Disable XML-RPC-API

Screenshots

Protect your website from xmlrpc brute-force attacks,DOS and DDOS attacks, this plugin disables the XML-RPC and trackbacks-pingbacks on your WordPress website. PLUGIN FEATURES (These are options you can enable or disable each one) Disable access to xmlrpc.php file using .httacess file Automatically change htaccess file permission to read-only (0444) Disable X-pingback to minimize CPU usage Disable selected methods from XML-RPC Remove pingback-ping link from header Disable trackbacks and pingbacks to avoid spammers and hackers Rename XML-RPC slug to whatever you want Black list IPs for XML-RPC White list IPs for XML-RPC Some options to speed-up your wordpress website Disable JSON REST API Hide WordPress Version Disable built-in WordPress file editor Disable wlw manifest And some other options Need more protection for your website? Use WP Security Guard to protect your website againts hackers, spammers and bad bots. WP Security Guard Main Features Anti BruteForce Attack Anti Hack Firewall Security Monitoring Math Captcha & Google reCaptcha Two Factor Authentication File Integrity Monitoring No Captcha Anti Spam And More… Learn more about WP Security Guard What is XMLRPC XML-RPC, or XML Remote Procedure Call is a protocol which uses XML to encode its calls and HTTP as a transport mechanism. Beginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so. Why you should disable XML-RPC Xmlrpc has two main weaknesses Brute force attacks: Attackers try to login to WordPress using xmlrpc.php with as many username/password combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.” Denial of Service Attacks via Pingback: Back in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.”