Block / prevent XML RPC (WordPress) on whole server

anton1982

From time to time my server is 'attacked' by accessing/using the xmlrpc.php from WordPress. When I check the server load, 50 or more connections to different WordPress sites are attacked, causing a very high server load. Can anyone tell me how to prevent this on server level?
 
Can you edit the Apache (or nginx) httpd templates and add (for Apache)
Code:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
or

Code:
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>




or for nginx
Code:
server {
    location = /xmlrpc.php {
        deny all;
    }
}

or...
https://geektnt.com/how-to-disable-xmlrpc-php.html

6. Block on entire server
If you have one server or VPS with tens of hundreds of WordPress installations (like me) any of the solutions above will take time to implement. So the best thing to do is to block access to xmlrpc.php file on Apache level, simply by adding this to httpd.conf file:
Code:
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
Or even better, adding this code (that also blocks wp-trackback.php and also prevents trackback hacking attempts).

Code:
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
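
Added example, not part of the posts above: the same server-wide block written so it loads on both Apache 2.2 and Apache 2.4. On 2.4 the `Order`/`Deny` directives only work while mod_access_compat is loaded, and `Require all denied` is the native form; the trailing `$` in the pattern is an addition of this example.

```apache
# Added example: server-wide block for xmlrpc.php and wp-trackback.php.
# Place in the global Apache config (the post above uses httpd.conf).
# The trailing "$" is an addition: it keeps the match to these exact
# file names instead of anything that merely starts with them.
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)$">
    # Apache 2.4: native authorization syntax (mod_authz_core).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax, as posted in this thread.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
```

Run `apachectl configtest` before reloading; afterwards a request for /xmlrpc.php on any hosted site should return 403 Forbidden.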
 