{"id":275786,"date":"2026-01-24T05:16:19","date_gmt":"2026-01-24T05:16:19","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/xml-rpc-control-dashboard\/"},"modified":"2026-01-24T05:56:40","modified_gmt":"2026-01-24T05:56:40","slug":"xml-rpc-control-dashboard","status":"publish","type":"plugin","link":"https:\/\/azb.wordpress.org\/plugins\/xml-rpc-control-dashboard\/","author":13667033,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.0.1","stable_tag":"1.0.1","tested":"6.9.4","requires":"5.0","requires_php":"7.4","requires_plugins":null,"header_name":"Disable XML-RPC - Dashboard Control","header_author":"aph5","header_description":"Comprehensive XML-RPC security management with dashboard widget, automated monitoring, email alerts, and intelligent rate limiting.","assets_banners_color":"596979","last_updated":"2026-01-24 05:56:40","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":0,"downloads":138,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"aph5","date":"2026-01-24 05:14:54"},"1.0.1":{"tag":"1.0.1","author":"aph5","date":"2026-01-24 05:56:40"}},"upgrade_notice":{"1.0.1":"<p>Plugin renamed to &quot;Disable XML-RPC - Dashboard Control&quot; for better search visibility. No functional changes.<\/p>","1.0.0":"<p>Initial release. 
Provides security management for WordPress XML-RPC interface.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3445967,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3445967,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3445967,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3445967,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.0.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3445967,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3445967,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3445967,"resolution":"3","location":"assets","locale":""},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3445967,"resolution":"4","location":"assets","locale":""}},"screenshots":{"1":"Dashboard widget showing XML-RPC blocked","2":"Dashboard widget showing XML-RPC enabled","3":"Settings page with enable\/disable XML-RPC","4":"Settings page with Rate limiting 
enable\/disable"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[434,232610,600,14731],"plugin_category":[54],"plugin_contributors":[254585],"plugin_business_model":[],"class_list":["post-275786","plugin","type-plugin","status-publish","hentry","plugin_tags-dashboard","plugin_tags-rate-limiting","plugin_tags-security","plugin_tags-xmlrpc","plugin_category-security-and-spam-protection","plugin_contributors-aph5","plugin_committers-aph5"],"banners":{"banner":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/banner-772x250.png?rev=3445967","banner_2x":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/banner-1544x500.png?rev=3445967","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/icon-128x128.png?rev=3445967","icon_2x":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/icon-256x256.png?rev=3445967","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/screenshot-1.png?rev=3445967","caption":"Dashboard widget showing XML-RPC blocked"},{"src":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/screenshot-2.png?rev=3445967","caption":"Dashboard widget showing XML-RPC enabled"},{"src":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/screenshot-3.png?rev=3445967","caption":"Settings page with enable\/disable XML-RPC"},{"src":"https:\/\/ps.w.org\/xml-rpc-control-dashboard\/assets\/screenshot-4.png?rev=3445967","caption":"Settings page with Rate limiting enable\/disable"}],"raw_content":"<!--section=description-->\n<ul>\n<li>XML-RPC Control Dashboard provides WordPress administrators with a way of quickly toggling on\/off the XML-RPC functionality.<\/li>\n<li>On initial installation and activation, XML-RPC will be disabled.<\/li>\n<li>It displays the current enabled\/disabled status in the dashboard, helping users avoid leaving access on unnecessarily.<\/li>\n<li>It features XML-RPC rate limiting 
functionality, providing some protection to users while XML-RPC is on.<\/li>\n<li>Rate limiting is on by default, but can be turned off. Note, however, that rate limiting is not complete protection, and we recommend disabling XML-RPC after use.<\/li>\n<\/ul>\n\n<h4>Why Control XML-RPC?<\/h4>\n\n<p>XML-RPC is a WordPress feature that allows remote access to your site. While useful for legitimate applications like mobile apps and remote publishing, it's frequently exploited for:<\/p>\n\n<ul>\n<li>Brute-force password attacks<\/li>\n<li>DDoS amplification attacks via pingbacks<\/li>\n<li>Spam distribution<\/li>\n<li>Resource exhaustion<\/li>\n<\/ul>\n\n<h4>Rate Limiting Protection<\/h4>\n\n<p>When enabled, the plugin automatically limits:<\/p>\n\n<ul>\n<li><strong>Failed Authentication<\/strong> - Maximum 5 failed login attempts per hour per IP<\/li>\n<li><strong>High-Risk Methods<\/strong> - Limits on pingback.ping, system.multicall, and other abuse-prone methods<\/li>\n<li><strong>IP Validation<\/strong> - Prevents IP spoofing by validating addresses and processing proxy headers correctly<\/li>\n<\/ul>\n\n<h4>Privacy<\/h4>\n\n<p>This plugin does not collect, store, or transmit any user data outside your WordPress installation. 
All rate limiting data is stored temporarily using WordPress transients and is automatically cleaned up.<\/p>\n\n<h3>Additional Information<\/h3>\n\n<h4>Support<\/h4>\n\n<p>For support, feature requests, or bug reports, please visit the plugin's support forum.<\/p>\n\n<h4>Contributing<\/h4>\n\n<p>Feedback is welcomed.<\/p>\n\n<h4>Security<\/h4>\n\n<p>If you discover a security vulnerability, please report it responsibly via the WordPress security team or directly to the plugin author.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>xml-rpc-control-dashboard<\/code> folder to the <code>\/wp-content\/plugins\/<\/code> directory<\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<li>View the dashboard widget on your main admin page or navigate to Settings &gt; XML-RPC Control<\/li>\n<li>Toggle XML-RPC on\/off as needed and configure rate limiting<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"will%20this%20break%20my%20mobile%20app%20or%20remote%20publishing%20tools%3F\"><h3>Will this break my mobile app or remote publishing tools?<\/h3><\/dt>\n<dd><p>If you use WordPress mobile apps or remote publishing tools (like blog editors), you'll need to keep XML-RPC enabled. The rate limiting feature provides an additional layer of defense against common automated attacks, though we still recommend disabling XML-RPC when not actively needed.<\/p><\/dd>\n<dt id=\"what%20happens%20when%20xml-rpc%20is%20disabled%3F\"><h3>What happens when XML-RPC is disabled?<\/h3><\/dt>\n<dd><p>When disabled, all XML-RPC requests will be blocked. 
This means:<\/p>\n\n<ul>\n<li>No remote publishing<\/li>\n<li>No WordPress mobile app access<\/li>\n<li>No pingbacks\/trackbacks<\/li>\n<li>Jetpack and similar plugins may have reduced functionality<\/li>\n<\/ul><\/dd>\n<dt id=\"what%20is%20the%20default%20state%20when%20i%20activate%20the%20plugin%3F\"><h3>What is the default state when I activate the plugin?<\/h3><\/dt>\n<dd><p>XML-RPC is blocked by default. If a user unblocks it, then XML-RPC rate limiting is enabled by default, but can be disabled in settings.<\/p><\/dd>\n<dt id=\"how%20does%20the%20rate%20limiting%20work%3F\"><h3>How does the rate limiting work?<\/h3><\/dt>\n<dd><p>Rate limiting tracks requests per IP address using WordPress transients (temporary data). It limits failed authentication attempts and high-risk methods to 5 per hour. This prevents basic automated attacks while allowing normal use.<\/p><\/dd>\n<dt id=\"can%20rate%20limiting%20be%20relied%20upon%3F\"><h3>Can rate limiting be relied upon?<\/h3><\/dt>\n<dd><p>We don't recommend users rely on rate limiting to secure their server. Rate limiting provides basic protection against automated attacks but has known limitations in high-concurrency scenarios. When XML-RPC is not needed, we recommend disabling it.<\/p><\/dd>\n<dt id=\"does%20this%20plugin%20work%20with%20caching%3F\"><h3>Does this plugin work with caching?<\/h3><\/dt>\n<dd><p>Yes, the plugin works with all caching solutions. Rate limiting hooks into WordPress core authentication and XML-RPC systems, which execute before cached pages are served.<\/p><\/dd>\n<dt id=\"is%20this%20compatible%20with%20jetpack%20and%20similar%20plugins%3F\"><h3>Is this compatible with Jetpack and similar plugins?<\/h3><\/dt>\n<dd><p>Yes, when XML-RPC is enabled, Jetpack and other plugins that rely on XML-RPC will continue to function normally. 
The rate limiting protects against abuse while allowing legitimate traffic.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Changed plugin name to \"Disable XML-RPC - Dashboard Control\" for improved search visibility<\/li>\n<li>No functional changes<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>Dashboard widget with quick toggle<\/li>\n<li>Settings page under Settings &gt; XML-RPC Control<\/li>\n<li>Optional rate limiting for failed auth and high-risk methods<\/li>\n<li>Secure by default (XML-RPC disabled on activation)<\/li>\n<\/ul>","raw_excerpt":"Quickly toggle XML-RPC on\/off from your dashboard. Perfect for temporarily enabling access for mobile apps, then securing your site again.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/275786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=275786"}],"author":[{"embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/aph5"}],"wp:attachment":[{"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=275786"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=275786"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=275786"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=275786"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=275786"}
,{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/azb.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=275786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}