[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKkHPTmAPrAeJvnP1HPop2GUwZi5_SZ1rS5_GJuMapj4":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":23,"download_link":24,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27,"vulnerabilities":28,"developer":29,"crawl_stats":26,"alternatives":33,"analysis":130,"fingerprints":213},"xml-rpc-settings","XML-RPC Settings","1.2.1","vavkamil","https:\u002F\u002Fprofiles.wordpress.org\u002Fvavkamil\u002F","\u003Ch3>XML-RPC Settings\u003C\u002Fh3>\n\u003Cp>Configure XML-RPC methods to increase the security of your website:\u003C\u002Fp>\n\u003Ch4>Built-in features could be used for malicious purposes and cannot be disabled by default.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable GET access\n\u003Cul>\n\u003Cli>XML-RPC API only responds to POST requests. 
Direct GET access is not needed and can be used to fingerprint websites and use them as XML-RPC zombies in later attacks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable system.multicall\n\u003Cul>\n\u003Cli>system.multicall method can be misused for amplification attacks.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable system.listMethods\n\u003Cul>\n\u003Cli>system.listMethods method can be used for verifying attack scope.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Prevent malicious actors from enumerating usernames and credentials.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable authenticated methods\n\u003Cul>\n\u003Cli>Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Pingbacks are a helpful feature to discover back-links to your posts but can be misused for DDoS attacks or allow fingerprinting your WP version.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable pingbacks\n\u003Cul>\n\u003Cli>Pingbacks are generally safe, but are often used for DDoS attacks via system.multicall.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Remove X-Pingback header\n\u003Cul>\n\u003Cli>If you decide to disable pingbacks, it’s a good practice to remove the X-Pingback header returned by your posts.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Hide WordPress version when verifying pingbacks\n\u003Cul>\n\u003Cli>Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Hide WordPress version when sending pingbacks\n\u003Cul>\n\u003Cli>Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Unnecessary XML-RPC API, leave enabled if you are not 
sure.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Disable Demo API\n\u003Cul>\n\u003Cli>Remove demo.sayHello and demo.addTwoNumbers methods, as they are not needed.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable Blogger API\n\u003Cul>\n\u003Cli>WordPress supports the Blogger XML-RPC API methods.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable MetaWeblog API\n\u003Cul>\n\u003Cli>WordPress supports the metaWeblog XML-RPC API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003Cli>Disable MovableType API\n\u003Cul>\n\u003Cli>WordPress supports the MovableType XML-RPC API.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>If you are using some integrations or WP mobile applications, it might be a good idea to allow XML-RPC only to specific IPs.\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Allow XML-RPC only for\n\u003Cul>\n\u003Cli>IP comma separated eg. 192.168.10.242, 192.168.10.241\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>It is possible to hide a message between the allowed methods when system.listMethods is called (not recommended).\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Add message to XML-RPC methods\n\u003Cul>\n\u003Cli>We are hiring! 
Check jobs.yourdomains.com\u003C\u002Fli>\n\u003C\u002Ful>\n\u003C\u002Fli>\n\u003C\u002Ful>\n","Secure your website with the most comprehensive XML-RPC Settings plugin.",30,1840,0,"2021-11-25T07:56:00.000Z","5.8.13","3.9","5.3",[19,20,21,22],"brute-force","ddos","security","xmlrpc","https:\u002F\u002Fgithub.com\u002Fvavkamil\u002Fxml-rpc-settings","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxml-rpc-settings.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":30,"total_installs":11,"avg_security_score":25,"avg_patch_time_days":11,"trust_score":31,"computed_at":32},1,84,"2026-04-04T15:10:36.024Z",[34,54,75,92,111],{"slug":35,"name":36,"version":37,"author":38,"author_profile":39,"description":40,"short_description":41,"active_installs":42,"downloaded":43,"rating":44,"num_ratings":45,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":52,"download_link":53,"security_score":44,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"stop-xml-rpc-attacks","Stop XML-RPC Attacks","2.0.0","Pascal CESCATO","https:\u002F\u002Fprofiles.wordpress.org\u002Fpcescato\u002F","\u003Cp>Stop XML-RPC Attacks protects your WordPress site from XML-RPC brute force attacks, DDoS attempts, and reconnaissance probes while maintaining compatibility with essential services like Jetpack and WooCommerce.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Three security modes: Full Disable, Guest Disable, or Selective Blocking\u003C\u002Fli>\n\u003Cli>Blocks dangerous methods: system.multicall, pingback.ping, and more\u003C\u002Fli>\n\u003Cli>Compatible with Jetpack and WooCommerce\u003C\u002Fli>\n\u003Cli>Optional user enumeration blocking\u003C\u002Fli>\n\u003Cli>Attack logging for monitoring\u003C\u002Fli>\n\u003Cli>Zero configuration required – works out of the box\u003C\u002Fli>\n\u003Cli>Clean, intuitive admin 
interface\u003C\u002Fli>\n\u003C\u002Ful>\n","Blocks dangerous XML-RPC methods while preserving Jetpack, WooCommerce, and mobile apps compatibility.",6000,26717,100,4,"2026-01-01T13:41:00.000Z","6.9.4","6.0","7.4",[19,20,51,21,22],"jetpack","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstop-xml-rpc-attacks.2.0.0.zip",{"slug":55,"name":56,"version":57,"author":58,"author_profile":59,"description":60,"short_description":61,"active_installs":42,"downloaded":62,"rating":63,"num_ratings":45,"last_updated":64,"tested_up_to":65,"requires_at_least":66,"requires_php":52,"tags":67,"homepage":72,"download_link":73,"security_score":74,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"manage-xml-rpc","Manage XML-RPC","1.0.2","brainvireinfo","https:\u002F\u002Fprofiles.wordpress.org\u002Fbrainvireinfo\u002F","\u003Cp>You can now disable XML-RPC to avoid Brute force attack for given IPs or can even enable access for some IPs. XML-RPC on WordPress is actually an API that gives developers who build mobile apps, desktop apps and other services, the ability to talk to a WordPress site. 
The XML-RPC API that WordPress provides gives developers, a way to write applications (for you) that can do many of the things that you can do when logged into WordPress via the web interface.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>Block XML-RPC by following way.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Disable pingback.ping, pingback.extensions.getPingbacks and Unset X-Pingback from HTTP headers, that will block bots to access specified method.\u003C\u002Fli>\n\u003Cli>Disable\u002FBlock XML-RPC for all users.\u003C\u002Fli>\n\u003C\u002Ful>\n","Enable\u002FDisable XML-RPC for all or based on IP list, also you can control pingback and Unset X-Pingback from HTTP headers.",64108,60,"2024-12-02T07:10:00.000Z","6.7.5","4.0",[68,69,21,70,71],"block-xml-rpc","brute-force-attacks","xml-rpc-pingback","xmlrpc-php-attack","http:\u002F\u002Fwww.brainvire.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmanage-xml-rpc.1.0.2.zip",92,{"slug":76,"name":77,"version":78,"author":79,"author_profile":80,"description":81,"short_description":82,"active_installs":83,"downloaded":84,"rating":44,"num_ratings":45,"last_updated":85,"tested_up_to":86,"requires_at_least":87,"requires_php":52,"tags":88,"homepage":52,"download_link":91,"security_score":25,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"protection-against-ddos","Protection Against DDoS","1.5.2","WPChef","https:\u002F\u002Fprofiles.wordpress.org\u002Fwpchefgadget\u002F","\u003Cp>This plugin resolves performance issues caused by brute force attacks described in the WordPress Codex here: \u003Ca href=\"https:\u002F\u002Fcodex.wordpress.org\u002FBrute_Force_Attacks\" rel=\"nofollow ugc\">https:\u002F\u002Fcodex.wordpress.org\u002FBrute_Force_Attacks\u003C\u002Fa>\u003C\u002Fp>\n\u003Cblockquote>\n\u003Cp>\u003Cstrong>From WordPress Codex:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>\u003Cem>Due to the nature of these attacks, you may find your server’s memory goes through the 
roof, causing performance problems. This is because the number of http requests (that is the number of times someone visits your site) is so high that servers run out of memory.\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>\u003Cem>A common attack point on WordPress is to hammer the wp-login.php file over and over until they get in or the server dies. You can do some things to protect yourself.\u003C\u002Fem>\u003C\u002Fp>\n\u003C\u002Fblockquote>\n\u003Cp>Protection Against DDoS plugin addresses these issues very well.\u003C\u002Fp>\n\u003Cp>It also allows to deny access to common WordPress features that get frequently attacked, like xmlrpc or RSS feeds pages.\u003C\u002Fp>\n\u003Cp>CloudFlare users can allow or deny access for visitors from specified countries.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>All checks are done via the .htaccess file so that bogus requests can’t even reach your WordPress site and get bounced at the web server level.\u003C\u002Fstrong> You can also specify exactly where they can be bounced to.\u003C\u002Fp>\n\u003Ch4>Compatibility\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Doesn’t have any known conflicts with any other security plugins.\u003C\u002Fli>\n\u003Cli>Fully compatible with WordPress multisites.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>Advanced users can get more technical information on the \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fprotection-against-ddos\u002Ffaq\u002F\" rel=\"ugc\">FAQ page\u003C\u002Fa>.\u003C\u002Fp>\n","Protects your login, xmlrpc and RSS feeds pages against DDoS attacks. 
Denies access to your site from certain countries via CloudFlare.",3000,48497,"2020-04-29T14:17:00.000Z","5.4.19","3.5.2",[19,20,89,90,21],"login","peformance","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprotection-against-ddos.1.5.2.zip",{"slug":93,"name":94,"version":95,"author":96,"author_profile":97,"description":98,"short_description":99,"active_installs":100,"downloaded":101,"rating":102,"num_ratings":103,"last_updated":104,"tested_up_to":47,"requires_at_least":105,"requires_php":106,"tags":107,"homepage":109,"download_link":110,"security_score":44,"vuln_count":13,"unpatched_count":13,"last_vuln_date":26,"fetched_at":27},"wp-login-delay","Login Delay Shield","2.1.4","michael.damoiseau","https:\u002F\u002Fprofiles.wordpress.org\u002Fmichaeldamoiseau\u002F","\u003Cp>WordPress is one of the most widely used content management systems on the internet, making it a frequent target for bots and hackers attempting brute-force attacks.\u003C\u002Fp>\n\u003Cp>A brute-force attack works by systematically trying passwords until finding the correct one. Login Delay Shield defends against this by adding a configurable delay after each failed login attempt. Since successful logins are never delayed, legitimate users experience no slowdown. 
This approach is particularly effective against bots that send thousands of login requests, as each failed attempt forces the attacker to wait before trying the next password.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Features:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Login delay\u003C\u002Fstrong> — Fixed or random delay on failed login attempts (1-10 seconds)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Progressive delay\u003C\u002Fstrong> — Delay increases with each consecutive failed attempt from the same IP\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP lockout\u003C\u002Fstrong> — Temporarily block IP addresses after too many failed attempts\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Username-aware lockout strategy\u003C\u002Fstrong> — Choose \u003Ccode>IP only\u003C\u002Fcode> or \u003Ccode>IP + username\u003C\u002Fcode> to reduce false positives on shared networks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Login feedback\u003C\u002Fstrong> — Shows remaining attempts before lockout and a lockout countdown when blocked\u003C\u002Fli>\n\u003Cli>\u003Cstrong>IP whitelist\u003C\u002Fstrong> — Bypass all security measures for trusted IPs (supports CIDR notation)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Email notifications\u003C\u002Fstrong> — Receive alerts when failed login thresholds are reached\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Failed login log\u003C\u002Fstrong> — Track all failed attempts with a dashboard widget showing recent activity\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC protection\u003C\u002Fstrong> — Apply delays to XML-RPC authentication or block it entirely\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Log retention\u003C\u002Fstrong> — Automatic cleanup of old log entries (configurable retention period)\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Accessible admin interface\u003C\u002Fstrong> — WCAG 2.1 compliant with keyboard navigation and screen reader support\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multilingual\u003C\u002Fstrong> — Translated into 18 
languages including French, German, Spanish, Japanese, Chinese, Arabic, and more\u003C\u002Fli>\n\u003Cli>Lightweight and compatible with other security plugins\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>This plugin is not a complete security solution — dedicated security plugins offer more comprehensive protection.\u003C\u002Fem> However, Login Delay Shield adds an effective layer of defense that works alongside your existing security measures without conflict.\u003C\u002Fp>\n\u003Cp>\u003Cem>Note: This plugin was formerly known as “WP Login Delay”.\u003C\u002Fem>\u003C\u002Fp>\n","Login Delay Shield slows down brute-force attacks by adding a configurable delay to failed login attempts while keeping successful logins instant.",80,4181,88,5,"2026-03-10T03:28:00.000Z","3.5.1","5.4",[19,108,89,21,22],"lockout","https:\u002F\u002Fdamoiseau.me","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-login-delay.2.1.4.zip",{"slug":112,"name":113,"version":114,"author":115,"author_profile":116,"description":117,"short_description":118,"active_installs":119,"downloaded":120,"rating":44,"num_ratings":30,"last_updated":121,"tested_up_to":122,"requires_at_least":105,"requires_php":52,"tags":123,"homepage":52,"download_link":127,"security_score":128,"vuln_count":30,"unpatched_count":30,"last_vuln_date":129,"fetched_at":27},"authentication-and-xmlrpc-log-writer","Authentication and xmlrpc log writer","1.2.2","Federico Rota","https:\u002F\u002Fprofiles.wordpress.org\u002Fmrrotella\u002F","\u003Cp>This plugin writes the log of failed access attempts (brute force attack) and invalids pingbacks requests ( by xmlrpc.php ). 
Very useful to process data via fail2ban.\u003Cbr \u002F>\nYou can activate the log for each pingback request feature and stop the user enumeration method (by redirecting to the home) with log.\u003Cbr \u002F>\nIf activated it removes the wordpress version number and meta generator in the head section of your site.\u003Cbr \u002F>\nIf activated it disables xmlrpc methods that require authentication, in order to avoid brute force attack by xmlrpc. Use this feature if you don’t need these xmlrpc methods.\u003Cbr \u002F>\nIf activated can kill multiple requests in a single xmlrpc call returning a 401 code on xmlrpc login error. This feature may be useful to prevent server overloading on brute force attack by xmlrpc.\u003Cbr \u002F>\nYou can also view your CUSTOM error log in the admin panel.\u003C\u002Fp>\n\u003Ch4>You can write error by\u003C\u002Fh4>\n\u003Col>\n\u003Cli>SYSLOG\u003C\u002Fli>\n\u003Cli>APACHE ERROR_LOG\u003C\u002Fli>\n\u003Cli>CUSTOM a custom error log file (the used path needs to be writable or APACHE ERROR LOG will be used)\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Log examples\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\n\u003Cp>SYSLOG\u003C\u002Fp>\n\u003Cpre>\u003Ccode>Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`\nDec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\nDec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\nDec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>APACHE\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 
140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`, referer: SITE_ADDRESS\u002Fwp-login.php\n[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`, referer: SITE_ADDRESS\u002Fxmlrpc.php\n[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`, referer: SITE_ADDRESS\u002Fxmlrpc.php\n[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003Cli>\n\u003Cp>CUSTOM\u003C\u002Fp>\n\u003Cpre>\u003Ccode>[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`\n[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Pingback requested for `PINGBACK_URL` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) User enumeration attempt generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>fail2ban configuration\u003C\u002Fh4>\n\u003Cp>See the FAQ section\u003C\u002Fp>\n\u003Ch4>Log viewer\u003C\u002Fh4>\n\u003Cp>Log viewer is available only in CUSTOM mode. 
Note: the log path and the file must exist.\u003C\u002Fp>\n\u003Ch4>Localization\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>English (default) – always included\u003C\u002Fli>\n\u003Cli>Italian – since 1.1.3 version\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Translations\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>English – default, always included\u003C\u002Fli>\n\u003Cli>Italiano – disponibile dalla versione 1.1.3\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cem>Note:\u003C\u002Fem> Feel free to translate this plugin in your language. This is very important for all users worldwide. So please contribute your language to the plugin to make it even more useful. For translating I recommend the \u003Ca href=\"http:\u002F\u002Fwww.poedit.net\u002F\" rel=\"nofollow ugc\">“Poedit Editor”\u003C\u002Fa>.\u003C\u002Fp>\n","Log of failed access, pingbacks, user enumeration, disable xmlrpc authenticated methods, kill xmlrpc request on authentication error.",70,4603,"2016-11-18T13:47:00.000Z","4.7.32",[124,19,125,21,126],"authentication-logger","fail2ban","xmlrpc-hack","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fauthentication-and-xmlrpc-log-writer.1.2.2.zip",63,"2025-08-13 
00:00:00",{"attackSurface":131,"codeSignals":197,"taintFlows":204,"riskAssessment":205,"analyzedAt":212},{"hooks":132,"ajaxHandlers":193,"restRoutes":194,"shortcodes":195,"cronEvents":196,"entryPointCount":13,"unprotectedCount":13},[133,139,143,148,151,154,157,160,164,168,171,174,177,180,183,186,189],{"type":134,"name":135,"callback":136,"file":137,"line":138},"action","admin_menu","xmlrpc_settings_options_page","xml-rpc-settings.php",24,{"type":134,"name":140,"callback":141,"file":137,"line":142},"admin_init","xmlrpc_settings_register_settings",32,{"type":144,"name":145,"callback":146,"file":137,"line":147},"filter","xmlrpc_methods","xmlrpc_settings_disable_get_access",443,{"type":144,"name":145,"callback":149,"file":137,"line":150},"xmlrpc_settings_disable_xmlrpc_multicall",447,{"type":144,"name":145,"callback":152,"file":137,"line":153},"xmlrpc_settings_disable_xmlrpc_listmethods",452,{"type":144,"name":145,"callback":155,"file":137,"line":156},"xmlrpc_settings_disable_xmlrpc_auth",457,{"type":144,"name":145,"callback":158,"file":137,"line":159},"xmlrpc_settings_disable_xmlrpc_pingbacks",462,{"type":144,"name":161,"callback":162,"file":137,"line":163},"wp_headers","xmlrpc_settings_disable_xmlrpc_header",467,{"type":144,"name":165,"callback":166,"file":137,"line":167},"http_request_args","xmlrpc_settings_disable_xmlrpc_verify_agent",472,{"type":144,"name":165,"callback":169,"file":137,"line":170},"xmlrpc_settings_disable_xmlrpc_send_agent",477,{"type":144,"name":145,"callback":172,"file":137,"line":173},"xmlrpc_settings_disable_xmlrpc_demo",482,{"type":144,"name":145,"callback":175,"file":137,"line":176},"xmlrpc_settings_disable_xmlrpc_blogger",487,{"type":144,"name":145,"callback":178,"file":137,"line":179},"xmlrpc_settings_disable_xmlrpc_metaweblog",492,{"type":144,"name":145,"callback":181,"file":137,"line":182},"xmlrpc_settings_disable_xmlrpc_movabletype",497,{"type":144,"name":145,"callback":184,"file":137,"line":185},"xmlrpc_settings_xmlrpc_allowed_ip",502,{
"type":144,"name":145,"callback":187,"file":137,"line":188},"xmlrpc_settings_xmlrpc_methods_message",507,{"type":134,"name":190,"callback":191,"file":137,"line":192},"init","xmlrpc_settings_disable_xmlrpc_onpage_load",513,[],[],[],[],{"dangerousFunctions":198,"sqlUsage":199,"outputEscaping":201,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":30,"bundledLibraries":203},[],{"prepared":13,"raw":13,"locations":200},[],{"escaped":11,"rawEcho":13,"locations":202},[],[],[],{"summary":206,"deductions":207},"The \"xml-rpc-settings\" plugin v1.2.1 demonstrates a strong security posture based on the provided static analysis. The absence of any identified dangerous functions, SQL queries without prepared statements, unescaped output, file operations, external HTTP requests, or unhandled taint flows is commendable.  Furthermore, the plugin effectively utilizes capability checks to secure its entry points.  The lack of any recorded vulnerabilities in its history, including critical or high-severity issues, further reinforces its apparent safety.  However, the absence of any identified entry points (AJAX, REST API, shortcodes, cron events) means there are no explicit mechanisms for the plugin to interact with the WordPress environment or user input, which could be interpreted as either a sign of a very focused and secure plugin or potentially a plugin with limited functionality where security concerns are less likely to arise.\n\nWhile the plugin exhibits excellent security hygiene in its code and a clean vulnerability history, the complete lack of any attack surface is unusual. This could indicate a plugin that is purely for configuration within the WordPress dashboard without any front-end or back-end processing that would typically expose it to common attack vectors. 
Without any identified entry points, it's difficult to assess potential risks associated with how it might handle data or interact with other parts of WordPress if such interactions were to be implemented. Therefore, while the current analysis shows a very secure plugin, the complete absence of an attack surface warrants a note of caution, as it might limit the scope of the analysis or suggest a very specific, non-interactive use case.",[208,210],{"reason":209,"points":103},"No identified entry points for analysis",{"reason":211,"points":103},"No nonce checks identified","2026-03-16T22:32:56.347Z",{"wat":214,"direct":219},{"assetPaths":215,"generatorPatterns":216,"scriptPaths":217,"versionParams":218},[],[],[],[],{"cssClasses":220,"htmlComments":221,"htmlAttributes":229,"restEndpoints":244,"jsGlobals":245,"shortcodeOutput":246},[],[222,223,222,224,222,225,222,226,222,227,222,228],"\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F\u002F","\u002F\u002F Disable GET access:","\u002F\u002F Disable system.multicall:","\u002F\u002F Disable system.listMethods:","\u002F\u002F Disable authenticated methods:","\u002F\u002F Disable pingbacks:","\u002F\u002F Remove X-Pingback 
header:",[230,231,232,233,234,235,236,237,238,239,240,241,242,243],"name=\"allow_disallow_get_access\"","name=\"allow_disallow_multicall\"","name=\"allow_disallow_listmethods\"","name=\"allow_disallow_auth\"","name=\"allow_disallow_pingbacks\"","name=\"allow_disallow_header\"","name=\"allow_disallow_verify_agent\"","name=\"allow_disallow_send_agent\"","name=\"allow_disallow_demo\"","name=\"allow_disallow_blogger\"","name=\"allow_disallow_metaweblog\"","name=\"allow_disallow_movabletype\"","name=\"allowed_ip\"","name=\"methods_message\"",[],[],[]]