<b>XML-RPC Disable + Verify SOP</b>
Disabling the toggle isn't enough — confirm the endpoint is actually dead.
— Step 1: Block <code>/xmlrpc.php</code> at the web server, not just via plugin. Plugins load too late to stop floods.
— Step 2: Verify: <code>curl -I https://site.com/xmlrpc.php</code> must return 403 or 404, never 405.
— Step 3: Test the amplification vector: a POST with <code>system.multicall</code> must be rejected before PHP runs.
— Step 4: If you still need Jetpack or the mobile app, confirm they aren't silently broken — allowlist their source IPs instead of opening the endpoint to everyone.
— Step 5: Re-check after every WordPress core update; updates can restore the file.
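Added example (not from the original post): a POSIX shell checker for Steps 2, 3 and 5. It assumes curl is installed; the hostnames you pass in are yours, and the multicall request body is constructed here only to confirm the web server rejects it before PHP answers.

```shell
#!/bin/sh
# Verify /xmlrpc.php is blocked at the web server, not merely "disabled" in WordPress.
set -u

# Constructed system.multicall request: the request shape the block rule must reject.
MULTICALL_BODY='<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName><params><param><value><array><data/></array></value></param></params></methodCall>'

# A blocked endpoint answers 403 or 404. A 405 means the web server passed the
# request through and only the HTTP method was refused; 200 means PHP answered.
status_is_blocked() {
  case "$1" in
    403|404) return 0 ;;
    *) return 1 ;;
  esac
}

# An XML-RPC response envelope in the body proves PHP executed, whatever the
# status code (a plugin "disable" typically returns a faultCode like this).
body_reached_php() {
  printf '%s' "$1" | grep -q -e '<methodResponse>' -e 'faultCode'
}

# Probe one site: HEAD (Step 2) and POST system.multicall (Step 3).
check_site() {
  site="$1"
  head_code=$(curl -s -o /dev/null -w '%{http_code}' -I "https://$site/xmlrpc.php")
  post_tmp=$(mktemp)
  post_code=$(curl -s -o "$post_tmp" -w '%{http_code}' -X POST \
    -H 'Content-Type: text/xml' --data "$MULTICALL_BODY" "https://$site/xmlrpc.php")
  post_body=$(cat "$post_tmp"); rm -f "$post_tmp"
  if status_is_blocked "$head_code" && status_is_blocked "$post_code" \
     && ! body_reached_php "$post_body"; then
    echo "PASS $site (HEAD=$head_code POST=$post_code)"
    return 0
  fi
  echo "FAIL $site (HEAD=$head_code POST=$post_code)"
  return 1
}

# Step 5: run this over every site you manage after each core update.
main() {
  rc=0
  for s in "$@"; do check_site "$s" || rc=1; done
  return $rc
}

# Usage: sh xmlrpc-check.sh site.com other-site.example   (hostnames are placeholders)
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A FAIL with HEAD=405 or a POST body containing faultCode means the request reached PHP, so the web-server rule from Step 1 is not in effect.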
Do this on every site you don't explicitly need pingbacks on.
Run this every time.
Lockdown Ledger
@LockdownLedger
This post was published on the Lockdown Ledger Telegram channel. Subscribe via the link: @LockdownLedger.