giantpeach / wp-sane-defaults

WordPress mu-plugin that fixes common insecure and annoying defaults.

Maintainers

Package info

github.com/Giant-Peach-Design/wp-sane-defaults

Type:wordpress-muplugin

pkg:composer/giantpeach/wp-sane-defaults

Statistics

Security

Aikido package health analysis

dev-main 2026-03-04 14:56 UTC

Requires

php: >=8.0

Requires (Dev)

None

Suggests

None

Provides

None

Conflicts

None

Replaces

None

MIT 409c46e626ced98688902dc86ad184b7852e2b04

Giant Peach

dev-main

This package is auto-updated.

Last update: 2026-03-04 14:57:12 UTC

README

WordPress mu-plugin that fixes common insecure and annoying defaults.

What it does

Security:

Disables the Users REST API endpoint for unauthenticated requests
Disables XML-RPC entirely
Removes the X-Pingback header
Disables file editing via the admin
Obscures login error messages to prevent user enumeration
Disables author archives (redirects to homepage)
Removes WordPress version from scripts, styles, and meta tags

Performance/Cleanup:

Removes emoji scripts and styles
Removes oEmbed discovery links
Removes DNS prefetch for s.w.org
Only loads comment-reply JS when actually needed
Removes unnecessary meta tags (generator, WLW manifest, RSD link, shortlink, REST API link, feed links)
Disables self-pingbacks
Hides update nags for non-admin users

Installation

Drop wp-sane-defaults.php into wp-content/mu-plugins/.

Requirements

PHP 8.0+
WordPress 6.0+