How to block access to xmlrpc.php for ALL USERS using OpenLitespeed?

remics


How could I generate a virtual host to apply this setting for ALL USERS?
 
I don't know the OpenLiteSpeed token, so you'll need to find it yourself.

This solution is for Apache.

If you want to place some code into the <virtualhost> tag, I replied about how to put it in a custom template file at this link:


Add this to the "CUSTOM3" token:
Code:
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

and then run rewrite_confs:
Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs



###UPDATE FOR OpenLiteSpeed Token
 
I understand this should be super simple for most people but I created this thread with the goal of asking what are the exact steps I need to take as I really couldn't understand the documentation.

The title is well written and I believe this is a common use case so I hope someone is available to help me and others with this problem.
 
I don't know OLS, but it looks the same as in Apache, only with other files.
Look at this:
related to this:

It seems to me it's the same for OLS; you just have to use the CUSTOM.1.post or CUSTOM.7.post, if I'm not mistaken.
 

If you follow these instructions it will add a rewrite rule into all user VHost files to block access to xmlrpc.

Code:
cd /usr/local/directadmin/data/templates/custom/
touch cust_openlitespeed.CUSTOM.5.pre
chown diradmin:diradmin cust_openlitespeed.CUSTOM.5.pre
nano /usr/local/directadmin/data/templates/custom/cust_openlitespeed.CUSTOM.5.pre

Then inside the CUSTOM.5.pre file you can paste the following RewriteRule.

Code:
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteRule ^(.*)$ - [F,L,NC]

If you want to take this a bit further and block access to more files system-wide, applied to each VHost, you can add as many filenames to the list as you want.
Code:
RewriteCond %{REQUEST_URI} ^(.*)?readme\.html(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?readme\.txt(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-trackback\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?license\.txt(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-config\.php(.*)$
RewriteRule ^(.*)$ - [F,L,NC]
 
Thank you so much!

I hope it helps other people as well as helping me.

However, when executing the above commands I had the problem of all pages being blocked with error 403 (forbidden). I don't know what I did wrong but here are the exact steps I took:

Code:
vim /usr/local/directadmin/data/templates/custom/cust_openlitespeed.CUSTOM.5.pre

Put the following content in this file:
Code:
RewriteRule ^/(xmlrpc|wp-trackback)\.php - [F,L,NC]
(no line break, please)

Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs

Reference Link: https://openlitespeed.org/kb/customization-hooks-in-directadmin/
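
The site-wide 403 reported in this thread is what a RewriteCond chain produces when its last condition still carries [OR]. The following is an added example, not code from the thread or from OpenLiteSpeed: a Python model of Apache mod_rewrite's condition-chain logic, run over the thread's rule sets with constructed request paths. It assumes OpenLiteSpeed evaluates the chain the same way (consistent with the behaviour reported here) and that paths carry a leading slash; all function names are hypothetical.

```python
import re

def conds_pass(conds, uri):
    """conds: list of (regex, has_or_flag), each tested against REQUEST_URI."""
    i = 0
    while i < len(conds):
        pattern, has_or = conds[i]
        ok = re.search(pattern, uri) is not None
        if has_or:
            if ok:
                # One member of the OR group matched: skip the rest of the group.
                while i < len(conds) and conds[i][1]:
                    i += 1
            # A failed [OR] condition defers to the next one. If none follows,
            # the loop simply ends and the chain counts as satisfied.
        elif not ok:
            return False
        i += 1
    return True

def is_forbidden(rule_pattern, conds, uri):
    """True if 'RewriteRule <rule_pattern> - [F,L,NC]' would answer 403."""
    if re.search(rule_pattern, uri, re.IGNORECASE) is None:  # [NC] on the rule
        return False
    return conds_pass(conds, uri)

def cond(name, has_or):
    # Same shape as the thread's conditions: ^(.*)?<file>(.*)$
    return (r"^(.*)?" + re.escape(name) + r"(.*)$", has_or)

NAMES = ["readme.html", "readme.txt", "xmlrpc.php",
         "wp-trackback.php", "license.txt", "wp-config.php"]
DANGLING_OR = [cond("xmlrpc.php", True)]          # single condition, trailing [OR]
NO_OR = [cond("xmlrpc.php", False)]               # same condition, flag removed
MULTI = [cond(n, n != NAMES[-1]) for n in NAMES]  # [OR] on all but the last
ANCHORED = r"^/(xmlrpc|wp-trackback)\.php"        # condition-free rule from the thread

# Constructed sample request paths.
SAMPLES = ["/", "/index.php", "/xmlrpc.php", "/blog/xmlrpc.php", "/wp-config.php"]

def report():
    # Tuple order: dangling [OR], flag removed, multi-file list, anchored rule.
    return {u: (is_forbidden(r"^(.*)$", DANGLING_OR, u),
                is_forbidden(r"^(.*)$", NO_OR, u),
                is_forbidden(r"^(.*)$", MULTI, u),
                is_forbidden(ANCHORED, [], u)) for u in SAMPLES}

if __name__ == "__main__":
    for uri, verdicts in report().items():
        print(f"{uri:20} {verdicts}")
```

After `./build rewrite_confs`, requesting an ordinary page and one blocked file on a test VHost confirms the same split on the live server: the page should load and the blocked file should return 403.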
 
Thank you so much!

I hope it helps other people as well as helping me. I've followed all the steps here and actually confirmed that it works; however, after creating these files the next step is to run the following commands:
Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs
Thanks @remics for adding the rewrite config command; I forgot to add that to my reply.

Also, have a look here: https://www.vpsbasics.com/cp/. There are quite a few tutorials for OLS with DirectAdmin.
 