XML-RPC Guardian is the comprehensive WordPress security solution specifically designed to protect your website from XML-RPC-based attacks while maintaining essential functionality for legitimate services like Jetpack and mobile applications.
Stop Devastating Security Threats
XML-RPC attacks represent one of the most dangerous vulnerabilities in WordPress, with attackers exploiting the xmlrpc.php file to launch brute force attacks that can bypass traditional security measures. The system.multicall method allows attackers to test hundreds of password combinations with just a few HTTP requests, making traditional rate limiting ineffective.
Intelligent Protection Without Breaking Functionality
Unlike simple XML-RPC disable plugins, XML-RPC Guardian uses intelligent filtering to maintain compatibility with Jetpack, WordPress mobile apps, and other legitimate services while blocking malicious requests. Our smart detection automatically preserves methods needed by your existing plugins and services.
Enterprise-Grade Security Features

• Advanced Method Filtering: Blocks dangerous methods like pingback.ping and system.multicall while preserving safe functionality
• IP Access Control: Comprehensive allowlisting and blocklisting with CIDR support for precise network control
• Rate Limiting Protection: Configurable per-IP throttling prevents brute force amplification attacks
• Application Password Enforcement: Forces secure authentication methods to protect account passwords
• Real-time Monitoring: Security logging tracks all blocked requests and potential threats ###/ulol###
• Default Mode: Removes high-risk methods while maintaining WordPress functionality
• Allowlist Mode: Maximum security - only specifically approved methods are permitted
• Blocklist Mode: Flexible protection - blocks only methods you specify as dangerous Why Choose XML-RPC Guardian? ✅ Works with Jetpack - Maintains full Jetpack functionality with compatibility mode

XML-RPC Guardian

Stop Devastating Security Threats: XML-RPC attacks represent one of the most dangerous vulnerabilities in WordPress, with attackers exploiting the xmlrpc.php file to launch brute force amplification attacks that bypass traditional security measures.

Intelligent Protection Without Breaking Functionality: Unlike simple XML-RPC disable plugins, XML-RPC Guardian uses intelligent filtering to preserve Jetpack, mobile apps, and other services while blocking malicious requests.

Enterprise-Grade Security Features

• Advanced Method Filtering: Blocks pingback.ping, system.multicall, and other high-risk methods.
• IP Access Control: Allowlist and blocklist with IPv4/IPv6 CIDR support and proxy awareness.
• Rate Limiting Protection: Per-IP throttling (10–1000 requests per 60–3600s) with retry-after headers.
• Application Password Enforcement: Forces use of WordPress application passwords for XML-RPC.
• Real-time Monitoring: Detailed security logging of blocked requests and events.

Three Security Modes

1. Default Mode: Safe removals only—blocks high-risk methods, allows others.
2. Allowlist Mode: Strict—only specified methods permitted.
3. Blocklist Mode: Flexible—only specified methods blocked.

Why Choose XML-RPC Guardian?

• ✅ Jetpack Compatibility – Maintains full Jetpack functionality.
• ✅ Mobile App Support – Pre-configured profiles for WordPress mobile apps.
• ✅ Zero Configuration – Secure defaults out of the box.
• ✅ Professional Logging – Detailed logs for compliance.
• ✅ Expert Support – Comprehensive documentation and updates.

Feature List

🔒 Core Security Protection

• Pingback.ping & getPingbacks removal
• system.multicall brute force mitigation
• Real-time XML-RPC method filtering
• Configurable demo/test method blocking
• Application Password enforcement

⚙️ Flexible Configuration Options

• Three security modes: Default, Allowlist, Blocklist
• Custom allowlist/blocklist method lists
• IP allowlisting/denylisting with CIDR
• Per-IP rate limiting & time window control
• Automatic cleanup via WordPress transients

🔄 Smart Compatibility Features

• Automatic Jetpack detection & method preservation
• Pre-configured mobile app profiles (wp., metaWeblog, blogger)
• Proxy-header awareness (X-Forwarded-For, Cloudflare)
• Non-destructive updates
• WordPress hook & filter integration

📊 Monitoring & Management

• Block event logging with PHP error log integration
• Admin interface under Settings → XML-RPC Guardian
• Visual status badge
• Graceful error handling & proper HTTP status codes
• Optimized algorithms for minimal overhead

🌐 Professional Features

• Full internationalization support with POT file
• Object-oriented code architecture
• Comprehensive README, inline help, user tips
• Security best practices: sanitization, capability checks
• Uninstall hook cleans all settings & data

WordPress Versions

• Minimum: 5.8+
• Tested: 6.0, 6.1, 6.2, 6.3, 6.4, 6.6, 6.8, 6.8.2
• Future: Compatible with upcoming releases

PHP Versions

• Minimum: 7.4
• Recommended: 8.0+
• Tested: 7.4, 8.0, 8.1, 8.2, 8.3

🚀 Quick Start

Installation

1. Upload the plugin files to /wp-content/plugins/xmlrpc-guardian/
2. Activate the plugin through the 'Plugins' menu in WordPress
3. Configure settings under Settings → XML-RPC Guardian