Deny all for xmlrpc.php returning 404 instead of 403
Hello,
I am trying to return a 403 when someone accesses the xmlrpc.php file of my WordPress installation. For example, the following URL should return 403:
For that, I tried two approaches, using "Require all denied" and the rewrite module:
# Disallow xmlrpc
<Files "xmlrpc.php">
Require all denied
</Files>
<IfModule rewrite_module>
RewriteEngine On
# In server/vhost context the pattern is matched against the full URL path ("/xmlrpc.php"),
# so the leading slash must be optional for the rule to match outside .htaccess
RewriteRule ^/?xmlrpc\.php$ - [F,L]
</IfModule>
I added that code in a file named disallow-xmlrcp.conf in the following directory:
/etc/apache2/conf.d/userdata
I also tried to add that code in the WHM include editor, in the "Pre Main Include".
But still, when I access the URL, I get a WordPress 404 Not Found page.
How can I instruct the web server not to load WordPress at all and return a 403 Access Denied?
-
Hello, thanks for your reply.
It kind of helps, because I realized the web server is denying the connection; I can see these lines in the "Latest web server error log messages":
AH01797: client denied by server configuration: /home/XXXX/public_html/xmlrpc.php
But I still do not understand why WordPress loads at all. I want not only to block these requests, but also to prevent WordPress from loading in order to save CPU.
Any help in understanding what's happening would be really appreciated.
Thanks
0 -
Just tell it to use Apache's built-in default error documents.
In WHM --> Apache Configuration, under Pre Main Virtual Include --> All Versions I have:
# START XML RPC BLOCKING
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
allow from 127.0.0.1
#AUTOMATTIC jetpack etc
allow from 192.0.64.0/18
errordocument 401 default
errordocument 403 default
errordocument 404 default
errordocument 411 default
</Files>
# FINISH XML RPC BLOCKING
You really want this in Pre Virtualhost Include --> All Versions.
And this will use the default ErrorDocument response from Apache (built in).
In my case, if I browse a site that actually contains an xmlrpc.php file ( https://www.mysite.com/xmlrpc.php ), it will generate the built-in Apache 403 response (403 Forbidden).
And I will see it in /usr/local/apache/logs/error_log as:
[Wed Jul 24 06:14:30.992886 2024] [access_compat:error] [pid 2773745:tid 2773746] [remote xx.xx.xxx.xxx:54703] AH01797: client denied by server configuration: /home/myaccount/public_html/mysite.com/xmlrpc.php
NOTE: Yes, I'm using the old-style Order / Deny from all rather than the new Require all. But you can convert if you want.
1 -
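The error_log line quoted in this answer is the evidence that Apache, not WordPress, refused the request. The following is an added example (not code from the thread, cPanel or Apache) that parses lines in that format and counts, per remote address, how many xmlrpc.php requests were denied at the server level. AH01797 is the access_compat code shown above; AH01630 is the equivalent message from authz_core when the Require syntax is used. The log lines inside the script are constructed samples using documentation-range IPs, not real traffic.

```python
"""Summarise Apache error_log 'client denied by server configuration' events.

Added example, not code from the thread or from cPanel/Apache. It parses
lines shaped like the error_log entry quoted above (AH01797 from
access_compat; AH01630 is the authz_core equivalent when the Require syntax
is used) and reports, per remote address, how many xmlrpc.php requests were
rejected before PHP ever ran. The log lines below are constructed samples
with documentation-range IPs, not real traffic.
"""
import re
from collections import Counter

# Constructed sample log lines (placeholders, not real traffic).
SAMPLE_LOG = """\
[Wed Jul 24 06:14:30.992886 2024] [access_compat:error] [pid 2773745:tid 2773746] [remote 203.0.113.10:54703] AH01797: client denied by server configuration: /home/myaccount/public_html/mysite.com/xmlrpc.php
[Wed Jul 24 06:14:31.104511 2024] [access_compat:error] [pid 2773745:tid 2773746] [remote 203.0.113.10:54704] AH01797: client denied by server configuration: /home/myaccount/public_html/mysite.com/xmlrpc.php
[Wed Jul 24 06:15:02.000001 2024] [authz_core:error] [pid 2773745:tid 2773747] [remote 198.51.100.7:41000] AH01630: client denied by server configuration: /home/myaccount/public_html/mysite.com/xmlrpc.php
[Wed Jul 24 06:15:05.000001 2024] [core:error] [pid 2773745:tid 2773748] [remote 198.51.100.7:41001] AH00037: Symbolic link not allowed or link target not accessible: /home/myaccount/public_html/mysite.com/link
[Wed Jul 24 06:16:00.000001 2024] [access_compat:error] [pid 2773745:tid 2773746] [remote 192.0.64.5:50000] AH01797: client denied by server configuration: /home/myaccount/public_html/mysite.com/wp-login.php
"""

# One Apache 2.4 error_log line:
# [timestamp] [module:level] [pid ...] [remote ip:port] AHxxxxx: message
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):error\] \[pid [^\]]+\] "
    r"\[remote (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\] "
    r"(?P<code>AH\d+): client denied by server configuration: (?P<path>\S+)$"
)


def parse_denied(line):
    """Return the fields of a 'client denied' line, or None for any other line."""
    m = DENIED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def summarise(log_text, filename="xmlrpc.php"):
    """Count server-level denials of `filename` per client IP and per authz module."""
    per_ip = Counter()
    per_module = Counter()
    for line in log_text.splitlines():
        event = parse_denied(line)
        if event is None or not event["path"].endswith("/" + filename):
            continue
        per_ip[event["ip"]] += 1
        per_module[event["module"]] += 1
    return {"per_ip": dict(per_ip), "per_module": dict(per_module)}


def noisy_clients(summary, threshold=2):
    """IPs that hit the blocked file at least `threshold` times, busiest first."""
    hits = summary["per_ip"]
    return sorted((ip for ip, n in hits.items() if n >= threshold),
                  key=lambda ip: (-hits[ip], ip))


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for ip, n in sorted(result["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16}  {n} blocked xmlrpc.php request(s)")
    print("by module:", result["per_module"])
    print("repeat offenders:", noisy_clients(result))
```

Pointing `summarise()` at the contents of /usr/local/apache/logs/error_log (the path named in this answer) gives a quick check that the block is working: every counted line is a request Apache refused before PHP started, which is exactly the CPU saving the question is after. The module column also shows whether the old Order/Deny syntax (access_compat) or the Require syntax (authz_core) produced the denial.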
You are the best, man, it works as expected now. I used the new Apache syntax "Require all", which I paste here for those having the same problem:
<Files xmlrpc.php>
<RequireAny>
Require all denied
Require ip 127.0.0.1
#AUTOMATTIC jetpack etc
Require ip 192.0.64.0/18
</RequireAny>
ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 411 default
</Files>
1 -
You're welcome. And since you showed the updated way using Require, I'm going to switch to using that. I was just too lazy to figure out the "new way".
The key issue that you really had was that when you did not specify an ErrorDocument, it assumes the default of 404 (and of course WordPress sites always hijack 404 requests and process them through WordPress / PHP). So, by adding ErrorDocuments like 401 or 403 with "default", you can have Apache generate an appropriate minimal, non-PHP-processed response.
0 -
I understand what you mean, thank you, man.
Be careful, because I updated my last post: I changed <RequireAll> to <RequireAny>, since if I use RequireAll then even localhost and jetbackup will be blocked. Using RequireAny here is the correct way.
<RequireAll>
Require all denied -> always false
Require ip 127.0.0.1 -> false
#AUTOMATTIC jetpack etc
Require ip 192.0.64.0/18 -> true
</RequireAll>
Overall result: False (no access permitted)
<RequireAny>
Require all denied -> always false
Require ip 127.0.0.1 -> false
#AUTOMATTIC jetpack etc
Require ip 192.0.64.0/18 -> true
</RequireAny>
Overall result: True (access permitted)
Have a nice day
1 -
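The truth table in the post above can be checked mechanically. The script below is an added example (not code from the thread or from Apache itself) that models how Apache 2.4 merges the results of the Require lines inside <RequireAll> and <RequireAny>, using the three-valued outcome (granted / denied / neutral) the Apache documentation describes, for the two providers the thread uses: "Require all" and "Require ip". It goes slightly beyond the post by evaluating the rule set for any client address, so you can see why "Require all denied" makes RequireAll unsatisfiable while RequireAny still admits only the listed networks. The client IPs in the demo are documentation-range placeholders.

```python
"""Model of Apache 2.4 <RequireAll> / <RequireAny> evaluation for the
xmlrpc.php rule discussed above.

Added example, not code from the thread or from Apache itself. It reproduces
the three-valued outcome (granted / denied / neutral) that the Apache
documentation gives for authorization containers, for the two providers the
thread uses ('Require all' and 'Require ip'), so the RequireAll vs RequireAny
truth table above can be checked for any client address. The client IPs used
at the bottom are documentation-range placeholders.
"""
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

# The rule set from the thread; 192.0.64.0/18 is the Automattic/Jetpack range quoted there.
XMLRPC_RULES = [
    "Require all denied",
    "Require ip 127.0.0.1",
    "Require ip 192.0.64.0/18",
]


def evaluate_require(directive, client_ip):
    """Evaluate a single 'Require ...' line for one client address."""
    parts = directive.split()
    if len(parts) < 3 or parts[0] != "Require":
        raise ValueError(f"not a Require directive: {directive!r}")
    provider, args = parts[1], parts[2:]
    if provider == "all":
        # 'Require all granted' always succeeds; 'Require all denied' always fails.
        return GRANTED if args[0] == "granted" else DENIED
    if provider == "ip":
        addr = ipaddress.ip_address(client_ip)
        for spec in args:
            if addr in ipaddress.ip_network(spec, strict=False):
                return GRANTED
        return DENIED  # no listed address or network matched
    raise ValueError(f"provider not modelled here: {provider}")


def combine(container, results):
    """Merge per-line results the way the named container does."""
    if container == "RequireAll":
        # Any failure denies; otherwise at least one success grants; else neutral.
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if container == "RequireAny":
        # Any success grants; otherwise any failure denies; else neutral.
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    raise ValueError(f"unknown container: {container}")


def trace(container, rules, client_ip):
    """Per-line results plus the container's combined verdict."""
    per_line = [(rule, evaluate_require(rule, client_ip)) for rule in rules]
    return per_line, combine(container, [r for _, r in per_line])


def access_permitted(container, rules, client_ip):
    """Apache grants access only on an explicit GRANTED; neutral is treated as denied."""
    return trace(container, rules, client_ip)[1] == GRANTED


if __name__ == "__main__":
    for container in ("RequireAll", "RequireAny"):
        for ip in ("192.0.64.5", "127.0.0.1", "203.0.113.10"):
            per_line, verdict = trace(container, XMLRPC_RULES, ip)
            print(f"<{container}> client {ip}")
            for rule, res in per_line:
                print(f"  {rule:<28} -> {res}")
            state = "access permitted" if verdict == GRANTED else "no access permitted"
            print(f"  overall: {verdict} ({state})")
```

Running it reproduces the two tables above for a Jetpack-range client: RequireAll ends "denied" because "Require all denied" always fails, RequireAny ends "granted" because one Require ip line matches. It also shows that inside RequireAny the "Require all denied" line is redundant rather than harmful: a client outside both networks is already refused because an unmatched Require ip fails on its own, so the block behaves the same with or without it.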
Will do. Thanks!
0