
Block XML RPC in WordPress using Cloudflare’s firewall

source link: https://www.stevefenton.co.uk/2021/10/block-xml-rpc-in-wordpress-using-cloudflares-firewall/


There is a long-standing brute-force issue with the WordPress /xmlrpc.php file. You can (and probably should) switch this off in your website using an .htaccess rule. This stops the requests, but uses up your server resources to check and reject them. If you have Cloudflare, you can stop them at the firewall, which means your web server doesn’t even get hit for the request.

So, once you’ve changed your .htaccess to include this…

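<Files xmlrpc.php>
    # Refuse every request for this file at the web server.
    # These are Apache 2.2-style directives; Apache 2.4 needs mod_access_compat for them.
    order deny,allow
    deny from all
</Files>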

You should also set up a Cloudflare firewall rule like this:

  1. Rule Name: Block XML RPC (xmlrpc.php)
  2. Field: URI Path
  3. Operator: contains
  4. Value: xmlrpc.php
  5. Then…: Block

Or, using the expression editor, enter (http.request.uri.path contains "xmlrpc.php")

Hit “DEPLOY” to set your rule live and then test it using the following:

/xmlrpc.php

//xmlrpc.php

This second item is a common attempt to get around blocking rules.
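To confirm that these requests no longer reach the web server, you can scan the origin access log for xmlrpc.php hits recorded after the rule went live. The script below is an added example, not code from the original article; it assumes Apache combined log format, and the log lines and deploy time are constructed sample values.

```python
import re
from datetime import datetime

# Constructed Apache combined-log lines (sample data, not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2021:09:58:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.79"
203.0.113.7 - - [12/Oct/2021:09:59:30 +0000] "POST //xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.79"
198.51.100.4 - - [12/Oct/2021:10:05:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Oct/2021:10:07:45 +0000] "POST //xmlrpc.php?x=1 HTTP/1.1" 403 199 "-" "curl/7.79"
198.51.100.4 - - [12/Oct/2021:10:09:00 +0000] "GET /about-xmlrpc/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def normalise(target):
    """Drop the query string and collapse repeated slashes, so //xmlrpc.php == /xmlrpc.php."""
    path = target.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def origin_hits(log_text, deployed_at):
    """Return (time, ip, raw_target, status) for xmlrpc.php requests logged at or after deployed_at."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        ip, stamp, _method, target, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if when >= deployed_at and normalise(target).endswith("/xmlrpc.php"):
            hits.append((when.isoformat(), ip, target, int(status)))
    return hits


if __name__ == "__main__":
    # Assumed time at which the firewall rule was deployed.
    deployed = datetime.fromisoformat("2021-10-12T10:00:00+00:00")
    for hit in origin_hits(SAMPLE_LOG, deployed):
        print("reached origin after rule deploy:", *hit)
```

Any line it reports was rejected by the .htaccess rule on the server rather than at the firewall, so an empty result is what you want to see once the rule is live.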

