How to disable XML-RPC from Linux command-line in a total way?

I read near the end of this guide regarding utilizing SSHguard to protect WordPress from Brute force attacks that after configuring SSHguard the relevant way, one must:

disable XML-RPC by blocking all remote access to /xmlrpc.php in your web server configuration.

  • I don't use XML-RPC in any of my websites.

  • I use Nginx as my web server.

I'm not sure what the best way is to totally block XML-RPC. Nginx conf for each site? WP-CLI operation per site?

What is the common way to do so?



Here's a better way to handle it on Nginx (and how my employer does it). This actually returns a "Forbidden" message.

location /xmlrpc.php { return 403; }

Anyone who says it's not a security risk is blithely unaware of the hacks that started happening with WordPress 4.7.2 (it might be a 4.5x release), where there was an actual exploitable risk in WordPress because of how xmlrpc.php requests were not being properly sanitized.

Realistically, the only time anyone should not disable access to xmlrpc.php is if they're using the Jetpack plugin from WordPress.com.


On nginx, to block access to the xmlrpc.php file, add this location block to the server block of your configuration file:

location ~ ^/(xmlrpc\.php) {
  deny all;
}
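As an added example (not code from either answer above, and not a snippet from any WordPress or Nginx project), here is a complete server block that puts the two answers together and shows where the blocking location has to sit relative to the usual `location ~ \.php$` handler found in WordPress Nginx configs. The hostname, document root, log path and PHP-FPM socket are placeholders. The one point worth knowing is Nginx's location precedence: an exact match (`location = /xmlrpc.php`) always wins, whereas a plain prefix match (`location /xmlrpc.php`) is overridden by any regex location that also matches, such as `~ \.php$`, and a regex location like `~ ^/(xmlrpc\.php)` only wins if it appears before the `\.php$` regex in the file.

```nginx
# Added example: WordPress site on nginx with xmlrpc.php blocked for every
# request method. Hostname, paths and socket are placeholders.
server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/example.com;        # placeholder
    index index.php;

    # Exact match has the highest priority in nginx location selection, so
    # this block is chosen even though "location ~ \.php$" below would also
    # match /xmlrpc.php. A prefix form "location /xmlrpc.php" would lose to
    # that regex and the request would still reach PHP-FPM.
    location = /xmlrpc.php {
        # Optional: keep a separate record of blocked attempts for monitoring.
        access_log /var/log/nginx/xmlrpc_blocked.log;   # placeholder path
        return 403;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Normal PHP handler for the rest of WordPress. xmlrpc.php never gets here
    # because the exact-match location above is selected first.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }
}
```

To apply this across many sites without editing each server block, put only the `location = /xmlrpc.php { return 403; }` part in a shared file (for example a snippet under the nginx conf directory) and `include` it from every site's server block. After `nginx -t` and a reload, a request for `/xmlrpc.php` with any method should get a 403, while a request for `/` should still be served; checking both confirms that the exact-match block, and not the `\.php$` handler, is the one being selected.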
