https://neatma.com/wpsg-plugin/" target="_blank">Learn more</a>
29
+ <span class="dashicons dashicons-calendar" style="margin-left: 15px;color: #009688;vertical-align:-webkit-baseline-middle;"></span><a style="color:#009688;" class="remind-wpsg" href="#">Remind Me Later</a>
30
+ <span class="dashicons dashicons-dismiss" style="margin-left: 15px;color: #ff5722;vertical-align:-webkit-baseline-middle;"></span><a style="color:#ff5722;" class="dismiss-wpsg" href="#">Not Intrested!</a>
31
+
32
  </div>
33
+ <script type="text/javascript">
34
+ (function ($) {
35
+ //shorthand for ready event.
36
+ $(
37
+ function () {
38
+ $( 'div[data-dismissible] a.dismiss-wpsg' ).click(
39
+ function (event) {
40
+ event.preventDefault();
41
+ var $this = $( this );
42
+
43
+ var attr_value, option_name, dismissible_length, data;
44
+
45
+ attr_value = $this.parent().attr( 'data-dismissible' ).split( '-' );
46
+ console.log(attr_value);
47
+ // remove the dismissible length from the attribute value and rejoin the array.
48
+ dismissible_length = attr_value.pop();
49
+
50
+ option_name = attr_value.join( '-' );
51
+
52
+ data = {
53
+ 'action': 'dismiss_admin_notice',
54
+ 'option_name': option_name,
55
+ 'dismissible_length': dismissible_length,
56
+ 'nonce': dismissible_notice.nonce
57
+ };
58
+
59
+ // We can also pass the url value separately from ajaxurl for front end AJAX implementations
60
+ $.post( ajaxurl, data );
61
+ $this.parent().addClass('hide');
62
+ }
63
+ );
64
+ }
65
+
66
+
67
+
68
+ )
69
+ $(
70
+ function () {
71
+ $( 'div[data-dismissible] a.remind-wpsg' ).click(
72
+ function (event) {
73
+ event.preventDefault();
74
+ var $this = $( this );
75
+
76
+ var attr_value, option_name, data;
77
+
78
+ attr_value = $this.parent().attr( 'data-dismissible' ).split( '-' );
79
+ // remove the dismissible length from the attribute value and rejoin the array.
80
+
81
+
82
+ option_name = attr_value.join( '-' );
83
+
84
+ data = {
85
+ 'action': 'dismiss_admin_notice',
86
+ 'option_name': option_name,
87
+ 'dismissible_length': 10,
88
+ 'nonce': dismissible_notice.nonce
89
+ };
90
+
91
+ // We can also pass the url value separately from ajaxurl for front end AJAX implementations
92
+ $.post( ajaxurl, data );
93
+ $this.parent().addClass('hide');
94
+ }
95
+ );
96
+ }
97
+ )
98
+
99
+ }(jQuery));
100
+ </script>
101
  <style>
102
+ #dsxmlrpc-wpsg-notice.hide,#dsxmlrpc-wpsg-notice .notice-dismiss {
103
+ display:none;
 
 
 
 
104
  }
105
+ #dsxmlrpc-wpsg-notice a{
106
+ color: #2196f3;
107
+ vertical-align: sub;
108
+ }
109
+ #dsxmlrpc-wpsg-notice label.gftp-plugin-name {
110
+ background: #4caf50;
111
+ color: #fff;
112
+ padding: 2px 10px;
113
+ position: absolute;
114
+ top: auto;
115
+ bottom: 100%;
116
+ right: 15px;
117
+ -moz-border-radius: 0 0 3px 3px;
118
+ -webkit-border-radius: 0 0 3px 3px;
119
+ border-radius: 4px 4px 0px 0px;
120
+ left: auto;
121
+ font-size: 12px;
122
+ font-weight: bold;
123
+ cursor: auto;
124
+ }
125
+ div#dsxmlrpc-wpsg-notice {
126
+ padding: 10px 15px;
127
  }
128
  </style>
129
  <?php
135
  return;
136
  }
137
 
 
 
 
138
  if ( ! PAnD::is_admin_notice_active( 'dsxmlrpc-notice-15' ) || get_option('dsxmlrpc-notice-forever') ) {
139
  return;
140
  }
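Review bot: The "Remind Me Later" handler in `dsxmlrpc_admin_notice_wpsg` never strips the dismissal length from the `data-dismissible` value, so it posts `option_name` as `wpsg-notice-forever` while the display check `PAnD::is_admin_notice_active( 'wpsg-notice-forever' )` appears to look up the rejoined key `wpsg-notice` (the dismiss handler and the `delete_option( 'pand-' . md5('wpsg-notice') )` calls elsewhere in this release use that key), which means the 10-day record is written under a key nobody reads and the notice returns on the next page load. The comment after the `split( '-' )` says the length is removed, but unlike the dismiss handler there is no pop; add `dismissible_length = attr_value.pop();` (or a bare `attr_value.pop();`) before `option_name = attr_value.join( '-' );`. The `console.log(attr_value);` left in the dismiss handler should be removed before shipping. The link text `Not Intrested!` should read `Not Interested!`.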
admin/xmlrpc20.png DELETED
Binary file
disable-xml-rpc-api.php CHANGED
@@ -3,8 +3,8 @@
3
  Plugin Name: Disable XML-RPC-API
4
  Plugin URI: https://neatma.com/dsxmlrpc-plugin/
5
  Description: Lightweight plugin to disable XML-RPC API and Pingbacks,Trackbacks for faster and more secure website.
6
- Version: 2.1.1
7
- Tested up to: 5.8
8
  Requires at least: 3.5
9
  Author: Neatma
10
  Author URI: https://neatma.com/
@@ -14,7 +14,7 @@ License: GPLv2
14
  //
15
  // Exit if accessed directly.
16
  if ( ! defined( 'ABSPATH' ) ) {
17
- exit;
18
  }
19
 
20
  define('DSXMLRPC_FILE', plugin_dir_path(__FILE__));
@@ -45,7 +45,7 @@ function dsxmlrpc_get_option($option){
45
  }
46
 
47
  //
48
- // Fix IP list
49
  function dsxmlrpc_fix_ip($type){
50
  if (!dsxmlrpc_get_option($type)) return;
51
  $ip_list = dsxmlrpc_get_option($type);
@@ -55,10 +55,10 @@ function dsxmlrpc_fix_ip($type){
55
  $ip = trim($ip);
56
  if(!filter_var( $ip, FILTER_VALIDATE_IP ) === false){
57
  if ($type == 'White-list-IPs') {
58
- return "Allow from ".$ip. "\n";
59
  } elseif ($type == 'Black-list-IPs') {
60
- return "Deny from ".$ip. "\n";
61
-
62
  }
63
  }
64
  }
@@ -68,25 +68,30 @@ function dsxmlrpc_fix_ip($type){
68
 
69
  //
70
  // Fix htaccess permissions
71
- function dsxmlrpc_file_chmod() {
72
- $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
73
- chmod($htaccess_file, 0755);
 
 
74
 
75
  }
 
76
  //
77
  // Fix htaccess permissions
78
- function dsxmlrpc_file_protect() {
79
- $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
 
80
  chmod($htaccess_file, 0444);
 
81
  }
82
 
83
 
84
  //
85
  // Disable access to xmlrpc.php completely with .htaccess file
86
-
87
  function dsxmlrpc_add_htaccess() {
88
  global $current_screen;
89
  if ( $current_screen->id == 'toplevel_page_Security Settings' || $current_screen->id == 'plugins' ) {
 
90
 
91
  if (dsxmlrpc_get_option('jetpack-switcher')) {
92
  $jp_allowed_ips = '
@@ -104,24 +109,24 @@ Allow from 192.0.102.95/32';
104
  } else {
105
  $jp_allowed_ips = '';
106
  }
107
-
108
 
109
  if (!dsxmlrpc_get_option('dsxmlrpc-switcher') ) {
110
 
111
- $dsxmlrpc_allowed_ips = dsxmlrpc_fix_ip('White-list-IPs') . $jp_allowed_ips;
112
  $htaccess_code =
113
  '<Files xmlrpc.php>
114
- order deny,allow
115
  deny from all
116
  '.$dsxmlrpc_allowed_ips.'
117
  </Files>
118
  ';
119
  } else {
120
-
121
  $dsxmlrpc_disallowed_ips = dsxmlrpc_fix_ip('Black-list-IPs');
122
  $htaccess_code =
123
  '<Files xmlrpc.php>
124
- order allow,deny
125
  allow from all
126
  '.$dsxmlrpc_disallowed_ips.'
127
  </Files>
@@ -129,8 +134,8 @@ allow from all
129
  }
130
  dsxmlrpc_file_chmod();
131
  insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-API', $htaccess_code);
132
- dsxmlrpc_file_protect();
133
-
134
  }
135
  } add_action('admin_head', 'dsxmlrpc_add_htaccess' );
136
 
@@ -147,40 +152,58 @@ function dsxmlrpc_remove_htaccess($plugin) {
147
  if(!is_writable ($htaccess_file) ) {
148
  dsxmlrpc_file_chmod();
149
  insert_with_markers($htaccess_file, 'DS-XML-RPC-API', '');
150
- dsxmlrpc_file_protect();
151
  } else {
152
  insert_with_markers($htaccess_file, 'DS-XML-RPC-API', '');
153
- dsxmlrpc_file_protect();
154
- }
 
 
155
  }
156
  add_action( 'deactivated_plugin' , 'dsxmlrpc_remove_htaccess', 10, 2);
157
 
158
  //
159
- // unistallation actions
160
  function dsxmlrpc_uninstall_action(){
161
  delete_option( 'dsxmlrpc-settings' );
162
- delete_option('dsxmlrpc-notice-forever');
163
-
 
164
  }
165
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
166
 
167
  //
168
- // Disable XML-RPC Methods
169
  function dsxmlrpc_dis_methods($xmlrpc) {
170
- $methods = dsxmlrpc_get_option('disabled-methods');
171
  foreach($methods as $method) {
172
-
173
  unset( $xmlrpc[$method] );
174
  } return $xmlrpc;
175
-
176
  }
177
- if (dsxmlrpc_get_option('dsxmlrpc-switcher')){
178
  add_filter( 'xmlrpc_methods', 'dsxmlrpc_dis_methods' );
179
- }
 
180
 
181
 
182
-
183
- //
184
  // Get XML-RPC Disabled Methods
185
  function dsxmlrpc_get_methods($method) {
186
  $option = dsxmlrpc_get_option('disabled-methods');
@@ -189,51 +212,50 @@ function dsxmlrpc_get_methods($method) {
189
  }
190
 
191
  }
192
-
193
-
194
 
195
 
 
196
  function dsxmlrpc_X_pingback_header( $headers ) {
197
  unset( $headers['X-Pingback'] );
198
  return $headers;
199
  }
200
 
201
-
202
  $dsxmlrpc_disabled_methods = dsxmlrpc_get_option('disabled-methods');
203
  if (is_array($dsxmlrpc_disabled_methods)) {
204
  if(dsxmlrpc_get_option('dsxmlrpc-switcher') && array_search('x-pingback',$dsxmlrpc_disabled_methods)) {
205
  add_filter( 'wp_headers', 'dsxmlrpc_X_pingback_header' );
206
  add_filter('pings_open', '__return_false', PHP_INT_MAX);
207
- }
208
  }
209
 
210
 
211
  if( !empty(dsxmlrpc_get_option('xmlrpc-slug')) && dsxmlrpc_get_option('dsxmlrpc-switcher')){
212
-
213
  add_action('wp_loaded', 'dsxmlrpc_xmlrpc_rename_wp_loaded');
214
-
215
  }
216
 
217
 
218
- // Rename the XML-RPC
219
  function dsxmlrpc_xmlrpc_rename_wp_loaded(){
220
-
221
  $page = dsxmlrpc_cur_page();
222
-
223
  if ($page === 'xmlrpc.php') {
224
  $header_one = apply_filters('dsxmlrpc_header_1', 'HTTP/1.0 404 Not Found');
225
  $header_two = apply_filters('dsxmlrpc_header_2', 'Status: 404 Not Found');
226
-
227
  header($header_one);
228
  header($header_two);
229
-
230
  exit();
231
  }
232
 
233
  if($page !== dsxmlrpc_get_option('xmlrpc-slug')){
234
  return false;
235
  }
236
-
237
  @define('NO_CACHE', true);
238
  @define('WTC_IN_MINIFY', true);
239
  @define('WP_CACHE', false);
@@ -242,27 +264,27 @@ function dsxmlrpc_xmlrpc_rename_wp_loaded(){
242
  error_reporting(E_ERROR | E_CORE_ERROR | E_COMPILE_ERROR);
243
 
244
  include ABSPATH.'/xmlrpc.php';
245
-
246
  exit();
247
-
248
  }
249
 
250
  // Find the page being accessed
251
  function dsxmlrpc_cur_page(){
252
-
253
  $blog_url = trailingslashit(get_bloginfo('url'));
254
-
255
  // Build the Current URL
256
  $url = (is_ssl() ? 'https://' : 'http://').$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
257
-
258
  if(is_ssl() && preg_match('/^http\:/is', $blog_url)){
259
  $blog_url = substr_replace($blog_url, 's', 4, 0);
260
  }
261
-
262
  // The relative URL to the Blog URL
263
  $req = str_replace($blog_url, '', $url);
264
  $req = str_replace('index.php/', '', $req);
265
-
266
  // We dont need the args
267
  $parts = explode('?', $req, 2);
268
  $relative = basename($parts[0]);
@@ -273,13 +295,13 @@ function dsxmlrpc_cur_page(){
273
  $page = end($tmp);
274
 
275
  return $page;
276
-
277
  }
278
 
279
  //
280
- // Speed Up wordprees
281
 
282
- /* remove emoji */
283
  if ( dsxmlrpc_get_option('remove-emojis') ) {
284
  remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
285
  remove_action( 'wp_print_styles', 'print_emoji_styles' );
@@ -289,7 +311,7 @@ function dsxmlrpc_cur_page(){
289
  remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
290
  remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
291
  }
292
- /* slow heartbeat */
293
  if ( dsxmlrpc_get_option('slow-heartbeat') ) {
294
  add_filter( 'heartbeat_settings', 'dsxmlrpc_slow_heartbeat' );
295
  }
@@ -310,6 +332,7 @@ function dsxmlrpc_cur_page(){
310
  add_action('do_feed_rss2_comments', 'dsxmlrpc_disable_feed', 1);
311
  add_action('do_feed_atom_comments', 'dsxmlrpc_disable_feed', 1);
312
  }
 
313
  if ( dsxmlrpc_get_option('json-rest-api') ) {
314
  add_filter( 'rest_authentication_errors', function( $result ) {
315
  if ( ! empty( $result ) ) {
@@ -322,34 +345,33 @@ function dsxmlrpc_cur_page(){
322
  });
323
  }
324
 
 
325
  if ( dsxmlrpc_get_option('disable-wlw') ) {
326
  remove_action( 'wp_head', 'wlwmanifest_link' );
327
  }
328
  /* disable built-in file editor */
329
- if ( dsxmlrpc_get_option('disable-code-editor') ) {
330
  define( 'DISALLOW_FILE_EDIT', true );
331
  }
332
  /* disable oEmbed for youtube */
333
  if ( dsxmlrpc_get_option('disable-oembed') ) {
334
  add_action( 'wp_footer', 'dsxmlrpc_disable_oembed', 11 );
335
  }
336
- /* Remove the WordPress version info url parameter. */
337
  if ( dsxmlrpc_get_option('remove-wp-ver') ) {
338
  remove_action( 'wp_head', 'wp_generator' );
339
  add_filter( 'script_loader_src', 'dsxmlrpc_remove_ver_param' );
340
  add_filter( 'style_loader_src', 'dsxmlrpc_remove_ver_param' );
341
  }
342
- /* Fix Hotlink in images. */
343
- if ( dsxmlrpc_get_option('hotlink-fix') ) {
344
- add_action('admin_init', 'dsxmlrpc_hotlinkfix' );
345
- }
346
  /**
347
  * Remove the WordPress version info url parameter.
348
  */
349
  function dsxmlrpc_remove_ver_param( $url ) {
350
  return remove_query_arg( 'ver', $url );
351
  }
352
-
353
  function dsxmlrpc_slow_heartbeat( $settings ) {
354
  $settings['interval'] = 60;
355
  return $settings;
@@ -358,16 +380,18 @@ function dsxmlrpc_cur_page(){
358
  /**
359
  * Dequeue the oEmbed script.
360
  */
361
- function dsxmlrpc_disable_oembed() {
362
- wp_dequeue_script( 'wp-embed' );
363
  }
364
-
365
-
366
-
367
- function dsxmlrpc_hotlinkfix() {
368
-
369
- $home_url = get_home_url();
370
 
 
 
 
 
 
 
 
 
371
  $htaccess_code = '
372
  RewriteEngine on
373
  RewriteCond %{HTTP_REFERER} !^$
@@ -377,6 +401,10 @@ RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L] ';
377
 
378
  dsxmlrpc_file_chmod();
379
  insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-FIX-HOTLINK', $htaccess_code);
380
- dsxmlrpc_file_protect();
381
-
382
- }
 
 
 
 
3
  Plugin Name: Disable XML-RPC-API
4
  Plugin URI: https://neatma.com/dsxmlrpc-plugin/
5
  Description: Lightweight plugin to disable XML-RPC API and Pingbacks,Trackbacks for faster and more secure website.
6
+ Version: 2.1.2
7
+ Tested up to: 5.9
8
  Requires at least: 3.5
9
  Author: Neatma
10
  Author URI: https://neatma.com/
14
  //
15
  // Exit if accessed directly.
16
  if ( ! defined( 'ABSPATH' ) ) {
17
+ exit;
18
  }
19
 
20
  define('DSXMLRPC_FILE', plugin_dir_path(__FILE__));
45
  }
46
 
47
  //
48
+ // Fix IP list
49
  function dsxmlrpc_fix_ip($type){
50
  if (!dsxmlrpc_get_option($type)) return;
51
  $ip_list = dsxmlrpc_get_option($type);
55
  $ip = trim($ip);
56
  if(!filter_var( $ip, FILTER_VALIDATE_IP ) === false){
57
  if ($type == 'White-list-IPs') {
58
+ return "Allow from ".$ip. "\n";
59
  } elseif ($type == 'Black-list-IPs') {
60
+ return "Deny from ".$ip. "\n";
61
+
62
  }
63
  }
64
  }
68
 
69
  //
70
  // Fix htaccess permissions
71
+ function dsxmlrpc_file_chmod() {
72
+ $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
73
+ if (!is_writable($htaccess_file)){
74
+ chmod($htaccess_file, 0644);
75
+ }
76
 
77
  }
78
+
79
  //
80
  // Fix htaccess permissions
81
+ function dsxmlrpc_file_protect() {
82
+ $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
83
+ if (is_writable($htaccess_file)){
84
  chmod($htaccess_file, 0444);
85
+ }
86
  }
87
 
88
 
89
  //
90
  // Disable access to xmlrpc.php completely with .htaccess file
 
91
  function dsxmlrpc_add_htaccess() {
92
  global $current_screen;
93
  if ( $current_screen->id == 'toplevel_page_Security Settings' || $current_screen->id == 'plugins' ) {
94
+ dsxmlrpc_hotlinkfix();
95
 
96
  if (dsxmlrpc_get_option('jetpack-switcher')) {
97
  $jp_allowed_ips = '
109
  } else {
110
  $jp_allowed_ips = '';
111
  }
112
+
113
 
114
  if (!dsxmlrpc_get_option('dsxmlrpc-switcher') ) {
115
 
116
+ $dsxmlrpc_allowed_ips = dsxmlrpc_fix_ip('White-list-IPs') . $jp_allowed_ips;
117
  $htaccess_code =
118
  '<Files xmlrpc.php>
119
+ order deny,allow
120
  deny from all
121
  '.$dsxmlrpc_allowed_ips.'
122
  </Files>
123
  ';
124
  } else {
125
+
126
  $dsxmlrpc_disallowed_ips = dsxmlrpc_fix_ip('Black-list-IPs');
127
  $htaccess_code =
128
  '<Files xmlrpc.php>
129
+ order allow,deny
130
  allow from all
131
  '.$dsxmlrpc_disallowed_ips.'
132
  </Files>
134
  }
135
  dsxmlrpc_file_chmod();
136
  insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-API', $htaccess_code);
137
+ dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
138
+
139
  }
140
  } add_action('admin_head', 'dsxmlrpc_add_htaccess' );
141
 
152
  if(!is_writable ($htaccess_file) ) {
153
  dsxmlrpc_file_chmod();
154
  insert_with_markers($htaccess_file, 'DS-XML-RPC-API', '');
155
+ dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
156
  } else {
157
  insert_with_markers($htaccess_file, 'DS-XML-RPC-API', '');
158
+ dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
159
+ }
160
+ delete_option( 'pand-' . md5('wpsg-notice') );
161
+ delete_option( 'pand-' . md5('dsxmlrpc-notice') );
162
  }
163
  add_action( 'deactivated_plugin' , 'dsxmlrpc_remove_htaccess', 10, 2);
164
 
165
  //
166
+ // Unistallation actions
167
  function dsxmlrpc_uninstall_action(){
168
  delete_option( 'dsxmlrpc-settings' );
169
+ delete_option('pand-' . md5('wpsg-notice') );
170
+ delete_option('pand-' . md5('dsxmlrpc-notice') );
171
+
172
  }
173
 
174
+ //
175
+ // Update actions
176
+ function dsxmlrpc_after_update( $upgrader_object, $options ) {
177
+ $current_plugin_path_name = plugin_basename( __FILE__ );
178
+
179
+ if ($options['action'] == 'update' && $options['type'] == 'plugin' ) {
180
+ foreach($options['plugins'] as $each_plugin) {
181
+ if ($each_plugin==$current_plugin_path_name) {
182
+ delete_option('pand-' . md5('wpsg-notice') );
183
+ delete_option('pand-' . md5('dsxmlrpc-notice') );
184
+ }
185
+ }
186
+ }
187
+ }
188
+ add_action('upgrader_process_complete', 'dsxmlrpc_after_update',10, 2);
189
 
190
  //
191
+ // Disable XML-RPC Methods
192
  function dsxmlrpc_dis_methods($xmlrpc) {
193
+ $methods = dsxmlrpc_get_option('disabled-methods');
194
  foreach($methods as $method) {
195
+
196
  unset( $xmlrpc[$method] );
197
  } return $xmlrpc;
198
+
199
  }
200
+ if (dsxmlrpc_get_option('dsxmlrpc-switcher')){
201
  add_filter( 'xmlrpc_methods', 'dsxmlrpc_dis_methods' );
202
+ }
203
+
204
 
205
 
206
+ //
 
207
  // Get XML-RPC Disabled Methods
208
  function dsxmlrpc_get_methods($method) {
209
  $option = dsxmlrpc_get_option('disabled-methods');
212
  }
213
 
214
  }
 
 
215
 
216
 
217
+ // Remove x-pingback from header
218
  function dsxmlrpc_X_pingback_header( $headers ) {
219
  unset( $headers['X-Pingback'] );
220
  return $headers;
221
  }
222
 
223
+ // Remove selected methods from xml rpc
224
  $dsxmlrpc_disabled_methods = dsxmlrpc_get_option('disabled-methods');
225
  if (is_array($dsxmlrpc_disabled_methods)) {
226
  if(dsxmlrpc_get_option('dsxmlrpc-switcher') && array_search('x-pingback',$dsxmlrpc_disabled_methods)) {
227
  add_filter( 'wp_headers', 'dsxmlrpc_X_pingback_header' );
228
  add_filter('pings_open', '__return_false', PHP_INT_MAX);
229
+ }
230
  }
231
 
232
 
233
  if( !empty(dsxmlrpc_get_option('xmlrpc-slug')) && dsxmlrpc_get_option('dsxmlrpc-switcher')){
234
+
235
  add_action('wp_loaded', 'dsxmlrpc_xmlrpc_rename_wp_loaded');
236
+
237
  }
238
 
239
 
240
+ // Rename the XML-RPC
241
  function dsxmlrpc_xmlrpc_rename_wp_loaded(){
242
+
243
  $page = dsxmlrpc_cur_page();
244
+
245
  if ($page === 'xmlrpc.php') {
246
  $header_one = apply_filters('dsxmlrpc_header_1', 'HTTP/1.0 404 Not Found');
247
  $header_two = apply_filters('dsxmlrpc_header_2', 'Status: 404 Not Found');
248
+
249
  header($header_one);
250
  header($header_two);
251
+
252
  exit();
253
  }
254
 
255
  if($page !== dsxmlrpc_get_option('xmlrpc-slug')){
256
  return false;
257
  }
258
+
259
  @define('NO_CACHE', true);
260
  @define('WTC_IN_MINIFY', true);
261
  @define('WP_CACHE', false);
264
  error_reporting(E_ERROR | E_CORE_ERROR | E_COMPILE_ERROR);
265
 
266
  include ABSPATH.'/xmlrpc.php';
267
+
268
  exit();
269
+
270
  }
271
 
272
  // Find the page being accessed
273
  function dsxmlrpc_cur_page(){
274
+
275
  $blog_url = trailingslashit(get_bloginfo('url'));
276
+
277
  // Build the Current URL
278
  $url = (is_ssl() ? 'https://' : 'http://').$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
279
+
280
  if(is_ssl() && preg_match('/^http\:/is', $blog_url)){
281
  $blog_url = substr_replace($blog_url, 's', 4, 0);
282
  }
283
+
284
  // The relative URL to the Blog URL
285
  $req = str_replace($blog_url, '', $url);
286
  $req = str_replace('index.php/', '', $req);
287
+
288
  // We dont need the args
289
  $parts = explode('?', $req, 2);
290
  $relative = basename($parts[0]);
295
  $page = end($tmp);
296
 
297
  return $page;
298
+
299
  }
300
 
301
  //
302
+ // Speed Up wordprees
303
 
304
+ /* remove emoji */
305
  if ( dsxmlrpc_get_option('remove-emojis') ) {
306
  remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
307
  remove_action( 'wp_print_styles', 'print_emoji_styles' );
311
  remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
312
  remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
313
  }
314
+ /* slow down the heartbeat */
315
  if ( dsxmlrpc_get_option('slow-heartbeat') ) {
316
  add_filter( 'heartbeat_settings', 'dsxmlrpc_slow_heartbeat' );
317
  }
332
  add_action('do_feed_rss2_comments', 'dsxmlrpc_disable_feed', 1);
333
  add_action('do_feed_atom_comments', 'dsxmlrpc_disable_feed', 1);
334
  }
335
+ /* Disable wp-json rest api */
336
  if ( dsxmlrpc_get_option('json-rest-api') ) {
337
  add_filter( 'rest_authentication_errors', function( $result ) {
338
  if ( ! empty( $result ) ) {
345
  });
346
  }
347
 
348
+ /* remove wlw from manifest */
349
  if ( dsxmlrpc_get_option('disable-wlw') ) {
350
  remove_action( 'wp_head', 'wlwmanifest_link' );
351
  }
352
  /* disable built-in file editor */
353
+ if ( dsxmlrpc_get_option('disable-code-editor') && !defined('DISALLOW_FILE_EDIT') ) {
354
  define( 'DISALLOW_FILE_EDIT', true );
355
  }
356
  /* disable oEmbed for youtube */
357
  if ( dsxmlrpc_get_option('disable-oembed') ) {
358
  add_action( 'wp_footer', 'dsxmlrpc_disable_oembed', 11 );
359
  }
360
+ /* Remove the WordPress version info url parameter. */
361
  if ( dsxmlrpc_get_option('remove-wp-ver') ) {
362
  remove_action( 'wp_head', 'wp_generator' );
363
  add_filter( 'script_loader_src', 'dsxmlrpc_remove_ver_param' );
364
  add_filter( 'style_loader_src', 'dsxmlrpc_remove_ver_param' );
365
  }
366
+
367
+
 
 
368
  /**
369
  * Remove the WordPress version info url parameter.
370
  */
371
  function dsxmlrpc_remove_ver_param( $url ) {
372
  return remove_query_arg( 'ver', $url );
373
  }
374
+ /* Slow down the wordpress hearbeat */
375
  function dsxmlrpc_slow_heartbeat( $settings ) {
376
  $settings['interval'] = 60;
377
  return $settings;
380
  /**
381
  * Dequeue the oEmbed script.
382
  */
383
+ function dsxmlrpc_disable_oembed() {
384
+ wp_dequeue_script( 'wp-embed' );
385
  }
 
 
 
 
 
 
386
 
387
+
388
+ /**
389
+ * Fix hotlink issue.
390
+ */
391
+ function dsxmlrpc_hotlinkfix() {
392
+ if ( dsxmlrpc_get_option('hotlink-fix') ) {
393
+
394
+ $home_url = get_home_url();
395
  $htaccess_code = '
396
  RewriteEngine on
397
  RewriteCond %{HTTP_REFERER} !^$
401
 
402
  dsxmlrpc_file_chmod();
403
  insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-FIX-HOTLINK', $htaccess_code);
404
+ dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
405
+ } else {
406
+ dsxmlrpc_file_chmod();
407
+ insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-FIX-HOTLINK', '');
408
+ dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
409
+ }
410
+ }
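Review bot: The write path in `dsxmlrpc_add_htaccess` (and likewise in `dsxmlrpc_remove_htaccess` and `dsxmlrpc_hotlinkfix`) ignores the results of `chmod()` and `insert_with_markers()`; with the new 'htaccess protection' option leaving the file at 0444, a `chmod` that fails (file not owned by the PHP user, for example) makes `insert_with_markers` fail silently, so the xmlrpc.php block is never written while the settings screen still reports it enabled. Check the return value and surface it, e.g. `if ( ! insert_with_markers( DSXMLRPC_HOME_PATH . '.htaccess', 'DS-XML-RPC-API', $htaccess_code ) ) { error_log( 'DS-XML-RPC-API: could not write .htaccess rules' ); }`. The ternary-as-statement `dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;`, repeated in four places, reads better as `if ( dsxmlrpc_get_option('htaccess protection') ) { dsxmlrpc_file_protect(); }`, ideally in one small helper. In `dsxmlrpc_after_update`, `$options['action']`, `$options['type']` and `$options['plugins']` are read without `isset`; as far as I recall a single-plugin update passes `plugin` rather than `plugins` in the hook extra, which would make the `foreach` warn, so guard with `isset( $options['plugins'] ) && is_array( $options['plugins'] )`. Several of these functions start or end outside the hunks shown.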
lib/admin-notices/persist-admin-notices-dismissal.php CHANGED
@@ -1,9 +1,8 @@
1
  <?php
2
-
3
  /**
4
  * Persist Admin notices Dismissal
5
  *
6
- * Copyright (C) 2016 Collins Agbonghama <http://w3guy.com>
7
  *
8
  * This program is free software: you can redistribute it and/or modify
9
  * it under the terms of the GNU General Public License as published by
@@ -19,8 +18,7 @@
19
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
20
  *
21
  * @package Persist Admin notices Dismissal
22
- * @author Collins Agbonghama
23
- * @author Andy Fragen
24
  * @license http://www.gnu.org/licenses GNU General Public License
25
  */
26
 
@@ -107,12 +105,12 @@ if ( ! class_exists( 'PAnD' ) ) {
107
  * Uses check_ajax_referer to verify nonce.
108
  */
109
  public static function dismiss_admin_notice() {
110
- $option_name = sanitize_text_field( $_POST['option_name'] );
111
- $dismissible_length = sanitize_text_field( $_POST['dismissible_length'] );
112
 
113
- if ( 'forever' != $dismissible_length ) {
114
- // If $dismissible_length is not an integer default to 1
115
- $dismissible_length = ( 0 == absint( $dismissible_length ) ) ? 1 : $dismissible_length;
116
  $dismissible_length = strtotime( absint( $dismissible_length ) . ' days' );
117
  }
118
 
@@ -134,7 +132,7 @@ if ( ! class_exists( 'PAnD' ) ) {
134
  $option_name = implode( '-', $array );
135
  $db_record = self::get_admin_notice_cache( $option_name );
136
 
137
- if ( 'forever' == $db_record ) {
138
  return false;
139
  } elseif ( absint( $db_record ) >= time() ) {
140
  return false;
1
  <?php
 
2
  /**
3
  * Persist Admin notices Dismissal
4
  *
5
+ * Copyright (C) 2016 Collins Agbonghama <https://w3guy.com>
6
  *
7
  * This program is free software: you can redistribute it and/or modify
8
  * it under the terms of the GNU General Public License as published by
18
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
19
  *
20
  * @package Persist Admin notices Dismissal
21
+ * @author Collins Agbonghama, Andy Fragen
 
22
  * @license http://www.gnu.org/licenses GNU General Public License
23
  */
24
 
105
  * Uses check_ajax_referer to verify nonce.
106
  */
107
  public static function dismiss_admin_notice() {
108
+ $option_name = isset( $_POST['option_name'] ) ? sanitize_text_field( wp_unslash( $_POST['option_name'] ) ) : '';
109
+ $dismissible_length = isset( $_POST['dismissible_length'] ) ? sanitize_text_field( wp_unslash( $_POST['dismissible_length'] ) ) : 0;
110
 
111
+ if ( 'forever' !== $dismissible_length ) {
112
+ // If $dismissible_length is not an integer default to 1.
113
+ $dismissible_length = ( 0 === absint( $dismissible_length ) ) ? 1 : $dismissible_length;
114
  $dismissible_length = strtotime( absint( $dismissible_length ) . ' days' );
115
  }
116
 
132
  $option_name = implode( '-', $array );
133
  $db_record = self::get_admin_notice_cache( $option_name );
134
 
135
+ if ( 'forever' === $db_record ) {
136
  return false;
137
  } elseif ( absint( $db_record ) >= time() ) {
138
  return false;
lib/skelet/framework.config.php CHANGED
@@ -234,7 +234,14 @@ Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximate
234
  'id' => 'json-rest-api',
235
  'type' => 'switcher',
236
  'title' => 'Disable JSON REST API',
237
- 'desc' => 'disable the JSON REST API for logged out users',
 
 
 
 
 
 
 
238
  'default' => false,
239
  ),
240
  array(
234
  'id' => 'json-rest-api',
235
  'type' => 'switcher',
236
  'title' => 'Disable JSON REST API',
237
+ 'desc' => 'disable the JSON REST API for not logged in users',
238
+ 'default' => false,
239
+ ),
240
+ array(
241
+ 'id' => 'htaccess protection',
242
+ 'type' => 'switcher',
243
+ 'title' => 'Disable writing in htaccess file',
244
+ 'desc' => 'Protect your website by changing htaccess file permission to read-only (0444)',
245
  'default' => false,
246
  ),
247
  array(
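Review bot: The new option's `desc` promises a read-only (0444) .htaccess, but the plugin's own write path resets the file to a writable mode with `dsxmlrpc_file_chmod()` before every write and only re-protects afterwards, so the file is writable during each plugins/settings screen load and "Disable writing in htaccess file" overstates what the switch does. A description closer to the behaviour would be `'desc' => 'After the plugin writes its rules, set the .htaccess file permission back to read-only (0444)',`. The id `'htaccess protection'` contains a space while every sibling id visible here uses kebab-case (`'json-rest-api'`); a kebab-case id such as `'htaccess-protection'` would be consistent, but changing it means updating every `dsxmlrpc_get_option('htaccess protection')` caller at the same time.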
readme.txt CHANGED
@@ -4,9 +4,9 @@ Plugin Name: Disable XML-RPC-API
4
  Plugin URI: https://neatma.com
5
  Contributors: aminnz,neatmarketing
6
  Description: Simple plugin to disable XML-RPC API and X-Pingback for faster and more secure website.
7
- Tags: disable xml-rpc, disable xmlrpc,remove xmlrpc, XML-RPC, pingback, stop brute force attacks
8
- Version: 2.1.0
9
- Tested up to: 5.8
10
  Requires at least: 3.5
11
  Author: Neatma
12
  Author URI: https://neatma.com
@@ -137,4 +137,9 @@ screenshot-2.jpg
137
 
138
  = 2.1.1 =
139
  * Add new feature fix hotlinks
140
- * Change notif timing
 
 
 
 
 
4
  Plugin URI: https://neatma.com
5
  Contributors: aminnz,neatmarketing
6
  Description: Simple plugin to disable XML-RPC API and X-Pingback for faster and more secure website.
7
+ Tags: disable xml-rpc, xmlrpc, disable xmlrpc,remove xmlrpc, XML-RPC, pingback, stop brute force attacks
8
+ Version: 2.1.2
9
+ Tested up to: 5.9
10
  Requires at least: 3.5
11
  Author: Neatma
12
  Author URI: https://neatma.com
137
 
138
  = 2.1.1 =
139
  * Add new feature fix hotlinks
140
+ * Change notif timing
141
+
142
+ = 2.1.2 =
143
+ * Add an option to disable auto change htaccess permission
144
+ * Fix "DISALLOW_FILE_EDIT" warning
145
+ * Wordpress 5.8 compatibility