Block access to all occurrences of xmlrpc.php using CSF

gschaefer
Registered, Jun 11, 2019, Scotts Head, NSW
cPanel Access Level: Root Administrator
I host over 20 WordPress websites on my VPS and would like to find a way to easily deny access to all occurrences of xmlrpc.php using CSF.

I can manually disable it for each site, but every time WordPress is updated it puts the file back again.

Can anyone suggest a way to do this with CSF?
rpvw
Well-Known Member, Jul 18, 2013, UK
cPanel Access Level: Root Administrator
I think using modsec would be a superior solution to your dilemma.
You might find a number of useful articles and code examples by searching for the string "modsec xmlrpc" in your favorite search engine.

You may be able to implement a regex in LFD (a component of CSF)
There is an interesting discussion on the CSF forum detailing how to achieve this. (Search for "Blocking Wordpress Login and xmlprc attacks with LFD" in the CSF forums.)
cPanelLauren
Product Owner, Staff member, Nov 14, 2017, Houston
modsec would definitely be the correct avenue for this.

Another really simple solution is just to deny access to the file in the .htaccess:

Code:
<Files "xmlrpc.php">
Require all denied
</Files>
linux4me2
Well-Known Member, Aug 21, 2015, USA
cPanel Access Level: Root Administrator
I use a pre-main global include (WHM -> Service Configuration -> Apache Configuration -> Pre-Main Include -> All Versions) to block xmlrpc server-wide:
Code:
<IfModule mod_alias.c>
  RedirectMatch 301 /xmlrpc.php http://127.0.0.1/
</IfModule>
So far, it seems to be working well with my WordPress sites. I'm not sure if it would be more/less efficient than using CSF or mod_security, though it's really easy to implement, and you only have to add it in one place to affect all accounts. Maybe @cPanelLauren's code snippet would work in the Include Editor as well?
garconcn
Well-Known Member, Oct 29, 2009
I add the following to Apache Global Pre VirtualHost Includes:

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Whitelist Jetpack IPs (you can remove/replace all the Allow lines)
Allow from 192.0.64.0/18
Allow from 122.248.245.244
Allow from 54.217.201.243
Allow from 54.232.116.4
Allow from 209.15.0.0/16
Allow from 66.155.0.0/17
Allow from 64.34.206.0/24
Allow from 185.64.140.0/22
Allow from 198.181.116.0/22
Allow from 76.74.248.128/25
Allow from 76.74.255.0/25
Deny from all
</FilesMatch>

To whitelist for one domain, do this (replace CPANELID and DOMAINNAME):

mkdir -p /etc/apache2/conf.d/userdata/std/2_4/CPANELID/DOMAINNAME
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/CPANELID/DOMAINNAME

Create a file allowxmlrpc.conf in each above dir:

<FilesMatch "^(xmlrpc\.php)">
Allow from all
</FilesMatch>

Rebuild and restart Apache:

/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd
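Added example (not code from the thread or from CSF): before writing an LFD custom regex as rpvw suggests, it helps to check offline which client IPs would actually trip it. The script below applies the same logic to constructed Apache combined-format domlog lines, exempts the Jetpack ranges from garconcn's allowlist, and renders the `csf -d` commands for the remaining offenders. The log format, the trigger count of 5 and the sample lines are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Allowlist copied from the FilesMatch block above (Jetpack ranges as listed in the thread).
JETPACK_ALLOW = [ipaddress.ip_network(n) for n in (
    "192.0.64.0/18", "122.248.245.244", "54.217.201.243", "54.232.116.4",
    "209.15.0.0/16", "66.155.0.0/17", "64.34.206.0/24", "185.64.140.0/22",
    "198.181.116.0/22", "76.74.248.128/25", "76.74.255.0/25",
)]

# Apache combined log line: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_allowlisted(ip: str) -> bool:
    """True when the client falls inside one of the Jetpack ranges (non-IP clients are never allowlisted)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in JETPACK_ALLOW)

def xmlrpc_hits(lines):
    """Count POSTs to any .../xmlrpc.php per client IP, skipping allowlisted sources and non-matching lines."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/xmlrpc.php"):
            continue  # other paths, or GETs that WordPress answers with 405 anyway
        if not is_allowlisted(m["ip"]):
            counts[m["ip"]] += 1
    return counts

def offenders(lines, threshold=5):
    """IPs with at least `threshold` counted hits (assumed trigger count, like an LFD custom regex)."""
    return sorted(ip for ip, n in xmlrpc_hits(lines).items() if n >= threshold)

def csf_deny_commands(lines, threshold=5):
    """Render one `csf -d <ip> <comment>` line per offender for an admin to review before running."""
    return [f"csf -d {ip} WordPress xmlrpc abuse" for ip in offenders(lines, threshold)]

def _line(ip, method, path, status):  # constructed sample line, not real traffic
    return f'{ip} - - [11/Jun/2019:10:00:00 +1000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = ([_line("203.0.113.9", "POST", "/xmlrpc.php", 200)] * 6     # repeated attacker
              + [_line("203.0.113.9", "GET", "/xmlrpc.php", 405)]         # GET is not counted
              + [_line("198.51.100.7", "POST", "/blog/xmlrpc.php?rsd", 200)]  # single hit, below threshold
              + [_line("192.0.65.10", "POST", "/xmlrpc.php", 200)] * 3    # inside 192.0.64.0/18 (Jetpack)
              + ["not an access log line at all"])                        # ignored by the parser

if __name__ == "__main__":
    print("\n".join(csf_deny_commands(SAMPLE_LOG)))
```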