Why can’t I block access to files with .htaccess (order not allowed here)?

I’ve tried everything. I read other how-to threads here and elsewhere. I have the following in my apache2 site configuration file:

 <Directory  /var/www/html/site_root/>
   AllowOverride All
 </Directory>

</VirtualHost>

There is no other occurrence of “AllowOverride” in the site conf file, so it’s not a case of something earlier in the file overriding this (I don’t even know if that’s possible). I also tried ‘/var/www/html/site_root’.


If I try either of the following (or both) in my /var/www/html/site_root/.htaccess file:

<Files .htaccess>
  Order Allow,Deny
  Deny from all
</Files>

<Files "xmlrpc.php">
   Order Allow,Deny
   Deny from all
</Files>

I get 520s and the whole site is crashed. I also tried /xmlrpc.php or “xmlrpc.php” without “” and ./xmlrpc.php etc. No matter what I do my error log is full of:

[Thu Dec 03 18:05:25.628237 2015] [core:alert] [pid 6956] [client 192.168.0.1:56529] /var/www/html/site_root/.htaccess: order not allowed here

How can this be and why is this so difficult to do?

My purpose is to block access to /xmlrpc.php. This is an absolute Achilles heel for WordPress. It is very easy to crash and burn any site by just hitting this over and over and over again. For some reason WordPress leaves it wide open by default and Cloudflare is not able to detect or protect against these attacks. They happen all the time and it brings down the server completely.

Thanks.


2 comments

  1. The best answer I found is this:

    If your server is an Apache, you can block access before WordPress is even reached with one line in your .htaccess:

    Redirect 403 /xmlrpc.php
    

    You can add another line to keep the response short:

    ErrorDocument 403 "die"
    

    That will send a very minimal response (three bytes plus HTTP headers), and it will save your resources for better traffic.

    Source:
    https://wordpress.stackexchange.com/questions/156522/restrict-access-to-xmlrpc-php

    Please go vote up the answer at the wordpress stack, by user @toscho. I don’t have enough reputation. Toscho’s answer is way better than the accepted answer because you can deny access in .htaccess and still burn up server resources loading the 404 in WordPress. His answer actually saves you one byte over mine.

  2. Well, did you restart your server after you made changes to apache2.config? Secondly, there is a difference between order allow,deny and order deny,allow.

    Try using this

    <Files xmlrpc.php>
        order deny,allow
        deny from all
    </Files>
    

    You can also disable the XML-RPC Feature, from the system itself. Just put this in your wp-config

    add_filter('xmlrpc_enabled', '__return_false');
    

    Update: Some clarification:

    I agree with jason: blocking xmlrpc.php at the htaccess level is always a much better idea, because even if you disable it through the filter, the site still goes through the whole request cycle. Here the filter is just being used as a safeguard against someone getting in, but the site is still open to DDoS attacks. In short, filters are only for people who are using them for some other purpose and not looking for an escape from DDoS attacks, e.g. if someone doesn’t have access to the htaccess file.
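As an added example (not from the post or either commenter), here is a version-aware .htaccess for the directory in the question that blocks xmlrpc.php with the Apache 2.4 Require syntax and only falls back to the 2.2-era Order/Deny directives when mod_authz_core is absent. It assumes the vhost grants the directory at least AllowOverride AuthConfig, Limit and FileInfo (AllowOverride All, as in the question, covers all three); the Redirect 403 line from the first comment is an equivalent alternative that relies on FileInfo alone.

```apache
# Added example: .htaccess in /var/www/html/site_root (the path from the question).
# Assumes Apache 2.4 with mod_authz_core, or Apache 2.2 / 2.4 with mod_access_compat,
# and AllowOverride covering AuthConfig, Limit and FileInfo for this directory.

# Apache 2.4: mod_authz_core is loaded, so use the Require syntax.
# "Require" is accepted in .htaccess under AllowOverride AuthConfig.
<IfModule mod_authz_core.c>
    <Files "xmlrpc.php">
        Require all denied
    </Files>
</IfModule>

# Apache 2.2 (or 2.4 without mod_authz_core): the older three-state syntax.
# "Order" / "Deny" are accepted in .htaccess only under AllowOverride Limit;
# without that override Apache logs "order not allowed here" and answers
# every request under the directory with a 500 instead of serving the site.
<IfModule !mod_authz_core.c>
    <Files "xmlrpc.php">
        Order Deny,Allow
        Deny from all
    </Files>
</IfModule>

# Keep the 403 body tiny so each blocked request costs almost nothing.
# A quoted string is served literally (ErrorDocument needs AllowOverride
# FileInfo); a path here would instead trigger a second request into WordPress.
ErrorDocument 403 "die"
```

After reloading Apache, a request for /xmlrpc.php (GET or POST) should return 403 with the three-byte body, and the error log should no longer show the "order not allowed here" alert.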
