Welcome to WebmasterWorld Guest from 54.159.190.106

Forum Moderators: rogerd

Message Too Old, No Replies

Remove XMLRPC

Do I need a plugin

   
4:01 pm on Apr 28, 2014 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Recently I got a few K calls to XMLRPC
I do not use any tools from any smartphone to work on the site, so I rather disable it.
but since 3.5 the rem option is gone with the wind!
There is on WP.ord a plugin to disable xmlrpc.
Should I go for it?
Thanks
7:58 pm on Apr 28, 2014 (gmt 0)
8:26 pm on Apr 28, 2014 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Hi lorax,
What do you think of the following to avoid adding another plugin

# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>
12:29 pm on Apr 29, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I'm not a htaccess guru so I can't say for sure if that will protect it or not. If it works, go for it.
1:37 pm on Apr 29, 2014 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I just did it, so far so good
seems to work fine.
3:32 pm on Apr 29, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



You got me to thinking. I decided to try:


<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>


but it didn't work - at least I don't think it did. I still get "XML-RPC server accepts POST requests only."
3:58 pm on Apr 29, 2014 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Does not look like my version?
12:07 pm on Apr 30, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



No but it should work as well. My theory is the file is denied to everyone. But... ;)
1:59 pm on Apr 30, 2014 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Is anything blocking your script exec?
As far as I can tell I have no more calls to xmlrpc.
I made a precise note of day and #hits
will look at it again tomorrow and keep you posted.
4:22 pm on May 1, 2014 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



As per my logs it is confirmed, no more access to it.
If I tried to access it I receive a 403.
5:19 pm on May 1, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Excellent! Thanks for the update!
3:06 am on May 23, 2014 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



lorax -

do you have AllowOverride All set?

Also, you may have an Allow rule that allows that. Like in CSS, in Apache access rules, the last rule wins. So try

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

If set up that way, Apache should process all Allow rules followed by all Deny rules. Since you've explicitly set a Deny from all, that should win.
3:06 am on May 23, 2014 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Order: [httpd.apache.org...]

Overrides: [httpd.apache.org...]
12:26 pm on May 23, 2014 (gmt 0)

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Thanks ergo. I'm away for the weekend but will take a look. I hadn't thought of that - I'm on the edge of my knowledge here... :)
2:05 pm on May 23, 2014 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Yeah, I say that so glibly like it comes to me like breathing, but I always forget the order of operations for access rules and looked at the docs to verify that I had that right before I posted.

I never made the CSS analogy before, so maybe this time I'll remember! So simple, but I always forget because I just don't need it very often.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month