54
Disable XML-RPC-API
It blocks attackers but might accidentally lock you out of your own site.
HealthyDeclining
54/100
It provides simple XML-RPC protection but causes site crashes and leaves messy code behind.
Active installs
~150,000
our estimate · wp.org shows 100k+
Rating
4.2★
43 ratings
Trend · vs a year ago
-43%
Declining fast
329 → 187 installs/day
What to watch out for
- MINORdownloads down 43% vs a year ago
Downloads over time
real new installs per day · release spikes shown separately from the trend2025-04-302025-08-082025-11-162026-02-232026-06-03
organicrelease spikerelease tailorganic trend · 14d rolling median
Declining fast · -43% in the last year
329/day a year ago→187/day today
Reviews
what people actually sayDisable XML-RPC-API has a deeply divided reputation — some users find it a simple, effective solution, but serious recurring complaints about site crashes, persistent .htaccess pollution after removal, intrusive upsell notices, and at least one alarming security allegation make it a risky choice.
What people like
- +Works as advertised for disabling XML-RPC with no configuration needed×4
- +Saves users from manually editing .htaccess themselves×2
- +Support team described as prompt and responsive
Common complaints
- −Causes 500 server errors and full site crashes on activation×3
- −Leaves junk/residual code in .htaccess and other files after deactivation or deletion, requiring manual cleanup×3
- −Injects persistent, unskippable admin notices advertising an unrelated plugin (WP Security Guard) with no reliable way to permanently dismiss them×2
- −One reviewer alleges the plugin injects obfuscated backdoor PHP scripts and was linked to site hijackings across multiple unrelated customer sites
- −Reported to slow down the website and dashboard noticeably, even persisting after the plugin is removed×2
- −Plugin reportedly cannot be deleted through the WordPress dashboard, requiring FTP or cPanel access
Review trustReviews look organic
- 4.06★Verified rating — drops from 4.20★ once one-shot reviewers are removed
- 21%One-shot reviewers — most reviewers are active community members
Reviews per month · 5★ vs lower
2023-08-192025-01-102026-06-04
5★ reviews1–4★ reviews
All-time ratings · 43 total
Latest reviews · 43 analyzed
- 2026-05-30★★★★★Good Jobmehditabbakh
- 2025-09-11★★★★★does what it shouldbugscout
- 2025-08-29★★★★★Harmfulfirafiki
- 2023-11-10★★★★★Hotlinkingajaxy121-shot
- 2023-08-16★★★★★Errorelmo2000
- 2023-05-30★★★★★DO NOT INSTALL THIS! **PHP BACKDOOR**ben2358723823567
- 2023-02-13★★★★★Spammy admin notices. Bye Bye.jaywalker999
- 2023-01-10★★★★★Uses your WP to advertise in admin panelsebastienvercammen
- 2022-12-19★★★★★Dangerasmod2a1-shot
- 2022-12-01★★★★★cannot deletehomewise1
Releases
recent versions from WordPress.org SVNFor developers & the curious
the raw signals behind the grade — none of this is on the friendly summary aboveDownload signals
Baselines are computed on organic days only — release spikes and their tails are excluded, so they're not inflated by the auto-update wave.
184
Baseline · median of last 7 organic days
170
Prior 7-day baseline
155
Floor · 25th percentile over 14 days
165
Latest day · 2026-06-03(organic)
+8.2%
Week-over-week organic trend
Review signals
Concentration and drive-by metrics drive the review-burst and fake-review flags. 30–40% solo reviewers is normal; we only flag the extremes.
20%
Max month share · biggest single 30-day window
2.45
Distribution CV · <0.6 even, >1.5 bursty
77%
5★ share in analyzed sample
21%
Solo reviewers · only this one wp.org activity
—
Volume velocity · last 6mo vs prior 6mo
4.16 → 4.06★
Sample avg · raw → solo-filtered