[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9tFW3E0M-jE4lAu2uAnJ-_pq0uvOd-yMnF9RZF4zEUw":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":14,"last_updated":15,"tested_up_to":16,"requires_at_least":17,"requires_php":18,"tags":19,"homepage":25,"download_link":26,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29,"vulnerabilities":30,"developer":31,"crawl_stats":28,"alternatives":38,"analysis":130,"fingerprints":193},"stop-xml-rpc-attacks","Stop XML-RPC Attacks","2.0.0","Pascal CESCATO","https:\u002F\u002Fprofiles.wordpress.org\u002Fpcescato\u002F","\u003Cp>Stop XML-RPC Attacks protects your WordPress site from XML-RPC brute force attacks, DDoS attempts, and reconnaissance probes while maintaining compatibility with essential services like Jetpack and WooCommerce.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Three security modes: Full Disable, Guest Disable, or Selective Blocking\u003C\u002Fli>\n\u003Cli>Blocks dangerous methods: system.multicall, pingback.ping, and more\u003C\u002Fli>\n\u003Cli>Compatible with Jetpack and WooCommerce\u003C\u002Fli>\n\u003Cli>Optional user enumeration blocking\u003C\u002Fli>\n\u003Cli>Attack logging for monitoring\u003C\u002Fli>\n\u003Cli>Zero configuration required – works out of the box\u003C\u002Fli>\n\u003Cli>Clean, intuitive admin interface\u003C\u002Fli>\n\u003C\u002Ful>\n","Blocks dangerous XML-RPC methods while preserving Jetpack, WooCommerce, and mobile apps 
compatibility.",6000,26717,100,4,"2026-01-01T13:41:00.000Z","6.9.4","6.0","7.4",[20,21,22,23,24],"brute-force","ddos","jetpack","security","xmlrpc","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstop-xml-rpc-attacks.2.0.0.zip",0,null,"2026-03-15T15:16:48.613Z",[],{"slug":32,"display_name":7,"profile_url":8,"plugin_count":33,"total_installs":34,"avg_security_score":13,"avg_patch_time_days":35,"trust_score":36,"computed_at":37},"pcescato",3,6100,30,94,"2026-04-04T01:05:44.505Z",[39,56,77,94,113],{"slug":40,"name":41,"version":42,"author":43,"author_profile":44,"description":45,"short_description":46,"active_installs":35,"downloaded":47,"rating":27,"num_ratings":27,"last_updated":48,"tested_up_to":49,"requires_at_least":50,"requires_php":51,"tags":52,"homepage":53,"download_link":54,"security_score":55,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"xml-rpc-settings","XML-RPC Settings","1.2.1","vavkamil","https:\u002F\u002Fprofiles.wordpress.org\u002Fvavkamil\u002F","\u003Ch3>XML-RPC Settings\u003C\u002Fh3>\n\u003Cp>Configure XML-RPC methods to increase the security of your website:\u003C\u002Fp>\n\u003Ch4>Built-in features could be used for malicious purposes and cannot be disabled by default.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable GET access\n\u003Cul>\n\u003Cli>XML-RPC API only responds to POST requests. 
Direct GET access is not needed and can be used to fingerprint websites and use them as XML-RPC zombies in later attacks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable system.multicall\n\u003Cul>\n\u003Cli>system.multicall method can be misused for amplification attacks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable system.listMethods\n\u003Cul>\n\u003Cli>system.listMethods method can be used for verifying attack scope.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Prevent malicious actors from enumerating usernames and credentials.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable authenticated methods\n\u003Cul>\n\u003Cli>Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Pingbacks are a helpful feature to discover back-links to your posts but can be misused for DDoS attacks or allow fingerprinting your WP version.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable pingbacks\n\u003Cul>\n\u003Cli>Pingbacks are generally safe, but are often used for DDoS attacks via system.multicall.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Remove X-Pingback header\n\u003Cul>\n\u003Cli>If you decide to disable pingbacks, it’s a good practice to remove the X-Pingback header returned by your posts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Hide WordPress version when verifying pingbacks\n\u003Cul>\n\u003Cli>Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Hide WordPress version when sending pingbacks\n\u003Cul>\n\u003Cli>Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Unnecessary XML-RPC API, leave enabled if you are not 
sure.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable Demo API\n\u003Cul>\n\u003Cli>Remove demo.sayHello and demo.addTwoNumbers methods, as they are not needed.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable Blogger API\n\u003Cul>\n\u003Cli>WordPress supports the Blogger XML-RPC API methods.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable MetaWeblog API\n\u003Cul>\n\u003Cli>WordPress supports the metaWeblog XML-RPC API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable MovableType API\n\u003Cul>\n\u003Cli>WordPress supports the MovableType XML-RPC API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>If you are using some integrations or WP mobile applications, it might be a good idea to allow XML-RPC only to specific IPs.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Allow XML-RPC only for\n\u003Cul>\n\u003Cli>IP comma separated eg. 192.168.10.242, 192.168.10.241\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>It is possible to hide a message between the allowed methods when system.listMethods is called (not recommended).\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Add message to XML-RPC methods\n\u003Cul>\n\u003Cli>We are hiring! 
Check jobs.yourdomains.com\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n","Secure your website with the most comprehensive XML-RPC Settings plugin.",1840,"2021-11-25T07:56:00.000Z","5.8.13","3.9","5.3",[20,21,23,24],"https:\u002F\u002Fgithub.com\u002Fvavkamil\u002Fxml-rpc-settings","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxml-rpc-settings.zip",85,{"slug":57,"name":58,"version":59,"author":60,"author_profile":61,"description":62,"short_description":63,"active_installs":11,"downloaded":64,"rating":65,"num_ratings":14,"last_updated":66,"tested_up_to":67,"requires_at_least":68,"requires_php":25,"tags":69,"homepage":74,"download_link":75,"security_score":76,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"manage-xml-rpc","Manage XML-RPC","1.0.2","brainvireinfo","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrainvireinfo\u002F","\u003Cp>You can now disable XML-RPC to avoid Brute force attack for given IPs or can even enable access for some IPs. XML-RPC on WordPress is actually an API that gives developers who build mobile apps, desktop apps and other services, the ability to talk to a WordPress site. 
The XML-RPC API that WordPress provides gives developers, a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Block XML-RPC by following way.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable pingback.ping, pingback.extensions.getPingbacks and Unset X-Pingback from HTTP headers, that will block bots to access specified method.\u003C\u002Fli>\n\u003Cli>Disable\u002FBlock XML-RPC for all users.\u003C\u002Fli>\n\u003C\u002Ful>\n","Enable\u002FDisable XML-RPC for all or based on IP list, also you can control pingback and Unset X-Pingback from HTTP headers.",64108,60,"2024-12-02T07:10:00.000Z","6.7.5","4.0",[70,71,23,72,73],"block-xml-rpc","brute-force-attacks","xml-rpc-pingback","xmlrpc-php-attack","http:\u002F\u002Fwww.brainvire.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmanage-xml-rpc.1.0.2.zip",92,{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":13,"num_ratings":14,"last_updated":87,"tested_up_to":88,"requires_at_least":89,"requires_php":25,"tags":90,"homepage":25,"download_link":93,"security_score":55,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"protection-against-ddos","Protection Against DDoS","1.5.2","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>This plugin resolves performance issues caused by brute force attacks described in the WordPress Codex here: \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FBrute_Force_Attacks\" rel=\"nofollow ugc\">https:\u002F\u002Fcodex.wordpress.org\u002FBrute_Force_Attacks\u003C\u002Fa>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>From WordPress Codex:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cem>Due to the nature of these attacks, you may find your server’s memory goes through the 
roof, causing performance problems. This is because the number of http requests (that is the number of times someone visits your site) is so high that servers run out of memory.\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>\u003Cem>A common attack point on WordPress is to hammer the wp-login.php file over and over until they get in or the server dies. You can do some things to protect yourself.\u003C\u002Fem>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Protection Against DDoS plugin addresses these issues very well.\u003C\u002Fp>\n\u003Cp>It also allows to deny access to common WordPress features that get frequently attacked, like xmlrpc or RSS feeds pages.\u003C\u002Fp>\n\u003Cp>CloudFlare users can allow or deny access for visitors from specified countries.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>All checks are done via the .htaccess file so that bogus requests can’t even reach your WordPress site and get bounced at the web server level.\u003C\u002Fstrong> You can also specify exactly where they can be bounced to.\u003C\u002Fp>\n\u003Ch4>Compatibility\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Doesn’t have any known conflicts with any other security plugins.\u003C\u002Fli>\n\u003Cli>Fully compatible with WordPress multisites.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Advanced users can get more technical information on the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fprotection-against-ddos\u002Ffaq\u002F\" rel=\"ugc\">FAQ page\u003C\u002Fa>.\u003C\u002Fp>\n","Protects your login, xmlrpc and RSS feeds pages against DDoS attacks. 
Denies access to your site from certain countries via CloudFlare.",3000,48497,"2020-04-29T14:17:00.000Z","5.4.19","3.5.2",[20,21,91,92,23],"login","peformance","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprotection-against-ddos.1.5.2.zip",{"slug":95,"name":96,"version":97,"author":98,"author_profile":99,"description":100,"short_description":101,"active_installs":102,"downloaded":103,"rating":104,"num_ratings":105,"last_updated":106,"tested_up_to":16,"requires_at_least":107,"requires_php":108,"tags":109,"homepage":111,"download_link":112,"security_score":13,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"wp-login-delay","Login Delay Shield","2.1.4","michael.damoiseau","https:\u002F\u002Fprofiles.wordpress.org\u002Fmichaeldamoiseau\u002F","\u003Cp>WordPress is one of the most widely used content management systems on the internet, making it a frequent target for bots and hackers attempting brute-force attacks.\u003C\u002Fp>\n\u003Cp>A brute-force attack works by systematically trying passwords until finding the correct one. Login Delay Shield defends against this by adding a configurable delay after each failed login attempt. Since successful logins are never delayed, legitimate users experience no slowdown. 
This approach is particularly effective against bots that send thousands of login requests, as each failed attempt forces the attacker to wait before trying the next password.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Login delay\u003C\u002Fstrong> — Fixed or random delay on failed login attempts (1-10 seconds)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Progressive delay\u003C\u002Fstrong> — Delay increases with each consecutive failed attempt from the same IP\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP lockout\u003C\u002Fstrong> — Temporarily block IP addresses after too many failed attempts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Username-aware lockout strategy\u003C\u002Fstrong> — Choose \u003Ccode>IP only\u003C\u002Fcode> or \u003Ccode>IP + username\u003C\u002Fcode> to reduce false positives on shared networks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login feedback\u003C\u002Fstrong> — Shows remaining attempts before lockout and a lockout countdown when blocked\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP whitelist\u003C\u002Fstrong> — Bypass all security measures for trusted IPs (supports CIDR notation)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email notifications\u003C\u002Fstrong> — Receive alerts when failed login thresholds are reached\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Failed login log\u003C\u002Fstrong> — Track all failed attempts with a dashboard widget showing recent activity\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC protection\u003C\u002Fstrong> — Apply delays to XML-RPC authentication or block it entirely\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Log retention\u003C\u002Fstrong> — Automatic cleanup of old log entries (configurable retention period)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Accessible admin interface\u003C\u002Fstrong> — WCAG 2.1 compliant with keyboard navigation and screen reader support\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multilingual\u003C\u002Fstrong> — Translated into 18 
languages including French, German, Spanish, Japanese, Chinese, Arabic, and more\u003C\u002Fli>\n\u003Cli>Lightweight and compatible with other security plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>This plugin is not a complete security solution — dedicated security plugins offer more comprehensive protection.\u003C\u002Fem> However, Login Delay Shield adds an effective layer of defense that works alongside your existing security measures without conflict.\u003C\u002Fp>\n\u003Cp>\u003Cem>Note: This plugin was formerly known as “WP Login Delay”.\u003C\u002Fem>\u003C\u002Fp>\n","Login Delay Shield slows down brute-force attacks by adding a configurable delay to failed login attempts while keeping successful logins instant.",80,4181,88,5,"2026-03-10T03:28:00.000Z","3.5.1","5.4",[20,110,91,23,24],"lockout","https:\u002F\u002Fdamoiseau.me","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-login-delay.2.1.4.zip",{"slug":114,"name":115,"version":116,"author":117,"author_profile":118,"description":119,"short_description":120,"active_installs":102,"downloaded":121,"rating":13,"num_ratings":122,"last_updated":123,"tested_up_to":67,"requires_at_least":25,"requires_php":124,"tags":125,"homepage":128,"download_link":129,"security_score":76,"vuln_count":27,"unpatched_count":27,"last_vuln_date":28,"fetched_at":29},"xmlrpc-lockdown","XMLRPC Lockdown by AO Digital","2.0","aodigitalau","https:\u002F\u002Fprofiles.wordpress.org\u002Faodigitalau\u002F","\u003Cp>XMLRPC Lockdown by AO Digital is an advanced security plugin for WordPress. It blocks access to \u003Ccode>xmlrpc.php\u003C\u002Fcode> for all requests except those explicitly allowed, such as requests from Jetpack, the WordPress mobile app, and other specified services. 
With the latest enhancements, users can customize the list of allowed services and create custom allowances for specific IPs, URLs, or referrers directly from the WordPress admin dashboard.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Key Features:\u003C\u002Fstrong>\u003Cbr \u002F>\n– Blocks unauthorized access to \u003Ccode>xmlrpc.php\u003C\u002Fcode>, enhancing WordPress security.\u003Cbr \u002F>\n– Allows specific services like Jetpack and the WordPress mobile app to work seamlessly.\u003Cbr \u002F>\n– New settings page for managing allowed plugins and custom allowances.\u003Cbr \u002F>\n– AJAX-powered options saving for a smooth user experience.\u003Cbr \u002F>\n– Fully compatible with PHP 8.0+ and tested up to WordPress 6.7.2.\u003C\u002Fp>\n\u003Cp>Whether you’re looking to secure your site or fine-tune \u003Ccode>xmlrpc.php\u003C\u002Fcode> access, XMLRPC Lockdown by AO Digital offers a robust, user-friendly solution.\u003C\u002Fp>\n\u003Ch3>Support\u003C\u002Fh3>\n\u003Cp>For assistance with XMLRPC Lockdown by AO Digital, please visit \u003Ca href=\"http:\u002F\u002Faodigital.com.au\" rel=\"nofollow ugc\">AO Digital Support\u003C\u002Fa> or email us at support@aodigital.com.au.\u003C\u002Fp>\n","XMLRPC Lockdown by AO Digital is an advanced security plugin for WordPress. 
It blocks access to xmlrpc.php for all requests except those explicitly al &hellip;",2134,1,"2024-12-10T10:03:00.000Z","8.0",[22,126,23,127,24],"mobile-app","wordpress","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fxmlrpc-lockdown\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxmlrpc-lockdown.2.0.zip",{"attackSurface":131,"codeSignals":180,"taintFlows":188,"riskAssessment":189,"analyzedAt":192},{"hooks":132,"ajaxHandlers":176,"restRoutes":177,"shortcodes":178,"cronEvents":179,"entryPointCount":27,"unprotectedCount":27},[133,139,143,147,152,154,158,160,164,168,172],{"type":134,"name":135,"callback":136,"file":137,"line":138},"action","admin_menu","add_admin_menu","stop-xml-rpc-attacks.php",44,{"type":134,"name":140,"callback":141,"file":137,"line":142},"admin_init","register_settings",45,{"type":134,"name":144,"callback":145,"file":137,"line":146},"admin_enqueue_scripts","enqueue_admin_styles",46,{"type":148,"name":149,"callback":150,"file":137,"line":151},"filter","xmlrpc_enabled","__return_false",56,{"type":148,"name":149,"callback":153,"file":137,"line":65},"disable_for_guests",{"type":148,"name":155,"callback":156,"file":137,"line":157},"xmlrpc_methods","block_dangerous_methods",61,{"type":148,"name":155,"callback":156,"file":137,"line":159},66,{"type":134,"name":161,"callback":162,"priority":122,"file":137,"line":163},"init","remove_headers_and_links",71,{"type":134,"name":165,"callback":166,"file":137,"line":167},"send_headers","remove_pingback_header",72,{"type":148,"name":169,"callback":170,"file":137,"line":171},"xmlrpc_call","log_blocked_attempts",76,{"type":148,"name":173,"callback":174,"file":137,"line":175},"wp_headers","closure",373,[],[],[],[],{"dangerousFunctions":181,"sqlUsage":182,"outputEscaping":184,"fileOperations":27,"externalRequests":27,"nonceChecks":27,"capabilityChecks":122,"bundledLibraries":187},[],{"prepared":27,"raw":27,"locations":183},[],{"escaped":185,"rawEcho":27,"locations":186},27,[],[],[],{"summary":190,"d
eductions":191},"The \"stop-xml-rpc-attacks\" v2.0.0 plugin exhibits a very strong security posture based on the provided static analysis.  The absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events means the plugin has an extremely small attack surface, with zero entry points.  Furthermore, the code signals indicate robust security practices: no dangerous functions are used, all SQL queries utilize prepared statements, and all output is properly escaped.  The plugin also demonstrates proper handling of file operations and external HTTP requests. The sole capability check is present, which is positive, though the absence of nonce checks on AJAX handlers is moot given there are no AJAX handlers.  The lack of any identified taint flows, critical or otherwise, further reinforces its secure design. The plugin's vulnerability history is also exemplary, with zero recorded CVEs, indicating a history of secure development.  Overall, this plugin appears to be highly secure, with no immediate exploitable vulnerabilities or concerning code patterns detected.",[],"2026-03-16T18:05:51.478Z",{"wat":194,"direct":199},{"assetPaths":195,"generatorPatterns":196,"scriptPaths":197,"versionParams":198},[],[],[],[],{"cssClasses":200,"htmlComments":207,"htmlAttributes":208,"restEndpoints":209,"jsGlobals":210,"shortcodeOutput":211},[201,202,203,204,205,206],"sxra-card","sxra-option","sxra-stats","sxra-stat-box","sxra-warning","sxra-success",[],[],[],[],[]]