I am trying to block access to wp-login.php and xmlrpc.php for all sites on a web server. I want to do this at apache level, not htaccess.
I have a file in conf.d of apache with the following, but when do a CURL test it still shows the page.
<Files ~ "^(wp-login|xmlrpc).php">
order allow,deny
allow from all
SetEnvIf User-Agent - bad_user
Deny from env=bad_user
</Files>
anybody know what i have wrong?
thanks to @nidhi for the assistance. The answer here is to use the following in an apache conf.d file to be:
The code will block any user agent that is blank or just a hyphen (-) that is trying to access wp-login.php or xmlrpc.php
make sure you name the file something like zzzz_blockua.conf so that apache loads it last.
This will help reduce the load on your server as bots hitting those pages don’t take up php/mysql processes and apache just returns a 403 error.
It affects all sites on the server, so if you have a shared hosting server, you don’t need to use htaccess for each site