توضیحات
XML-RPC Settings
Configure XML-RPC methods to increase the security of your website:
Build-in features could be used for malicious purposes and cannot be disabled by default.
- Disable GET access
- XML-RPC API only responds to POST requests. Direct GET access is not needed and can be used to fingerprint websites and use them as XML-RPC zombies in later attacks.
- Disable system.multicall
- system.multicall method can be misused for amplification attacks.
- Disable system.listMethods
- system.listMethods method can be used for verifying attack scope.
Prevent malicious actors from enumerating usernames and credentials.
- Disable authenticated methods
- Methods requiring authentication, such as wp.getUsersBlogs, are often used to brute-force your passwords.
Pingbacks are a helpful feature to discover back-links to your posts but can be misused for DDoS attacks or allow fingerprinting your WP version.
- Disable pingbacks
- Pingbacks are generally safe, but are often used for DDoS attacks via system.multicall.
- Remove X-Pingback header
- If you decide to disable pingbacks, it’s a good practice to remove the X-Pingback header return by your posts.
- Hide WordPress version when verifying pingbacks
- Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.
- Hide WordPress version when sending pingbacks
- Pingbacks’ user-agent can reveal your exact WordPress version, even when hidden by other plugins.
Unnecessary XML-RPC API, leave enabled if you are not sure.
- Disable Demo API
- Remove demo.sayHello and demo.addTwoNumbers methods, as they are not needed.
- Disable Blogger API
- WordPress supports the Blogger XML-RPC API methods.
- Disable MetaWeblog API
- WordPress supports the metaWeblog XML-RPC API.
- Disable MovableType API
- WordPress supports the MovableType XML-RPC API.
If you are using some integrations or WP mobile applications, it might be a good idea to allow XML-RPC only to specific IPs.
- Allow XML-RPC only for
- IP comma separated eg. 192.168.10.242, 192.168.10.241
It is possible to hide a message between the allowed methods when system.listMethods is called (not recommended).
- Add message to XML-RPC methods
- We are hiring! Check jobs.yourdomains.com
عکسهای صفحه
The settings page is highly configurable, with a deep set of options available for each feature.
نصب
Secure your website using the following steps to install XML-RPC Settings:
- Install XML-RPC Settings automatically or by uploading the ZIP file.
- Activate the XML-RPC Settings through the ‘Plugins’ menu in WordPress. XML-RPC Settings is now activated.
- Go to the Settings >> XML-RPC Settings and configure the plugin based on your needs.
سوالات متداول
-
How does XML-RPC Settings protect sites from attackers?
-
The XML-RPC Settings plugin allows you to configure XML-RPC methods to increase the security of your website. For example, you can easily disable Pingback methods, which might be misused by attacks to launch DDoS attacks.
نقد و بررسیها
نقد و بررسیای برای این افزونه یافت نشد.
توسعه دهندگان و همکاران
“XML-RPC Settings” نرم افزار متن باز است. افراد زیر در این افزونه مشارکت کردهاند.
مشارکت کنندگان
ترجمه “XML-RPC Settings” به زبان شما.
علاقه مند به توسعه هستید؟
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
گزارش تغییرات
1.2.1 – October 05, 2021
- Fix callback function to register settings
1.2 – October 05, 2021
- Add
xmlrpc_settings_prefix to function names to be unique
1.1 – October 03, 2021
- Updated readme.txt and fixed grammar
1.0
- An initial release