Title: Disable XML-RPC &#8211; Dashboard Control
Author: aph5
Published: <strong>24 janvier 2026</strong>
Last modified: 1 juillet 2026

---

Recherche d’extensions

![](https://ps.w.org/xml-rpc-control-dashboard/assets/banner-772x250.png?rev=3445967)

![](https://ps.w.org/xml-rpc-control-dashboard/assets/icon-256x256.png?rev=3445967)

# Disable XML-RPC – Dashboard Control

 Par [aph5](https://profiles.wordpress.org/aph5/)

[Télécharger](https://downloads.wordpress.org/plugin/xml-rpc-control-dashboard.1.0.3.zip)

 * [Détails](https://fr.wordpress.org/plugins/xml-rpc-control-dashboard/#description)
 * [Avis](https://fr.wordpress.org/plugins/xml-rpc-control-dashboard/#reviews)
 *  [Installation](https://fr.wordpress.org/plugins/xml-rpc-control-dashboard/#installation)
 * [Développement](https://fr.wordpress.org/plugins/xml-rpc-control-dashboard/#developers)

 [Support](https://wordpress.org/support/plugin/xml-rpc-control-dashboard/)

## Description

 * This plugin allows you to quickly toggle on/off XML-RPC functionality from the
   Dashboard
 * On initial installation and activation, XML-RPC will be disabled,
 * It displays the current enabled/disabled status in the dashboard, helping users
   avoid leaving access on unnecessarily.
 * It features XML-RPC rate limiting functionality, providing some protection to
   users while XML-RPC is on.
 * Rate limiting is on by default, but can be turned off. Note that it’s not perfect
   security however, and we recommend XML-RPC is disabled after use.

#### Why Control XML-RPC?

XML-RPC is a WordPress feature that allows remote access to your site. While useful
for legitimate applications like mobile apps and remote publishing, it’s frequently
exploited for:

 * Brute force password attacks
 * DDoS amplification attacks via pingbacks
 * Spam distribution
 * Resource exhaustion

#### Rate Limiting Protection

When enabled, the plugin automatically limits:

 * **Failed Authentication** – Maximum 5 failed login attempts per hour per IP
 * **High-Risk Methods** – Limits on pingback.ping, system.multicall, and other 
   abuse-prone methods
 * **IP Validation** – Validates addresses and processes proxy headers correctly.
   Sites where the client connects directly are protected against IP spoofing automatically;
   sites behind a reverse proxy or CDN can declare their proxies via the `xmlrpc_control_trusted_proxies`
   filter so forwarded headers are only trusted from those addresses

#### Privacy

This plugin does not collect, store, or transmit any user data outside your WordPress
installation. All rate limiting data is stored temporarily using WordPress transients
and is automatically cleaned up.

### Additional Information

#### Support

For support, feature requests, or bug reports, please visit the plugin’s support
forum.

#### Contributing

Feedback is welcomed.

#### Security

If you discover a security vulnerability, please report it responsibly via the WordPress
security team or directly to the plugin author.

## Captures d’écrans

[⌊Dashboard widget showing XML-RPC blocked⌉⌊Dashboard widget showing XML-RPC blocked⌉[

Dashboard widget showing XML-RPC blocked

[⌊Dashboard widget showing XML-RPC enabled⌉⌊Dashboard widget showing XML-RPC enabled⌉[

Dashboard widget showing XML-RPC enabled

[⌊Settings page with enable/disable XML-RPC⌉⌊Settings page with enable/disable XML-
RPC⌉[

Settings page with enable/disable XML-RPC

[⌊Settings page with Rate limiting enable/disable⌉⌊Settings page with Rate limiting
enable/disable⌉[

Settings page with Rate limiting enable/disable

## Installation

 1. Upload the `xml-rpc-control-dashboard` folder to the `/wp-content/plugins/` directory
 2. Activate the plugin through the ‘Plugins’ menu in WordPress
 3. View the dashboard widget on your main admin page or navigate to Settings > XML-
    RPC Control
 4. Toggle XML-RPC on/off as needed and configure rate limiting

## FAQ

### Will this break my mobile app or remote publishing tools?

If you use WordPress mobile apps or remote publishing tools (like blog editors),
you’ll need to keep XML-RPC enabled. The rate limiting feature provides an additional
layer of defense against common automated attacks, though we still recommend disabling
XML-RPC when not actively needed.

### What happens when XML-RPC is disabled?

When disabled, every request to xmlrpc.php is terminated early with a 403 fault –
including unauthenticated helper methods like system.listMethods. This means:

 * No remote publishing
 * No WordPress mobile app access
 * No pingbacks/trackbacks
 * No XML-RPC method discovery or fingerprinting
 * Jetpack and similar plugins may have reduced functionality

### What is the default state when I activate the plugin?

XML-RPC is blocked by default. If a user unblocks it, then XML-RPC rate limiting
is enabled by default, but can be disabled in settings.

### How does the rate limiting work?

Rate limiting tracks requests per IP address using WordPress transients (temporary
data). It limits failed authentication attempts and high-risk methods to 5 per hour.
This prevents basic automated attacks while allowing normal use.

### Can rate limiting be relied upon?

We don’t recommend users rely on rate limiting to secure their server. Rate limiting
provides basic protection against automated attacks but has known limitations in
high-concurrency scenarios. When XML-RPC is not needed, we recommend disabling it.

### Does this plugin work with caching?

Yes, the plugin works with all caching solutions. Rate limiting hooks into WordPress
core authentication and XML-RPC systems, which execute before cached pages are served.

### Is this compatible with Jetpack and similar plugins?

Yes, when XML-RPC is enabled, Jetpack and other plugins that rely on XML-RPC will
continue to function normally. The rate limiting protects against abuse while allowing
legitimate traffic.

## Avis

Il n’y a aucun avis pour cette extension.

## Contributeurs/contributrices & développeurs/développeuses

« Disable XML-RPC – Dashboard Control » est un logiciel libre. Les personnes suivantes
ont contribué à cette extension.

Contributeurs

 *   [ aph5 ](https://profiles.wordpress.org/aph5/)

[Traduisez « Disable XML-RPC – Dashboard Control » dans votre langue.](https://translate.wordpress.org/projects/wp-plugins/xml-rpc-control-dashboard)

### Le développement vous intéresse ?

[Parcourir le code](https://plugins.trac.wordpress.org/browser/xml-rpc-control-dashboard/),
consulter le [SVN dépôt](https://plugins.svn.wordpress.org/xml-rpc-control-dashboard/),
ou s’inscrire au [journal de développement](https://plugins.trac.wordpress.org/log/xml-rpc-control-dashboard/)
par [RSS](https://plugins.trac.wordpress.org/log/xml-rpc-control-dashboard/?limit=100&mode=stop_on_copy&format=rss).

## Journal des modifications

#### 1.0.3

 * Fixed: « Blocked » mode now terminates every XML-RPC request early with a 403
   fault. Previously, unauthenticated methods that bypass WordPress’s xmlrpc_enabled
   gate (demo.sayHello, system.listMethods, system.getCapabilities, system.multicall
   and some mt.* methods) remained callable while XML-RPC was blocked, allowing 
   method discovery and fingerprinting.
 * Fixed: the plugin description no longer mentions automated monitoring or email
   alerts, which were never shipped features.
 * Improved: documentation now accurately describes IP spoofing protection – automatic
   for directly connected sites, and via the xmlrpc_control_trusted_proxies filter
   for sites behind a proxy or CDN.

#### 1.0.2

 * Fixed: the failed-authentication rate limiter now returns a proper WP_Error when
   an IP is over the limit. Previously it returned an IXR_Error from the authenticate
   filter, which WordPress core does not recognise as an authentication failure,
   so over-limit requests were not blocked correctly.
 * Fixed: high-risk method rate limiting (pingback.ping, system.multicall, etc.)
   now actually blocks calls once the limit is reached. The previous version counted
   calls but could not reject them, because the underlying WordPress hook ignores
   return values. Enforcement now runs through the xmlrpc_methods filter.
 * Fixed: when XML-RPC is set to « Blocked », unauthenticated pingback methods are
   now removed from the dispatch table. Previously the WordPress xmlrpc_enabled 
   filter left pingbacks callable, so blocking was incomplete.
 * Fixed: uninstall now correctly removes the plugin’s rate-limiting transients.
   A LIKE-pattern escaping bug previously left these rows behind.
 * Removed an OPTIMIZE TABLE call from uninstall (discouraged and unnecessary).
 * Added: optional trusted-proxy support via the xmlrpc_control_trusted_proxies 
   filter (accepts IPs and CIDR ranges). When set, forwarded headers are only trusted
   from declared proxies, hardening client IP detection against X-Forwarded-For 
   spoofing.
 * Improved: client IP detection now handles bracketed IPv6 proxy values with a 
   port (e.g. [2001:db8::1]:443).
 * Internal: moved static inline styles out of PHP markup into the stylesheet, per
   WordPress.org guidelines; removed an unused setting registration and an unused
   localized nonce.

#### 1.0.1

 * Changed plugin name to « Disable XML-RPC – Dashboard Control » for improved search
   visibility
 * No functional changes

#### 1.0.0

 * Initial release
 * Dashboard widget with quick toggle
 * Settings page under Settings > XML-RPC Control
 * Optional rate limiting for failed auth and high-risk methods
 * Secure by default (XML-RPC disabled on activation)

## Méta

 *  Version **1.0.3**
 *  Dernière mise à jour **il y a 8 heures**
 *  Installations actives **Moins de 10**
 *  Version de WordPress ** 5.0 ou plus **
 *  Testé jusqu’à **7.0**
 *  Version de PHP ** 7.4 ou plus **
 *  Langue
 * [English (US)](https://wordpress.org/plugins/xml-rpc-control-dashboard/)
 * Étiquettes
 * [dashboard](https://fr.wordpress.org/plugins/tags/dashboard/)[rate limiting](https://fr.wordpress.org/plugins/tags/rate-limiting/)
   [security](https://fr.wordpress.org/plugins/tags/security/)[xmlrpc](https://fr.wordpress.org/plugins/tags/xmlrpc/)
 *  [Vue avancée](https://fr.wordpress.org/plugins/xml-rpc-control-dashboard/advanced/)

## Évaluations

Aucun avis n’a encore été envoyé.

[Your review](https://wordpress.org/support/plugin/xml-rpc-control-dashboard/reviews/#new-post)

[Voir tous les avis](https://wordpress.org/support/plugin/xml-rpc-control-dashboard/reviews/)

## Contributeurs

 *   [ aph5 ](https://profiles.wordpress.org/aph5/)

## Support

Quelque chose à dire ? Besoin d’aide ?

 [Voir le forum de support](https://wordpress.org/support/plugin/xml-rpc-control-dashboard/)