Disable XML-RPC by default

[ottok]

Due to low usage and high risk, the time would be right to start shutting down the XML-RPC service by default on all new sites. Do it either via Nginx config rule or via the Seravo Plugin.

Also check if the JSON API user listing should be restricted by default as well.

[k1sul1]

Username isn't a secret, so I wouldn't tamper with /wp-json/wp/v2/users.

Just enforce strong passwords and rate limit logins?

[ottok]

Just enforce strong passwords and rate limit logins?

Already done. What's next?

[k1sul1]

Force 2FA for administrators?

[ottok]

Related commit: dc35228

[ottok]

You can run this on your site to activate the settings:

wp-seravo-plugin-update
wp option set seravo-disable-xml-rpc on
wp option set seravo-disable-json-user-enumeration on
wp option set seravo-disable-get-author-enumeration on

[ottok]

Our plan is to have the settings above enabled on all new sites via the Seravo Plugin.

[JoosuaKoskinen]

Made a pull request about disabling XML-RPC by default: Seravo/seravo-plugin#319

[ottok]

Closed via 32e12f8