Want to block user agents with just a hyphen at the Apache level, not htaccess

I am trying to block access to wp-login.php and xmlrpc.php for all sites on a web server. I want to do this at apache level, not htaccess.

I have a file in conf.d of Apache with the following, but when I do a curl test it still shows the page.

    <Files ~ "^(wp-login|xmlrpc).php">
            order allow,deny
            allow from all
            SetEnvIf User-Agent - bad_user
            Deny from env=bad_user
    </Files>

Anybody know what I have wrong?


1 comment

  1. Thanks to @nidhi for the assistance. The answer here is to use the following in an Apache conf.d file:

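    # Flag requests whose User-Agent is a lone hyphen or empty
    SetEnvIf User-Agent "^-$" bad_user
    SetEnvIf User-Agent "^$" bad_user
    # Deny flagged requests to the WordPress login and XML-RPC files
    <Files ~ "^(wp-login|xmlrpc)\.php$">
            order allow,deny
            allow from all
            Deny from env=bad_user
    </Files>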
    

    The code will block any user agent that is blank or just a hyphen (-) that is trying to access wp-login.php or xmlrpc.php.
    Make sure you name the file something like zzzz_blockua.conf so that Apache loads it last.

    This will help reduce the load on your server, as bots hitting those pages don’t take up php/mysql processes and Apache just returns a 403 error.

    It affects all sites on the server, so if you have a shared hosting server, you don’t need to use htaccess for each site.
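
One way to confirm from the access log that the rule is taking effect, as an added example that is not part of the original post. It assumes the Apache "combined" log format and runs over constructed sample lines; the names `audit` and `SAMPLE_LOG` are hypothetical.

```python
import re

# Assumes Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)
# Same two cases as the SetEnvIf lines: a lone hyphen ("^-$") or an empty string ("^$").
BAD_UA_RE = re.compile(r'^-?$')
PROTECTED = {"wp-login.php", "xmlrpc.php"}


def audit(lines):
    """Return (blocked, leaked): count of 403 responses, and requests that got through."""
    blocked, leaked = 0, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        # <Files> matches on the file name, so compare only the last path segment.
        filename = m["target"].split("?", 1)[0].rsplit("/", 1)[-1]
        if filename not in PROTECTED or not BAD_UA_RE.match(m["ua"]):
            continue
        if m["status"] == "403":
            blocked += 1
        else:
            leaked.append((m["host"], m["method"], m["target"], m["status"]))
    return blocked, leaked


# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 413 "-" ""',
    '198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2871 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-login.php?action=register HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    blocked, leaked = audit(SAMPLE_LOG)
    print(f"blocked with 403: {blocked}")
    for host, method, target, status in leaked:
        print(f"NOT blocked: {host} {method} {target} -> {status}")
```

Any entry reported as not blocked points to a virtual host where the conf.d rule is not being applied or is overridden by a later access rule.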
