WP General Security: Site Booster Module

The WP General Security module lets you control core WordPress features that, if left as is, may represent a security threat or a vulnerability that can be exploited.

By disabling WordPress core features you don't need or use, you're enhancing your website's security and tailoring WordPress to fit your exact needs.

preview of the WP General Security module options in Site Booster plugin

To use the WP General Security features, switch the module toggle on.

Enable (or disable) any option you would like to use, then save changes at the bottom of the module page.

Available WP General Security options include:

Disable XML-RPC

The Disable XML-RPC option allows you to disable WordPress XML-RPC functionality on your website.

WordPress uses XML-RPC to let you post content on your website from many popular weblog clients or by email.

option to disable WordPress XML-RPC functionality with Site Booster

However, the XML-RPC functionality is also one of the most misused options and thus represents a security issue that opens the door for various attacks, such as brute force, DoS and DDoS.

If you're not using any form of remote publishing on your website, you can disable this feature.

Disabling XML-RPC also disables pingbacks and trackbacks.

Disable REST API for Logged Out Users

The Disable REST API for Logged Out Users option enables you to restrict access to the REST API functionality and make it available only to registered and logged-in users. This increases the security of your website and hides all sensitive information from malicious users and bots.

option to restrict access to the REST API in WordPress

Your website can reveal lots of information.

For example, using a different browser and in incognito mode, type in your website's URL and append the following to the URL: /wp-json/wp/v2/

Basically, the entire URL would now look like this: https://yourwebsite's-url.com/wp-json/wp/v2/

See what information is available about all users, menus, posts, pages, products... everything, as displayed in the image below.

example of information that can be retrieved using the WordPress Rest API

While this information is essential for your entire website's functionality, it's not essential for it to be publicly available. Likewise, restricting access to the REST API will not influence your website's functionality for non-registered or logged-out users and site visitors.

When the Disable REST API for Logged Out Users option is enabled, anyone logged out or unregistered will receive an error message informing them they do not have permission to access the information.

WordPress Rest API restricted access example

Disable REST API Link Tag

The Disable REST API Link Tag option enables you to remove the REST API link tag from your website's <head> element and source code.

WordPress REST API is a service that provides an interface for applications (themes, plugins or third-party software) to interact with your WordPress site by sending and receiving data as JSON objects.

Removing the REST API link tag from your website's source code can boost security by not disclosing that your website's functionality relies on the REST API.

In most cases, removing the REST API links from the HTML `<head>` does not break the core functionality of your WordPress site or the REST API itself. These links simply _advertise_ the presence and location of the REST API:

- The link in the <head> (<link rel="https://api.w.org/" href="...">) is largely informational for browsers or tools scanning the page.

However, there is a small chance that certain themes or plugins might rely on these advertised links for front-end scripts or discovery purposes. If so, removing them _might_ affect their functionality.

But in a typical setup, most WordPress sites will continue to function normally, and the REST API will still be available at its usual /wp-json endpoint regardless of whether these links are present.

The REST API link tag looks like this: <link rel="https://api.w.org/" ... />

The REST API link tag can be viewed when inspecting any page on your website or viewing the source code using the available browser options.

Disable REST API in HTTP Headers

The Disable REST API in HTTP Headers option enables you to remove the REST API link from your pages' HTTP headers.

WordPress REST API provides an interface for applications (themes, plugins or third-party software) to interact with your WordPress site by sending and receiving data as JSON objects.

Removing the REST API link in HTTP headers can boost security by not disclosing that your website's functionality relies on the REST API.

In most cases, removing the REST API links from the HTTP headers does not break the core functionality of your WordPress site or the REST API itself. These links simply _advertise_ the presence and location of the REST API:

- The Link: header (Link: <https://example.com/wp-json/>; rel="https://api.w.org/") is similarly there to let clients know where the REST endpoint is located.

However, there is a small chance that certain themes or plugins might rely on these advertised links for front-end scripts or discovery purposes. If so, removing them _might_ affect their functionality.

But in a typical setup, most WordPress sites will continue to function normally, and the REST API will still be available at its usual /wp-json endpoint regardless of whether these links are present.

The REST API link in the HTTP header looks like this: Link: <...>; rel="https://api.w.org/"

The REST API link can be viewed in the browser inspector's Network tab: refresh the page, then check the first entry on the list, which is usually the current website's page URL.

example of WordPress Rest API link used in a page's HTTP header
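To confirm that the three REST API options described above (logged-out access, the <head> link tag and the Link HTTP header) took effect on your own site, the check below inspects a captured home-page response and a captured logged-out response from /wp-json/wp/v2/. It is an added example, not code from Ocean Site Booster; the function names are hypothetical, the sample captures are constructed, and the 401 status and error code in them are assumptions.

```python
import json
import re
from html.parser import HTMLParser
API_REL = "https://api.w.org/"  # rel value quoted on this page

class HeadLinkFinder(HTMLParser):
    """Collects href values of <link rel="https://api.w.org/" ...> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and API_REL in (a.get("rel") or "").split():
            self.hrefs.append(a.get("href"))

def link_header_targets(headers):
    """URLs from Link response headers whose rel is the REST API relation."""
    found = []
    for name, value in headers:
        if name.lower() == "link":
            for target, params in re.findall(r"<([^>]*)>([^,]*)", value):
                m = re.search(r'rel="?([^";]+)', params)
                if m and API_REL in m.group(1).split():
                    found.append(target)
    return found

def rest_open_to_logged_out(status, body):
    """True if a cookie-less request got data back rather than an error."""
    try:
        data = json.loads(body)
    except ValueError:
        return False  # not JSON, e.g. an HTML error page
    is_error = isinstance(data, dict) and "code" in data and "message" in data
    return status == 200 and not is_error

def audit(home_headers, home_html, rest_status, rest_body):
    finder = HeadLinkFinder()
    finder.feed(home_html)
    return {"head_link_tag": finder.hrefs, "link_header": link_header_targets(home_headers),
            "rest_open_logged_out": rest_open_to_logged_out(rest_status, rest_body)}

# Constructed captures, not from a real site; the 401 status and error code are assumptions.
BEFORE = dict(home_headers=[("Link", '<https://example.com/wp-json/>; rel="https://api.w.org/"')],
              home_html='<head><link rel="https://api.w.org/" href="https://example.com/wp-json/" /></head>',
              rest_status=200, rest_body='[{"id": 1, "name": "admin"}]')
AFTER = dict(home_headers=[("Content-Type", "text/html; charset=UTF-8")], home_html="<head><title>Home</title></head>",
             rest_status=401, rest_body='{"code": "placeholder_error", "message": "No permission."}')

if __name__ == "__main__":
    print(audit(**BEFORE), audit(**AFTER), sep="\n")
```

Empty lists and `False` in the result mean the site no longer advertises the REST API or serves it to logged-out requests; the endpoint itself still exists at /wp-json for logged-in users.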


