# Security

Harden a WordPress application: block XML-RPC, block PHP execution in uploads, and verify core file checksums.

Requires the WordPress Toolkit add-on.


# Toggle XML-RPC

Block or allow xmlrpc.php at the web server level.

# HTTP Request:

PATCH https://api.serveravatar.com/organizations/{organization}/servers/{server}/applications/{application}/wordpress-toolkit/xmlrpc/toggle

# Parameter:

Parameter Required Type Description
action Yes String enable to block XML-RPC; disable to allow

# Toggle PHP Execution in Uploads

Block or allow PHP execution under wp-content/uploads.

# HTTP Request:

PATCH https://api.serveravatar.com/organizations/{organization}/servers/{server}/applications/{application}/wordpress-toolkit/php-execution-upload-directory/toggle

# Parameter:

Parameter Required Type Description
action Yes String enable to block PHP in uploads; disable to allow

# Verify Core Checksums

Compare installed WordPress core files against official release checksums.

# HTTP Request:

GET https://api.serveravatar.com/organizations/{organization}/servers/{server}/applications/{application}/wordpress-toolkit/checksums/verify

# Curl Request Example:

curl --request GET \
  --url "https://api.serveravatar.com/organizations/5/servers/15/applications/93/wordpress-toolkit/checksums/verify" \
  --header 'content-type: application/json' \
  --header 'Authorization: <YOUR API TOKEN>'

# Response:

# Successful Response

  • 200 (Ok)
{
  "response": {
    "output": "",
    "status": "success"
  }
}

The response object lists files that do not match official checksums, if any.

Last Updated: 5/19/2026, 11:40:55 AM