<?php
/*
Plugin Name: Disable XML-RPC
Plugin URI: https://www.littlebizzy.com/plugins/disable-xml-rpc
Description: Disables all XML-RPC functions
Version: 2.0.2
Requires PHP: 7.0
Author: LittleBizzy
Author URI: https://www.littlebizzy.com
License: GPLv3
License URI: http://www.gnu.org/licenses/gpl-3.0.html
GitHub Plugin URI: littlebizzy/disable-xml-rpc
Primary Branch: master
*/
// Prevent direct access: ABSPATH is only defined once WordPress has bootstrapped,
// so a bare HTTP request for this file gets nothing.
defined( 'ABSPATH' ) || exit;
// Git Updater integration: registering this plugin's basename on `gu_override_dot_org`
// tells Git Updater to source updates from the GitHub repo named in the header rather
// than wordpress.org. Late priority (999) so it runs after other overrides.
add_filter(
    'gu_override_dot_org',
    static function ( $overrides ) {
        $overrides[] = 'disable-xml-rpc/disable-xml-rpc.php';
        return $overrides;
    },
    999
);
// Switch off the XML-RPC API. `xmlrpc_enabled` is consulted in the server's login
// step, so on its own it only blocks methods that require authentication; the
// unauthenticated ones (e.g. pingback.ping) are covered by the other hooks below.
add_filter( 'xmlrpc_enabled', '__return_false', 10, 1 );

// Belt and braces: should any XML-RPC method still be dispatched, answer 403
// and stop before the server writes a response body.
add_action( 'xmlrpc_call', static function () {
    header( 'HTTP/1.1 403 Forbidden' );
    exit;
}, 10, 0 );
// Drop the RSD discovery <link> so the document head no longer advertises
// the XML-RPC endpoint.
remove_action( 'wp_head', 'rsd_link' );

// Force the site-wide defaults for pingbacks and trackbacks on new content to
// "off" by short-circuiting the option lookups. `__return_zero` yields int 0,
// which is !== false and therefore accepted by the `pre_option_*` short-circuit.
// Existing posts keep whatever per-post ping status they already have.
foreach ( [ 'default_ping_status', 'default_pingback_flag' ] as $ping_option ) {
    add_filter( "pre_option_{$ping_option}", '__return_zero' );
}
unset( $ping_option ); // this file runs in global scope; don't leave the loop variable behind
// On Settings → Discussion, hide the pingback/trackback checkboxes that the
// `pre_option_*` filters have made ineffective, so admins aren't misled.
add_action( 'admin_enqueue_scripts', static function ( $hook ) {
    if ( 'options-discussion.php' !== $hook ) {
        return;
    }

    // NOTE(review): attached to the 'dashboard' style handle; assumes that
    // stylesheet is enqueued on the Discussion screen — confirm, otherwise the
    // inline CSS is never printed.
    $hide_ping_controls = '
.form-table td label[for="default_pingback_flag"],
.form-table td label[for="default_pingback_flag"] + br,
.form-table td label[for="default_ping_status"],
.form-table td label[for="default_ping_status"] + br {
display: none;
}
';
    wp_add_inline_style( 'dashboard', $hide_ping_controls );
} );
// Strip the X-Pingback response header so ordinary page responses stop
// pointing crawlers at xmlrpc.php.
add_filter( 'wp_headers', static function ( $headers ) {
    unset( $headers['X-Pingback'] );

    return $headers;
} );
// Unregister the XML-RPC methods that expose users, content, taxonomies,
// comments or pingbacks. Any method not in this list (for example the system.*,
// demo.* and legacy blogger/metaWeblog/mt namespaces WordPress registers) stays
// registered and is only covered by `xmlrpc_enabled` and the xmlrpc.php guard.
add_filter( 'xmlrpc_methods', static function ( $methods ) {
    $blocked = [
        // pingbacks
        'pingback.ping',
        'pingback.extensions.getPingbacks',
        // user / profile enumeration
        'wp.getUsersBlogs',
        'wp.getAuthors',
        'wp.getProfile',
        'wp.getUser',
        'wp.getUsers',
        // posts, pages and media
        'wp.newPost',
        'wp.newPage',
        'wp.editPost',
        'wp.editPage',
        'wp.deletePost',
        'wp.deletePage',
        'wp.getPost',
        'wp.getPage',
        'wp.getPosts',
        'wp.getPages',
        'wp.getMediaItem',
        'wp.getMediaLibrary',
        'wp.getRevisions',
        'wp.restoreRevision',
        // taxonomies and terms
        'wp.getCategories',
        'wp.getTags',
        'wp.getTaxonomies',
        'wp.getTerms',
        'wp.newTerm',
        'wp.editTerm',
        'wp.deleteTerm',
        // comments
        'wp.getComment',
        'wp.getComments',
        'wp.newComment',
        'wp.editComment',
        'wp.deleteComment',
        'wp.getCommentCount',
        'wp.getCommentStatus',
        'wp.getCommentTypes',
    ];

    // unset() on a missing key is a no-op, so this is safe whatever subset is registered.
    foreach ( $blocked as $method_name ) {
        unset( $methods[ $method_name ] );
    }

    return $methods;
} );
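// Refuse requests to xmlrpc.php outright, before any XML-RPC method can be
// dispatched. Two signals are checked and either is sufficient:
//   * the XMLRPC_REQUEST constant, which xmlrpc.php defines before it loads
//     WordPress, so it is reliable by the time `init` fires;
//   * the script filename reported by the SAPI (the original check, kept for
//     parity). SCRIPT_FILENAME can name a front controller under some FastCGI
//     setups, which is why it is no longer the only check.
// Priority 1 so this runs ahead of other `init` handlers. status_header() emits
// the status line using the request's actual protocol instead of a hard-coded
// "HTTP/1.1".
add_action( 'init', static function () {
    $is_xmlrpc_request = defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST;
    $is_xmlrpc_script  = isset( $_SERVER['SCRIPT_FILENAME'] )
        && basename( $_SERVER['SCRIPT_FILENAME'] ) === 'xmlrpc.php';

    if ( $is_xmlrpc_request || $is_xmlrpc_script ) {
        status_header( 403 );
        exit;
    }
}, 1 );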
// Ref: ChatGPT