
Deny all for xmlrpc.php returning 404 instead of 403

Comments

7 comments

  • Alejandro Tagalos

    Hello, thanks for your reply.

     

    It kind of helps, because I realized the webserver is denying the connection: I can see these lines in the "Latest web server error log messages":



    AH01797: client denied by server configuration: /home/XXXX/public_html/xmlrpc.php



    But I still do not understand why WordPress loads at all. I want not only to block these requests, but also to prevent WordPress from loading in order to save CPU.

     

    Any help in understanding what's happening would be really appreciated.

    Thanks

    0
  • mtindor

    Just tell it to use Apache's built-in default error documents.

    In WHM --> Apache Configuration, under Pre Main Virtual Include --> All Versions I have:

    # START XML RPC BLOCKING
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    allow from 127.0.0.1
    #AUTOMATTIC jetpack etc
    allow from 192.0.64.0/18
    errordocument 401 default
    errordocument 403 default
    errordocument 404 default
    errordocument 411 default
    </Files>
    # FINISH XML RPC BLOCKING

    You really want this in Pre Virtualhost Include --> All Versions

    And this will use the default errordocument response from Apache (built in).

    In my case, if I browse a site that actually contains an xmlrpc.php file ( https://www.mysite.com/xmlrpc.php ), it will generate the built-in Apache 403 response (403 Forbidden).

    And I will see it in /usr/local/apache/logs/error_log as:

    [Wed Jul 24 06:14:30.992886 2024] [access_compat:error] [pid 2773745:tid 2773746] [remote xx.xx.xxx.xxx:54703] AH01797: client denied by server configuration: /home/myaccount/public_html/mysite.com/xmlrpc.php

     

    NOTE:  Yes, I'm using the old style Order / Deny from all rather than the new Required All.  But you can convert if you want.

    1
  • Alejandro Tagalos

    You are the best man, it works as expected now. I used the new Apache syntax "Required All", which I paste here for those having the same problem:

        <Files xmlrpc.php>
            <RequireAny>
                Require all denied
                Require ip 127.0.0.1
                #AUTOMATTIC jetpack etc
                Require ip 192.0.64.0/18
            </RequireAny>
            ErrorDocument 401 default
            ErrorDocument 403 default
            ErrorDocument 404 default
            ErrorDocument 411 default
        </Files>

    1
  • mtindor

    You're welcome.  And since you showed the updated way using Require, I'm going to switch to using that.  I was just too lazy to figure out the "new way".

    The key issue that you really had was that when you did not specify an errordocument, it will assume the default of 404 (and of course WordPress sites always hijack 404 requests and process them through WordPress / PHP). So, by adding errordocuments like 401 or 403 with "default", you can have Apache generate an appropriate minimal non-PHP processed response.

     

    0
  • Alejandro Tagalos

    I understand what you mean, thank you man.

     

    Be careful, because I updated my last post: I changed <RequireAll> to <RequireAny>, since if I use RequireAll then even localhost and jetbackup will be blocked. Using RequireAny here is the correct way.

     

        <RequireAll>
            Require all denied -> always false
            Require ip 127.0.0.1 -> false
            #AUTOMATTIC jetpack etc
            Require ip 192.0.64.0/18 -> true
        </RequireAll>

    Overall result: False (no access permitted)

        <RequireAny>
            Require all denied -> always false
            Require ip 127.0.0.1 -> false
            #AUTOMATTIC jetpack etc
            Require ip 192.0.64.0/18 -> true
        </RequireAny>

    Overall result: True (access permitted)

     

    Have a nice day

    1
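The RequireAll versus RequireAny comparison in the post above, as an added example that is not part of the original thread: a simplified Python model of how the three `Require` lines combine for a given client address. The function names and the sample client addresses are constructed for illustration, and the model assumes each line is either granted or denied (neutral results and `Require not` are not modelled).

```python
import ipaddress

# The three Require lines from the <Files xmlrpc.php> block in the thread.
RULES = [
    "all denied",
    "ip 127.0.0.1",
    "ip 192.0.64.0/18",  # Automattic range quoted in the thread
]


def require(rule, client_ip):
    """Evaluate one Require argument string: True = granted, False = denied."""
    kind, _, arg = rule.partition(" ")
    if kind == "all":
        if arg not in ("granted", "denied"):
            raise ValueError(f"unsupported argument: {rule!r}")
        return arg == "granted"
    if kind == "ip":
        addr = ipaddress.ip_address(client_ip)
        # A single Require ip line may list several addresses or networks.
        return any(addr in ipaddress.ip_network(net, strict=False)
                   for net in arg.split())
    raise ValueError(f"unsupported Require type: {rule!r}")


def evaluate(container, rules, client_ip):
    """Combine the per-line results the way the named container does."""
    results = [require(rule, client_ip) for rule in rules]
    if container == "RequireAny":
        return any(results)   # one granted line is enough
    if container == "RequireAll":
        return all(results)   # "all denied" makes this always False
    raise ValueError(f"unknown container: {container!r}")


def decide(container, client_ip, rules=RULES):
    """Return the outcome a client would see for xmlrpc.php."""
    return "allowed" if evaluate(container, rules, client_ip) else "403 Forbidden"


if __name__ == "__main__":
    # Constructed sample clients: loopback, an address inside 192.0.64.0/18,
    # and an unrelated documentation-range address.
    for ip in ("127.0.0.1", "192.0.78.9", "203.0.113.7"):
        for container in ("RequireAll", "RequireAny"):
            print(f"{ip:<13} {container:<10} -> {decide(container, ip)}")
```
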
  • mtindor

    Will do.  Thanks!

    0
