Welcome to WebmasterWorld Guest from 54.145.13.215

Forum Moderators: rogerd & travelin cat

Message Too Old, No Replies

Remove XMLRPC

Do I need a plugin

     
4:01 pm on Apr 28, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4388
votes: 2


Recently I got a few K calls to XMLRPC
I do not use any tools from any smartphone to work on the site, so I rather disable it.
but since 3.5 the rem option is gone with the wind!
There is on WP.ord a plugin to disable xmlrpc.
Should I go for it?
Thanks
7:58 pm on Apr 28, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0

8:26 pm on Apr 28, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4388
votes: 2


Hi lorax,
What do you think of the following to avoid adding another plugin

# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>
12:29 pm on Apr 29, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


I'm not a htaccess guru so I can't say for sure if that will protect it or not. If it works, go for it.
1:37 pm on Apr 29, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4388
votes: 2


I just did it, so far so good
seems to work fine.
3:32 pm on Apr 29, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


You got me to thinking. I decided to try:


<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>


but it didn't work - at least I don't think it did. I still get "XML-RPC server accepts POST requests only."
3:58 pm on Apr 29, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4388
votes: 2


Does not look like my version?
12:07 pm on Apr 30, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


No but it should work as well. My theory is the file is denied to everyone. But... ;)
1:59 pm on Apr 30, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4388
votes: 2


Is anything blocking your script exec?
As far as I can tell I have no more calls to xmlrpc.
I made a precise note of day and #hits
will look at it again tomorrow and keep you posted.
4:22 pm on May 1, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4388
votes: 2


As per my logs it is confirmed, no more access to it.
If I tried to access it I receive a 403.
5:19 pm on May 1, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Excellent! Thanks for the update!
3:06 am on May 23, 2014 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 102


lorax -

do you have AllowOverride All set?

Also, you may have an Allow rule that allows that. Like in CSS, in Apache access rules, the last rule wins. So try

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

If set up that way, Apache should process all Allow rules followed by all Deny rules. Since you've explicitly set a Deny from all, that should win.
3:06 am on May 23, 2014 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 102


Order: [httpd.apache.org...]

Overrides: [httpd.apache.org...]
12:26 pm on May 23, 2014 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lorax is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 31, 2002
posts:7575
votes: 0


Thanks ergo. I'm away for the weekend but will take a look. I hadn't thought of that - I'm on the edge of my knowledge here... :)
2:05 pm on May 23, 2014 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 102


Yeah, I say that so glibly like it comes to me like breathing, but I always forget the order of operations for access rules and looked at the docs to verify that I had that right before I posted.

I never made the CSS analogy before, so maybe this time I'll remember! So simple, but I always forget because I just don't need it very often.