trellis-disable-xml-rpc
Disable WordPress XML-RPC on Trellis sites.
- Goal
- Why disable WordPress XML-RPC?
- Requirements
- Installation
- Known Issues
  - Incompatible Plugins
- FAQs
  - Can I use this on managed hosting?
  - It looks awesome. Where can I find some more goodies like this?
  - This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?
- Testing
  - Syntax Check
- Author Information
- Feedback
- Change log
- License
Goal
Deny all requests to WordPress XML-RPC (i.e. /wp/xmlrpc.php) at the Nginx level.
Why disable WordPress XML-RPC?
- Kinsta: What is WordPress XML-RPC and How To Stop an Attack
- WPMU DEV: XML-RPC and Why It’s Time to Remove it for WordPress Security
- Sucuri: New Brute Force Attacks Exploiting XMLRPC in WordPress
- Incapsula: WordPress Default Leaves Millions of Sites Exploitable for DDoS Attacks
- LittleBizzy: How (And Why) To Disable WordPress XML-RPC
Requirements
- Trellis 17c26fc or later
- Ansible v2.6 or later
Installation
Add this role to requirements.yml:
# requirements.yml
- src: https://github.com/ItinerisLtd/trellis-disable-xml-rpc
  version: 0.2.0 # Check for latest version!
Run the command:
➜ ansible-galaxy install -r requirements.yml --force
Add the role into dev.yml and server.yml, immediately after role: wordpress-setup:
roles:
  # Some other Trellis roles ...
  - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] }
  - { role: trellis-disable-xml-rpc, tags: [nginx, wordpress, wordpress-setup] }
  # Some other Trellis roles ...
Then, re-provision as usual:
# https://roots.io/trellis/docs/local-development-setup/
➜ vagrant reload --provision
# https://roots.io/trellis/docs/remote-server-setup/
➜ ansible-playbook server.yml -e env=<environment>
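A post-provision check for the steps above, as an added example that is not part of this role or its README: it POSTs a harmless demo.sayHello XML-RPC call to /wp/xmlrpc.php and reports whether WordPress answered. It assumes curl is installed; https://example.test, the function names and the treatment of 403/404/410 as "blocked" are assumptions of this example, since the README does not state which status the role returns.

```shell
#!/bin/sh
# Added example (not part of the role): confirm XML-RPC is denied after provisioning.
# Assumes curl is installed; https://example.test below is a placeholder site URL.

# Harmless probe: WordPress ships a demo.sayHello XML-RPC method.
XMLRPC_PROBE='<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params/></methodCall>'

# classify_xmlrpc STATUS BODY -> prints blocked | exposed | unknown.
# An XML-RPC answer in the body means PHP handled the request, whatever the status.
classify_xmlrpc() {
  case "$2" in
    *"<methodResponse>"* | *"XML-RPC server accepts POST requests only"*)
      echo exposed
      return 0
      ;;
  esac
  case "$1" in
    403 | 404 | 410) echo blocked ;; # assumption: refused before reaching WordPress
    *) echo unknown ;;               # 000 (no reply), redirects, 5xx: inspect by hand
  esac
}

# check_xmlrpc BASE_URL [PATH ...] -> exit status 0 only if every path is blocked.
# The ( ... ) body runs in a subshell, so variables and the temp file stay local.
check_xmlrpc() (
  base="${1%/}"
  shift
  [ "$#" -gt 0 ] || set -- /wp/xmlrpc.php
  tmp="$(mktemp)" || exit 2
  trap 'rm -f "$tmp"' EXIT
  rc=0
  for path in "$@"; do
    : > "$tmp" # drop the previous body so a failed request cannot reuse it
    status="$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
      -H 'Content-Type: text/xml' --data "$XMLRPC_PROBE" "$base$path")" || true
    result="$(classify_xmlrpc "$status" "$(cat "$tmp")")"
    printf '%-8s HTTP %s  %s%s\n' "$result" "$status" "$base" "$path"
    [ "$result" = blocked ] || rc=1
  done
  exit "$rc"
)

# Usage: sh check-xmlrpc.sh https://example.test
if [ "$#" -gt 0 ]; then
  check_xmlrpc "$@"
else
  echo "usage: $0 BASE_URL [PATH ...]" >&2
fi
```

The non-zero exit status on anything other than "blocked" lets the script gate a deploy pipeline; extra paths can be passed after the base URL.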
Known Issues
Incompatible Plugins
Unfortunately, some plugins still rely on WordPress XML-RPC:
FAQs
Can I use this on managed hosting?
No, you can't use this on managed hosting such as Kinsta or WP Engine.
You can disable WordPress XML-RPC using filters:
- xmlrpc_enabled - The name is misleading: it only controls XML-RPC methods that require authentication.
- xmlrpc_methods
- xmlrpc_element_limit
Or, just use our plugin - itineris-disable-xml-rpc
It looks awesome. Where can I find some more goodies like this?
- Articles on Itineris' blog
- More projects on Itineris' GitHub profile
- Follow @itineris_ltd and @TangRufus on Twitter
- Hire Itineris to build your next awesome site
This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?
Thanks! Glad you like it. It's important to let my boss know somebody is using this project. Instead of giving reviews on wp.org, consider:
- tweet something good mentioning @itineris_ltd
- star this GitHub repo
- watch this GitHub repo
- write blog posts
- submit pull requests
- hire Itineris
Testing
Syntax Check
➜ ansible-playbook -i 'localhost,' --syntax-check tests/test.yml
Author Information
trellis-disable-xml-rpc is an Itineris Limited project created by Tang Rufus.
Special thanks to the Roots team, whose Trellis makes this project possible.
The full list of contributors can be found here.
Feedback
Please provide feedback! We want to make this library useful in as many projects as possible. Please submit an issue and point out what you do and don't like, or fork the project and make suggestions. No issue is too small.
Change log
Please see CHANGELOG for more information on what has changed recently.
License
trellis-disable-xml-rpc is released under the MIT License.