Blocking sites requesting xmlrpc.php

  • Resolved lrnarasimhan

    (@lrnarasimhan)


    4 years, 7 months ago

    Wordfence 7.4.10, Free edition user, WF firewall enabled.

    I would like to auto block the dozens of sites requesting xmlrpc.php as reported by Live Traffic.

    Steps I have tried: Under the “Immediately block IPs that access these URLs” panel, I have entered/xmlrpc.php, /xmlrpc*, xmlrpc.php, xmlrpc*, and assorted other combinations with and without the ‘/’. Then, I make sure to Save the changes.

    I am not sure where xmlrpc would be and since there is no path specified in the Live Traffic, I’ve been assuming it lives under ‘/’ or to leave the path unspecified.

    Result: Wordfence continues to report the attempts and I periodically block them manually. I would appreciate any advice on how to do this automatically.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @lrnarasimhan and thanks for reaching out to us!

    Wordfence doesn’t specifically block the xmlrpc.php files. It will only Two-Factor authentication attempts via xmlrpc.php if the Disable XML-RPC authentication feature is enabled in Login Security. If you wish to completely block attempts to it you can either use a different plugin or by adding the code below to your htaccess file.

    # Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

    I have also seen people request for this file to be blocked at the server level as well due to a large amount of brute force attacks on this file.

    Let me know if this helps!

    Thanks!

    • This reply was modified 4 years, 7 months ago by WFAdam.
    Thread Starter lrnarasimhan

    (@lrnarasimhan)

    Thank you. I have just enabled the Disable XML-RPC authentication. Looking more closely at the logs, every request for xmlrpc.php is preceded by an access to wp-login.php.

    If I understand correctly, the .htaccess modification will return some kind of error message to the requesting bot but that IP address can still request the page again. If I want to autoban that IP, I will need to do that with some other tool besides Wordfence and .htaccess?

    Thread Starter lrnarasimhan

    (@lrnarasimhan)

    Followup question:

    I have added the commands to .htaccess.

    I’ve also created a /misc/ folder in public_html, put an empty file in it, and set up robots.txt to disallow access to this directory.

    I’ve set up a redirect for all requests to xmlrpc.php to point to the empty file in misc/

    I’ve placed /misc/* in the Immediately Block box.

    Expected behavior: xmlrpc.php requests get sent to /misc, WF would then block that IP address automatically. The robots.txt will prevent well-behaved crawlers from getting trapped.

    Observed behavior: When I test accessing https://{mydomain.com}/xmlrpc.php from a sacrificial IP address, I get shown a blank file vs. getting placed on the blocklist.

    • This reply was modified 4 years, 7 months ago by lrnarasimhan.
    Plugin Support WFAdam

    (@wfadam)

    Hello @lrnarasimhan

    If you do a few google searches you will find some more information on blocking files via htaccess file. The code would depend on the version of apache you are running on your server. Just after some research on my end, I have found that you might get a blank page as a result but you can add code to your htaccess file to direct them to a 403 error if you wanted.

    Let me know if this helps!

    Thanks for posting your results!

    Thread Starter lrnarasimhan

    (@lrnarasimhan)

    I took out the additions to the Immediately Block box a few hours ago.

    This morning, some IPs are showing the red block icon when they access xmlrpc.php while others are not.

    I’ll read more about .htaccess and see how to prevent these sites from connecting.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Blocking sites requesting xmlrpc.php’ is closed to new replies.

Tags