eighteen73 / orbit

Opinionated overrides for default WordPress behaviour.
MIT License

Block XMLRPC entirely #3

Open edjeavons opened 1 year ago

edjeavons commented 1 year ago

At the moment we are using the xmlrpc_enabled filter to disable XML-RPC methods requiring authentication but ideally there would be an option to disable access to xmlrpc.php entirely so it can't be used for any purpose (inc. bruteforcing credentials).

edjeavons commented 1 year ago

We have seen Search Console reporting 403 responses on /xmlrpc.php as a site error, which misleads website owners.

Perhaps we can look into discouraging robots on this path, or else give another HTTP response that doesn't have this side effect.

DanielHudson2 commented 2 months ago

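Encountered XMLRPC being exploited for attempts to access authenticated methods, used the following to completely disable it:

```php
// The filter is applied by xmlrpc.php when it picks its server class,
// so the request ends here before any XML-RPC method is handled.
add_filter('wp_xmlrpc_server_class', 'disable_wp_xmlrpc');

function disable_wp_xmlrpc($data) {
    exit('You dont have permission to access this file');
}
```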
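One way to combine the two requests in this thread (refuse `xmlrpc.php` outright and discourage crawlers from the path), as an added example that is not Orbit's code or any commenter's. It assumes the file is loaded as a plugin or mu-plugin; the `ORBIT_EXAMPLE_XMLRPC_STATUS` constant and its value are hypothetical.

```php
<?php
/**
 * Added example, not part of Orbit: block xmlrpc.php for every caller
 * and list the path as disallowed in WordPress's generated robots.txt.
 */

// Assumption: the status to return is a site decision. The thread notes
// that 403 on /xmlrpc.php is reported by Search Console as a site error.
const ORBIT_EXAMPLE_XMLRPC_STATUS = 403;

// xmlrpc.php defines XMLRPC_REQUEST before it loads WordPress, so this
// branch runs only for requests made to that file. Exiting here means no
// XML-RPC method, authenticated or not, is ever dispatched.
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
	status_header( ORBIT_EXAMPLE_XMLRPC_STATUS );
	header( 'Content-Type: text/plain; charset=utf-8' );
	exit( 'XML-RPC is disabled on this site.' );
}

// Stop advertising the endpoint: core prints an RSD <link> in wp_head
// that points at xmlrpc.php?rsd.
remove_action( 'wp_head', 'rsd_link' );

// Discourage robots on the path. This only affects the robots.txt that
// WordPress generates; a physical robots.txt file in the web root is
// served instead and would need the same rule added by hand.
add_filter(
	'robots_txt',
	function ( $output, $public ) {
		// Use the real path so subdirectory installs get the right rule.
		$path = parse_url( site_url( 'xmlrpc.php' ), PHP_URL_PATH );

		// Emit a separate group so the rule is not attached to whatever
		// another filter appended last (for example a Sitemap line).
		return $output . "\nUser-agent: *\nDisallow: {$path}\n";
	},
	10,
	2
);
```

A `Disallow` rule only asks well-behaved crawlers not to fetch the path; the early exit is what actually closes the endpoint.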