
Disable XML-RPC – Dashboard Control

By aph5
Quickly toggle XML-RPC on/off from your dashboard. Perfect for temporarily enabling access for mobile apps, then securing your site again.
Version
1.0.1
Last updated
Jan 24, 2026
  • XML-RPC Control Dashboard gives WordPress administrators a quick way to toggle XML-RPC functionality on and off.
  • On initial installation and activation, XML-RPC is disabled.
  • It displays the current enabled/disabled status in the dashboard, helping users avoid leaving access on unnecessarily.
  • It features XML-RPC rate limiting, which provides some protection while XML-RPC is on.
  • Rate limiting is on by default but can be turned off. It is not perfect security, however, and we recommend disabling XML-RPC after use.

Why Control XML-RPC?

XML-RPC is a WordPress feature that allows remote access to your site. While useful for legitimate applications like mobile apps and remote publishing, it’s frequently exploited for:

  • Brute force password attacks
  • DDoS amplification attacks via pingbacks
  • Spam distribution
  • Resource exhaustion

Rate Limiting Protection

When enabled, the plugin automatically limits:

  • Failed Authentication – Maximum 5 failed login attempts per hour per IP
  • High-Risk Methods – Limits on pingback.ping, system.multicall, and other abuse-prone methods
  • IP Validation – Prevents IP spoofing by validating addresses and processing proxy headers correctly
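
The failed-authentication limit described above can be sketched with WordPress core hooks and transients. This is an added example, not the plugin's own code: it assumes it is loaded by WordPress (for instance as a must-use plugin), keys only on `REMOTE_ADDR`, and every `demo_*` name is hypothetical.

```php
<?php
// Added illustration, not the plugin's code. All demo_* names are hypothetical.
const DEMO_MAX_FAILURES = 5; // limit stated on this page (per hour, per IP)

function demo_xmlrpc_key(): string {
    // Assumption: key on REMOTE_ADDR only. Forwarded-for headers are
    // client-controlled unless a trusted proxy in front of the site sets them.
    $ip = filter_var( $_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP );
    return 'demo_xmlrpc_fail_' . md5( $ip ? $ip : 'invalid' );
}

function demo_xmlrpc_state(): array {
    $state = get_transient( demo_xmlrpc_key() );
    if ( ! is_array( $state ) || $state['expires'] <= time() ) {
        // No record yet, or the window has passed: start a fresh one-hour window.
        $state = array( 'count' => 0, 'expires' => time() + HOUR_IN_SECONDS );
    }
    return $state;
}

// Record every failed XML-RPC login; the error object passes through untouched.
add_filter( 'xmlrpc_login_error', function ( $error, $user ) {
    $state = demo_xmlrpc_state();
    $state['count']++;
    // TTL is the time left in the window, so repeated failures do not extend it.
    // max( 1, ... ) avoids a TTL of 0, which would mean "never expires".
    $ttl = max( 1, $state['expires'] - time() );
    set_transient( demo_xmlrpc_key(), $state, $ttl );
    return $error;
}, 10, 2 );

// Once the limit is reached, report XML-RPC as disabled for this client.
// WordPress consults this filter before XML-RPC authentication, so methods
// that require a login are refused without testing the password.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    $state = demo_xmlrpc_state();
    return $enabled && $state['count'] < DEMO_MAX_FAILURES;
} );
```

The `xmlrpc_enabled` filter only governs methods that require authentication, so unauthenticated methods such as `pingback.ping` need a separate control. Transient updates are not atomic, so concurrent requests can undercount slightly.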

Privacy

This plugin does not collect, store, or transmit any user data outside your WordPress installation. All rate limiting data is stored temporarily using WordPress transients and is automatically cleaned up.

Additional Information

Support

For support, feature requests, or bug reports, please visit the plugin’s support forum.

Contributing

Feedback is welcomed.

Security

If you discover a security vulnerability, please report it responsibly via the WordPress security team or directly to the plugin author.

Free on the Business plan
Tested up to
WordPress 6.9.1