Describe the Bug 🐞
The "Disable XML-RPC" option, located in the FlyWP Helper Plugin settings (wp-admin > FlyWP > Optimizations), is non-functional. Although the toggle is enabled by default, it fails to block public access to the xmlrpc.php endpoint. This leaves the site vulnerable to common security threats that target this file, such as brute-force login attempts and DDoS attacks, despite the user believing the feature is active.
Steps to Reproduce
- On a WordPress site with the FlyWP Helper Plugin installed, navigate to the WordPress admin dashboard.
- Go to FlyWP > Optimizations.
- Confirm that the "Disable XML-RPC" toggle is switched on (it is enabled by default).
- In a new browser tab or using a tool like
curl, attempt to access the XML-RPC endpoint by navigating to https://your-domain.com/xmlrpc.php.
- Observe the response. The page will load and display the message: "XML-RPC server accepts POST requests only." This confirms the endpoint is still active and accessible.
Expected Behavior ✅
When the "Disable XML-RPC" option is enabled in the plugin settings, any attempt to access the xmlrpc.php file should be completely blocked. The server should return an error, such as a 403 Forbidden, 404 Not Found, or a custom "Access Denied" message, preventing any interaction with the endpoint.
Actual Behavior ❌
The xmlrpc.php endpoint remains fully accessible to the public. It responds as it normally would on a site where it is not disabled, indicating that the plugin's setting has no effect.
Environment
- Plugin: FlyWP Helper Plugin (within a WordPress installation)
- FlyWP Version: PROD
Describe the Bug 🐞
The "Disable XML-RPC" option, located in the FlyWP Helper Plugin settings (wp-admin > FlyWP > Optimizations), is non-functional. Although the toggle is enabled by default, it fails to block public access to the
xmlrpc.phpendpoint. This leaves the site vulnerable to common security threats that target this file, such as brute-force login attempts and DDoS attacks, despite the user believing the feature is active.Steps to Reproduce
curl, attempt to access the XML-RPC endpoint by navigating tohttps://your-domain.com/xmlrpc.php.Expected Behavior ✅
When the "Disable XML-RPC" option is enabled in the plugin settings, any attempt to access the
xmlrpc.phpfile should be completely blocked. The server should return an error, such as a 403 Forbidden, 404 Not Found, or a custom "Access Denied" message, preventing any interaction with the endpoint.Actual Behavior ❌
The
xmlrpc.phpendpoint remains fully accessible to the public. It responds as it normally would on a site where it is not disabled, indicating that the plugin's setting has no effect.Environment