WordPress Forum

    
Remove XMLRPC
Do I need a plugin
henry0




msg:4666542
 4:01 pm on Apr 28, 2014 (gmt 0)

Recently I got a few K calls to XMLRPC.
I do not use any tools from any smartphone to work on the site, so I'd rather disable it.
But since 3.5 the rem option is gone with the wind!
There is on WP.org a plugin to disable xmlrpc.
Should I go for it?
Thanks

 

lorax




msg:4666600
 7:58 pm on Apr 28, 2014 (gmt 0)

https://wordpress.org/plugins/disable-xml-rpc/

henry0




msg:4666602
 8:26 pm on Apr 28, 2014 (gmt 0)

Hi lorax,
What do you think of the following to avoid adding another plugin?

# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>

lorax




msg:4666855
 12:29 pm on Apr 29, 2014 (gmt 0)

I'm not a htaccess guru so I can't say for sure if that will protect it or not. If it works, go for it.

henry0




msg:4666883
 1:37 pm on Apr 29, 2014 (gmt 0)

I just did it, so far so good
seems to work fine.

lorax




msg:4666918
 3:32 pm on Apr 29, 2014 (gmt 0)

You got me to thinking. I decided to try:


<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>


but it didn't work - at least I don't think it did. I still get "XML-RPC server accepts POST requests only."

henry0




msg:4666924
 3:58 pm on Apr 29, 2014 (gmt 0)

Does not look like my version?

lorax




msg:4667188
 12:07 pm on Apr 30, 2014 (gmt 0)

No but it should work as well. My theory is the file is denied to everyone. But... ;)

henry0




msg:4667226
 1:59 pm on Apr 30, 2014 (gmt 0)

Is anything blocking your script exec?
As far as I can tell I have no more calls to xmlrpc.
I made a precise note of day and #hits
will look at it again tomorrow and keep you posted.

henry0




msg:4667529
 4:22 pm on May 1, 2014 (gmt 0)

As per my logs it is confirmed, no more access to it.
If I try to access it I receive a 403.

lorax




msg:4667646
 5:19 pm on May 1, 2014 (gmt 0)

Excellent! Thanks for the update!

ergophobe




msg:4673737
 3:06 am on May 23, 2014 (gmt 0)

lorax -

Do you have AllowOverride All set?

Also, you may have an Allow rule that allows that. Like in CSS, in Apache access rules, the last rule wins. So try

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

If set up that way, Apache should process all Allow rules followed by all Deny rules. Since you've explicitly set a Deny from all, that should win.
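
The evaluation order discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of Apache 2.2's Order/Allow/Deny logic for one merged context. The function names and the client address are constructed for illustration; the model only understands `all`, a single IP, or a CIDR range, and does not model how Apache merges sections.

```python
import ipaddress

def matches(specs, client_ip):
    """True if client_ip matches any 'Allow from' / 'Deny from' spec."""
    addr = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def access_allowed(order, allow, deny, client_ip):
    """Simplified Apache 2.2 access decision for one merged context."""
    order = order.replace(" ", "").lower()
    allowed = matches(allow, client_ip)
    denied = matches(deny, client_ip)
    if order == "allow,deny":
        # Allow rules first, Deny rules second; no match means denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny rules first, Allow rules second; no match means allowed.
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)

CLIENT = "203.0.113.7"  # constructed address from a documentation range

def demo():
    """Evaluate the two <Files xmlrpc.php> blocks from the thread,
    with and without a stray 'Allow from all' in the same context."""
    return {
        "Deny,Allow + Deny from all":
            access_allowed("Deny,Allow", [], ["all"], CLIENT),
        "Allow,Deny + Deny from all":
            access_allowed("Allow,Deny", [], ["all"], CLIENT),
        "Deny,Allow + Deny from all + Allow from all":
            access_allowed("Deny,Allow", ["all"], ["all"], CLIENT),
        "Allow,Deny + Deny from all + Allow from all":
            access_allowed("Allow,Deny", ["all"], ["all"], CLIENT),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'allowed' if result else 'denied (403)'}")
```

In this model a stray `Allow from all` overrides `Deny from all` only under `Order Deny,Allow`; under `Order Allow,Deny` the Deny rule is evaluated last and the request is still refused.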

ergophobe




msg:4673738
 3:06 am on May 23, 2014 (gmt 0)

Order: [httpd.apache.org...]

Overrides: [httpd.apache.org...]

lorax




msg:4673901
 12:26 pm on May 23, 2014 (gmt 0)

Thanks ergo. I'm away for the weekend but will take a look. I hadn't thought of that - I'm on the edge of my knowledge here... :)

ergophobe




msg:4673938
 2:05 pm on May 23, 2014 (gmt 0)

Yeah, I say that so glibly like it comes to me like breathing, but I always forget the order of operations for access rules and looked at the docs to verify that I had that right before I posted.

I never made the CSS analogy before, so maybe this time I'll remember! So simple, but I always forget because I just don't need it very often.
