Good morning Marcus,
I just did some quick testing on a clean installation of WordPress 3.6.1 and the plugin still functions as designed. I see no indication that the filter is no longer valid. If you have documentation stating otherwise, I’d love to see it.
There are certainly various ways to accomplish the goal of blocking XML-RPC. I created this very basic plugin as a way for someone to easily disable it from within WordPress, using the filter that was exposed in core starting with WP 3.5.
Apologies, I didn’t look into the issue in detail. I simply switched the plugin on and saw that XML-RPC was still reachable. I only got as far as the “XML-RPC server accepts POST requests only” message, while I think the xmlrpc_enabled filter is checked further down the line.
There are indeed plenty of ways to block XML-RPC, and there’s no reason why your plugin should have to limit itself to just one of them. Here’s some code (go ahead and use it for free) for blocking that file with WordPress’ .htaccess, using activation hooks to make sure it’s applied with the plugin.
add_filter('mod_rewrite_rules', 'noxmlrpc_mod_rewrite_rules');
function noxmlrpc_mod_rewrite_rules($rules) {
$insert = "RewriteRule xmlrpc\.php$ - [F,L]";
$rules = preg_replace('!RewriteRule!', "$insert\n\nRewriteRule", $rules, 1);
return $rules;
}
register_activation_hook(__FILE__, 'noxmlrpc_htaccess_activate');
function noxmlrpc_htaccess_activate() {
flush_rewrite_rules(true);
}
register_deactivation_hook(__FILE__, 'noxmlrpc_htaccess_deactivate');
function noxmlrpc_htaccess_deactivate() {
remove_filter('mod_rewrite_rules', 'noxmlrpc_mod_rewrite_rules');
flush_rewrite_rules(true);
}
Marcus and/or Phil,
As of now, March 2014, in your opinion, is the plugin “Disable XML-RPC” working properly (as is) or are there modifications needed in order to have it fully block XML-RPC?
Can you explain?
Gary
It might cause problems blocking it completely. I tried it with HTACCESS a while ago and it caused problems because some plugins and services still need it:
The latest update of WordPress should help:
http://wptavern.com/recent-update-to-wordfence-security-breaks-wordpress-mobile-apps
The best course of action is to update to WordPress 3.8.2 if you haven’t already done so. Also upgrade Akismet to the latest version. Both software updates address the Denial of Service attack associated with pingbacks without having to disable XML-RPC entirely.
Gary – I apologize for the delay here. I didn’t receive the notification that you had posted a comment.
The plugin is still doing what it was designed to do – disable the XML-RPC API in the same way that the old option in Settings used to do. As mentioned in the WPTavern article that Christine mentions (http://wptavern.com/recent-update-to-wordfence-security-breaks-wordpress-mobile-apps), this does not disable pingbacks. Unfortunately, a few sites have mistakenly mentioned recently that it is effecting in stopping the pingback DDoS attacks. Until I read the WPTavern article just now, I didn’t realize that Network Solutions had said this.
The main reason that I was interested in creating this very simple plugin was for a couple of cases (and they are admittedly rare cases) where the site owner did not want the mobile applications to be able to access the site and post to it. The option could just as easily be added to the theme’s functions.php file, but I decided to create a quick plugin to easily to quickly add it to other sites regardless of the theme, if needed. I figured that I would release it when 3.5 came out, in case anyone else had similar use cases.
As was mentioned in the WPTavern article, updating Akismet and updating WordPress core to 3.8.2 is the best bet for thwarting the DDos. As well as disabling pingbacks in the settings and for all of your existing posts, if you don’t need or want pingbacks.
