XML-RPC Access Manager

A single-file WordPress plugin for fine-grained control over XML-RPC and REST API endpoints. Toggle XML-RPC globally or per-user role, disable specific REST routes, and log blocked requests for security monitoring.

v1.0.0 Updated 1 month ago

Features

  • XML-RPC Control: Disable XML-RPC globally or restrict by user roles
  • REST API Management: Require authentication for REST API access
  • Role-Based Permissions: Fine-grained access control per user role
  • Route Blocking: Disable specific REST API endpoints
  • Request Logging: Track and monitor blocked requests
  • Security Focused: Protect your WordPress site from unauthorized API access
  • Single File Architecture: All code in one PHP file for simplicity
  • WPCS Compliant: Follows WordPress Coding Standards
  • Translation Ready: i18n/l10n support
  • Admin Dashboard: User-friendly settings interface with tabbed layout

Quick Start

  1. Upload the plugin to your WordPress plugins directory
  2. Activate the plugin through the WordPress admin panel
  3. Configure settings at Settings > XML-RPC Manager
  4. Enable logging (optional) to monitor blocked requests

Installation

  1. Download class-yt-xml-rpc-access-manager.php
  2. Upload to /wp-content/plugins/yt-xml-rpc-access-manager/
  3. Activate through the WordPress 'Plugins' menu
  4. Configure via Settings > XML-RPC Manager

File Structure

class-yt-xml-rpc-access-manager.php    # Main plugin file
assets/css/yt-xml-rpc-access-manager-admin.css    # Admin styles
assets/js/yt-xml-rpc-access-manager-admin.js    # Admin scripts
README.md                              # This file

Plugin Architecture

Constants Defined

YT_XML_RPC_ACCESS_MANAGER_VERSION  // Plugin version number
YT_XML_RPC_ACCESS_MANAGER_BASENAME // Plugin base name
YT_XML_RPC_ACCESS_MANAGER_PATH     // Plugin directory path
YT_XML_RPC_ACCESS_MANAGER_URL      // Plugin directory URL

Main Class Methods

Core Methods

  • get_instance() - Singleton instance retrieval
  • __construct() - Initialize plugin and load options
  • xram_init_hooks() - Register WordPress hooks
  • xram_load_textdomain() - Load translations

Admin Methods

  • xram_add_admin_menu() - Add settings page to admin menu
  • xram_register_settings() - Register plugin settings and fields
  • xram_sanitize_options() - Sanitize user input
  • xram_render_settings_page() - Display tabbed settings interface
  • xram_render_logs_tab() - Display request logs
  • xram_admin_enqueue_scripts() - Load admin CSS/JS
  • xram_add_action_links() - Add settings link to plugins page

Security Control Methods

  • xram_control_xmlrpc() - Control XML-RPC access globally and by role
  • xram_filter_xmlrpc_methods() - Filter available XML-RPC methods
  • xram_control_rest_api() - Control REST API access and authentication
  • xram_filter_rest_endpoints() - Remove disabled REST routes

Logging Methods

  • xram_log_blocked_request() - Log blocked XML-RPC and REST requests
  • xram_log_xmlrpc_call() - Hook for XML-RPC call logging
  • xram_ajax_clear_logs() - Clear all request logs
  • xram_ajax_export_logs() - Export logs to CSV format

Utility Methods

  • xram_get_option() - Get option value with default
  • activate() - Run on plugin activation
  • deactivate() - Run on plugin deactivation
  • yt_xml_rpc_access_manager_uninstall() - Run on plugin deletion

Usage Examples

Disable XML-RPC Completely

  1. Go to Settings > XML-RPC Manager
  2. Check "Disable XML-RPC completely"
  3. Save changes

This blocks all XML-RPC requests, overriding any role permissions.

Allow XML-RPC for Specific Roles

  1. Go to Settings > XML-RPC Manager
  2. Uncheck "Disable XML-RPC completely"
  3. Select user roles allowed to use XML-RPC (e.g., Administrator, Editor)
  4. Save changes

Only selected roles will have XML-RPC access.

Restrict REST API Access

  1. Go to Settings > XML-RPC Manager
  2. Switch to "REST API Settings" section
  3. Check "Disable REST API for non-authenticated users"
  4. Select allowed user roles
  5. Save changes

Block Specific REST API Routes

  1. Go to Settings > XML-RPC Manager
  2. Find "Disabled Routes" field
  3. Enter routes to block (one per line):
    /wp/v2/users
    /wp/v2/users/(?P<id>[\d]+)
  4. Save changes
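As an added illustration (not code from this plugin), the snippet below shows the WordPress filters that the "Disable XML-RPC completely" setting, the "Disable REST API for non-authenticated users" setting with its allowed roles, and the route list above map onto. The `$xram_demo_settings` array and its keys are assumed stand-ins for the plugin's saved options.

```php
<?php
// Constructed settings standing in for the plugin's saved options (keys assumed).
$xram_demo_settings = array(
    'disable_xmlrpc'     => true,
    'disable_rest'       => true, // require authentication for every REST request
    'rest_allowed_roles' => array( 'administrator', 'editor' ),
    'disabled_routes'    => array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ),
);

// 1. Global XML-RPC switch. wp_xmlrpc_server::login() checks this filter before
//    authenticating, so every authenticated method returns a "disabled" fault.
//    Unauthenticated methods (e.g. pingback.ping) still respond; remove those
//    with the 'xmlrpc_methods' filter if the site does not need them.
add_filter( 'xmlrpc_enabled', function ( $enabled ) use ( $xram_demo_settings ) {
    return $xram_demo_settings['disable_xmlrpc'] ? false : $enabled;
} );

// 2. Require an authenticated user with an allowed role. WP_REST_Server passes
//    null here; returning WP_Error makes it answer 401/403 before dispatching.
add_filter( 'rest_authentication_errors', function ( $result ) use ( $xram_demo_settings ) {
    if ( null !== $result || ! $xram_demo_settings['disable_rest'] ) {
        return $result; // another handler already decided, or the setting is off
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    $roles = (array) wp_get_current_user()->roles;
    if ( ! array_intersect( $roles, $xram_demo_settings['rest_allowed_roles'] ) ) {
        return new WP_Error( 'rest_forbidden_role', 'Role not allowed to use the REST API.', array( 'status' => 403 ) );
    }
    return $result;
} );

// 3. Remove blocked routes from the endpoint table. Keys are the registered
//    route regexes, so an entry must match exactly (including the (?P<id>[\d]+)
//    part); a removed route then yields rest_no_route (404) instead of data.
add_filter( 'rest_endpoints', function ( $endpoints ) use ( $xram_demo_settings ) {
    foreach ( $xram_demo_settings['disabled_routes'] as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

The 401 returned to anonymous callers in step 2 is the response the "REST API Returns 401 Error" troubleshooting entry describes, so a route that still answers after blocking usually means the entered pattern did not match the registered regex key exactly.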

Enable Request Logging

  1. Go to Settings > XML-RPC Manager
  2. Check "Log blocked requests" in Logging Settings
  3. Save changes
  4. View logs in "Request Logs" tab

Export Logs

  1. Go to Request Logs tab
  2. Click "Export CSV" button
  3. CSV file will be downloaded automatically

Programmatic Access

// Get plugin instance
$plugin = YT_XML_RPC_Access_Manager::get_instance();

// Check if XML-RPC is disabled
$xmlrpc_disabled = $plugin->xram_get_option( 'disable_xmlrpc', false );

// Get allowed roles
$allowed_roles = $plugin->xram_get_option( 'xmlrpc_allowed_roles', array() );

Configuration Options

XML-RPC Settings

  • Disable XML-RPC: Completely blocks all XML-RPC requests
  • Allowed User Roles: Select which roles can use XML-RPC (Administrator, Editor, Author, etc.)

REST API Settings

  • Disable REST API: Requires authentication for all REST API requests
  • Allowed User Roles: Select which authenticated roles can use REST API
  • Disabled Routes: List of REST API routes to block (one per line)

Logging Settings

  • Enable Logging: Keep a log of blocked XML-RPC and REST API requests (last 500 entries)

Security Best Practices

Already Implemented:

  • Direct file access prevention
  • Capability checks (current_user_can('manage_options'))
  • Input sanitization (sanitize_text_field(), sanitize_key())
  • Output escaping (esc_html(), esc_attr(), esc_url())
  • AJAX nonce verification
  • Role-based access control
  • IP address logging for security monitoring

⚠️ Recommendations:

  • Enable logging to monitor unauthorized access attempts
  • Regularly review logs for suspicious activity
  • Disable XML-RPC if you don't use third-party apps
  • Restrict REST API access to authenticated users only
  • Block sensitive REST routes like /wp/v2/users
  • Keep the plugin updated

Use Cases

1. Complete Security Lockdown

  • Disable XML-RPC completely
  • Disable REST API for non-authenticated users
  • Block /wp/v2/users endpoint
  • Enable logging

2. Allow Mobile App Access

  • Keep XML-RPC enabled for Administrator role only
  • Allow REST API for authenticated users
  • Enable logging to monitor usage

3. Public REST API with Restrictions

  • Allow public REST API access
  • Block sensitive routes (users, settings)
  • Enable logging for security monitoring

4. Development Environment

  • Enable all access
  • Enable logging to debug API requests
  • Export logs for analysis

Troubleshooting

XML-RPC Still Accessible

  1. Ensure "Disable XML-RPC" is checked
  2. Clear WordPress cache
  3. Check for conflicting plugins
  4. Verify plugin is activated

REST API Returns 401 Error

  1. Check if "Disable REST API" is enabled
  2. Verify user is logged in
  3. Check user role permissions
  4. Review allowed roles list

Logs Not Recording

  1. Ensure "Enable Logging" is checked
  2. Save settings after enabling
  3. Trigger a blocked request to test
  4. Check WordPress database options table

Settings Not Saving

  1. Verify user has manage_options capability
  2. Check for JavaScript errors in browser console
  3. Disable other plugins temporarily
  4. Check file permissions

Development Tips

  1. Test thoroughly: Test with different user roles and scenarios
  2. Monitor logs: Enable logging during initial setup
  3. Start restrictive: Begin with stricter settings, then relax as needed
  4. Document changes: Keep track of disabled routes for maintenance
  5. Regular reviews: Periodically review logs and settings
  6. Backup first: Always backup before making security changes

Testing Checklist

  • [ ] Plugin activates without errors
  • [ ] Settings page displays correctly
  • [ ] All settings save properly
  • [ ] XML-RPC can be disabled globally
  • [ ] Role-based XML-RPC access works
  • [ ] REST API authentication works
  • [ ] Specific REST routes can be blocked
  • [ ] Request logging works correctly
  • [ ] Logs can be viewed in admin
  • [ ] Logs can be exported to CSV
  • [ ] Logs can be cleared
  • [ ] Plugin deactivates cleanly
  • [ ] Plugin uninstalls and removes all data
  • [ ] No PHP warnings or notices
  • [ ] Compatible with latest WordPress version
  • [ ] Works with PHP 7.4+
  • [ ] Settings link appears on plugins page
  • [ ] Tab switching works in admin interface
  • [ ] AJAX operations work correctly

WPCS Validation

Run PHP_CodeSniffer with WordPress standards:

phpcs --standard=WordPress class-yt-xml-rpc-access-manager.php

Performance

  • Minimal overhead: Hooks only fire when API requests are made
  • Efficient logging: Automatically limits to last 500 entries
  • Cached options: Plugin options loaded once per request
  • No database queries on frontend: Only admin interface queries database

Compatibility

  • WordPress: 5.8 or higher
  • PHP: 7.4 or higher
  • Multisite: Compatible (network activation not required)
  • Page Builders: Compatible with all major page builders
  • Themes: Theme-independent

License

GPL v2 or later

Credits

Built following WordPress Plugin Handbook and WPCS guidelines.

Support

For issues, feature requests, or contributions:

Resources

For WordPress security best practices, visit:

Changelog

1.0.0

  • Initial release
  • XML-RPC global disable
  • XML-RPC role-based access control
  • REST API authentication requirements
  • REST API role-based access control
  • REST API route blocking
  • Request logging system
  • CSV log export
  • Tabbed admin interface
  • Translation ready