Support » Plugin: WPScan - WordPress Security Scanner » XML-RPC Partly Disabled

  • Resolved cjohnson86

    (@cjohnson86)


    Hey folks,

    Love the wpscan plugin. Recently I started getting notifications that “The XML-RPC interface is partly disabled, but still allows unauthenticated requests.” However I had a plugin in place to disable XML-RPC. I tried using the xml-rpc validator at https://xmlrpc.eritreo.it/ to manually verify and it comes back with a 405 error. I tried several other plugins and still wpscan is reporting that it’s “partly disabled”. What do I need to do to fully disable it? Or maybe there’s a way to ignore/suppress/mark this alert as a false positive since I’m fairly sure XML-RPC is disabled and doesn’t represent a risk on this site?

    Thanks – let me know if I can clarify things any further.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor ethicalhack3r

    (@ethicalhack3r)

    Hi,

    Yea, a lot of plugins that claim to disable XML-RPC only disable unauthenticated calls, but still allow authenticated ones.

    The best way to disable XML-RPC is by configuring a rule at the web server level to return a 404 code when the xmlrpc.php file is accessed.

    An alternative is to just delete the xmlrpc.php file but it may be put back on subsequent WordPress updates.

    You can ignore the issue in the “Ignore vulnerabilities” pane on the right of the report page.

    I hope that helps.

    Thanks,
    Ryan
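
One way to confirm that a web-server rule like the one described in the reply above is actually in effect, as an added example that is not part of the original thread and is not the WPScan plugin's own check. The function names and the three verdict labels are this example's own; it assumes the site serves `xmlrpc.php` at its base URL.

```python
import sys
import urllib.error
import urllib.request

# Minimal XML-RPC call; system.listMethods takes no credentials.
LIST_METHODS = (b'<?xml version="1.0"?><methodCall>'
                b"<methodName>system.listMethods</methodName>"
                b"<params/></methodCall>")


def fetch(url, data=None):
    """GET (data=None) or POST the URL; return (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(get_status, post_status, post_body):
    """Turn the two probe results into a verdict (labels are this example's own)."""
    # The rule from the reply: the web server answers 404 for every method,
    # e.g. nginx `location = /xmlrpc.php { return 404; }`.
    if get_status == 404 and post_status == 404:
        return "blocked"
    # A successful methodResponse without a fault means the unauthenticated
    # call was served.
    if (post_status == 200 and "<methodResponse>" in post_body
            and "<fault>" not in post_body):
        return "enabled"
    # Anything else (405, 403, an XML-RPC fault): something still answers at
    # this path, so the request is not being dropped with a 404.
    return "partial"


def check(base_url):
    """Probe <base_url>/xmlrpc.php with a GET and a POST and classify it."""
    url = base_url.rstrip("/") + "/xmlrpc.php"
    get_status, _ = fetch(url)
    post_status, body = fetch(url, LIST_METHODS)
    return classify(get_status, post_status, body)


if __name__ == "__main__" and len(sys.argv) > 1:
    print(check(sys.argv[1]))
```

A stock WordPress `xmlrpc.php` answers a plain GET with 405 because it accepts POST requests only, so a 405 on its own does not show that the file is blocked.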

    How exactly can this be ignored? I am sick of receiving email every day about this “vulnerability”. In plugin settings I can ignore everything except for this one. There is just no option to disable this check.
