How to protect an Apache web server (with cPanel/DirectAdmin) from XML-RPC attacks

In a previous article, we detailed how to protect WordPress from XML-RPC attacks. That article was written for website owners; since then we have received questions about how to apply the same method to every website hosted on an Apache web server.

On both cPanel and DirectAdmin servers running Apache, the file we will use is /home/.htaccess. Edit or create this file and add the blocking rule (this is Apache 2.4 "Require" syntax):

# content of the file /home/.htaccess
<Files "xmlrpc.php">
Require all denied
</Files>

Apache reads .htaccess files from the top of the path down, so a <Files> section in /home/.htaccess applies to every xmlrpc.php below /home, whichever account or document root it lives in. A matching request is answered by Apache with 403 Forbidden before PHP runs, which is what takes the load of XML-RPC brute-force and pingback floods off the server. The rule only takes effect if AllowOverride permits .htaccess processing under /home, which it must already for the per-account .htaccess files that hosting customers rely on.


Now consider the situation where you want to permit access to xmlrpc.php for one account (for example, a site that is still managed through the WordPress mobile app or the Jetpack plugin, both of which use XML-RPC).

For cPanel, edit/create the file /home/USERNAME/.htaccess and add the lines:

<Files "xmlrpc.php">
Require all granted
</Files>

For DirectAdmin, edit/create the file /home/USERNAME/domains/.htaccess and add the lines:

<Files "xmlrpc.php">
Require all granted
</Files>

Now requests to xmlrpc.php on USERNAME's sites are permitted: when several .htaccess files on the path set a Require for the same file, Apache uses the deepest one, so the account's "Require all granted" replaces the server-wide "Require all denied". The same mechanism cuts both ways: any account owner who can edit their own .htaccess can re-enable xmlrpc.php in exactly this manner, so /home/.htaccess sets a default for the server rather than a policy that users cannot override.

To verify, open the file in your web browser (https://example.com/xmlrpc.php) or fetch it with curl -i. If access is permitted, WordPress answers a GET request with the message:

XML-RPC server accepts POST requests only.

If the blocking rule is in effect, Apache returns 403 Forbidden instead and the WordPress message does not appear.
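The following audit script is an added example for this article, not code from the original post or from cPanel/DirectAdmin. It reports what the server-wide /home/.htaccess and each account's .htaccess say about xmlrpc.php, works out which rule Apache will actually apply for that account (the deeper file wins), and can optionally probe every hosted domain over HTTPS to confirm the result. It assumes, as labelled in the comments, that cPanel keeps its "domain: user" map in /etc/trueuserdomains and DirectAdmin in /etc/virtual/domainowners, and that awk and curl are installed.

```shell
#!/bin/sh
# Added audit script (not from the original article): shows the xmlrpc.php rule in
# /home/.htaccess and in each account's .htaccess, the rule Apache will apply, and
# optionally probes each hosted domain to confirm it.
# Assumptions: cPanel lists "domain: user" pairs in /etc/trueuserdomains and
# DirectAdmin in /etc/virtual/domainowners (assumed paths); awk and curl are present.

# xmlrpc_rule FILE: print "denied", "granted" or "none" depending on the Require
# directive inside the <Files "xmlrpc.php"> section of FILE (quotes optional).
xmlrpc_rule() {
    [ -r "$1" ] || { echo none; return 0; }
    rule=$(awk '
        tolower($0) ~ /<files[[:space:]]+"?xmlrpc\.php"?>/ { inblock = 1; next }
        tolower($0) ~ /<\/files>/                          { inblock = 0 }
        inblock && tolower($0) ~ /require[[:space:]]+all[[:space:]]+denied/  { print "denied";  exit }
        inblock && tolower($0) ~ /require[[:space:]]+all[[:space:]]+granted/ { print "granted"; exit }
    ' "$1")
    echo "${rule:-none}"
}

# effective_rule SERVER_FILE USER_FILE: Apache merges .htaccess files from the top of
# the path down and a deeper Require replaces the parent's (AuthMerging Off, the
# default), so the account file wins whenever it sets a rule of its own.
effective_rule() {
    user_rule=$(xmlrpc_rule "$2")
    if [ "$user_rule" = none ]; then xmlrpc_rule "$1"; else echo "$user_rule"; fi
}

# classify_status CODE: what the HTTP status of GET /xmlrpc.php implies.
classify_status() {
    case "$1" in
        403)     echo blocked ;;      # Require all denied matched
        200|405) echo open ;;         # the request reached xmlrpc.php
        404)     echo absent ;;       # no xmlrpc.php there (not WordPress, or removed)
        000)     echo unreachable ;;  # curl could not connect
        *)       echo unknown ;;
    esac
}

# probe_domain DOMAIN: HTTP status code of an HTTPS GET to /xmlrpc.php (000 on failure).
probe_domain() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' "https://$1/xmlrpc.php"
}

# domain_list: every hosted domain from the control panel's domain map (assumed paths).
domain_list() {
    for f in /etc/trueuserdomains /etc/virtual/domainowners; do
        [ -r "$f" ] && cut -d: -f1 "$f"
    done | sort -u
}

# audit_files: server-wide rule plus the effective rule for every account under /home.
audit_files() {
    server=/home/.htaccess
    printf 'server-wide %-44s %s\n' "$server" "$(xmlrpc_rule "$server")"
    for home in /home/*/; do
        [ -d "$home" ] || continue
        user=${home%/}; user=${user##*/}
        # cPanel document roots live under /home/USER, DirectAdmin's under /home/USER/domains
        for f in "${home}.htaccess" "${home}domains/.htaccess"; do
            printf '%-11s %-44s %s\n' "$user" "$f" "$(effective_rule "$server" "$f")"
        done
    done
}

# audit_remote: confirm the result from the outside, one line per hosted domain.
audit_remote() {
    domain_list | while read -r d; do
        code=$(probe_domain "$d")
        printf '%-40s %s %s\n' "$d" "$code" "$(classify_status "$code")"
    done
}

case "${1:-}" in
    files)  audit_files ;;
    remote) audit_remote ;;
    "")     ;;  # no argument: only define the functions (useful when sourced)
    *)      echo "usage: $0 files|remote" >&2; exit 2 ;;
esac
```

Run it as root with "files" after editing /home/.htaccess to see which accounts have overridden the server-wide deny, and with "remote" to check what the public actually gets; an account that shows "granted" in the first report should show "open" in the second, everything else should show "blocked" or "absent".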

Links:
Wikipedia XML-RPC
WordPress XML-RPC codex
