Retriev3r
9/13/2017 - 5:37 PM

Block all XML-RPC requests except Jetpack (WordPress.com); also works for a website behind Cloudflare.

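Block all XML-RPC requests and allow only Jetpack (WordPress.com). This also works for a website behind Cloudflare, as long as the web server sees the original visitor IP address rather than the address of the Cloudflare proxy; otherwise the allow list below cannot match Jetpack's addresses.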

	# Disable XML-RPC - Security > Settings > WordPress optimizations > XML-RPC
	#
	# Denies every request for xmlrpc.php except requests from the address
	# ranges allowed below.
	# NOTE(review): Order/Deny/Allow is the Apache 2.2 access-control syntax; on
	# Apache 2.4 it requires mod_access_compat to be loaded - confirm for your server.
	# NOTE(review): "Allow from" is matched against the client address Apache sees.
	# Behind Cloudflare or another reverse proxy that is the proxy's address unless
	# a module such as mod_remoteip restores the visitor IP - verify before relying
	# on this list.
	<files xmlrpc.php>
			# Deny directives are evaluated first, then Allow; an Allow match overrides the Deny.
			Order deny,allow
			Deny from all

	   # Whitelist Jetpack / Automattic CIDR IP Address Blocks
	   # http://whois.arin.net/rest/org/AUTOM-93/nets
	   # NOTE(review): these ranges are a point-in-time copy; re-check them against
	   # the registry listing above before deploying, since a stale range either
	   # blocks Jetpack or admits addresses that are no longer Automattic's.
			Allow from 2620:115:C000::/40
			Allow from 76.74.255.0/25
			Allow from 76.74.248.128/25
			Allow from 198.181.116.0/24
			Allow from 192.0.64.0/18
			Allow from 64.34.206.0/24
			Allow from 66.155.105.128/26
			Allow from 2001:1978:1E00:3::/64
			Allow from 69.90.253.0/24
			# Optional: uncomment and replace the placeholder with your own address
			# to allow it as well.
			#Allow from MY_OWN_IP_ADDRESS
	</files>
/*
Plugin Name: Disable XML-RPC Pingback
Description: Stops abuse of your site's Pingback method from XML-RPC by simply removing it. While you can use the rest of XML-RPC methods.
Author: Samuel Aguilera
*/
// Register the callback that strips the pingback entries from the XML-RPC method table.
add_filter( 'xmlrpc_methods', 'sar_block_xmlrpc_attacks' );

/**
 * Filter callback for 'xmlrpc_methods': drops the two pingback entries.
 *
 * Only the pingback methods are removed; every other entry in the table is
 * passed through untouched, so the remaining XML-RPC methods stay reachable
 * and need their own protection.
 *
 * @param array $methods Method table keyed by XML-RPC method name
 *                       (value type not visible here - verify against caller).
 * @return array The same table without 'pingback.ping' and
 *               'pingback.extensions.getPingbacks'.
 */
function sar_block_xmlrpc_attacks( $methods ) {
   $pingback_methods = array( 'pingback.ping', 'pingback.extensions.getPingbacks' );

   // unset() on a missing key is a no-op, so no existence check is needed.
   foreach ( $pingback_methods as $method_name ) {
      unset( $methods[ $method_name ] );
   }

   return $methods;
}

// Register the callback that removes the X-Pingback entry from the response headers.
// This only stops advertising the pingback endpoint; it does not block access to it.
add_filter( 'wp_headers', 'sar_remove_x_pingback_header' );

/**
 * Filter callback for 'wp_headers': removes the 'X-Pingback' entry.
 *
 * @param array $headers Response headers keyed by header name.
 * @return array The headers without an 'X-Pingback' key; all other entries
 *               are returned unchanged.
 */
function sar_remove_x_pingback_header( $headers ) {
   $pingback_header = 'X-Pingback';

   // The lookup is an exact, case-sensitive key match.
   unset( $headers[ $pingback_header ] );

   return $headers;
}

# https://developer.wordpress.org/reference/hooks/xmlrpc_enabled/
# Force the 'xmlrpc_enabled' filter to false via the __return_false helper.
# NOTE(review): per the hook reference above, this filter governs XML-RPC methods
# that require authentication; unauthenticated methods such as pingbacks are not
# switched off by it and are handled through the 'xmlrpc_methods' filter -
# confirm against the WordPress version in use.
add_filter( 'xmlrpc_enabled', '__return_false' );