Block XMLRPC entirely #3

Open
edjeavons opened this issue Sep 14, 2022 · 2 comments
Labels
enhancement New feature or request

Comments

@edjeavons
Member

At the moment we are using the xmlrpc_enabled filter to disable XML-RPC methods requiring authentication but ideally there would be an option to disable access to xmlrpc.php entirely so it can't be used for any purpose (inc. bruteforcing credentials).

edjeavons added the enhancement label Sep 25, 2022
@edjeavons
Member Author

We have seen Search Console reporting 403 responses on /xmlrpc.php as a site error, which misleads website owners.

Perhaps we can look into discouraging robots on this path, or else give another HTTP response that doesn't have this side effect.

@DanielHudson2
Member

Encountered XMLRPC being exploited for attempts to access authenticated methods, used the following to completely disable it:
```php
add_filter('wp_xmlrpc_server_class', 'disable_wp_xmlrpc');
function disable_wp_xmlrpc($data) {
    exit('You dont have permission to access this file');
}
```
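
One way to refuse every request to xmlrpc.php before WordPress dispatches it, written as an added example that is not part of this thread or the project's code. It assumes a must-use plugin file and a hypothetical `EXAMPLE_XMLRPC_BLOCK_STATUS` constant for choosing the response status; the `X-Robots-Tag` header is included as one way of discouraging robots on the path.

```php
<?php
/**
 * Added example, not the project's code: refuse all requests to xmlrpc.php.
 * Assumed location: wp-content/mu-plugins/block-xmlrpc.php (must-use plugin).
 */

// xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so the
// constant is already set by the time plugin files are included.
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    // Hypothetical constant: a site can set it in wp-config.php to pick a
    // status other than 403 (the status reported as a site error above).
    $status = defined( 'EXAMPLE_XMLRPC_BLOCK_STATUS' )
        ? (int) EXAMPLE_XMLRPC_BLOCK_STATUS
        : 403;

    status_header( $status );
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    // Ask crawlers not to index or follow this endpoint.
    header( 'X-Robots-Tag: noindex, nofollow' );

    // Stop here: no XML-RPC method, authenticated or not, is ever reached.
    exit( 'XML-RPC is disabled on this site.' );
}

// On ordinary page loads, keep the existing behaviour for authenticated
// methods and stop advertising the endpoint in the page head.
add_filter( 'xmlrpc_enabled', '__return_false' );
remove_action( 'wp_head', 'rsd_link' );
```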
