Block access to xmlrpc symlink file with htaccess

I have a WordPress site I am versioning with the help of symbolic links on an Apache/2.4.52 (Ubuntu) server with Nginx as a reverse proxy.

The directory structure is as follows:

example.com
  wp-admin -> symbolic to different directory
  wp-content
  wp-includes -> symbolic to different directory
  .htaccess
  wp-config.php
  ...
  wp-load.php -> symbolic to different directory
  xmlrpc.php -> symbolic to different directory
  ...
  ...

Here are the contents of my htaccess file:

# BEGIN Feed redirect
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule ^(.*/)?feed(/rss|/rss2|/atom|/rdf)?/?$ /$1 [R=301,NC,L]
RewriteCond %{QUERY_STRING} (?|&)feed=
RewriteRule (.*) $1/? [R=301,NC,L]
</IfModule>
# END Feed redirect


# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

# BEGIN block author scans

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

# END block author scans

Right now users are able to access xmlrpc.php directly by going to www.example.com/xmlrpc.php. They are not able to do this with wp-load.php or the other symbolic links.

I would like to make it so that I can prevent users from accessing xmlrpc.php directly either by restricting read access or creating a redirect.

I have tried adding RewriteCond %{REQUEST_FILENAME} !-l within the WordPress block of the htaccess file but with no success.
I also tried adding a redirect: Redirect 301 /xmlrpc.php https//www.example.com/.
I have also tried adding the following to the htaccess file:

 # Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

I have successfully created a redirect for other URLs like /about/ but nothing works for xmlrpc.php.

I have done research on this but none of the solutions seem to work for me, which leads me to believe it is related to being a symlink.

Here is a summary of the request:
I would like to make it so that I can prevent users from accessing xmlrpc.php.
I would like to do this via htaccess if possible.
I don't want to move the xmlrpc.php or change any directory structure.
I don't want to edit the contents of xmlrpc.php.
I don't want to add another htaccess file to the directory that xmlrpc.php is a child of.
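
The block the question asks for, written in Apache 2.4 syntax. This is an added example and not part of the original post. It assumes that requests for /xmlrpc.php actually reach Apache behind the Nginx proxy and that AllowOverride permits FileInfo and AuthConfig for this .htaccess file.

```apache
# Added example, not from the original post.
# Assumption: the request is handled by Apache and this .htaccess is read.

# Option 1: mod_rewrite. The pattern is matched against the requested path
# relative to this directory, so the symlink target is not involved.
# Place this above the "# BEGIN WordPress" block so it is evaluated first
# and is not overwritten when WordPress regenerates its own block.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^xmlrpc\.php$ - [F,L]
</IfModule>

# Option 2: Apache 2.4 authorization syntax. The 2.2-style directives
# "order deny,allow" / "deny from all" only work on 2.4 when
# mod_access_compat is loaded; "Require all denied" is the native form.
<Files "xmlrpc.php">
Require all denied
</Files>
```

Either option alone returns 403 Forbidden for /xmlrpc.php when it takes effect. Neither touches xmlrpc.php, the symlink, or the directory it points to.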
