Disable XML-RPC via WordPress code

Dec 2024 29 12:53

Post by Kygo

That looks great, but only disables any XML-RPC methods that require authentication, like publishing posts, editing, deleting, and so forth. It does not disable methods where authentication is not required, like reading, pingbacks, and other custom endpoints. So the above one-liner doesn’t completely disable XML-RPC, but is useful in helping to lock things down.

To disable XML-RPC methods that do not require authentication:

[Code hidden: login or registration required]

This technique disables all XML-RPC functionality by passing an empty array via the xmlrpc_methods filter hook. This can be further simplified by using the WordPress function, __return_empty_array(). For example:

[Code hidden: login or registration required]

That one line takes care of disabling all XML-RPC functionality. The only other sort of related thing is the X-Pingback header, which WordPress includes automatically. So if XML-RPC is disabled, it makes sense also to disable the header, because pingbacks require XML-RPC in order to work. This will do it:

[Code hidden: login or registration required]

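The snippets in the post above are hidden behind a login, so here is an added example (not the poster's code) of the hooks the post names, written as a small must-use plugin. The `example_` function names, the `PHP_INT_MAX` priority and the sample values in the status check are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: XML-RPC lockdown (added example)
 * Description: Empties the XML-RPC method map and drops the X-Pingback header.
 */

// Long form: the callback receives the method map (name => handler) and
// returns an empty array, so nothing registered through this filter survives.
// Priority PHP_INT_MAX is a choice made for this example: it runs the callback
// after plugins that add their own methods through the same filter.
function example_xmlrpc_remove_all_methods( $methods ) {
    return array();
}
add_filter( 'xmlrpc_methods', 'example_xmlrpc_remove_all_methods', PHP_INT_MAX );

// Short form, equivalent to the function above: use core's helper as the callback.
// add_filter( 'xmlrpc_methods', '__return_empty_array', PHP_INT_MAX );

// Pingbacks need XML-RPC, so stop advertising the endpoint in response headers.
function example_xmlrpc_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_xmlrpc_remove_pingback_header', PHP_INT_MAX );

// Check: push a constructed method map and header set through the live filter
// chain and report whether anything survives (for example, because another
// plugin hooked in at the same priority after this file loaded).
function example_xmlrpc_lockdown_status() {
    $sample_methods = array( 'demo.sayHello' => 'this:sayHello' );          // constructed
    $sample_headers = array( 'X-Pingback' => 'https://example.test/xmlrpc.php' ); // constructed

    $methods = apply_filters( 'xmlrpc_methods', $sample_methods );
    $headers = apply_filters( 'wp_headers', $sample_headers, $GLOBALS['wp'] ?? null );

    return array(
        'methods_empty'    => empty( $methods ),
        'pingback_removed' => ! isset( $headers['X-Pingback'] ),
    );
}
```

Saved under `wp-content/mu-plugins/`, the file loads on every request without activation; `example_xmlrpc_lockdown_status()` returns two booleans that should both be `true` once the filters are in place.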