So, have you try to type this at WordPress URL Bar: https://some.wordpress.site/wp-json and find out the XML syntax all over the page?
Some say it was a feature, some say it was a backdoor. If you own a WordPress site with XML-RPC enabled, do not be scared. It is normal. It is a functioning XML-RPC call. But if you want to shut it off, do the following.
- Edit .htaccess. Add the next line:
Redirect 301 /xmlrpc.php https://www.google.com - Edit /wp-content/themes/your_theme/functions.php with the following code:
add_filter( 'rest_authentication_errors', function( $result ) {
// If a previous authentication check was applied,
// pass that result along without modification.
if ( true === $result || is_wp_error( $result ) ) {
return $result;
}
// No authentication has been performed yet.
// Return an error if user is not logged in.
if ( ! is_user_logged_in() ) {
return new WP_Error(
'rest_not_logged_in',
__( 'You are not currently logged in.' ),
array( 'status' => 401 )
);
}
// Our custom authentication check should have no effect
// on logged-in requests
return $result;
});
Taken from:
1. https://www.shellhacks.com/wordpress-disable-rest-api-restrict-access/
2. https://wpdynamic.com/wordpress-developer/wordpress-code-snippets/how-to-disable-the-wordpress-json-rest-api-without-plugin/
3. https://www.greengeeks.com/tutorials/how-to-enable-and-disable-xmlrpc-php-in-wordpress-and-why/
