Firewall: API & XML-RPC options explanations
The purpose of the WordPress API & XML-RPC options is to lock down certain core WordPress system features.
Recommendation: This depends on your usage and needs for certain WordPress functions and features.
The WordPress API & XML-RPC options explanations
Option: Disable XML-RPC
This option's purpose is to protect you against XML-RPC brute-force login attacks.
In this blog post we explain:
- what XML-RPC system is
- what it lets you do
- why you might want to disable it and how
Important: If this option is disabled, you should be aware of certain implications.
If you want to completely turn off the whole XML-RPC system, click to disable this option.
How to check and confirm XML-RPC functionality is disabled?
There is a very simple website provided to help you confirm that your XML-RPC is disabled.
- Go to: http://xmlrpc.eritreo.it/
- Enter your WordPress site URL in the ‘Address’ field
- Click the ‘Check’ button.
You should receive a response page detailing how your XML-RPC server isn’t available.
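The same check can be run locally instead of through a third-party website. The script below is an added example, not part of Shield Security or the original article. The page does not say how a site answers once XML-RPC is off, so the verdict names and the rule that anything other than a valid XML-RPC response counts as unavailable are assumptions.

```python
"""Check whether /xmlrpc.php still answers XML-RPC calls (added example)."""
import sys
import urllib.error
import urllib.request
import xmlrpc.client
from xml.parsers.expat import ExpatError

# system.listMethods needs no credentials and no arguments.
PROBE = xmlrpc.client.dumps((), methodname="system.listMethods").encode()

# Constructed sample bodies, not captured from a real site.
SAMPLE_ENABLED = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getUsersBlogs"],), methodresponse=True)
SAMPLE_FAULT = xmlrpc.client.dumps(
    xmlrpc.client.Fault(405, "constructed fault"), methodresponse=True)


def classify(status, body):
    """Map an HTTP status and response body to a verdict (assumed names)."""
    if status != 200:
        return "unavailable"          # blocked or removed, e.g. 403 or 404
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault:
        return "reachable-fault"      # endpoint still speaks XML-RPC
    except (xmlrpc.client.ResponseError, ExpatError, ValueError):
        return "unavailable"          # 200, but not an XML-RPC response
    methods = params[0] if params else None
    if isinstance(methods, list) and any(
            isinstance(m, str) and m.startswith("wp.") for m in methods):
        return "enabled"              # WordPress methods are on offer
    return "reachable-other"


def probe(site_url, timeout=10):
    """POST the probe to <site_url>/xmlrpc.php and classify the answer."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/xmlrpc.php", data=PROBE,
        headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1
          else classify(200, SAMPLE_ENABLED))
```

Run it with your WordPress site URL as the only argument. A verdict of `unavailable` corresponds to the "isn't available" result described above.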
To learn more about the XML-RPC system, read the blog article here.
Option: Disable Anonymous Rest API
This option helps you to disable anonymous access to the REST API.
In most cases, REST APIs should be accessed only by authorized parties (users or apps). You can choose to completely disable anonymous access to the REST API.
Important: Enabling this option may break plugins that use the REST API for your site visitors.
For more information about the REST API integration for Shield Security, read this blog article here.
Option: Rest API Exclusions
You can add custom exclusions (namespaces) to the anonymous REST API block.
Some plugins (e.g. Contact Form 7) use the REST API anonymously, so you need to provide exclusions for them to work correctly. Example exclusions:
- contact-form-7 - Contact Form 7
- tribe - The Events Calendar
- jetpack - Jetpack
- woocommerce - WooCommerce
- wpstatistics - WP Statistics