Title: Disable XML-RPC-API
Author: Amin Nazemi
Published: October 1, 2020
Last modified: February 4, 2026

---


![](https://ps.w.org/disable-xml-rpc-api/assets/banner-772x250.jpg?rev=2391445)

![](https://ps.w.org/disable-xml-rpc-api/assets/icon-256x256.png?rev=2391445)

# Disable XML-RPC-API

 By [Amin Nazemi](https://profiles.wordpress.org/aminnz/)

[Download](https://downloads.wordpress.org/plugin/disable-xml-rpc-api.zip)


## Description

Protect your website from XML-RPC brute-force, DoS and DDoS attacks. This plugin
disables XML-RPC and trackbacks/pingbacks on your WordPress website.

**PLUGIN FEATURES**
 (Each of these options can be enabled or disabled individually)

 * Disable access to the xmlrpc.php file using the .htaccess file
 * Automatically change the .htaccess file permission to read-only (0444)
 * Disable X-pingback to minimize CPU usage
 * Disable selected methods from XML-RPC
 * Remove pingback-ping link from header
 * Disable trackbacks and pingbacks to avoid spammers and hackers
 * Rename XML-RPC slug to whatever you want
 * Black list IPs for XML-RPC
 * White list IPs for XML-RPC
 * Some options to speed up your WordPress website
 * Disable JSON REST API
 * Hide WordPress Version
 * Disable built-in WordPress file editor
 * Disable wlw manifest
 * And some other options

**What is XML-RPC**

XML-RPC, or XML Remote Procedure Call, is a protocol which uses XML to encode its
calls and HTTP as a transport mechanism.
Beginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option
to disable/enable XML-RPC was removed. For various reasons, site owners may wish to
disable this functionality. This plugin provides an easy way to do so.

**Why you should disable XML-RPC**
 _XML-RPC has two main weaknesses_

 * Brute force attacks:
    Attackers try to log in to WordPress through xmlrpc.php with as many
   username/password combinations as they can enter. A method within xmlrpc.php
   allows the attacker to use a single command (system.multicall) to guess hundreds
   of passwords. Daniel Cid at Sucuri described it well in October 2015: “With only
   3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing
   security tools that are designed to look and block brute force attempts.”
 * Denial of Service attacks via Pingback:
    Back in 2013, attackers sent Pingback requests through xmlrpc.php of
   approximately 2500 WordPress sites to “herd (these sites) into a voluntary
   botnet,” according to Gur Schatz at Incapsula. “This gives any attacker a
   virtually limitless set of IP addresses to Distribute a Denial of Service attack
   across a network of over 100 million WordPress sites, without having to
   compromise them.”
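A defender-side check for the batching described above, as an added example that is not part of the plugin or of this page: it parses a request body sent to xmlrpc.php and flags `system.multicall` batches that repeat one method many times. The threshold, the function names and the placeholder method `demo.authenticatedMethod` are assumptions, and the sample bodies are constructed.

```python
import xmlrpc.client
from collections import Counter

MAX_SUBCALLS = 5  # assumed threshold; tune to what legitimate clients of your site send


def inspect_xmlrpc_body(body: bytes, max_subcalls: int = MAX_SUBCALLS) -> dict:
    """Classify one POST body sent to xmlrpc.php: ok, suspicious or reject."""
    # xmlrpc.client is not hardened against hostile XML, and XML-RPC never
    # needs a DTD, so refuse DOCTYPE/ENTITY declarations before parsing.
    lowered = body.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return {"verdict": "reject", "reason": "DTD in request body"}
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # malformed XML, or a fault document instead of a call
        return {"verdict": "reject", "reason": "not a parseable XML-RPC call"}
    if method != "system.multicall":
        return {"verdict": "ok", "method": method, "subcalls": 1}
    # system.multicall carries one parameter: an array of
    # {"methodName": ..., "params": [...]} structs, all run in one HTTP request.
    batch = params[0] if params and isinstance(params[0], list) else []
    calls = [c for c in batch if isinstance(c, dict)]
    per_method = Counter(str(c.get("methodName")) for c in calls)
    top_method, top_count = per_method.most_common(1)[0] if per_method else (None, 0)
    # The same method repeated with different arguments is the guessing pattern.
    distinct_args = len({repr(c.get("params")) for c in calls
                         if str(c.get("methodName")) == top_method})
    verdict = "suspicious" if top_count > max_subcalls else "ok"
    return {"verdict": verdict, "method": method, "subcalls": len(calls),
            "top_method": top_method, "top_count": top_count,
            "distinct_args": distinct_args}


def constructed_multicall(n: int) -> bytes:
    """Constructed sample: one request batching n calls to a placeholder method."""
    calls = [{"methodName": "demo.authenticatedMethod",
              "params": ["constructed-user", f"constructed-secret-{i}"]}
             for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


if __name__ == "__main__":
    single = xmlrpc.client.dumps(("hello",), methodname="demo.ping").encode()
    for name, body in [("single", single), ("batch of 3", constructed_multicall(3)),
                       ("batch of 200", constructed_multicall(200))]:
        print(name, inspect_xmlrpc_body(body))
```

Because the batch arrives as a single HTTP request, per-request rate limits never see it; counting the sub-calls inside the body is what exposes it.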


## Installation

 1. Upload the disable-xml-rpc directory to the `/wp-content/plugins/` directory in
    your WordPress installation
 2. Activate the plugin through the ‘Plugins’ menu in WordPress
 3. XML-RPC-API is now disabled!

To re-enable XML-RPC, just deactivate the plugin through the ‘Plugins’ menu.

## FAQ

### Is there an admin interface for this plugin?

Yes. You can find “XML-RPC Security” in your admin menu.

### How do I know if the plugin is working?

There are three easy methods for checking if XML-RPC is off:

 1. The easiest way is to go to this URL: http://yourdomain/xmlrpc.php (enter your
    domain name instead of ‘yourdomain’). If you see “Access forbidden!” or a
    “403 error”, it’s working.
 2. Try using an XML-RPC client, like the official WordPress mobile apps. The
    WordPress mobile app should tell you that “XML-RPC services are disabled on
    this site” if the plugin is activated.
 3. Or you can try the XML-RPC Validator, written by Danilo Ercoli of the Automattic
    Mobile Team. The tool is available at [http://xmlrpc.eritreo.it/](http://xmlrpc.eritreo.it/)
    with a blog post about it at [http://daniloercoli.com/2012/05/15/wordpress-xml-rpc-endpoint-validator/](http://daniloercoli.com/2012/05/15/wordpress-xml-rpc-endpoint-validator/).
    Keep in mind that you want the validator to fail and tell you that XML-RPC
    services are disabled.

### Something doesn’t seem to be working correctly

If the plugin is activated, but XML-RPC appears to still be working … OR … the plugin
is deactivated, but XML-RPC is not working, then it’s possible that another plugin
or theme function is affecting the plugin functions.

## Reviews


### [does what it should](https://wordpress.org/support/topic/does-what-it-should-120/)

 [bugscout](https://profiles.wordpress.org/bugscout/) September 11, 2025

I tried 3 plugins, this does what it should 🙂


### [Harmful](https://wordpress.org/support/topic/harmful-2/)

 [firafiki](https://profiles.wordpress.org/firafiki/) August 19, 2025, 1 reply

Website crashed, error 500 server. All PHP files were modified. But I’m not sure which
dumb person downloaded it at my company website. 4 days to settle all the issues.


### [Error](https://wordpress.org/support/topic/error-1818/)

 [elmo2000](https://profiles.wordpress.org/elmo2000/) August 14, 2023, 3 replies

My whole site crashed. 500 server error (.htaccess failure). Uninstalled, found another
solution.


### [Hotlinking](https://wordpress.org/support/topic/hotlinking-6/)

 [ajaxy12](https://profiles.wordpress.org/ajaxy12/) June 9, 2023, 1 reply

Could you please add the capability to exclude specific domain names from the Disable
Hotlinking and Leaching of Your Content section? We want to show some of our content
on another website via iframe.


### [DO NOT INSTALL THIS! **PHP BACKDOOR**](https://wordpress.org/support/topic/do-not-install-this-php-backdoor/)

 [ben2358723823567](https://profiles.wordpress.org/ben2358723823567/) May 29, 2023, 2 replies

WARNING! This extension will sneakily inject obfuscated yanz backdoor PHP scripts
in your document root and will hijack your WordPress site. THREE of my customers’
websites were hacked this week and the ONLY extension that they all have in common
that recently got installed is Disable XML-RPC-API. They literally have nothing
else in common and they don’t know each other nor use the same theme nor even the
same WordPress release. BE WARNED.


### [Spammy admin notices. Bye Bye.](https://wordpress.org/support/topic/spammy-admin-notices-bye-bye/)

 [jaywalker999](https://profiles.wordpress.org/jaywalker999/) February 13, 2023

Any plugin that shoves global notices on every admin page to cross promote their
other plugins, can have a one star review and get uninstalled. Bye.

 [Read all 42 reviews](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/)

## Contributors & Developers

“Disable XML-RPC-API” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Amin Nazemi ](https://profiles.wordpress.org/aminnz/)
 *   [ Neatma ](https://profiles.wordpress.org/neatmarketing/)

“Disable XML-RPC-API” has been translated into 4 locales. Thank you to [all the translators](https://translate.wordpress.org/projects/wp-plugins/disable-xml-rpc-api/contributors)
for their contributions to this plugin.

[Translate “Disable XML-RPC-API” into Chinese (Taiwan)](https://translate.wordpress.org/projects/wp-plugins/disable-xml-rpc-api)

### Interested in development?

Anyone can [browse the code](https://plugins.trac.wordpress.org/browser/disable-xml-rpc-api/),
check out the [SVN repository](https://plugins.svn.wordpress.org/disable-xml-rpc-api/), or
subscribe to the [development log](https://plugins.trac.wordpress.org/log/disable-xml-rpc-api/)
by [RSS](https://plugins.trac.wordpress.org/log/disable-xml-rpc-api/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial release

#### 1.0.1

 * Fix bugs

#### 1.0.5

 * Remove pingback link tag in header
 * Add ability to fix htaccess file permission

#### 1.0.6

 * Fix warnings for htaccess permission

#### 1.0.7

 * Fix blank page when using W3 Total Cache and some other cache plugins

#### 1.0.8

 * Fix code conflict with Autoptimize plugin

#### 1.0.9

 * WordPress 5.7 compatible
 * Fix some issues

#### 2.0.0

 * Fix code conflict with some other plugin
 * Fix hiding data in WooCommerce Product Tabs

#### 2.1.0

 * Major Update
 * Add “XML-RPC Security” settings menu
 * Add some new features
 * Fix plugin deactivation bug

#### 2.1.1

 * Add new feature: fix hotlinks
 * Change notification timing

#### 2.1.2

 * Add an option to disable auto change htaccess permission
 * Fix “DISALLOW_FILE_EDIT” warning
 * WordPress 5.8 compatibility

#### 2.1.3

 * Fix compatibility issue with WordPress 5.9
 * Fix htaccess cleaning function

#### 2.1.4

 * Fix some minor bugs
 * Refactor the entire codebase
 * Add a fallback function for situations where .htaccess is not working

#### 2.1.4.2

 * Hotfix for error on update

#### 2.1.4.3

 * Hotfix for error on removing v metadata

#### 2.1.4.4

 * Fix warning undefined variable $htaccess_code when disable hotlink fix is off
 * Fix warning Undefined array key “plugins” on PHP 8+

#### 2.1.4.5

 * Fix removing pingback header issue in the last major update
 * Update tested up to wp 6.1

#### 2.1.4.7

 * Fix issues on uninstallation hook
 * Minor improvements on admin review notification

#### 2.1.4.8

 * Fix bug v wp reset API option

#### 2.1.4.9

 * Update Jetpack default whitelist IPs
 * Fix bug with update actions function
 * Keep enabling WP RSS in default settings
 * Test with WordPress 6.3 and update tested up to

#### 2.1.5

 * Hotfix for .htaccess error and disabling the admin notices

#### 2.1.6

 * Clean up the plugin code (remove unnecessary code)
 * Add VaultPress IPs to JetPack allowlist
 * Test compatibility with WordPress 6.6.1

#### 2.1.7

 * Improve disable xmlrpc fallback method
 * Test compatibility with WordPress 6.7.1

## Meta

 *  Version **2.1.7**
 *  Last updated **4 months ago**
 *  Active installations **100,000+**
 *  WordPress version **5.0 or higher**
 *  Tested up to **6.9.4**
 *  Languages: [Czech](https://cs.wordpress.org/plugins/disable-xml-rpc-api/), [Dutch](https://nl.wordpress.org/plugins/disable-xml-rpc-api/),
    [English (US)](https://wordpress.org/plugins/disable-xml-rpc-api/), [Russian](https://ru.wordpress.org/plugins/disable-xml-rpc-api/),
    and [Swedish](https://sv.wordpress.org/plugins/disable-xml-rpc-api/).
 *  [Translate this plugin into your language](https://translate.wordpress.org/projects/wp-plugins/disable-xml-rpc-api)
 *  Tags: [disable xml-rpc](https://tw.wordpress.org/plugins/tags/disable-xml-rpc/), [disable xmlrpc](https://tw.wordpress.org/plugins/tags/disable-xmlrpc/),
    [pingback](https://tw.wordpress.org/plugins/tags/pingback/), [xmlrpc](https://tw.wordpress.org/plugins/tags/xmlrpc/)
 *  [Advanced View](https://tw.wordpress.org/plugins/disable-xml-rpc-api/advanced/)

## Ratings

 4.1 out of 5 stars

 *  [32 5-star reviews](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/?filter=5)
 *  [0 4-star reviews](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/?filter=4)
 *  [1 3-star review](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/?filter=3)
 *  [2 2-star reviews](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/?filter=2)
 *  [7 1-star reviews](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/disable-xml-rpc-api/reviews/)


## Support

Users can give feedback or ask usage questions in the support forum.

 [View support forum](https://wordpress.org/support/plugin/disable-xml-rpc-api/)

## Donate

Would you like to support the development of this plugin?

 [Donate to this plugin](http://neatma.com/wpsg-plugin)