Tuesday, December 8, 2015

Block WordPress XML-RPC Requests Using Apache .htaccess

I recently noticed an increase in unauthorized attempts to access the /xmlrpc.php endpoint of the company WordPress blog. Although the attempts seem to have been unsuccessful, we did decide to limit access to the endpoint to requests originating from the company networks and VPN nodes. The following are some steps you can take if you are facing a similar situation.

Edit the blog .htaccess file:

vi /var/www/html/style-blog/style-blog/.htaccess

Add or update the following:

# Block WordPress xmlrpc.php requests
# Apache 2.2 syntax: with "order deny,allow" the Deny directives are evaluated
# first, then Allow; a client matching an Allow directive is permitted even
# though "deny from all" matches it too.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 50.111.111.111
allow from 127.0.0.1
</Files>

This blocks access to xmlrpc.php from all hosts except localhost and 50.111.111.111 (the fictitious IP address for the San Francisco Office).
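Before deploying a rule set like this, it helps to know exactly which client addresses it will let through. The following Python script is an added example (not part of the original post) that parses the <Files xmlrpc.php> block above and applies the Apache 2.2 "Order deny,allow" / "Order allow,deny" semantics to a client IP. It goes a little beyond the post's block by also handling CIDR ranges, netmasks and partial dotted prefixes, which are the other argument forms "allow from" / "deny from" accept. The embedded .htaccess text is a constructed copy of the post's snippet; 50.111.111.111 is the post's fictitious office address.

```python
"""Evaluate an Apache 2.2 "Order"/"Deny"/"Allow" <Files> block for a client IP.

Added example, not from the original post: checks which client addresses
would reach xmlrpc.php under the rules in an .htaccess snippet.
"""
import ipaddress
import re

# Constructed copy of the .htaccess block from the post.
HTACCESS = """\
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 50.111.111.111
allow from 127.0.0.1
</Files>
"""


def parse_files_block(text, filename="xmlrpc.php"):
    """Return (order, deny_hosts, allow_hosts) for the <Files filename> block."""
    m = re.search(r"<Files\s+%s>(.*?)</Files>" % re.escape(filename),
                  text, re.S | re.I)
    if not m:
        raise ValueError("no <Files %s> block found" % filename)
    order, deny, allow = "deny,allow", [], []   # Apache's default Order
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        directive, _, args = line.partition(" ")
        d = directive.lower()
        if d == "order":
            order = args.strip().lower().replace(" ", "")
        elif d in ("deny", "allow"):
            hosts = args.split()
            if hosts and hosts[0].lower() == "from":
                hosts = hosts[1:]
            (deny if d == "deny" else allow).extend(hosts)
    return order, deny, allow


def host_matches(pattern, ip):
    """Match one 'from' argument: all, full IP, CIDR/netmask, or dotted prefix.

    Hostname patterns are not resolved here and therefore never match.
    """
    p = pattern.lower()
    if p == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in p:                                 # 10.0.0.0/8 or 10.0.0.0/255.0.0.0
        return addr in ipaddress.ip_network(p, strict=False)
    try:
        return addr == ipaddress.ip_address(p)
    except ValueError:
        # Partial address such as "50.111" matches every IP under that prefix.
        return ip.startswith(p.rstrip(".") + ".")


def is_allowed(ip, text=HTACCESS, filename="xmlrpc.php"):
    """True if a request from `ip` for `filename` passes the block's rules."""
    order, deny, allow = parse_files_block(text, filename)
    denied = any(host_matches(h, ip) for h in deny)
    allowed = any(host_matches(h, ip) for h in allow)
    if order == "deny,allow":
        # Deny is evaluated first, Allow overrides it; unmatched clients pass.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, Deny overrides it; unmatched clients fail.
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)


if __name__ == "__main__":
    for client in ("50.111.111.111", "127.0.0.1", "203.0.113.5"):
        print(client, "allowed" if is_allowed(client) else "blocked")
```

Two points worth keeping in mind when reading the result: the address Apache compares is the TCP peer address, so behind a load balancer or CDN every request appears to come from the proxy and a rule like this will either block everyone or no one unless the real client address is restored (for example with mod_remoteip on Apache 2.4); and on Apache 2.4 the Order/Deny/Allow directives are only available through mod_access_compat, the native form being "Require ip ...".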

To grant access to a host, simply white-list the host's IP address using the `allow from` directive. The Apache daemon may have to be restarted for the changes to take effect:

sudo /etc/init.d/httpd restart

To test whether it works, request http://blog.mycompany.com/xmlrpc.php from both a white-listed and a non-white-listed host. The following cURL command can be used to check XML-RPC access:

curl http://blog.mycompany.com/xmlrpc.php

You should see the following message when accessing it from a machine whose public IP address is white-listed:

"XML-RPC server accepts POST requests only."

You should see the following output when accessing it from a machine whose public IP address is NOT white-listed:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /xmlrpc.php
on this server.</p>
<hr>
<address>Apache/2.2.31 (Amazon) Server at blog.weddingtonway.com Port 80</address>
</body></html>