[Defender] author scans, xmlrpc and rest disable

Wondering if Defender blocks scans for Author=1, author=2 etc - ?
Can it be used to disable xmlrpc? and disable the rest api?
These are the main things I used "shield" plugin for, but I had to remove it to a conflice with hummingbird, and it was suggested I use defender in the meantime.
I would like to see these options in defender.. but if defender does not have author= scans blocking then I need to search for something else, and I could add a couple other plugins to disable the rest and xmlrpc I guess.

  • Oguz
    • QA Engineer

    Hey djsteve ,

    Hope you're well!

    In the current version of Defender, There is no feature for that feature disabling. But I can recommend solutions for them, and if also other members support adding these to Defender maybe our developers can consider implementing these.

    For user enumeration (URL scans like author=1) you can use this .htaccess code, basically, it's just preventing that URLs;

    # Block User ID Phishing Requests
    <IfModule mod_rewrite.c>
    	RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    	RewriteRule .* http://example.com/? [L,R=302]

    Also, you can disable XMLRPC by adding this code to your .htaccess;

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from

    For disabling rest API you can add these codes to your functions.php;

    // Disable REST API link tag
    remove_action('wp_head', 'rest_output_link_wp_head', 10);
    // Disable oEmbed Discovery Links
    remove_action('wp_head', 'wp_oembed_add_discovery_links', 10);
    // Disable REST API link in HTTP headers
    remove_action('template_redirect', 'rest_output_link_header', 11, 0);


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.