Disable XML-RPC-API - Version 2.1.4

Version Description

  • Fix some minor bugs
  • Refactor the entire codebase
  • Add a fallback function for situations where .htaccess is not working

Release Info

Developer aminnz
Version 2.1.4

Code changes from version 2.1.3 to 2.1.4

admin/hire-expert.png ADDED
Binary file
admin/xmlrpc20.png ADDED
Binary file
disable-xml-rpc-api.php CHANGED
@@ -1,100 +1,181 @@
1
  <?php
2
- /*
3
- Plugin Name: Disable XML-RPC-API
4
- Plugin URI: https://neatma.com/dsxmlrpc-plugin/
5
- Description: Lightweight plugin to disable XML-RPC API and Pingbacks,Trackbacks for faster and more secure website.
6
- Version: 2.1.3
7
- Tested up to: 6.0
8
- Requires at least: 3.5
9
- Author: Neatma
10
- Author URI: https://neatma.com/
11
- License: GPLv2
12
- */
13
-
14
- //
15
- // Exit if accessed directly.
16
- if ( ! defined( 'ABSPATH' ) ) {
17
- exit;
18
  }
19
 
20
- define('DSXMLRPC_FILE', plugin_dir_path(__FILE__));
21
- define('DSXMLRPC_URL', plugin_dir_url( __FILE__ ));
22
- define('DSXMLRPC_HOME_PATH', function_exists('get_home_path') ? get_home_path() : ABSPATH);
23
- register_activation_hook( __FILE__, 'dsxmlrpc_add_htaccess' );
24
- register_uninstall_hook( __FILE__, 'dsxmlrpc_uninstall_action' );
 
25
 
26
 
 
 
27
 
28
- if ( ! class_exists( 'PAnD' ) ) {
29
- require_once(DSXMLRPC_FILE . '/lib/admin-notices/persist-admin-notices-dismissal.php');
30
- }
31
 
32
- require_once(DSXMLRPC_FILE . '/admin/admin.php');
33
- require_once (DSXMLRPC_FILE . '/lib/skelet/framework.config.php');
34
 
35
- add_action( 'admin_init', array( 'PAnD', 'init' ) );
 
36
 
 
 
37
 
38
- //
39
- // Get options
40
- function dsxmlrpc_get_option($option){
41
- $options = get_option( 'dsxmlrpc-settings' );
42
- if (isset($options[$option])){
43
- return $options[$option];
44
- }
45
- }
46
 
47
- //
48
- // Fix IP list
49
- function dsxmlrpc_fix_ip($type){
50
- if (!dsxmlrpc_get_option($type)) return;
51
- $ip_list = dsxmlrpc_get_option($type);
52
- $ips = explode(",",$ip_list);
53
- foreach ($ips as $ip)
54
- {
55
- $ip = trim($ip);
56
- if(!filter_var( $ip, FILTER_VALIDATE_IP ) === false){
57
- if ($type == 'White-list-IPs') {
58
- return "Allow from ".$ip. "\n";
59
- } elseif ($type == 'Black-list-IPs') {
60
- return "Deny from ".$ip. "\n";
61
-
62
- }
63
- }
64
- }
65
- }
66
 
 
 
 
67
 
 
 
 
 
 
 
68
 
69
- //
70
- // Fix htaccess permissions
71
- function dsxmlrpc_file_chmod() {
72
- $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
73
- if (!is_writable($htaccess_file)){
74
- chmod($htaccess_file, 0644);
75
- }
76
 
77
- }
 
 
 
 
 
 
 
 
 
78
 
79
- //
80
- // Fix htaccess permissions
81
- function dsxmlrpc_file_protect() {
82
- $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
83
- if (is_writable($htaccess_file)){
84
- chmod($htaccess_file, 0444);
85
- }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
86
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
87
 
 
 
 
 
88
 
89
- //
90
- // Disable access to xmlrpc.php completely with .htaccess file
91
- function dsxmlrpc_add_htaccess() {
92
- global $current_screen;
93
- if ( $current_screen->id == 'toplevel_page_Security Settings' || $current_screen->id == 'plugins' ) {
94
- dsxmlrpc_hotlinkfix();
95
-
96
- if (dsxmlrpc_get_option('jetpack-switcher')) {
97
- $jp_allowed_ips = '
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
98
  Allow from 122.248.245.244/32
99
  Allow from 54.217.201.243/32
100
  Allow from 54.232.116.4/32
@@ -106,328 +187,321 @@ Allow from 192.0.96.202/32
106
  Allow from 192.0.98.138/32
107
  Allow from 192.0.102.71/32
108
  Allow from 192.0.102.95/32';
109
- } else {
110
- $jp_allowed_ips = '';
111
- }
 
112
 
 
113
 
114
- if (!dsxmlrpc_get_option('dsxmlrpc-switcher') ) {
115
-
116
- $allowed_ips = dsxmlrpc_fix_ip('White-list-IPs') . $jp_allowed_ips;
117
- $htaccess_code =
118
- '<Files xmlrpc.php>
119
  order deny,allow
120
  deny from all
121
- '.$allowed_ips.'
122
  </Files>
123
  ';
124
- } else {
125
 
126
- $disallowed_ips = dsxmlrpc_fix_ip('Black-list-IPs');
127
- $htaccess_code =
128
- '<Files xmlrpc.php>
129
  order allow,deny
130
  allow from all
131
- '.$disallowed_ips.'
132
  </Files>
133
  ';
134
- }
135
- add_filter('xmlrpc_enabled', '__return_false');
136
-
137
- dsxmlrpc_file_chmod();
138
- insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-API', $htaccess_code);
139
- dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
140
-
141
- }
142
- } add_action('admin_head', 'dsxmlrpc_add_htaccess' );
143
-
144
-
145
- //
146
- // Remove with markers from files (.htaccess)
147
- function dsxmlrpc_remove_with_markers($marker, $filename){
148
- if (file_exists($filename)) {
149
- $myfile = file_get_contents($filename);
150
- $pattern = "/#.BEGIN $marker(?<=# BEGIN $marker).*(?=# END $marker)#.END $marker/sui";
151
-
152
- $result = preg_replace($pattern, '', $myfile);
153
- $result = preg_replace('/\s+$/sui', '', $result);
154
- file_put_contents($filename, $result);
155
- }
156
- }
157
-
158
- //
159
- // Remove .htaccess codes when disabled
160
- function dsxmlrpc_remove_htaccess($plugin) {
161
- if ($plugin !== 'disable-xml-rpc-api/disable-xml-rpc-api.php') {
162
- return;
163
- }
164
- $filename = DSXMLRPC_FILE . '/admin/dsxmlrpc-htaccess';
165
- $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
166
- if(!is_writable ($htaccess_file) ) {
167
- dsxmlrpc_file_chmod();
168
- dsxmlrpc_remove_with_markers('DS-XML-RPC-API', $htaccess_file);
169
- dsxmlrpc_remove_with_markers('DS-XML-RPC-FIX-HOTLINK', $htaccess_file);
170
- dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
171
- } else {
172
-
173
- dsxmlrpc_remove_with_markers('DS-XML-RPC-API', $htaccess_file);
174
- dsxmlrpc_remove_with_markers('DS-XML-RPC-FIX-HOTLINK', $htaccess_file);
175
- dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
176
- }
177
- delete_option( 'pand-' . md5('wpsg-notice') );
178
- delete_option( 'pand-' . md5('dsxmlrpc-notice') );
179
- }
180
- add_action( 'deactivated_plugin' , 'dsxmlrpc_remove_htaccess', 10, 2);
181
 
 
 
182
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
183
 
184
- //
185
- // Unistallation actions
186
- function dsxmlrpc_uninstall_action(){
187
- delete_option( 'dsxmlrpc-settings' );
188
- delete_option('pand-' . md5('wpsg-notice') );
189
- delete_option('pand-' . md5('dsxmlrpc-notice') );
 
 
 
 
190
 
191
- }
 
 
 
 
 
 
 
192
 
193
- //
194
- // Update actions
195
- function dsxmlrpc_after_update( $upgrader_object, $options ) {
196
- $current_plugin_path_name = plugin_basename( __FILE__ );
197
-
198
- if ($options['action'] == 'update' && $options['type'] == 'plugin' ) {
199
- foreach($options['plugins'] as $each_plugin) {
200
- if ($each_plugin==$current_plugin_path_name) {
201
- delete_option('pand-' . md5('wpsg-notice') );
202
- delete_option('pand-' . md5('dsxmlrpc-notice') );
203
- }
204
- }
205
  }
206
- }
207
- add_action('upgrader_process_complete', 'dsxmlrpc_after_update',10, 2);
208
 
209
- //
210
- // Disable XML-RPC Methods
211
- function dsxmlrpc_dis_methods($xmlrpc) {
212
- $methods = dsxmlrpc_get_option('disabled-methods');
213
- foreach($methods as $method) {
 
 
 
 
 
 
 
 
 
 
 
 
 
214
 
215
- unset( $xmlrpc[$method] );
216
- } return $xmlrpc;
 
 
 
 
 
 
 
 
 
 
 
 
 
217
 
218
- }
219
- if (dsxmlrpc_get_option('dsxmlrpc-switcher')){
220
- add_filter( 'xmlrpc_methods', 'dsxmlrpc_dis_methods' );
221
- }
222
 
 
 
 
 
 
 
 
 
 
 
 
223
 
 
224
 
225
- //
226
- // Get XML-RPC Disabled Methods
227
- function dsxmlrpc_get_methods($method) {
228
- $option = dsxmlrpc_get_option('disabled-methods');
229
- if(in_array($method,$option)){
230
- return array($method);
231
- }
 
 
 
232
 
233
- }
 
 
 
 
 
 
 
 
 
234
 
 
235
 
236
- // Remove x-pingback from header
237
- function dsxmlrpc_X_pingback_header( $headers ) {
238
- unset( $headers['X-Pingback'] );
239
- return $headers;
240
- }
 
241
 
242
- // Remove selected methods from xml rpc
243
- $dsxmlrpc_disabled_methods = dsxmlrpc_get_option('disabled-methods');
244
- if (is_array($dsxmlrpc_disabled_methods)) {
245
- if(dsxmlrpc_get_option('dsxmlrpc-switcher') && array_search('x-pingback',$dsxmlrpc_disabled_methods)) {
246
- add_filter( 'wp_headers', 'dsxmlrpc_X_pingback_header' );
247
- add_filter('pings_open', '__return_false', PHP_INT_MAX);
248
- }
249
- }
250
 
 
 
 
251
 
252
- if( !empty(dsxmlrpc_get_option('xmlrpc-slug')) && dsxmlrpc_get_option('dsxmlrpc-switcher')){
 
253
 
254
- add_action('wp_loaded', 'dsxmlrpc_xmlrpc_rename_wp_loaded');
255
-
256
- }
257
 
 
 
 
258
 
259
- // Rename the XML-RPC
260
- function dsxmlrpc_xmlrpc_rename_wp_loaded(){
 
261
 
262
- $page = dsxmlrpc_cur_page();
 
263
 
264
- if ($page === 'xmlrpc.php') {
265
- $header_one = apply_filters('dsxmlrpc_header_1', 'HTTP/1.0 404 Not Found');
266
- $header_two = apply_filters('dsxmlrpc_header_2', 'Status: 404 Not Found');
267
 
268
- header($header_one);
269
- header($header_two);
270
 
271
- exit();
272
- }
273
 
274
- if($page !== dsxmlrpc_get_option('xmlrpc-slug')){
275
- return false;
276
- }
 
 
 
277
 
278
- @define('NO_CACHE', true);
279
- @define('WTC_IN_MINIFY', true);
280
- @define('WP_CACHE', false);
281
 
282
- // Prevent errors from defining constants again
283
- error_reporting(E_ERROR | E_CORE_ERROR | E_COMPILE_ERROR);
284
 
285
- include ABSPATH.'/xmlrpc.php';
 
 
286
 
287
- exit();
 
 
288
 
289
- }
 
 
290
 
291
- // Find the page being accessed
292
- function dsxmlrpc_cur_page(){
 
 
293
 
294
- $blog_url = trailingslashit(get_bloginfo('url'));
295
 
296
- // Build the Current URL
297
- $url = (is_ssl() ? 'https://' : 'http://').$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
298
 
299
- if(is_ssl() && preg_match('/^http\:/is', $blog_url)){
300
- $blog_url = substr_replace($blog_url, 's', 4, 0);
301
- }
 
 
 
 
 
 
 
 
 
 
 
302
 
303
- // The relative URL to the Blog URL
304
- $req = str_replace($blog_url, '', $url);
305
- $req = str_replace('index.php/', '', $req);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
306
 
307
- // We dont need the args
308
- $parts = explode('?', $req, 2);
309
- $relative = basename($parts[0]);
 
 
 
 
310
 
311
- // Remove trailing slash
312
- $relative = rtrim($relative, '/');
313
- $tmp = explode('/', $relative, 2);
314
- $page = end($tmp);
 
 
 
 
 
 
315
 
316
- return $page;
 
 
 
 
 
 
317
 
318
- }
 
 
 
 
 
 
 
 
 
 
319
 
320
- //
321
- // Speed Up wordprees
322
-
323
- /* remove emoji */
324
- if ( dsxmlrpc_get_option('remove-emojis') ) {
325
- remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
326
- remove_action( 'wp_print_styles', 'print_emoji_styles' );
327
- remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
328
- remove_action( 'admin_print_styles', 'print_emoji_styles' );
329
- remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
330
- remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );
331
- remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
332
- }
333
- /* slow down the heartbeat */
334
- if ( dsxmlrpc_get_option('slow-heartbeat') ) {
335
- add_filter( 'heartbeat_settings', 'dsxmlrpc_slow_heartbeat' );
336
- }
337
- /* remove rss */
338
- if ( dsxmlrpc_get_option('remove-rss') ) {
339
-
340
- remove_action( 'wp_head', 'rsd_link' );
341
- remove_action( 'wp_head', 'feed_links', 2 );
342
- remove_action( 'wp_head', 'feed_links_extra', 3 );
343
- function dsxmlrpc_disable_feed() {
344
- wp_die( __('No feed available,please visit our <a href="'. get_bloginfo('url') .'">homepage</a>!') );
345
- }
346
- add_action('do_feed', 'dsxmlrpc_disable_feed', 1);
347
- add_action('do_feed_rdf', 'dsxmlrpc_disable_feed', 1);
348
- add_action('do_feed_rss', 'dsxmlrpc_disable_feed', 1);
349
- add_action('do_feed_rss2', 'dsxmlrpc_disable_feed', 1);
350
- add_action('do_feed_atom', 'dsxmlrpc_disable_feed', 1);
351
- add_action('do_feed_rss2_comments', 'dsxmlrpc_disable_feed', 1);
352
- add_action('do_feed_atom_comments', 'dsxmlrpc_disable_feed', 1);
353
- }
354
- /* Disable wp-json rest api */
355
- if ( dsxmlrpc_get_option('json-rest-api') ) {
356
- add_filter( 'rest_authentication_errors', function( $result ) {
357
- if ( ! empty( $result ) ) {
358
- return $result;
359
- }
360
- if ( ! is_user_logged_in() ) {
361
- return new WP_Error( 'restx_logged_out', 'Sorry, you must be logged in to make a request.', array( 'status' => 401 ) );
362
- }
363
- return $result;
364
- });
365
- }
366
-
367
- /* remove wlw from manifest */
368
- if ( dsxmlrpc_get_option('disable-wlw') ) {
369
- remove_action( 'wp_head', 'wlwmanifest_link' );
370
- }
371
- /* disable built-in file editor */
372
- if ( dsxmlrpc_get_option('disable-code-editor') && !defined('DISALLOW_FILE_EDIT') ) {
373
- define( 'DISALLOW_FILE_EDIT', true );
374
- }
375
- /* disable oEmbed for youtube */
376
- if ( dsxmlrpc_get_option('disable-oembed') ) {
377
- add_action( 'wp_footer', 'dsxmlrpc_disable_oembed', 11 );
378
- }
379
- /* Remove the WordPress version info url parameter. */
380
- if ( dsxmlrpc_get_option('remove-wp-ver') ) {
381
- remove_action( 'wp_head', 'wp_generator' );
382
-
383
- if (!is_admin()) {
384
- add_filter( 'script_loader_src', 'dsxmlrpc_remove_ver_param' );
385
- add_filter( 'style_loader_src', 'dsxmlrpc_remove_ver_param' );
386
- }
387
-
388
- }
389
-
390
-
391
- /**
392
- * Remove the WordPress version info url parameter.
393
- */
394
- function dsxmlrpc_remove_ver_param( $url ) {
395
- return remove_query_arg( 'ver', $url );
396
- }
397
- /* Slow down the wordpress hearbeat */
398
- function dsxmlrpc_slow_heartbeat( $settings ) {
399
- $settings['interval'] = 60;
400
- return $settings;
401
- }
402
-
403
- /**
404
- * Dequeue the oEmbed script.
405
- */
406
- function dsxmlrpc_disable_oembed() {
407
- wp_dequeue_script( 'wp-embed' );
408
- }
409
-
410
-
411
- /**
412
- * Fix hotlink issue.
413
- */
414
- function dsxmlrpc_hotlinkfix() {
415
- if ( dsxmlrpc_get_option('hotlink-fix') ) {
416
-
417
- $home_url = get_home_url();
418
- $htaccess_code = '
419
- RewriteEngine on
420
- RewriteCond %{HTTP_REFERER} !^$
421
- RewriteCond %{HTTP_REFERER} !^'. $home_url .' [NC]
422
- RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
423
- RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L] ';
424
-
425
- dsxmlrpc_file_chmod();
426
- insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-FIX-HOTLINK', $htaccess_code);
427
- dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
428
- } else {
429
- dsxmlrpc_file_chmod();
430
- insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess' , 'DS-XML-RPC-FIX-HOTLINK', '');
431
- dsxmlrpc_get_option('htaccess protection') ? dsxmlrpc_file_protect() : '' ;
432
- }
433
- }
1
  <?php
2
+
3
+ namespace dsxmlrpc;
4
+
5
+ if (!defined('ABSPATH')) {
6
+ exit;
 
 
 
 
 
 
 
 
 
 
 
7
  }
8
 
9
+ /**
10
+ * Class xmlrpcSecurity
11
+ * @package dsxmlrpc
12
+ */
13
+ class xmlrpcSecurity
14
+ {
15
 
16
 
17
+ public function __construct()
18
+ {
19
 
20
+ $disabled_methods = $this->get_option('disabled-methods');
 
 
21
 
22
+ // Activation hook
23
+ register_activation_hook(DSXMLRPC_FILE, [$this, 'add_htaccess']);
24
 
25
+ // Deactivation hook
26
+ register_deactivation_hook(DSXMLRPC_FILE, [$this, 'pluginDeactivated']);
27
 
28
+ // Uninstall hook
29
+ register_uninstall_hook(DSXMLRPC_FILE, 'uninstall_action');
30
 
31
+ add_action('admin_init', ['PAnD', 'init']);
32
+ add_filter('wp_xmlrpc_server_class', [$this, 'disable_wp_xmlrpc']);
33
+ add_action('admin_head', [$this, 'add_htaccess']);
34
+ add_action('upgrader_process_complete', [$this, 'after_update'], 10, 2);
35
+ add_action('init', [$this, 'speedUpWordpress']);
 
 
 
36
 
37
+ add_action('skelet_options_inside', [$this, 'optionsSidebar']);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
38
 
39
+ if (isset($disabled_methods) && is_array($disabled_methods)) {
40
+ add_action('init', [$this, 'removeSelectedMethods']);
41
+ }
42
 
43
+ if ($this->get_option('remove-emojis')) {
44
+ add_action('init', [$this, 'removeEmojies']);
45
+ }
46
+ if (!empty($this->get_option('xmlrpc-slug')) && $this->get_option('dsxmlrpc-switcher')) {
47
+ add_action('wp_loaded', [$this, 'xmlrpc_rename_wp_loaded']);
48
+ }
49
 
50
+ // remove rss
51
+ if ($this->get_option('remove-rss')) {
52
+ remove_action('wp_head', 'rsd_link');
53
+ remove_action('wp_head', 'feed_links', 2);
54
+ remove_action('wp_head', 'feed_links_extra', 3);
 
 
55
 
56
+ add_action('do_feed', [$this, 'disable_feed'], 1);
57
+ add_action('do_feed_rdf', [$this, 'disable_feed'], 1);
58
+ add_action('do_feed_rss', [$this, 'disable_feed'], 1);
59
+ add_action('do_feed_rss2', [$this, 'disable_feed'], 1);
60
+ add_action('do_feed_atom', [$this, 'disable_feed'], 1);
61
+ add_action('do_feed_rss2_comments', [$this, 'disable_feed'], 1);
62
+ add_action('do_feed_atom_comments', [$this, 'disable_feed'], 1);
63
+ }
64
+
65
+ }
66
 
67
+ /**
68
+ * @param $option
69
+ * @return mixed
70
+ * Get options
71
+ */
72
+ public function get_option($option)
73
+ {
74
+ $options = get_option('dsxmlrpc-settings');
75
+ if (isset($options[$option])) {
76
+ return $options[$option];
77
+ }
78
+ }
79
+
80
+ /**
81
+ * @return xmlrpcSecurity
82
+ */
83
+ static function initialize()
84
+ {
85
+ return new static();
86
+ }
87
+
88
+ function optionsSidebar()
89
+ {
90
+ $html = '<style>.skelet.skelet-options.skelet-theme-dark {
91
+ display: flex;
92
+ flex-direction: row-reverse;
93
+ }.wp-expert h2,.wp-expert p {
94
+ color: #185283;
95
+ text-align: center;
96
  }
97
+ .skelet-container {
98
+ width: 80%;
99
+ }</style>';
100
+ $html .= '<div class="wp-expert"><img alt="" src="' . DSXMLRPC_URL . '/admin/hire-expert.png" class="avatar avatar-26 photo" height="490" width="395" loading="lazy">
101
+ <a href="https://wa.me/15302173760?text=" target="_blank"><H2>Hire an WordPress expert for your site</H2><p>Click for a free consult on WhatsApp</p></a></div>';
102
+ echo $html;
103
+ }
104
+
105
+ /**
106
+ * Deactivation method
107
+ */
108
+ public function pluginDeactivated()
109
+ {
110
+ $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
111
+ $this->file_chmod();
112
+ $this->remove_with_markers('DS-XML-RPC-API', $htaccess_file);
113
 
114
+ delete_option('pand-' . md5('wpsg-notice'));
115
+ delete_option('pand-' . md5('dsxmlrpc-notice'));
116
+
117
+ }
118
 
119
+ /**
120
+ * Change htaccess permissions to writeable
121
+ */
122
+ function file_chmod()
123
+ {
124
+ $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
125
+ if (!is_writable($htaccess_file)) {
126
+ chmod($htaccess_file, 0644);
127
+ }
128
+
129
+ }
130
+
131
+ /**
132
+ * @param $marker
133
+ * @param $filename
134
+ * Remove with markers from files (.htaccess)
135
+ */
136
+ public function remove_with_markers($marker, $filename)
137
+ {
138
+ if (file_exists($filename)) {
139
+ $myfile = file_get_contents($filename);
140
+ $pattern = "/#.BEGIN $marker(?<=# BEGIN $marker).*(?=# END $marker)#.END $marker/sui";
141
+
142
+ $result = preg_replace($pattern, '', $myfile);
143
+ $result = preg_replace('/\s+$/sui', '', $result);
144
+ file_put_contents($filename, $result);
145
+ }
146
+ }
147
+
148
+ /**
149
+ * Remove Rss Feed
150
+ */
151
+ public function disable_feed()
152
+ {
153
+ wp_die(__('No feed available,please visit our <a href="' . get_bloginfo('url') . '">homepage</a>!'));
154
+ }
155
+
156
+ /**
157
+ * Disable access to xmlrpc.php completely with .htaccess file
158
+ */
159
+ public function add_htaccess()
160
+ {
161
+ global $current_screen;
162
+ if ($current_screen->id == 'toplevel_page_Security Settings' || $current_screen->id == 'plugins') {
163
+
164
+ if ($this->get_option('hotlink-fix')) {
165
+ $home_url = get_home_url();
166
+ $htaccess_code = '
167
+ RewriteEngine on
168
+ RewriteCond %{HTTP_REFERER} !^$
169
+ RewriteCond %{HTTP_REFERER} !^' . $home_url . ' [NC]
170
+ RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
171
+ RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
172
+
173
+ ';
174
+ }
175
+
176
+
177
+ if ($this->get_option('jetpack-switcher')) {
178
+ $jp_allowed_ips = '
179
  Allow from 122.248.245.244/32
180
  Allow from 54.217.201.243/32
181
  Allow from 54.232.116.4/32
187
  Allow from 192.0.98.138/32
188
  Allow from 192.0.102.71/32
189
  Allow from 192.0.102.95/32';
190
+ } else {
191
+ $jp_allowed_ips = '';
192
+ }
193
+
194
 
195
+ if (!$this->get_option('dsxmlrpc-switcher')) {
196
 
197
+ $allowed_ips = $this->fix_ip('White-list-IPs') . $jp_allowed_ips;
198
+ $htaccess_code .= '<Files xmlrpc.php>
 
 
 
199
  order deny,allow
200
  deny from all
201
+ ' . $allowed_ips . '
202
  </Files>
203
  ';
204
+ } else {
205
 
206
+ $disallowed_ips = $this->fix_ip('Black-list-IPs');
207
+ $htaccess_code .= '<Files xmlrpc.php>
 
208
  order allow,deny
209
  allow from all
210
+ ' . $disallowed_ips . '
211
  </Files>
212
  ';
213
+ }
214
+ $this->file_chmod();
215
+ insert_with_markers(DSXMLRPC_HOME_PATH . '.htaccess', 'DS-XML-RPC-API', $htaccess_code);
216
+ $this->get_option('htaccess protection') ? $this->file_protect() : '';
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
217
 
218
+ }
219
+ }
220
 
221
+ /**
222
+ * @param $type
223
+ * @return string|void
224
+ * Fix IP list
225
+ */
226
+ public function fix_ip($type)
227
+ {
228
+ if (!$this->get_option($type)) return;
229
+ $ip_list = $this->get_option($type);
230
+ $ips = explode(",", $ip_list);
231
+ foreach ((array)$ips as $ip) {
232
+ $ip = trim($ip);
233
+ if (!filter_var($ip, FILTER_VALIDATE_IP) === false) {
234
+ if ($type == 'White-list-IPs') {
235
+ return "Allow from " . $ip . "\n";
236
+ } elseif ($type == 'Black-list-IPs') {
237
+ return "Deny from " . $ip . "\n";
238
+
239
+ }
240
+ }
241
+ }
242
+ }
243
 
244
+ /**
245
+ * Change htaccess permissions to readonly
246
+ */
247
+ public function file_protect()
248
+ {
249
+ $htaccess_file = DSXMLRPC_HOME_PATH . '.htaccess';
250
+ if (is_writable($htaccess_file)) {
251
+ chmod($htaccess_file, 0444);
252
+ }
253
+ }
254
 
255
+ /**
256
+ * Unistallation actions
257
+ */
258
+ public function uninstall_action()
259
+ {
260
+ delete_option('dsxmlrpc-settings');
261
+ delete_option('pand-' . md5('wpsg-notice'));
262
+ delete_option('pand-' . md5('dsxmlrpc-notice'));
263
 
 
 
 
 
 
 
 
 
 
 
 
 
264
  }
 
 
265
 
266
+ /**
267
+ * @param $upgrader_object
268
+ * @param $options
269
+ * Update actions
270
+ */
271
+ public function after_update($upgrader_object, $options)
272
+ {
273
+ $current_plugin_path_name = plugin_basename(DSXMLRPC_FILE);
274
+
275
+ if ($options['action'] == 'update' && $options['type'] == 'plugin') {
276
+ foreach ($options['plugins'] as $each_plugin) {
277
+ if ($each_plugin == $current_plugin_path_name) {
278
+ delete_option('pand-' . md5('wpsg-notice'));
279
+ delete_option('pand-' . md5('dsxmlrpc-notice'));
280
+ }
281
+ }
282
+ }
283
+ }
284
 
285
+ /**
286
+ * @param $xmlrpc
287
+ * @return array
288
+ * Disable XML-RPC Methods
289
+ */
290
+ public function dis_methods($xmlrpc)
291
+ {
292
+ if (is_array($xmlrpc)) {
293
+ $methods = $this->get_option('disabled-methods');
294
+ foreach ($methods as $method) {
295
+
296
+ unset($xmlrpc[$method]);
297
+ }
298
+ }
299
+ return $xmlrpc;
300
 
301
+ }
 
 
 
302
 
303
+ /**
304
+ * @param $method
305
+ * @return array
306
+ * Get XML-RPC Disabled Methods
307
+ */
308
+ public function get_methods($method)
309
+ {
310
+ $option = $this->get_option('disabled-methods');
311
+ if (in_array($method, $option)) {
312
+ return array($method);
313
+ }
314
 
315
+ }
316
 
317
+ /**
318
+ * @param $headers
319
+ * @return mixed
320
+ * Remove x-pingback from header
321
+ */
322
+ public function X_pingback_header($headers)
323
+ {
324
+ unset($headers['X-Pingback']);
325
+ return $headers;
326
+ }
327
 
328
+ /**
329
+ * Remove selected methods from xml rpc
330
+ */
331
+ public function removeSelectedMethods()
332
+ {
333
+ $disabled_methods = $this->get_option('disabled-methods');
334
+ if ($this->get_option('dsxmlrpc-switcher') && array_search('x-pingback', $disabled_methods)) {
335
+ add_filter('wp_headers', array($this, 'X_pingback_header'));
336
+ add_filter('pings_open', '__return_false', PHP_INT_MAX);
337
+ }
338
 
339
+ }
340
 
341
+ /**
342
+ * @return bool
343
+ * Rename the XML-RPC
344
+ */
345
+ public function xmlrpc_rename_wp_loaded()
346
+ {
347
 
348
+ $page = $this->get_current_page();
 
 
 
 
 
 
 
349
 
350
+ if ($page === 'xmlrpc.php') {
351
+ $header_one = apply_filters('header_1', 'HTTP/1.0 404 Not Found');
352
+ $header_two = apply_filters('header_2', 'Status: 404 Not Found');
353
 
354
+ header($header_one);
355
+ header($header_two);
356
 
357
+ exit();
358
+ }
 
359
 
360
+ if ($page !== $this->get_option('xmlrpc-slug')) {
361
+ return false;
362
+ }
363
 
364
+ @define('NO_CACHE', true);
365
+ @define('WTC_IN_MINIFY', true);
366
+ @define('WP_CACHE', false);
367
 
368
+ // Prevent errors from defining constants again
369
+ error_reporting(E_ERROR | E_CORE_ERROR | E_COMPILE_ERROR);
370
 
371
+ include ABSPATH . '/xmlrpc.php';
 
 
372
 
373
+ exit();
 
374
 
375
+ }
 
376
 
377
+ /**
378
+ * @return mixed
379
+ * Find the page being accessed
380
+ */
381
+ public function get_current_page()
382
+ {
383
 
384
+ $blog_url = trailingslashit(get_bloginfo('url'));
 
 
385
 
386
+ // Build the Current URL
387
+ $url = (is_ssl() ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
388
 
389
+ if (is_ssl() && preg_match('/^http\:/is', $blog_url)) {
390
+ $blog_url = substr_replace($blog_url, 's', 4, 0);
391
+ }
392
 
393
+ // The relative URL to the Blog URL
394
+ $req = str_replace($blog_url, '', $url);
395
+ $req = str_replace('index.php/', '', $req);
396
 
397
+ // We dont need the args
398
+ $parts = explode('?', $req, 2);
399
+ $relative = basename($parts[0]);
400
 
401
+ // Remove trailing slash
402
+ $relative = rtrim($relative, '/');
403
+ $tmp = explode('/', $relative, 2);
404
+ $page = end($tmp);
405
 
406
+ return $page;
407
 
408
+ }
 
409
 
410
+ /**
411
+ * Speed Up wordprees
412
+ * remove emoji
413
+ */
414
+ public function removeEmojies()
415
+ {
416
+ remove_action('wp_head', 'print_emoji_detection_script', 7);
417
+ remove_action('wp_print_styles', 'print_emoji_styles');
418
+ remove_action('admin_print_scripts', 'print_emoji_detection_script');
419
+ remove_action('admin_print_styles', 'print_emoji_styles');
420
+ remove_filter('the_content_feed', 'wp_staticize_emoji');
421
+ remove_filter('comment_text_rss', 'wp_staticize_emoji');
422
+ remove_filter('wp_mail', 'wp_staticize_emoji_for_email');
423
+ }
424
 
425
+ /**
426
+ * Speed Up wordprees
427
+ */
428
+ public function speedUpWordpress()
429
+ {
430
+ /* slow down the heartbeat */
431
+ if ($this->get_option('slow-heartbeat')) {
432
+ add_filter('heartbeat_settings', 'slow_heartbeat');
433
+ }
434
+
435
+ /* Disable wp-json rest api */
436
+ if ($this->get_option('json-rest-api')) {
437
+ add_filter('rest_authentication_errors', function ($result) {
438
+ if (!empty($result)) {
439
+ return $result;
440
+ }
441
+ if (!is_user_logged_in()) {
442
+ return new WP_Error('restx_logged_out', 'Sorry, you must be logged in to make a request.', array('status' => 401));
443
+ }
444
+ return $result;
445
+ });
446
+ }
447
+
448
+ /* remove wlw from manifest */
449
+ if ($this->get_option('disable-wlw')) {
450
+ remove_action('wp_head', 'wlwmanifest_link');
451
+ }
452
+ /* disable built-in file editor */
453
+ if ($this->get_option('disable-code-editor') && !defined('DISALLOW_FILE_EDIT')) {
454
+ define('DISALLOW_FILE_EDIT', true);
455
+ }
456
+ /* disable oEmbed for youtube */
457
+ if ($this->get_option('disable-oembed')) {
458
+ add_action('wp_footer', 'disable_oembed', 11);
459
+ }
460
+ /* Remove the WordPress version info url parameter. */
461
+ if ($this->get_option('remove-wp-ver')) {
462
+ remove_action('wp_head', 'wp_generator');
463
+ add_filter('script_loader_src', 'remove_ver_param');
464
+ add_filter('style_loader_src', 'remove_ver_param');
465
+ }
466
+ }
467
 
468
+ /**
469
+ * Remove the WordPress version info url parameter.
470
+ */
471
+ public function remove_ver_param($url)
472
+ {
473
+ return remove_query_arg('ver', $url);
474
+ }
475
 
476
+ /**
477
+ * @param $settings
478
+ * @return mixed
479
+ * Slow down the wordpress hearbeat
480
+ */
481
+ public function slow_heartbeat($settings)
482
+ {
483
+ $settings['interval'] = 60;
484
+ return $settings;
485
+ }
486
 
487
+ /**
488
+ * Dequeue the oEmbed script.
489
+ */
490
+ public function disable_oembed()
491
+ {
492
+ wp_dequeue_script('wp-embed');
493
+ }
494
 
495
+ /**
496
+ * Fallback for disabling the xmlrpc if .htaccess not working
497
+ */
498
+ function disable_wp_xmlrpc($data)
499
+ {
500
+ if (!$this->get_option('dsxmlrpc-switcher') && empty($this->get_option('White-list-IPs'))) {
501
+ http_response_code(403);
502
+ exit('You dont have permission to access this file :)');
503
+ }
504
+ return $data;
505
+ }
506
 
507
+ }
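Review bot: The new `disable_wp_xmlrpc` fallback only refuses the request when `White-list-IPs` is empty, so on a host where `.htaccess` is ignored (nginx, or Apache with `AllowOverride None`) a single configured whitelist entry leaves xmlrpc.php open to every client, and with `jetpack-switcher` on it blocks Jetpack outright because the Jetpack list exists only inside the htaccess string. The fallback should enforce the same allow list itself by comparing the client address with the configured IPs before answering 403; note that `$_SERVER['REMOTE_ADDR']` is the TCP peer, so behind a reverse proxy it is the proxy's address and the check needs forwarded-address handling this plugin does not have. Two pre-existing defects survive the refactor: `fix_ip()` returns from inside its `foreach`, so only the first valid whitelist or blacklist address ever reaches the `<Files xmlrpc.php>` block and every later one is silently dropped, and `speedUpWordpress()` registers `'slow_heartbeat'`, `'disable_oembed'` and `'remove_ver_param'` as bare string callbacks although they are now methods of a namespaced class, which on PHP 8 is a fatal `TypeError` the first time `script_loader_src` fires (they need `[$this, 'remove_ver_param']` etc.). `register_uninstall_hook(DSXMLRPC_FILE, 'uninstall_action')` has the same shape of problem — no global function of that name exists and WordPress only accepts a function or static method there — so `dsxmlrpc-settings` is never removed on uninstall.
```php
function disable_wp_xmlrpc($data)
{
    // XML-RPC is deliberately enabled; per-method filtering applies instead.
    if ($this->get_option('dsxmlrpc-switcher')) {
        return $data;
    }
    // Mirror the .htaccess allow list so the fallback still protects hosts
    // that ignore .htaccess; previously any whitelist entry disabled it.
    $allowed = array_filter(array_map('trim', explode(',', (string) $this->get_option('White-list-IPs'))));
    // NOTE(review): REMOTE_ADDR is the TCP peer; behind a reverse proxy this
    // is the proxy's address — confirm the deployment before relying on it.
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!in_array($client, $allowed, true)) {
        http_response_code(403);
        exit('You dont have permission to access this file :)');
    }
    return $data;
}
```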
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
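--- a/index.php
+++ b/index.php
@@ -1,2 +1,35 @@
 <?php
-// Silence is golden.
+/*
+Plugin Name: Disable XML-RPC-API
+Plugin URI: https://neatma.com/dsxmlrpc-plugin/
+Description: Lightweight plugin to disable XML-RPC API and Pingbacks,Trackbacks for faster and more secure website.
+Version: 2.1.4
+Tested up to: 6.0
+Requires at least: 3.5
+Author: Neatma
+Author URI: https://neatma.com/
+License: GPLv2
+*/
+
+if ( ! defined( 'ABSPATH' ) ) {
+exit;
+}
+
+use dsxmlrpc\xmlrpcSecurity;
+
+// Constants
+define('DSXMLRPC_FILE', __FILE__);
+define('DSXMLRPC_PLUGIN_FILE', plugin_dir_path(__FILE__));
+define('DSXMLRPC_URL', plugin_dir_url(__FILE__));
+define('DSXMLRPC_HOME_PATH', function_exists('get_home_path') ? get_home_path() : ABSPATH);
+
+require_once(DSXMLRPC_PLUGIN_FILE . 'disable-xml-rpc-api.php');
+require_once(DSXMLRPC_PLUGIN_FILE . '/admin/admin.php');
+require_once(DSXMLRPC_PLUGIN_FILE . '/lib/skelet/framework.config.php');
+if (!class_exists('PAnD')) {
+require_once(DSXMLRPC_PLUGIN_FILE . '/lib/admin-notices/persist-admin-notices-dismissal.php');
+}
+
+// Initialize the main class
+xmlrpcSecurity::initialize();
+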
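Review bot: Moving the plugin header from disable-xml-rpc-api.php into index.php changes the plugin's basename to `disable-xml-rpc-api/index.php`, yet after an in-place update WordPress still has `disable-xml-rpc-api/disable-xml-rpc-api.php` in `active_plugins`; that file still exists and is still included, but it now only declares the class, so `xmlrpcSecurity::initialize()` never runs and the 403 fallback, the slug 404 and the `.htaccess` rewrite all go silent until someone re-activates the plugin from the plugins screen. That reading of the loader should be confirmed before shipping a security plugin this way; keeping the header in disable-xml-rpc-api.php and having it require the bootstrap, or adding a guard there such as `if (!defined('DSXMLRPC_FILE')) { require_once __DIR__ . '/index.php'; }`, would close the gap. Separately, `plugin_dir_path()` already returns a trailing slash, so the `'/admin/admin.php'` and `'/lib/...'` requires produce a double slash; harmless on Linux, but `'admin/admin.php'` matches the style of the line above them.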
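--- a/lib/skelet/classes/admin-options.class.php
+++ b/lib/skelet/classes/admin-options.class.php
@@ -539,7 +539,7 @@ if ( ! class_exists( 'SKELET_Options' ) ) {
 do_action( 'skelet_options_before' );
 
 echo '<div class="skelet skelet-options'. esc_attr( $theme . $class . $wrapper_class ) .'" data-slug="'. esc_attr( $this->args['menu_slug'] ) .'" data-unique="'. esc_attr( $this->unique ) .'">';
-
+do_action( 'skelet_options_inside' );
 echo '<div class="skelet-container">';
 
 echo '<form method="post" action="'. esc_attr( $form_action ) .'" enctype="multipart/form-data" id="skelet-form" autocomplete="off" novalidate="novalidate">';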
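--- a/lib/skelet/framework.config.php
+++ b/lib/skelet/framework.config.php
@@ -28,12 +28,13 @@ if( class_exists( 'SKELET' ) ) {
  'menu_type' => 'menu',
  'menu_icon' => 'dashicons-shield-alt',
  'theme' => 'dark',
+ 'nav' => 'normal',
  'menu_capability' => 'edit_users',
  'show_reset_section' => false,
  'show_search' => true,
  'show_bar_menu' => false,
  'ajax_save' => false,
- 'footer_text'=> '<span style="color:gainsboro;">Please <a target="_blank" href="https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/#new-post">rate us</a> in wordprees repository</span><script type="text/javascript">window.$crisp=[];window.CRISP_WEBSITE_ID="a0979335-6589-492d-8623-bc4622d40ba0";(function(){d=document;s=d.createElement("script");s.src="https://client.crisp.chat/l.js";s.async=1;d.getElementsByTagName("head")[0].appendChild(s);})();</script>',
+ 'footer_text'=> '<span style="color:gainsboro;">Please <a target="_blank" href="https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/#new-post">rate us</a> in wordprees repository</span>',
 
 
 
@@ -102,14 +103,14 @@ Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximate
  'help' => 'Leave empty if you dont want to change it',
  'desc' => 'If you dont want to disable XML-RPC entirely you can change the xmlrpc.php slug to whatever you want to prevent automated attacks',
  'dependency' => array( 'dsxmlrpc-switcher', '==', 'true' ),
- 'placeholder' => 'mobile-api'
+ 'placeholder' => 'Example: mobile-api'
  ),
  array(
  'id' => 'jetpack-switcher',
  'type' => 'switcher',
  'title' => 'Enable xml-rpc for Jetpack',
  'label' => 'This switch will add Jetpack servers IP range to the whitelist',
- 'default' => true,
+ 'default' => false,
  'dependency' => array( 'dsxmlrpc-switcher', '==', 'false' ),
 
  ),
@@ -249,7 +250,7 @@ Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximate
  'type' => 'switcher',
  'title' => 'Hide WordPress Version',
  'desc' => 'Remove WordPress version for security reasons',
- 'default' => false,
+ 'default' => true,
  ),
  array(
  'id' => 'disable-code-editor',
@@ -290,9 +291,9 @@ Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximate
  'id' => 'hotlink-fix',
  'type' => 'switcher',
  'title' => 'Hotlink Fix',
- 'desc' => 'Disable Hotlinking and Leaching of Your Content',
- 'help' => 'disable hotlinking of images with forbidden or custom image option',
- 'default' => true,
+ 'desc' => 'Disable Hotlinking and Leaching of Your Content (On means it will prevent hotlinking)',
+ 'help' => 'disable hotlinking of images with forbidden',
+ 'default' => false,
  ),
  array(
  'id' => 'remove-emojis',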
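Review bot: The new help text in the hotlink-fix hunk, `'help' => 'disable hotlinking of images with forbidden'`, is a truncated sentence now that the "or custom image option" clause is gone, and "with forbidden" no longer tells the user what happens; if the feature answers hotlinked image requests with a 403, say so, e.g. `'help' => 'Block hotlinking of images by answering them with a 403 Forbidden response'`. The same file flips `'default'` for jetpack-switcher (to false), Hide WordPress Version (to true) and hotlink-fix (to false), which changes behaviour on sites that have never saved the settings page, yet the readme entry only says "Fix some minor bugs" — a changelog line, or a short comment beside each changed default, would make the intent traceable. The `footer_text` anchor in the first hunk still uses `target="_blank"` without `rel="noopener noreferrer"`, which is cheap to add while that string is being edited.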
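--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Plugin URI: https://neatma.com
  Contributors: aminnz,neatmarketing
  Description: Simple plugin to disable XML-RPC API and X-Pingback for faster and more secure website.
  Tags: disable xml-rpc, xmlrpc, disable xmlrpc,remove xmlrpc, XML-RPC, pingback, stop brute force attacks
- Version: 2.1.3
+ Version: 2.1.4
  Tested up to: 6.0
  Requires at least: 3.5
  Author: Neatma
@@ -146,4 +146,9 @@ screenshot-2.jpg
 
  = 2.1.3 =
  * Fix compatibility issue with WordPress 5.9
- * Fix htaccess cleaning function
+ * Fix htaccess cleaning function
+
+ = 2.1.4 =
+ * Fix some minor bugs
+ * Refactor the entire codes
+ * Add a fallback function for situations htaccess is not working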