[wordpress.org...]

Hi lorax,
What do you think of the following to avoid adding another plugin

# protect xmlrpc
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>

I'm not a htaccess guru so I can't say for sure if that will protect it or not. If it works, go for it.

I just did it, so far so good
seems to work fine.

You got me to thinking. I decided to try:

<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
</Files>

but it didn't work - at least I don't think it did. I still get "XML-RPC server accepts POST requests only."

Does not look like my version?

No but it should work as well. My theory is the file is denied to everyone. But... ;)

Is anything blocking your script exec?
As far as I can tell I have no more calls to xmlrpc.
I made a precise note of day and #hits
will look at it again tomorrow and keep you posted.

As per my logs it is confirmed, no more access to it.
If I tried to access it I receive a 403.

Excellent! Thanks for the update!

lorax -

do you have AllowOverride All set?

Also, you may have an Allow rule that allows that. Like in CSS, in Apache access rules, the last rule wins. So try

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

If set up that way, Apache should process all Allow rules followed by all Deny rules. Since you've explicitly set a Deny from all, that should win.

Order: [httpd.apache.org...]

Overrides: [httpd.apache.org...]

Thanks ergo. I'm away for the weekend but will take a look. I hadn't thought of that - I'm on the edge of my knowledge here... :)

Yeah, I say that so glibly like it comes to me like breathing, but I always forget the order of operations for access rules and looked at the docs to verify that I had that right before I posted.

I never made the CSS analogy before, so maybe this time I'll remember! So simple, but I always forget because I just don't need it very often.