[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f84I5BNuGeUK04B41trQvsSBafSheXAux30WSKcoca_I":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28,"vulnerabilities":29,"developer":30,"crawl_stats":27,"alternatives":36,"analysis":137,"fingerprints":162},"simple-xml-rpc-disabler","Simple XML-RPC Disabler","1.1.0","Vikash Chand","https:\u002F\u002Fprofiles.wordpress.org\u002Fvikichand\u002F","\u003Ch4>What Is xmlrpc.php?\u003C\u002Fh4>\n\u003Cp>\u003Ca href=\"http:\u002F\u002Fwww.xmlrpc.com\u002F\" rel=\"nofollow ugc\">XML-RPC\u003C\u002Fa> is a remote procedure call (RPC) protocol, a feature included in WordPress, which enables data to be transmitted. It uses HTTP as the transport mechanism, and XML to encode its calls.\u003C\u002Fp>\n\u003Cp>Unless you use remote technologies and mobile applications to update your WordPress site, you might not be familiar with XML-RPC. For the uninitiated, you can use xmlrpc.php to establish a remote connection to WordPress, and make updates to your site without directly logging in to your WordPress system.\u003C\u002Fp>\n\u003Cp>XML-RPC is indeed useful for enabling remote connections between various external applications and WordPress. On the other hand, disabling this feature can help improve your site’s security.\u003C\u002Fp>\n\u003Ch4>Why You Should Disable xmlrpc.php?\u003C\u002Fh4>\n\u003Cp>The problem is that xmlrpc.php poses a security risk. It creates an additional access point to your site, which could leave it vulnerable to external attacks. Every time you authenticate XML-RPC, you need to supply your username and password. As you can imagine, this isn’t exactly ideal for security purposes.\u003C\u002Fp>\n\u003Cp>For example, in order to prevent brute force attacks, you can limit login attempts on your WordPress site. However, with XML-RPC enabled, that limit does not exist. There’s no capping on login attempts, which means it’s only a matter of time before a determined cybercriminal gains access.\u003C\u002Fp>\n\u003Cp>By disabling the feature, you are closing a potential area of entry for hackers.\u003C\u002Fp>\n\u003Cp>XML-RPC functionality is turned on by default since WordPress 3.5. This plugin completely disables the XML-RPC API which can be abused by hackers on a WordPress site, providing an easy and simple way to disable\u002Fenable the XML-RPC API.\u003C\u002Fp>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.8.1 or higher.\u003C\u002Fli>\n\u003C\u002Ful>\n","This plugin completely disables the XML-RPC API which can be abused by hackers on a WordPress site, providing an easy and simple way to disable\u002Fenable …",20,1512,0,"2021-05-15T04:56:00.000Z","5.7.15","3.5","5.6",[19,20,21,22,23],"ddos","rpc","xml","xml-rpc","xmlrpc","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fsimple-xml-rpc-disabler","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsimple-xml-rpc-disabler.1.1.0.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":31,"display_name":7,"profile_url":8,"plugin_count":32,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":33,"trust_score":34,"computed_at":35},"vikichand",1,30,84,"2026-04-04T04:31:35.126Z",[37,54,77,94,114],{"slug":38,"name":39,"version":40,"author":41,"author_profile":42,"description":43,"short_description":44,"active_installs":45,"downloaded":46,"rating":13,"num_ratings":13,"last_updated":47,"tested_up_to":48,"requires_at_least":16,"requires_php":49,"tags":50,"homepage":52,"download_link":53,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"deactivate-xml-rpc","Deactivate XML-RPC on WordPress","1.0","tildemark","https:\u002F\u002Fprofiles.wordpress.org\u002Ftildemark\u002F","\u003Cp>This plugin will completely disable or deactivate XML-RPC on your WordPress installation. This will prevent any brute force attacks to your website using XML-RPC.\u003C\u002Fp>\n\u003Cp>By using the plugin, it will remove your ability to post using XML-RPC protocol, which means no more,\u003C\u002Fp>\n\u003Cul>\n\u003Cli>post ping backs, \u003C\u002Fli>\n\u003Cli>remote post from WordPress mobile app, \u003C\u002Fli>\n\u003Cli>remote post from windows live writer, \u003C\u002Fli>\n\u003Cli>and other applications that requires XML-RPC.\u003C\u002Fli>\n\u003C\u002Ful>\n","This plugin will completely disable or deactivates XML-RPC on your WordPress installation. This will prevent any brute force attacks to your website u …",200,4844,"2015-05-13T02:01:00.000Z","4.2.39","",[19,51,22,23],"firewall","http:\u002F\u002Fcazimiweb.com\u002Fplugin\u002Fdeactivate-xml-rpc","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdeactivate-xml-rpc.1.0.zip",{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":62,"downloaded":63,"rating":64,"num_ratings":65,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":49,"tags":69,"homepage":74,"download_link":75,"security_score":76,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"disable-xml-rpc-api","Disable XML-RPC-API","2.1.7","Amin Nazemi","https:\u002F\u002Fprofiles.wordpress.org\u002Faminnz\u002F","\u003Cp>Protect your website from xmlrpc brute-force attacks,DOS and DDOS attacks, this plugin disables the XML-RPC and trackbacks-pingbacks on your WordPress website.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>PLUGIN FEATURES\u003C\u002Fstrong>\u003Cbr \u002F>\n(These are options you can enable or disable each one)\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable access to xmlrpc.php file using .httacess file \u003C\u002Fli>\n\u003Cli>Automatically change htaccess file permission to read-only (0444)\u003C\u002Fli>\n\u003Cli>Disable X-pingback to minimize CPU usage \u003C\u002Fli>\n\u003Cli>Disable selected methods from XML-RPC\u003C\u002Fli>\n\u003Cli>Remove pingback-ping link from header\u003C\u002Fli>\n\u003Cli>Disable trackbacks and pingbacks to avoid spammers and hackers\u003C\u002Fli>\n\u003Cli>Rename XML-RPC slug to whatever you want\u003C\u002Fli>\n\u003Cli>Black list IPs for XML-RPC\u003C\u002Fli>\n\u003Cli>White list IPs for XML-RPC\u003C\u002Fli>\n\u003Cli>Some options to speed-up your wordpress website\u003C\u002Fli>\n\u003Cli>Disable JSON REST API\u003C\u002Fli>\n\u003Cli>Hide WordPress Version\u003C\u002Fli>\n\u003Cli>Disable built-in WordPress file editor\u003C\u002Fli>\n\u003Cli>Disable wlw manifest\u003C\u002Fli>\n\u003Cli>And some other options\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>What is XMLRPC\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>XML-RPC, or XML Remote Procedure Call is a protocol which uses XML to encode its calls and HTTP as a transport mechanism.\u003Cbr \u002F>\nBeginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable\u002Fenable XML-RPC was removed. For various reasons, site owners may wish to disable this functionality. This plugin provides an easy way to do so.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Why you should disable XML-RPC\u003C\u002Fstrong>\u003Cbr \u002F>\n\u003Cem>Xmlrpc has two main weaknesses\u003C\u002Fem>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Brute force attacks:\u003Cbr \u002F>\nAttackers try to login to WordPress using xmlrpc.php with as many username\u002Fpassword combinations as they can enter. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. Daniel Cid at Sucuri described it well in October 2015: “With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts.”\u003C\u002Fli>\n\u003Cli>Denial of Service Attacks via Pingback:\u003Cbr \u002F>\nBack in 2013, attackers sent Pingback requests through xmlrpc.php of approximately 2500 WordPress sites to “herd (these sites) into a voluntary botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a virtually limitless set of IP addresses to Distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them.”\u003C\u002Fli>\n\u003C\u002Ful>\n","A simple and lightweight plugin to disable XML-RPC API, X-Pingback and pingback-ping in WordPress 3.5+ for a faster and more secure website",100000,792973,82,42,"2026-02-04T06:54:00.000Z","6.9.4","5.0",[70,71,72,73,23],"disable-xml-rpc","disable-xmlrpc","pingback","stop-brute-force-attacks","https:\u002F\u002Fneatma.com\u002Fdsxmlrpc-plugin\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-xml-rpc-api.zip",100,{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":87,"num_ratings":88,"last_updated":89,"tested_up_to":90,"requires_at_least":91,"requires_php":17,"tags":92,"homepage":49,"download_link":93,"security_score":76,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"disable-xml-rpc-pingback","Disable XML-RPC Pingback","1.2.2","Samuel Aguilera","https:\u002F\u002Fprofiles.wordpress.org\u002Fsamuelaguilera\u002F","\u003Cp>Stops abuse of your site’s XML-RPC by simply removing some methods used by attackers. While you can use the rest of XML-RPC methods.\u003C\u002Fp>\n\u003Cp>This is more friendly than disabling totally XML-RPC, that it’s needed by some plugins and apps (I.e. Mobile apps or some Jetpack’s modules).\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The original one.\u003C\u002Fli>\n\u003Cli>Simple and effective.\u003C\u002Fli>\n\u003Cli>No marketing buzz.\u003C\u002Fli>\n\u003Cli>Maintained and \u003Cstrong>updated when needed\u003C\u002Fstrong> since 2014.\u003C\u002Fli>\n\u003Cli>100% compliant with \u003Cstrong>WordPress coding standards\u003C\u002Fstrong> which makes it fail safe.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>60,000+ active installations\u003C\u002Fstrong> can’t be wrong.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>If you’re happy with the plugin \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fsupport\u002Fplugin\u002Fdisable-xml-rpc-pingback\u002Freviews\u002F?filter=5\" rel=\"ugc\">please don’t forget to give it a good rating\u003C\u002Fa>, it will motivate me to keep sharing and improving this plugin (and others).\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Removes the following methods from XML-RPC interface.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>pingback.ping\u003C\u002Fli>\n\u003Cli>pingback.extensions.getPingbacks\u003C\u002Fli>\n\u003Cli>X-Pingback from HTTP headers. This will hopefully stops some bots from trying to hit your xmlrpc.php file.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Requirements\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>WordPress 3.8.1 or higher.\u003C\u002Fli>\n\u003C\u002Ful>\n","Stops abuse of your site's XML-RPC by simply removing some methods used by attackers. While you can use the rest of XML-RPC methods.",60000,420220,78,14,"2025-11-24T11:09:00.000Z","6.8.5","4.8",[19,72,20,21,22],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisable-xml-rpc-pingback.1.2.2.zip",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":104,"num_ratings":105,"last_updated":106,"tested_up_to":107,"requires_at_least":108,"requires_php":17,"tags":109,"homepage":112,"download_link":113,"security_score":26,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"remove-xmlrpc-pingback-ping","Remove & Disable XML-RPC Pingback","1.6","cleverplugins","https:\u002F\u002Fprofiles.wordpress.org\u002Fcleverplugins\u002F","\u003Cp>Prevent your WordPress site from participating and being a victim of pingback denial of service attacks. \u003Cstrong>After activation the plugin automatically disables XML-RPC. There’s no need to configure anything.\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>By disabling the XML-RPC pingback you’ll:\u003Cbr \u002F>\n* lower your server CPU usage\u003Cbr \u002F>\n* prevent malicious scripts from using your site to run pingback denial of service attacks\u003Cbr \u002F>\n* prevent malicious scripts to run denial of service attacks on your site via pingback\u003C\u002Fp>\n\u003Cp>From sucuri.net:\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Ch4>Learn More\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fwptavern.com\u002Fhow-to-prevent-wordpress-from-participating-in-pingback-denial-of-service-attacks\" rel=\"nofollow ugc\">How To Prevent WordPress From Participating In Pingback Denial of Service Attacks\u003C\u002Fa> – wptavern.com\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fblog.sucuri.net\u002F2014\u002F03\u002Fmore-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html\" rel=\"nofollow ugc\">More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack\u003C\u002Fa> – sucuri.net\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"http:\u002F\u002Fhackguard.com\u002Fxmlrpc-php-ping-backs-hackers-denial-service-attacks\" rel=\"nofollow ugc\">xmlrpc.php and Pingbacks and Denial of Service Attacks, Oh My!\u003C\u002Fa> – hackguard.com\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Is Your Site Attacking Others?\u003C\u002Fh4>\n\u003Cp>Use \u003Ca href=\"http:\u002F\u002Flabs.sucuri.net\u002F?is-my-wordpress-ddosing\" rel=\"nofollow ugc\">Sucuri’s WordPress DDOS Scanner\u003C\u002Fa> to check if your site is DDOS’ing other websites\u003C\u002Fp>\n\u003Ch4>Why Not Just Disable XMLRPC Altogether?\u003C\u002Fh4>\n\u003Cp>Yes, you can choose to do that, but if you use popular plugins like JetPack (that use XMLRPC) then those plugins will stop working. That is why this small plugin exists.\u003C\u002Fp>\n","Prevent pingback, XML-RPC and denial of service DDOS attacks by disabling the XML-RPC pingback functionality.",9000,94267,60,6,"2023-07-24T23:03:00.000Z","6.3.8","5.2",[110,111,72,22,23],"disable-ping","ping","http:\u002F\u002Fwordpress.org\u002Fplugins\u002Fremove-xmlrpc-pingback-ping","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fremove-xmlrpc-pingback-ping.1.6.zip",{"slug":115,"name":116,"version":117,"author":118,"author_profile":119,"description":120,"short_description":121,"active_installs":122,"downloaded":123,"rating":104,"num_ratings":124,"last_updated":125,"tested_up_to":126,"requires_at_least":127,"requires_php":49,"tags":128,"homepage":134,"download_link":135,"security_score":136,"vuln_count":13,"unpatched_count":13,"last_vuln_date":27,"fetched_at":28},"manage-xml-rpc","Manage XML-RPC","1.0.2","brainvireinfo","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrainvireinfo\u002F","\u003Cp>You can now disable XML-RPC to avoid Brute force attack for given IPs or can even enable access for some IPs. XML-RPC on WordPress is actually an API that gives developers who build mobile apps, desktop apps and other services, the ability to talk to a WordPress site. The XML-RPC API that WordPress provides gives developers, a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Block XML-RPC by following way.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable pingback.ping, pingback.extensions.getPingbacks and Unset X-Pingback from HTTP headers, that will block bots to access specified method.\u003C\u002Fli>\n\u003Cli>Disable\u002FBlock XML-RPC for all users.\u003C\u002Fli>\n\u003C\u002Ful>\n","Enable\u002FDisable XML-RPC for all or based on IP list, also you can control pingback and Unset X-Pingback from HTTP headers.",6000,64108,4,"2024-12-02T07:10:00.000Z","6.7.5","4.0",[129,130,131,132,133],"block-xml-rpc","brute-force-attacks","security","xml-rpc-pingback","xmlrpc-php-attack","http:\u002F\u002Fwww.brainvire.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmanage-xml-rpc.1.0.2.zip",92,{"attackSurface":138,"codeSignals":150,"taintFlows":157,"riskAssessment":158,"analyzedAt":161},{"hooks":139,"ajaxHandlers":146,"restRoutes":147,"shortcodes":148,"cronEvents":149,"entryPointCount":13,"unprotectedCount":13},[140],{"type":141,"name":142,"callback":143,"file":144,"line":145},"filter","xmlrpc_enabled","__return_false","simple-xml-rpc-disabler.php",32,[],[],[],[],{"dangerousFunctions":151,"sqlUsage":152,"outputEscaping":154,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":156},[],{"prepared":13,"raw":13,"locations":153},[],{"escaped":13,"rawEcho":13,"locations":155},[],[],[],{"summary":159,"deductions":160},"The \"simple-xml-rpc-disabler\" plugin, version 1.1.0, exhibits an excellent security posture based on the provided static analysis. The absence of any identified entry points such as AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the attack surface.  Furthermore, the code analysis reveals no dangerous functions, no raw SQL queries (all prepared statements), and all outputs are properly escaped.  The lack of file operations, external HTTP requests, nonce checks, and capability checks within the analyzed code suggests a well-secured codebase, especially considering the plugin's stated purpose is to disable XML-RPC. The vulnerability history is also clean, with no known CVEs, indicating a stable and secure track record for this plugin.\n\nWhile the plugin's current state appears highly secure, the analysis is limited by the reported zero flows in taint analysis. It's possible that complex or indirect data flows might not have been detected. However, given the plugin's straightforward functionality, this is less likely to be a significant concern. The plugin's strength lies in its minimal attack surface and adherence to secure coding practices.  Without any detected vulnerabilities or concerning code patterns, this plugin appears to be a safe and reliable choice for its intended purpose.",[],"2026-03-16T22:54:26.290Z",{"wat":163,"direct":168},{"assetPaths":164,"generatorPatterns":165,"scriptPaths":166,"versionParams":167},[],[],[],[],{"cssClasses":169,"htmlComments":170,"htmlAttributes":171,"restEndpoints":172,"jsGlobals":173,"shortcodeOutput":174},[],[],[],[],[],[]]