Title: REST API Shield & XML-RPC Blocker
Author: teamredfox
Published: October 13, 2025
Last modified: November 5, 2025

---


# REST API Shield & XML-RPC Blocker

 By [teamredfox](https://profiles.wordpress.org/teamredfox/)

[Download](https://downloads.wordpress.org/plugin/rest-api-shield-xml-rpc-blocker.1.0.zip)


## Description

This plugin is designed to fundamentally strengthen the security of your WordPress
site.

By default, WordPress exposes REST API endpoints like the user list (/wp/v2/users)
even to unauthenticated users (anonymous users). This poses a risk of information
leakage and can serve as a stepping stone for brute-force attacks by enabling username
enumeration.

Using this plugin, you can finely adjust the following security settings from the
“Settings” -> “General” page in the administration area.

Key Security Features

### REST API Anonymous Access Restriction:

 * Core endpoints (such as users, comments, media) and broad routes added by plugins
   can be specified as a blacklist.
 * Routes necessary for blog display (such as wp/v2/posts) can be specified as a
   whitelist to exempt them from restrictions.
 * Configure the HTTP status code (e.g., 403 Forbidden) and a custom error message
   to return upon access denial, preventing attackers from gaining insight into 
   your site structure.

### Complete XML-RPC Blocking:

 * Completely disable the XML-RPC functionality (xmlrpc.php) at the core WordPress
   level.
 * When an attacker attempts access, the plugin responds with a specified HTTP status
   code and a custom error message, deceptively denying access.
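
The sketch below shows one way the features listed above can be wired into WordPress hooks. It is an added example, not this plugin's source code: the `example_*` names, the constructed settings, the prefix-matching rule and the "allowlist wins" order are all assumptions, while `rest_pre_dispatch`, `is_user_logged_in()`, `WP_Error`, `status_header()` and the `XMLRPC_REQUEST` constant are WordPress core.

```php
<?php
// Added example with hypothetical names (example_*); not the plugin's code.

// Constructed settings: denied route prefixes, exempt prefixes, response.
const EXAMPLE_DENY   = array( '/wp/v2/users', '/wp/v2/comments', '/wp/v2/media' );
const EXAMPLE_ALLOW  = array( '/wp/v2/posts' );
const EXAMPLE_STATUS = 403;
const EXAMPLE_MSG    = 'Access denied.';

// True when $route equals $prefix or sits below it, so "/wp/v2/users"
// covers "/wp/v2/users/1" but not "/wp/v2/users-export".
function example_under( string $route, string $prefix ): bool {
	$prefix = rtrim( $prefix, '/' );
	return $route === $prefix || strpos( $route, $prefix . '/' ) === 0;
}

// Allowlist wins over denylist; routes on neither list pass through.
function example_is_blocked( string $route, array $deny, array $allow ): bool {
	foreach ( $allow as $p ) {
		if ( example_under( $route, $p ) ) { return false; }
	}
	foreach ( $deny as $p ) {
		if ( example_under( $route, $p ) ) { return true; }
	}
	return false;
}

if ( function_exists( 'add_filter' ) ) { // Running inside WordPress.
	// Short-circuit dispatch for logged-out callers on denied routes.
	add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
		if ( ! is_user_logged_in()
			&& example_is_blocked( $request->get_route(), EXAMPLE_DENY, EXAMPLE_ALLOW ) ) {
			return new WP_Error( 'rest_forbidden', EXAMPLE_MSG, array( 'status' => EXAMPLE_STATUS ) );
		}
		return $result;
	}, 10, 3 );

	// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress: answer and stop.
	if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
		status_header( EXAMPLE_STATUS );
		exit( EXAMPLE_MSG );
	}
} else { // Plain PHP CLI: print the decision for a few constructed routes.
	foreach ( array( '/wp/v2/users/1', '/wp/v2/users-export', '/wp/v2/posts' ) as $r ) {
		echo $r, ' => ', example_is_blocked( $r, EXAMPLE_DENY, EXAMPLE_ALLOW ) ? 'deny' : 'allow', "\n";
	}
}
```

Because the check runs at dispatch time, it applies equally to requests made through `/wp-json/...` and through the `?rest_route=...` query form.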

This plugin is highly recommended for all WordPress sites that require enhanced 
security.

## Screenshots

The ‘API Security Settings’ section added to the ‘Settings’ -> ‘General’ page in
the admin area.

REST API route Blacklist configuration screen.

XML-RPC complete blocking and custom response settings.

## Installation

 1. Download the ZIP file and go to the WordPress admin menu “Plugins” > “Add New” 
    > “Upload Plugin” to install it.
 2. OR, unzip the downloaded file and upload the contents to the /wp-content/plugins/
    directory.
 3. Activate “REST API Shield & XML-RPC Blocker” in the WordPress admin menu “Plugins”.
 4. Navigate to the “API Security Settings” section at the bottom of the “Settings”
    > “General” page to adjust your configuration.

## FAQ

### Why is it necessary to restrict anonymous access to the REST API?

Some REST API endpoints publish sensitive information that can be exploited by attackers,
such as user display names and media details. Restricting anonymous access prevents
the risk of this information leaking externally.

### Will blocking the REST API affect theme or plugin functionality?

There is a possibility it could cause issues. Specifically, if a theme or plugin
uses the REST API to load dynamic content for logged-out visitors (e.g., contact
forms, dynamic widgets), that functionality might be blocked. In such cases, please
add the relevant API route to the Whitelist (Allowed Routes).

### Should I disable XML-RPC?

In most cases, we strongly recommend disabling it. XML-RPC was primarily used for
remote publishing (e.g., older mobile apps), but the REST API is now the standard.
Since xmlrpc.php is a prime target for brute-force attacks, you should disable it
if you do not require remote publishing.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“REST API Shield & XML-RPC Blocker” is open source software. The following people
have contributed to this plugin.

Contributors

 * [teamredfox](https://profiles.wordpress.org/teamredfox/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/rest-api-shield-xml-rpc-blocker/),
check out the [SVN repository](https://plugins.svn.wordpress.org/rest-api-shield-xml-rpc-blocker/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/rest-api-shield-xml-rpc-blocker/)
by [RSS](https://plugins.trac.wordpress.org/log/rest-api-shield-xml-rpc-blocker/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial Release.
 * Added XML-RPC enable/disable and custom response configuration features.
 * Added REST API anonymous access restriction feature (Blacklist/Whitelist).
 * Added configuration for custom error messages and HTTP status codes.

## Meta

 *  Version **1.0**
 *  Last updated **7 months ago**
 *  Active installations **10+**
 *  WordPress version **6.8 or higher**
 *  Tested up to **6.8.5**
 *  PHP version **7.4 or higher**
