A single-file WordPress plugin for fine-grained control over XML-RPC and REST API endpoints. Toggle XML-RPC globally or per-user role, disable specific REST routes, and log blocked requests for security monitoring.

• XML-RPC Control: Disable XML-RPC globally or restrict by user roles
• REST API Management: Require authentication for REST API access
• Role-Based Permissions: Fine-grained access control per user role
• Route Blocking: Disable specific REST API endpoints
• Request Logging: Track and monitor blocked requests
• Security Focused: Protect your WordPress site from unauthorized API access
• Single File Architecture: All code in one PHP file for simplicity
• WPCS Compliant: Follows WordPress Coding Standards
• Translation Ready: i18n/l10n support
• Admin Dashboard: User-friendly settings interface with tabbed layout

1. Upload the plugin to your WordPress plugins directory
2. Activate the plugin through the WordPress admin panel
3. Configure settings at Settings > XML-RPC Manager
4. Enable logging (optional) to monitor blocked requests

1. Download class-yt-xml-rpc-access-manager.php
2. Upload to /wp-content/plugins/yt-xml-rpc-access-manager/
3. Activate through the WordPress 'Plugins' menu
4. Configure via Settings > XML-RPC Manager

class-yt-xml-rpc-access-manager.php    # Main plugin file
assets/css/yt-xml-rpc-access-manager-admin.css    # Admin styles
assets/js/yt-xml-rpc-access-manager-admin.js    # Admin scripts
README.md                              # This file

YT_XML_RPC_ACCESS_MANAGER_VERSION  // Plugin version number
YT_XML_RPC_ACCESS_MANAGER_BASENAME // Plugin base name
YT_XML_RPC_ACCESS_MANAGER_PATH     // Plugin directory path
YT_XML_RPC_ACCESS_MANAGER_URL      // Plugin directory URL

• get_instance() - Singleton instance retrieval
• __construct() - Initialize plugin and load options
• xram_init_hooks() - Register WordPress hooks
• xram_load_textdomain() - Load translations

• xram_add_admin_menu() - Add settings page to admin menu
• xram_register_settings() - Register plugin settings and fields
• xram_sanitize_options() - Sanitize user input
• xram_render_settings_page() - Display tabbed settings interface
• xram_render_logs_tab() - Display request logs
• xram_admin_enqueue_scripts() - Load admin CSS/JS
• xram_add_action_links() - Add settings link to plugins page

• xram_control_xmlrpc() - Control XML-RPC access globally and by role
• xram_filter_xmlrpc_methods() - Filter available XML-RPC methods
• xram_control_rest_api() - Control REST API access and authentication
• xram_filter_rest_endpoints() - Remove disabled REST routes

• xram_log_blocked_request() - Log blocked XML-RPC and REST requests
• xram_log_xmlrpc_call() - Hook for XML-RPC call logging
• xram_ajax_clear_logs() - Clear all request logs
• xram_ajax_export_logs() - Export logs to CSV format

• xram_get_option() - Get option value with default
• activate() - Run on plugin activation
• deactivate() - Run on plugin deactivation
• yt_xml_rpc_access_manager_uninstall() - Run on plugin deletion

1. Go to Settings > XML-RPC Manager
2. Check "Disable XML-RPC completely"
3. Save changes

This blocks all XML-RPC requests, overriding any role permissions.

1. Go to Settings > XML-RPC Manager
2. Uncheck "Disable XML-RPC completely"
3. Select user roles allowed to use XML-RPC (e.g., Administrator, Editor)
4. Save changes

Only selected roles will have XML-RPC access.

1. Go to Settings > XML-RPC Manager
2. Switch to "REST API Settings" section
3. Check "Disable REST API for non-authenticated users"
4. Select allowed user roles
5. Save changes

1. Go to Settings > XML-RPC Manager
2. Find "Disabled Routes" field
3. Enter routes to block (one per line):

   /wp/v2/users
   /wp/v2/users/(?P<id>[\d]+)
   

4. Save changes

1. Go to Settings > XML-RPC Manager
2. Check "Log blocked requests" in Logging Settings
3. Save changes
4. View logs in "Request Logs" tab

1. Go to Request Logs tab
2. Click "Export CSV" button
3. CSV file will be downloaded automatically

// Get plugin instance
$plugin = YT_XML_RPC_Access_Manager::get_instance();

// Check if XML-RPC is disabled
$xmlrpc_disabled = $plugin->xram_get_option( 'disable_xmlrpc', false );

// Get allowed roles
$allowed_roles = $plugin->xram_get_option( 'xmlrpc_allowed_roles', array() );

• Disable XML-RPC: Completely blocks all XML-RPC requests
• Allowed User Roles: Select which roles can use XML-RPC (Administrator, Editor, Author, etc.)

• Disable REST API: Requires authentication for all REST API requests
• Allowed User Roles: Select which authenticated roles can use REST API
• Disabled Routes: List of REST API routes to block (one per line)

• Enable Logging: Keep a log of blocked XML-RPC and REST API requests (last 500 entries)

✅ Already Implemented:

• Direct file access prevention
• Capability checks (current_user_can('manage_options'))
• Input sanitization (sanitize_text_field(), sanitize_key())
• Output escaping (esc_html(), esc_attr(), esc_url())
• AJAX nonce verification
• Role-based access control
• IP address logging for security monitoring

⚠️ Recommendations:

• Enable logging to monitor unauthorized access attempts
• Regularly review logs for suspicious activity
• Disable XML-RPC if you don't use third-party apps
• Restrict REST API access to authenticated users only
• Block sensitive REST routes like /wp/v2/users
• Keep the plugin updated

• Disable XML-RPC completely
• Disable REST API for non-authenticated users
• Block /wp/v2/users endpoint
• Enable logging

• Keep XML-RPC enabled for Administrator role only
• Allow REST API for authenticated users
• Enable logging to monitor usage

• Allow public REST API access
• Block sensitive routes (users, settings)
• Enable logging for security monitoring

• Enable all access
• Enable logging to debug API requests
• Export logs for analysis

1. Ensure "Disable XML-RPC" is checked
2. Clear WordPress cache
3. Check for conflicting plugins
4. Verify plugin is activated

1. Check if "Disable REST API" is enabled
2. Verify user is logged in
3. Check user role permissions
4. Review allowed roles list

1. Ensure "Enable Logging" is checked
2. Save settings after enabling
3. Trigger a blocked request to test
4. Check WordPress database options table

1. Verify user has manage_options capability
2. Check for JavaScript errors in browser console
3. Disable other plugins temporarily
4. Check file permissions

1. Test thoroughly: Test with different user roles and scenarios
2. Monitor logs: Enable logging during initial setup
3. Start restrictive: Begin with stricter settings, then relax as needed
4. Document changes: Keep track of disabled routes for maintenance
5. Regular reviews: Periodically review logs and settings
6. Backup first: Always backup before making security changes

• Plugin activates without errors
• Settings page displays correctly
• All settings save properly
• XML-RPC can be disabled globally
• Role-based XML-RPC access works
• REST API authentication works
• Specific REST routes can be blocked
• Request logging works correctly
• Logs can be viewed in admin
• Logs can be exported to CSV
• Logs can be cleared
• Plugin deactivates cleanly
• Plugin uninstalls and removes all data
• No PHP warnings or notices
• Compatible with latest WordPress version
• Works with PHP 7.4+
• Settings link appears on plugins page
• Tab switching works in admin interface
• AJAX operations work correctly

Run PHP_CodeSniffer with WordPress standards:

phpcs --standard=WordPress class-yt-xml-rpc-access-manager.php

• Minimal overhead: Hooks only fire when API requests are made
• Efficient logging: Automatically limits to last 500 entries
• Cached options: Plugin options loaded once per request
• No database queries on frontend: Only admin interface queries database

• WordPress: 5.8 or higher
• PHP: 7.4 or higher
• Multisite: Compatible (network activation not required)
• Page Builders: Compatible with all major page builders
• Themes: Theme-independent

GPL v2 or later

Built following WordPress Plugin Handbook and WPCS guidelines.

For issues, feature requests, or contributions:

• GitHub Repository
• Author Website

For WordPress security best practices, visit:

• WordPress Plugin Handbook
• WordPress Coding Standards
• WordPress REST API Handbook
• WordPress XML-RPC Support

• Initial release
• XML-RPC global disable
• XML-RPC role-based access control
• REST API authentication requirements
• REST API role-based access control
• REST API route blocking
• Request logging system
• CSV log export
• Tabbed admin interface
• Translation ready