=== Disable XML-RPC ===
Contributors: snehalpancholi
Tags: security, xmlrpc, pingback, xml-rpc, disable
Requires at least: 6.0
Tested up to: 6.7
Requires PHP: 8.1
Stable tag: 1.0.0
License: GPL-2.0+
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Disable WordPress XML-RPC entirely or block only pingbacks. Removes X-Pingback header, RSD link, and WLW manifest. Supports IP allowlist for trusted sources.

== Description ==

Disable XML-RPC gives you precise control over WordPress's XML-RPC interface, which is a common attack vector for brute-force and DDoS amplification attacks.

**Features:**

* Disable all XML-RPC with a single toggle (recommended for most sites)
* Or disable pingbacks only while keeping other XML-RPC methods active
* Remove `X-Pingback` HTTP response header
* Remove RSD (Really Simple Discovery) link from HTML head
* Remove Windows Live Writer manifest link from HTML head
* IP allowlist: specific IPs can still use XML-RPC even when it is disabled

== Installation ==

1. Upload the `disable-xmlrpc` folder to `/wp-content/plugins/`
2. Activate the plugin through the 'Plugins' menu
3. Go to Settings → Disable XML-RPC and configure your preferences

== Frequently Asked Questions ==

= I use Jetpack. Will this break it? =
Jetpack uses XML-RPC for some features. Add the Jetpack server IP to the allowlist, or use "Disable pingbacks only" mode instead of disabling all XML-RPC.

= What is the X-Pingback header? =
It announces the XML-RPC endpoint URL in HTTP headers. Removing it makes your site slightly harder to fingerprint as WordPress.

== Changelog ==

= 1.0.0 =
* Initial release.

== Upgrade Notice ==

= 1.0.0 =
Initial release.
