Viewing 6 replies - 1 through 6 (of 6 total)
Plugin Author Brandon Kraft

    (@kraftbj)

    Code Wrangler

    Howdy,

    You would set up the .htaccess like this:

    <FilesMatch "xmlrpc\.php$">
        order deny,allow
        deny from all
        allow from 1.2.3.4
        allow from 5.6.7.8
    </FilesMatch>

    replacing 1.2.3.4 with the IP addresses listed at https://whois.arin.net/rest/org/AUTOM-93/nets

    You can list IP groups, e.g. 1.2.3. would allow any 1.2.3.* address through, etc.

    Overall, we don’t suggest this approach since our IP block will change over time, changing the possible IP addresses and this would prevent any of the mobile apps or other desktop clients from working.

    Alternatively, Jetpack requests are routed to /xmlrpc.php?for=jetpack, so matching that string and allowing that is another option. Jetpack has protocols in place to only accept incoming requests that have been signed by our servers.

    Thread Starter Stubborn_Facts

    (@stubborn_facts)

    Sorry, but the specifics of the Apache server language are not something I’ve mastered as of yet. I do know if you put in the wrong stuff, it can slam the server.

    Since the IP approach is essentially a time bomb, I looked at going with your other suggestion.

    Since I couldn’t be sure that I could just “swap out” the url string for the IPs in the code I included first or in your IP example, I thought I’d better find some kind of matching code that looked close to what you were suggesting so it was properly configured.

    I couldn’t find anything anywhere after spending an hour Googling my fingers off.

    I tried something that was sort of close here: https://perishablepress.com/wordpress-xmlrpc-pingback-vulnerability/, but that was apparently not the right way to go:

    # protect xmlrpc
    <IfModule mod_alias.c>
        Redirect 301 /xmlrpc.php https://dbandrmarketing.com/xmlrpc.php?for=jetpack
    </IfModule>

    Here’s what I got back from Jetpack:
    Your website needs to be publicly accessible to use Jetpack: site_inaccessible

    Error Details: The Jetpack server was unable to communicate with your site https://example.com [IXR -32300: transport error: http_request_failed Too many redirects.]

    For now, I’ve had to use the code provided with my host. I’m really concerned about leaving xmlrpc WIDE open like this. PLEASE, is there a known working code example for those of us who aren’t proficient in the language?

    Thanks

    Plugin Author Brandon Kraft

    (@kraftbj)

    Code Wrangler

    Generally speaking, XML-RPC isn’t insecure, so there isn’t anything wrong with leaving it enabled. It’s running on the vast majority of WordPress sites and is fine as long as other solid security practices are being used (e.g. using a secure password, keeping WordPress and plugins updated, using a reliable hosting provider, etc.). In addition to Jetpack, it is required to use any of the WordPress mobile apps.

    I’m not well enough versed with .htaccess rules to provide a code example.

    Here’s the IP information for the jetpack site.

    # host jetpack.wordpress.com
    jetpack.wordpress.com has address 192.0.82.250
    jetpack.wordpress.com has address 192.0.83.250

    I added this to my .htaccess for one of my sites and it worked great:

    <FilesMatch "xmlrpc\.php$">
        Allow from 192.0.82.250
    </FilesMatch>

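A complete .htaccess for the two approaches discussed in this thread (allow-listing by address, or allowing only requests marked with `?for=jetpack`), written as an added example rather than code from the thread or from Jetpack. The two addresses are the ones quoted above for jetpack.wordpress.com; the rest of the Automattic ranges would come from the ARIN record linked in the first reply. Two caveats it makes explicit: a bare `Allow from` line without `Order` and `Deny from all` restricts nothing, because Apache's default policy already admits every client, and a `Redirect` of /xmlrpc.php to /xmlrpc.php?for=jetpack matches its own target and loops, which is the "Too many redirects" error reported above.

```apache
# Pick ONE of the two options below; they are alternatives, not layers.
# Either one also blocks the WordPress mobile apps and other desktop clients,
# as noted in the first reply, since those call xmlrpc.php without ?for=jetpack
# and from arbitrary addresses.

# --- Option A: allow xmlrpc.php only from listed addresses ---

# Apache 2.2 (mod_access) syntax. "Order deny,allow" evaluates Allow last, so
# the listed addresses override the Deny. Without the Order and Deny lines a
# bare "Allow from" changes nothing: everyone is already allowed by default.
<IfModule !mod_authz_core.c>
    <FilesMatch "^xmlrpc\.php$">
        Order deny,allow
        Deny from all
        # Addresses quoted in this thread for jetpack.wordpress.com. Add the
        # other Automattic ranges from the ARIN record linked above; Apache
        # accepts partial addresses such as 192.0.82. or CIDR such as 192.0.82.0/24.
        Allow from 192.0.82.250
        Allow from 192.0.83.250
    </FilesMatch>
</IfModule>

# Same policy in Apache 2.4 (mod_authz_core) syntax. Any request from an
# address not listed gets a 403.
<IfModule mod_authz_core.c>
    <FilesMatch "^xmlrpc\.php$">
        Require ip 192.0.82.250
        Require ip 192.0.83.250
    </FilesMatch>
</IfModule>

# --- Option B: allow only requests whose query string marks them as Jetpack ---

# Jetpack calls /xmlrpc.php?for=jetpack and, as the first reply says, only
# accepts requests signed by its servers; the query-string match here is a
# coarse filter and the signature check inside Jetpack remains the real gate.
# A rewrite rule is used instead of "Redirect" because a Redirect of
# /xmlrpc.php to /xmlrpc.php?for=jetpack matches the redirected URL again
# and loops.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Request path ends in /xmlrpc.php (works for sub-directory installs too)
    RewriteCond %{REQUEST_URI} /xmlrpc\.php$
    # ...and the query string does NOT carry for=jetpack as a whole parameter
    RewriteCond %{QUERY_STRING} !(^|&)for=jetpack(&|$)
    # Refuse with 403 and stop processing further rules
    RewriteRule .* - [F,L]
</IfModule>
```

With Option A in place, a failed attempt from an address not on the list shows up in the Apache access log as a 403 for xmlrpc.php, which is a useful thing to watch when testing the rule from a second connection before relying on it.
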
    Plugin Author Brandon Kraft

    (@kraftbj)

    Code Wrangler

    Hi,

    Please note that those IPs are strictly for jetpack.wordpress.com (any reason to not allow 192.0.83.250 too?) and aren’t the only IPs that contact your site as part of the Jetpack connection.

    You’ll likely see issues crop up from limiting it to only that one IP address.

    I left out the 2nd IP address by pure accident.

    It would be nice if there was a specific IP block for jetpack servers that we could add to an ACL rather than having to open up a site to your entire network for a couple of features in one plugin. Maybe that’s something Jetpack could add to an htaccess file for us in the future?

    I just tested the IPs that come up for jetpack.wordpress.com and gave it a shot on an internal use site that nobody else uses other than me.

    I probably should have added a mileage may vary disclaimer for other site admins.

  • The topic ‘.htaccess configure to allow Jetpack only’ is closed to new replies.