The xmlrpc.php file was used to provide a way to write WordPress blog posts offline, then connect and upload them later. This functionality is being moved into the WordPress API, and xmlrpc.php may soon be phased out entirely.
Security plugins may report attacks on this file, or you may notice an unusually high number of requests to it.
This article explains how to block or disable the xmlrpc.php file with .htaccess.
Disable xmlrpc.php While Allowing JetPack
TIP: If NGINX caching is in use, you may need to clear the NGINX cache after making these changes.
- Log into cPanel
- Navigate to File Manager, located in the Files section
- Locate the site's document root
- Edit the .htaccess
- Add the following to the top of the .htaccess file
## Begin XMLRPC Attack Mitigation
# NOTE: This accounts for Jetpack, which is usually the only legitimate thing that needs to access xmlrpc.php.
RewriteEngine On
ErrorDocument 416 "Invalid Request"
# Match POST requests to xmlrpc.php (THE_REQUEST is the full request line)...
RewriteCond %{THE_REQUEST} "^POST /xmlrpc.php"
# ...unless the User-Agent is Jetpack's ([NC] makes the match case-insensitive)
RewriteCond %{HTTP_USER_AGENT} !^Jetpack\ by\ WordPress\.com [NC]
# Never interfere with SSL certificate validation paths (ACME, cPanel DCV, Comodo DCV)
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
# Answer matching requests with the 416 error document defined above
RewriteRule .* - [R=416,L]
- Press Save and close the file
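To confirm from the access log which visitors are hammering xmlrpc.php, and which of those hits the Jetpack-allowing rule above would reject, here is an added Python example (not from this article) that reads Apache combined-format log lines and applies the same two conditions: a POST to xmlrpc.php whose User-Agent is not Jetpack's. The log lines, IP addresses, and timestamps are constructed samples.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same conditions as the article's .htaccess rule: THE_REQUEST (the request line)
# starts with "POST /xmlrpc.php", and the User-Agent is not Jetpack's ([NC] = case-insensitive).
POST_XMLRPC = re.compile(r"^POST /xmlrpc\.php")
JETPACK_UA = re.compile(r"^Jetpack by WordPress\.com", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def would_be_blocked(entry):
    """True if this request would hit the RewriteRule and receive the 416 response."""
    return bool(POST_XMLRPC.match(entry["request"])) and not JETPACK_UA.match(entry["ua"])

def summarize(lines):
    """Count xmlrpc.php POSTs per source IP the rule would block, and those Jetpack would keep."""
    blocked = Counter()
    allowed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None or not POST_XMLRPC.match(entry["request"]):
            continue  # unparsable, or not a POST to xmlrpc.php: the rule does not apply
        if would_be_blocked(entry):
            blocked[entry["ip"]] += 1
        else:
            allowed += 1
    return blocked, allowed

SAMPLE_LOG = [  # constructed sample lines using documentation IP ranges, not real traffic
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Jetpack by WordPress.com"',
    '192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:20 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    blocked, allowed = summarize(SAMPLE_LOG)
    print(f"blocked per IP: {dict(blocked)}; Jetpack requests kept: {allowed}")
```

Run it against a real log with `summarize(open("/path/to/access_log"))` to see the same counts for your site; a GET to xmlrpc.php is not counted because the rule only matches POST.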
Disable xmlrpc.php Completely
- Log into cPanel
- Navigate to File Manager, located in the Files section
- Locate the site's document root
- Edit the .htaccess
- Add the following to the top of the .htaccess file
RewriteEngine On
# Only apply to the affected domain, with or without www
RewriteCond %{HTTP_HOST} ^(www\.)?domain\.com [NC]
# Any request whose path ends in xmlrpc.php...
RewriteCond %{REQUEST_URI} xmlrpc.php$
# ...is refused with 403 Forbidden
RewriteRule (.*) - [F,L]
REPLACE: domain\.com with the affected domain. Be sure to leave the backslash before the period.
- Press Save and close the file