
| Version Reviewed | 2.1.7 |
| --- | --- |
| Creator | Amin Nazemi |
| Plugin Link | https://wordpress.org/plugins/disable-xml-rpc-api/ |
| Multi-language | yes |
| Paid/Premium Version | no |
| ClassicPress Compatible | yes |
| Nagware/Notifications | no |
The Review
In our last plugin review, Disable XML-RPC Pingback, we tested a plugin that only disabled the pingback feature of XML-RPC in WordPress. We wondered whether another plugin went a step further and disabled more of the core XML-RPC functionality. We came across the Disable XML-RPC-API plugin in the plugin directory, built by Amin Nazemi. The plugin claims to offer options for disabling different parts of XML-RPC as well as other features:
- Disable access to xmlrpc.php file using .htaccess file
- Automatically change htaccess file permission to read-only (0444)
- Disable X-pingback to minimize CPU usage
- Disable selected methods from XML-RPC
- Remove pingback-ping link from header
- Disable trackbacks and pingbacks to avoid spammers and hackers
- Rename XML-RPC slug to whatever you want
- Black list IPs for XML-RPC
- White list IPs for XML-RPC
- Some options to speed up your WordPress website
- Disable JSON REST API
- Hide WordPress Version
- Disable built-in WordPress file editor
- Disable wlw manifest
- And some other options
So does Disable XML-RPC-API live up to what it claims? Let's find out.
Installation & Activation

Installing and activating the plugin was easy. Either search for the plugin name, "Disable XML-RPC-API", in the Plugins directory of your WordPress website, or visit the WordPress.org Plugin Directory page, download the zip, and upload it.
After installing and activating you’ll need to visit the XML-RPC Security tab located in the admin section of WordPress.
There was no nagware or admin notifications after activation.
Testing
At the time of this posting, our testing environment was the latest version of WordPress, 6.7.2, on a Linux-based server running PHP 8.2, Nginx, and MySQL. Your results may differ.
We'll go through each item listed above to make sure the plugin does what it says.
Disable access to xmlrpc.php file using .htaccess file
Since we ran the plugin test on an Nginx development server rather than Apache, which is what reads .htaccess files for access control, the server did not block access. If you are running a WordPress site on Apache, this will work.
The next few bulleted items are more marketing phrases than distinct actions; some of them simply follow from disabling XML-RPC in our first test. The next real feature on the list is disabling XML-RPC in the WordPress core's HTTP headers and HTML head, rather than only blocking external access to the xmlrpc.php file.
Next, we opened the code in an editor and checked that the plugin actually removes the XML-RPC headers in WordPress. We also read through the rest of the functions in the plugin to confirm it implements the remaining features. Looking through the code, it does appear to remove or disable all of the stated features.
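For readers who want to perform the same check on this or any similar plugin, the following is an added example written for this review, not code from the Disable XML-RPC-API plugin. It uses only WordPress core hooks to disable XML-RPC at the application layer (the header and head-link removal discussed above), so you can compare it against what a plugin's source actually calls. The file name and comments are ours; every hook and filter name is a core WordPress API.

```php
<?php
/**
 * Added example, not the plugin's own code: the core WordPress hooks that
 * disable XML-RPC inside the application instead of (or in addition to)
 * blocking xmlrpc.php at the web server. To try it, save this file as
 * wp-content/mu-plugins/disable-xmlrpc-example.php (name is ours).
 */

// 1. Refuse every XML-RPC request before any method is dispatched.
//    Core consults this filter when xmlrpc.php is hit; the response is a
//    fault with the message "XML-RPC services are disabled on this site."
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. If XML-RPC must stay available for a client such as the mobile app,
//    strip only the pingback methods instead of the whole interface.
//    (With step 1 active this filter is never reached; it is shown for
//    the "disable selected methods" option.)
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Drop the X-Pingback response header that advertises the endpoint.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Remove the discovery links core prints in <head>: the RSD link
//    (which points at xmlrpc.php), the Windows Live Writer manifest, and
//    the generator meta tag that leaks the WordPress version.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_generator' );

// 5. Report pings as closed on every post so trackbacks and pingbacks are
//    rejected regardless of per-post settings.
add_filter( 'pings_open', '__return_false' );

// 6. Disable the built-in theme/plugin file editor in wp-admin.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

To verify the effect, fetch your homepage headers and confirm that no `X-Pingback` header is returned, view the page source and confirm there is no `<link rel="EditURI" ...>` or `<meta name="generator" ...>`, and send a POST to xmlrpc.php and confirm the response is the disabled-services fault rather than a method list. A plugin that claims these features should be calling these same hooks (or equivalent ones) somewhere in its source.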

However, we did notice that under the plugin's admin folder there are a few action hooks that would call up an admin notice for ads. These are currently disabled, and they may be what users were complaining about in an older release on the plugin's reviews page.
Conclusion
This seems to be a simple yet effective plugin for disabling XML-RPC, along with some other features built into the WordPress core that may no longer be needed. Check that nothing depends on features such as Heartbeat and RSS feeds before disabling them.
Caution! – Your site may rely on some of these features to function properly.
Plugin Resources
A list of 3rd party libraries, API connections, PHP mods, and/or WordPress hooks that are used/required.
- Skeleton: Responsive CSS Boilerplate – http://getskeleton.com/
- Persist Admin notices Dismissal – https://w3guy.com
Vulnerabilities
There are currently no known exploited vulnerabilities.