REST API Shield & XML-RPC Blocker

By teamredfox
A security plugin that controls XML-RPC access and specific WordPress REST API endpoints from anonymous users.
Version
1.0
Last updated
Nov 5, 2025

This plugin is designed to fundamentally strengthen the security of your WordPress site.

By default, WordPress exposes REST API endpoints such as the user list (/wp/v2/users) even to unauthenticated (anonymous) users. This risks information leakage, and the username enumeration it enables can serve as a stepping stone for brute-force attacks.

With this plugin, you can fine-tune the following security settings from the “Settings” -> “General” page in the administration area.

Key Security Features

REST API Anonymous Access Restriction:

  • Core endpoints (such as users, comments, media) and broad routes added by plugins can be specified as a blacklist.

  • Routes necessary for blog display (such as wp/v2/posts) can be specified as a whitelist to exempt them from restrictions.

  • Configure the HTTP status code (e.g., 403 Forbidden) and a custom error message to return upon access denial, preventing attackers from gaining insight into your site structure.

Complete XML-RPC Blocking:

  • Completely disable the XML-RPC functionality (xmlrpc.php) at the core WordPress level.

  • When an attacker attempts access, the plugin responds with a specified HTTP status code and a custom error message, deceptively denying access.

This plugin is highly recommended for all WordPress sites that require enhanced security.
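The blacklist/whitelist decision and the XML-RPC denial described above can be sketched with WordPress core hooks. This is an added example, not the plugin's own code: the constant and function names are hypothetical, and the route lists, status code and message are assumed values standing in for the plugin's settings.

```php
<?php
// Added example (not the plugin's code). Names prefixed "example_" / "EXAMPLE_"
// are hypothetical; the lists, 403 status and message are assumed settings.

// Assumed blacklist: route prefixes denied to anonymous visitors.
const EXAMPLE_DENY_PREFIXES  = array( '/wp/v2/users', '/wp/v2/comments', '/wp/v2/media' );
// Assumed whitelist: route prefixes that stay public and win over the blacklist.
const EXAMPLE_ALLOW_PREFIXES = array( '/wp/v2/posts' );

function example_route_matches( $route, $prefixes ) {
    foreach ( $prefixes as $prefix ) {
        // Match the prefix itself or a sub-route such as /wp/v2/users/1,
        // but not an unrelated route that merely shares the leading characters.
        if ( $route === $prefix || 0 === strpos( $route, $prefix . '/' ) ) {
            return true;
        }
    }
    return false;
}

// Runs after REST authentication, before the matched endpoint callback.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result; // Already short-circuited, or the caller is authenticated.
    }
    $route = untrailingslashit( $request->get_route() );
    if ( example_route_matches( $route, EXAMPLE_ALLOW_PREFIXES ) ) {
        return $result; // Whitelisted: exempt from restriction.
    }
    if ( example_route_matches( $route, EXAMPLE_DENY_PREFIXES ) ) {
        // Generic code and message so the response does not describe the site.
        return new WP_Error( 'rest_forbidden', 'Access denied.', array( 'status' => 403 ) );
    }
    return $result; // Neither list matched: leave core behaviour unchanged.
}, 10, 3 );

// xmlrpc.php defines XMLRPC_REQUEST before WordPress loads, so the request
// can be refused with a chosen status before any XML-RPC method runs.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'Access denied.' );
    }
} );
```

Matching is done on the route the REST server resolved, so the same rule applies whether the request arrives as /wp-json/wp/v2/users or as ?rest_route=/wp/v2/users.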

Tested up to
WordPress 6.8.3