=== Disable XML-RPC - Dashboard Control ===
Contributors: aph5
Tags: xmlrpc, security, rate-limiting, dashboard
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 1.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Quickly toggle XML-RPC on/off from your dashboard. Perfect for temporarily enabling access for mobile apps, then securing your site again.

== Description ==

* XML-RPC Control Dashboard gives WordPress administrators a quick way to toggle XML-RPC on and off.
* On initial installation and activation, XML-RPC is disabled.
* It displays the current enabled/disabled status in the dashboard, helping users avoid leaving access on unnecessarily.
* It includes XML-RPC rate limiting, providing some protection while XML-RPC is on.
* Rate limiting is on by default, but can be turned off. Note that it is not perfect security, however, and we recommend XML-RPC is disabled after use.

= Why Control XML-RPC? =

XML-RPC is a WordPress feature that allows remote access to your site. While useful for legitimate applications like mobile apps and remote publishing, it is frequently exploited for:

* Brute force password attacks
* DDoS amplification attacks via pingbacks
* Spam distribution
* Resource exhaustion

= Rate Limiting Protection =

When enabled, the plugin automatically limits:

* **Failed Authentication** - Maximum 5 failed login attempts per hour per IP
* **High-Risk Methods** - Limits on pingback.ping, system.multicall, and other abuse-prone methods
* **IP Validation** - Prevents IP spoofing by validating addresses and processing proxy headers correctly

= Privacy =

This plugin does not collect, store, or transmit any user data outside your WordPress installation. All rate limiting data is stored temporarily using WordPress transients and is automatically cleaned up.

== Installation ==

1. Upload the `xml-rpc-control-dashboard` folder to the `/wp-content/plugins/` directory
2. Activate the plugin through the 'Plugins' menu in WordPress
3. View the dashboard widget on your main admin page or navigate to Settings > XML-RPC Control
4. Toggle XML-RPC on/off as needed and configure rate limiting

== Frequently Asked Questions ==

= Will this break my mobile app or remote publishing tools? =

If you use WordPress mobile apps or remote publishing tools (like blog editors), you will need to keep XML-RPC enabled. The rate limiting feature provides an additional layer of defense against common automated attacks, though we still recommend disabling XML-RPC when it is not actively needed.

= What happens when XML-RPC is disabled? =

When disabled, all XML-RPC requests will be blocked. This means:

* No remote publishing
* No WordPress mobile app access
* No pingbacks/trackbacks
* Jetpack and similar plugins may have reduced functionality

= What is the default state when I activate the plugin? =

XML-RPC is blocked by default. If a user unblocks it, XML-RPC rate limiting is enabled by default, but can be disabled in settings.

= How does the rate limiting work? =

Rate limiting tracks requests per IP address using WordPress transients (temporary data). It limits failed authentication attempts and high-risk methods to 5 per hour. This prevents basic automated attacks while allowing normal use.

= Can rate limiting be relied upon? =

We do not recommend that users rely on rate limiting to secure their server. Rate limiting provides basic protection against automated attacks but has known limitations in high-concurrency scenarios. When XML-RPC is not needed, we recommend disabling it.

= Does this plugin work with caching? =

Yes, the plugin works with all caching solutions. Rate limiting hooks into WordPress core authentication and XML-RPC systems, which execute before cached pages are served.

= Is this compatible with Jetpack and similar plugins? =

Yes, when XML-RPC is enabled, Jetpack and other plugins that rely on XML-RPC will continue to function normally. The rate limiting protects against abuse while allowing legitimate traffic.

== Screenshots ==

1. Dashboard widget showing XML-RPC blocked
2. Dashboard widget showing XML-RPC enabled
3. Settings page with enable/disable XML-RPC
4. Settings page with rate limiting enable/disable

== Changelog ==

= 1.0.1 =
* Changed plugin name to "Disable XML-RPC - Dashboard Control" for improved search visibility
* No functional changes

= 1.0.0 =
* Initial release
* Dashboard widget with quick toggle
* Settings page under Settings > XML-RPC Control
* Optional rate limiting for failed auth and high-risk methods
* Secure by default (XML-RPC disabled on activation)

== Upgrade Notice ==

= 1.0.1 =
Plugin renamed to "Disable XML-RPC - Dashboard Control" for better search visibility. No functional changes.

= 1.0.0 =
Initial release. Provides security management for the WordPress XML-RPC interface.

== Additional Information ==

= Support =

For support, feature requests, or bug reports, please visit the plugin's support forum.

= Contributing =

Feedback is welcomed.

= Security =

If you discover a security vulnerability, please report it responsibly via the WordPress security team or directly to the plugin author.
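The transient-based limiter the FAQ describes ("How does the rate limiting work?") can be sketched with core WordPress hooks alone. This is an added illustration, not the plugin's own code: the `xmlrpc_login_error`, `xmlrpc_enabled` and `xmlrpc_methods` hooks, `get_transient`/`set_transient`, `IXR_Error` and `HOUR_IN_SECONDS` are real WordPress APIs, while the `xrc_*` names and the 5-per-hour constants are assumptions chosen to match the readme.

```php
<?php
// Added example (not the plugin's code): per-IP counters in transients, 5 failed
// logins or pingbacks per hour, wired to core hooks. xrc_* names are assumptions.
const XRC_LIMIT  = 5;               // threshold stated in the readme
const XRC_WINDOW = HOUR_IN_SECONDS; // counting window; transient expiry enforces it

// Client IP from the connection itself. Do not read X-Forwarded-For here unless the
// request is known to come from a trusted proxy: that header is client-controlled.
function xrc_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}
function xrc_key( $bucket ) {
    return 'xrc_' . $bucket . '_' . md5( xrc_client_ip() );
}
function xrc_over_limit( $bucket ) {
    return (int) get_transient( xrc_key( $bucket ) ) >= XRC_LIMIT;
}
function xrc_record( $bucket ) {
    $key = xrc_key( $bucket );
    set_transient( $key, (int) get_transient( $key ) + 1, XRC_WINDOW );
}

// 1. Count each failed XML-RPC login; core applies this filter on auth failure.
add_filter( 'xmlrpc_login_error', function ( $error, $user ) {
    xrc_record( 'auth' );
    return $error;
}, 10, 2 );

// 2. Once an IP is over the limit, report XML-RPC as disabled so core rejects
//    the call before attempting another password check.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return $enabled && ! xrc_over_limit( 'auth' );
} );

// 3. Wrap pingback.ping (a high-risk method) with the same counter. The IXR
//    dispatcher expects a named function here, not a closure.
function xrc_limited_pingback( $args ) {
    if ( xrc_over_limit( 'pingback' ) ) {
        return new IXR_Error( 429, 'Too many pingback requests from this address.' );
    }
    xrc_record( 'pingback' );
    global $wp_xmlrpc_server;
    return $wp_xmlrpc_server->pingback_ping( $args );
}
add_filter( 'xmlrpc_methods', function ( $methods ) {
    $methods['pingback.ping'] = 'xrc_limited_pingback';
    return $methods;
} );
```

Because the count lives in a transient that is read and then written back, two simultaneous requests can both see the same value and only one increment is kept; this is the high-concurrency limitation the FAQ refers to, and it is why the readme still recommends disabling XML-RPC when it is not needed.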