[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fjpqT0EpjQZSeHiEwCD8a9baQMhGsvoXm9MbiI81A7xA":3},{"slug":4,"display_name":4,"profile_url":5,"plugin_count":6,"total_installs":7,"avg_security_score":8,"avg_patch_time_days":7,"trust_score":9,"computed_at":10,"plugins":11},"vavkamil","https:\u002F\u002Fprofiles.wordpress.org\u002Fvavkamil\u002F",1,30,85,84,"2026-04-04T20:59:39.524Z",[12],{"slug":13,"name":14,"version":15,"author":4,"author_profile":5,"description":16,"short_description":17,"active_installs":7,"downloaded":18,"rating":19,"num_ratings":19,"last_updated":20,"tested_up_to":21,"requires_at_least":22,"requires_php":23,"tags":24,"homepage":29,"download_link":30,"security_score":8,"vuln_count":19,"unpatched_count":19,"last_vuln_date":31,"fetched_at":32},"xml-rpc-settings","XML-RPC Settings","1.2.1","\u003Ch3>XML-RPC Settings\u003C\u002Fh3>\n\u003Cp>Configure XML-RPC methods to increase the security of your website:\u003C\u002Fp>\n\u003Ch4>Built-in features could be used for malicious purposes and cannot be disabled by default.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable GET access\n\u003Cul>\n\u003Cli>XML-RPC API only responds to POST requests. 
Direct GET access is not needed and can be used to fingerprint websites and use them as XML-RPC zombies in later attacks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable system.multicall\n\u003Cul>\n\u003Cli>system.multicall method can be misused for amplification attacks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable system.listMethods\n\u003Cul>\n\u003Cli>system.listMethods method can be used for verifying attack scope.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Prevent malicious actors from enumerating usernames and credentials.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable authenticated methods\n\u003Cul>\n\u003Cli>Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Pingbacks are a helpful feature to discover back-links to your posts but can be misused for DDoS attacks or allow fingerprinting your WP version.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable pingbacks\n\u003Cul>\n\u003Cli>Pingbacks are generally safe, but are often used for DDoS attacks via system.multicall.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Remove X-Pingback header\n\u003Cul>\n\u003Cli>If you decide to disable pingbacks, it’s a good practice to remove the X-Pingback header returned by your posts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Hide WordPress version when verifying pingbacks\n\u003Cul>\n\u003Cli>Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Hide WordPress version when sending pingbacks\n\u003Cul>\n\u003Cli>Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Unnecessary XML-RPC API, leave enabled if you are not 
sure.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable Demo API\n\u003Cul>\n\u003Cli>Remove demo.sayHello and demo.addTwoNumbers methods, as they are not needed.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable Blogger API\n\u003Cul>\n\u003Cli>WordPress supports the Blogger XML-RPC API methods.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable MetaWeblog API\n\u003Cul>\n\u003Cli>WordPress supports the metaWeblog XML-RPC API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable MovableType API\n\u003Cul>\n\u003Cli>WordPress supports the MovableType XML-RPC API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>If you are using some integrations or WP mobile applications, it might be a good idea to allow XML-RPC only to specific IPs.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Allow XML-RPC only for\n\u003Cul>\n\u003Cli>Comma-separated IPs, e.g. 192.168.10.242, 192.168.10.241\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>It is possible to hide a message among the allowed methods when system.listMethods is called (not recommended).\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Add message to XML-RPC methods\n\u003Cul>\n\u003Cli>We are hiring! Check jobs.yourdomains.com\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n","Secure your website with the most comprehensive XML-RPC Settings plugin.",1840,0,"2021-11-25T07:56:00.000Z","5.8.13","3.9","5.3",[25,26,27,28],"brute-force","ddos","security","xmlrpc","https:\u002F\u002Fgithub.com\u002Fvavkamil\u002Fxml-rpc-settings","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxml-rpc-settings.zip",null,"2026-03-15T15:16:48.613Z"]