Disable XML-RPC Pingback Plugin Review

xml-rpc landing page on wordpress.org

Plugin Resources

A list of 3rd party libraries, API connections, PHP mods, and/or WordPress hooks that are used/required.

WP Actions

  • wp

WP Hooks

  • get_bloginfo()

WP Filters

  • xmlrpc_methods
  • wp_headers

The Review

Hardening your WordPress website is crucial, and one of the easiest ways of doing so is to remove or disable features built into core that you do not use. Sometimes that includes built-in features that are no longer needed or used, in this case XML-RPC. There are a few ways to go about disabling this built-in feature, but one of the easiest is activating a plugin. Today we’re going to review a plugin developed by Samuel Aguilera, Disable XML-RPC Pingback, which is a simple plugin for disabling only a portion of the XML-RPC protocol, the one that gets abused: the pingback.

For this testing we used the latest version of WordPress, version 6.7.2, on a development server in a docker container. So does this plugin do what it says it does?

Installation and Activation

Installation and activation were a breeze. First we located the plugin in the Plugins Repository, which is found on all default WordPress sites under Add New Plugin, by searching for “Disable xml-rpc”.

Plugins Repository showing the Disable XML-RPC Pingback plugin for installation and activation.

Testing

After activation we decided to check whether the plugin is working and doing what it says it does. This plugin only disables or removes the pingback function of XML-RPC, for both sending and receiving pingbacks. WordPress advertises the pingback endpoint via a response header. Checking the code of the plugin, it unsets the ping method for the website and, depending on the version of WordPress you’re running, removes the correctly named header value.

This should only remove the ping feature; the rest of the XML-RPC method set should still operate normally.
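To show what “unset the ping method and drop the header” looks like in practice, here is an illustrative must-use plugin written for this review. It is an added example, not the reviewed plugin’s own code, and it assumes only the core `xmlrpc_methods` and `wp_headers` filters and the `wp` action that the plugin itself hooks (the header name `X-Pingback` is the one WordPress core emits).

```php
<?php
/**
 * Plugin Name: Example - Disable pingback only (illustrative, not the reviewed plugin)
 * Description: Removes the pingback XML-RPC methods and the X-Pingback header
 *              while leaving every other XML-RPC method (wp.*, metaWeblog.*,
 *              system.*) available for remote publishing.
 */

// 1. Strip only the pingback methods from the XML-RPC method table.
//    WordPress runs this filter when it builds wp_xmlrpc_server::$methods,
//    so a pingback.ping request afterwards gets a "method not found" fault.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint. Core adds X-Pingback (built from
//    get_bloginfo('pingback_url')) to front-end responses via this filter.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Belt and braces: if anything else already emitted the header before the
//    filter ran, remove it on the 'wp' action as long as output has not started.
add_action( 'wp', function () {
    if ( ! headers_sent() ) {
        header_remove( 'X-Pingback' );
    }
} );
```

Drop the file into `wp-content/mu-plugins/` on a test site. Two quick checks confirm the behaviour the review describes: `curl -sI https://your-test-site.example/` should no longer show an `X-Pingback:` line, and `wp eval 'var_dump( isset( ( new wp_xmlrpc_server() )->methods["pingback.ping"] ) );'` should print `bool(false)` while `wp.getUsersBlogs` and the other methods remain in that array.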

Caution! – Some plugins may rely on this ping feature to function properly.

Conclusion

The Disable XML-RPC Pingback plugin does what it says it does. We didn’t find any additional functions or nagware. There are no notifications once you install, and there is no settings page, which didn’t surprise us since there are no additional settings to set. A simple yet effective plugin doing only one thing.

And while this doesn’t disable the entire XML-RPC protocol, it at least disables the most widely abused part, the one used in DDoS attacks. Bottom line: if you still need to use XML-RPC for remote publishing or a plugin requires it, this is probably the safest way to keep remote publishing enabled while disabling the ping function.