Disabled XML RPC

Disabled XML RPC via Defender security tweaks, but WP Checkup is showing the following results as:
XML-RPC interface available under: https://sitename/xmlrpc.php

Please check the chat notes for more info.

  • Adam Czajczyk
    • Support Gorilla

    Hello Daniel Lyne

    I hope you're well today!

    The Defender plugin can either block trackback and pingbacks only or it can block entire XML-RPC access. It does that on a WP core level so the xmlrpc.php file itself remains accessible, it just shouldn't accept any request.

    The .htaccess code that you were given during the chat would block access to the file entirely.

    However, I just ran multiple tests on my own test sites and I admit I'm getting some inconsistent results. It's possible then that we might be dealing with an issue in Defender, so I've reported this to our developers asking them to take a closer look at it.

    Please keep an eye on this ticket for further information and we'll update you here as soon as we get some feedback on this from our developers.

    Best regards,
    Adam

  • Ari
    • Recruit

    Hey Daniel Lyne

    Hope you are good today!

    There are usually two ways to disable the XML-RPC:

    1: Block the entire xmlrpc.php file with .htaccess, so no one can access it.
    2: Block the XML-RPC methods that require authentication, the WordPress way, using these filters:
    add_filter( 'xmlrpc_enabled', '__return_false' );
    add_filter( 'xmlrpc_methods', 'block_xmlrpc_attacks' );
    Here are more details:
    https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/
    https://developer.wordpress.org/reference/hooks/xmlrpc_methods/

    Our plugin uses the second method; we blocked all the XML-RPC methods like:

    wp.getUsersBlogs
    wp.newPost
    wp.editPost
    wp.deletePost
    ...

    We only accept two methods for pingback:

    pingback.ping
    pingback.extensions.getPingbacks

    Here are more details about Pingback: https://www.wpbeginner.com/glossary/pingback/

    ============

    You can read more about it here: https://www.greengeeks.com/tutorials/article/how-to-enable-and-disable-xmlrpc-php-in-wordpress-and-why/

    ============

    So this is secure enough, but if you want to disable the whole XML-RPC, you can add the following code at the very bottom of the .htaccess file:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    deny from all
    </Files>

    Thanks, let me know if you have any questions regarding this issue!

    Best Regards,
    Ari
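
The replies above describe three states an xmlrpc.php endpoint can be in: blocked by the web server, reachable with only the pingback methods left, and reachable with the wp.* methods still registered. A check that only tests whether the URL answers cannot tell the last two apart. The following is an added example, not code from the thread or from Defender, that classifies the reply to a `system.listMethods` call; the names `classify` and `probe`, the state labels and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

# The two methods the reply above says are still accepted.
PINGBACK_ONLY = {"pingback.ping", "pingback.extensions.getPingbacks"}

def classify(status, body):
    """Map the HTTP status and body of a system.listMethods reply to a state."""
    if status in (401, 403, 404):
        return "blocked-at-web-server"      # e.g. the <Files xmlrpc.php> rule
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault:
        return "xmlrpc-fault"               # endpoint answers but refuses the call
    except (ExpatError, xmlrpc.client.ResponseError):
        return "not-xmlrpc"                 # HTML page, empty body, garbage
    if not params or not isinstance(params[0], list):
        return "not-xmlrpc"
    # Assumption: system.* introspection methods are not counted as exposure.
    exposed = {str(m) for m in params[0] if not str(m).startswith("system.")}
    if exposed <= PINGBACK_ONLY:
        return "reachable-pingback-only"
    return "reachable-methods-exposed"

def probe(url, timeout=10):
    """POST system.listMethods to a site you administer and classify the reply."""
    payload = xmlrpc.client.dumps((), "system.listMethods").encode()
    req = urllib.request.Request(url, data=payload,
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())

def _listing(methods):
    # Constructed sample response body, not captured from a real site.
    return xmlrpc.client.dumps((methods,), methodresponse=True).encode()

SAMPLES = {
    "htaccess": (403, b"<html>Forbidden</html>"),
    "defender": (200, _listing(["system.listMethods", "pingback.ping",
                                "pingback.extensions.getPingbacks"])),
    "default": (200, _listing(["system.listMethods", "pingback.ping",
                               "wp.getUsersBlogs", "wp.newPost"])),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(name, "->", classify(status, body))
```

`probe("https://sitename/xmlrpc.php")` runs the same classification against a live endpoint; the samples let the logic be checked offline.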
