
Block access to all occurrences of xmlrpc.php using CSF

Comments

4 comments

  • rpvw
    I think using modsec would be a superior solution to your dilemma. You might find a number of useful articles and code examples by searching for the string "modsec xmlrpc" in your favorite search engine. You may be able to implement a regex in LFD (a component of CSF). There is an interesting discussion on the CSF forum detailing how to achieve this. (Search for "Blocking Wordpress Login and xmlprc attacks with LFD" in the
    0
  • cPanelLauren
    modsec would definitely be the correct avenue for this. Another really simple solution is just to deny access to the file in the .htaccess:

        <Files xmlrpc.php>
        Require all denied
        </Files>
    0
  • linux4me2
    I use a pre-main global include (WHM -> Service Configuration -> Apache Configuration -> Pre-Main Include -> All Versions) to block xmlrpc server-wide:

        RedirectMatch 301 /xmlrpc.php http://127.0.0.1/

    So far, it seems to be working well with my WordPress sites. I'm not sure if it would be more/less efficient than using CSF or mod_security, though it's really easy to implement, and you only have to add it in one place to affect all accounts. Maybe @cPanelLauren's code snippet would work in the Include Editor as well?
    0
  • garconcn
    I add the following to the Apache Global Pre VirtualHost Includes:

        <Files xmlrpc.php>
        Order Deny,Allow
        # Whitelist Jetpack IPs (you can remove/replace all the Allow lines)
        Allow from 192.0.64.0/18
        Allow from 122.248.245.244
        Allow from 54.217.201.243
        Allow from 54.232.116.4
        Allow from 209.15.0.0/16
        Allow from 66.155.0.0/17
        Allow from 64.34.206.0/24
        Allow from 185.64.140.0/22
        Allow from 198.181.116.0/22
        Allow from 76.74.248.128/25
        Allow from 76.74.255.0/25
        Deny from all
        </Files>

    To whitelist for one domain, do this (replace the CPANELID and DOMAINNAME):

        mkdir -p /etc/apache2/conf.d/userdata/std/2_4/CPANELID/DOMAINNAME
        mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/CPANELID/DOMAINNAME

    Create a file allowxmlrpc.conf in each of the above dirs:

        <Files xmlrpc.php>
        Allow from all
        </Files>

    Rebuild and restart Apache:

        /scripts/rebuildhttpdconf
        /scripts/restartsrv_httpd
    0
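The server-wide block and per-domain exception discussed in the comments above, written with Apache 2.4's native `Require` directives (mod_authz_core) instead of the `Order`/`Allow`/`Deny` compatibility directives. This is an added example, not code posted by anyone in the thread; the IP ranges are copied from the comment above and are assumed to still be the ones you want to allow, and CPANELID and DOMAINNAME are placeholders as in that comment.

```apache
# --- File 1: server-wide include (Pre-Main or Pre-VirtualHost include) ---
# A <Files> container is valid in server context, so this applies to every
# xmlrpc.php on every account.
<Files "xmlrpc.php">
    # Several Require lines outside a <RequireAll>/<RequireNone> container
    # are combined as "any of these": a client in any listed range is
    # allowed, every other client receives 403 Forbidden.
    # Ranges as listed in the thread; check them against the provider's
    # current list before relying on them.
    Require ip 192.0.64.0/18
    Require ip 122.248.245.244 54.217.201.243 54.232.116.4
    Require ip 209.15.0.0/16 66.155.0.0/17
    Require ip 64.34.206.0/24 185.64.140.0/22 198.181.116.0/22
    Require ip 76.74.248.128/25 76.74.255.0/25
</Files>

# --- File 2: per-domain exception ---
# Save as allowxmlrpc.conf in both
#   /etc/apache2/conf.d/userdata/std/2_4/CPANELID/DOMAINNAME/
#   /etc/apache2/conf.d/userdata/ssl/2_4/CPANELID/DOMAINNAME/
# Sections inside a virtual host are merged after the server-wide ones,
# and with the default "AuthMerging Off" the later section's Require
# replaces the earlier list, so this re-opens xmlrpc.php for that one
# domain only.
<Files "xmlrpc.php">
    Require all granted
</Files>
```

To drop the allow-list entirely, replace the `Require ip` lines in the first file with a single `Require all denied`; rebuild and restart Apache with the two `/scripts/` commands from the comment above after any change.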
