How to block requests to xmlrpc.php using nginx rules?

Question

I tried to add the following code in my nginx custom config file.

location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

However, I got an error after restarting the nginx service because a "duplicate location" for /xmlrpc.php.

It is also specified in common/wpcommon.conf:

location = /xmlrpc.php {
   limit_req zone=one burst=1 nodelay;
   include fastcgi_params;
   fastcgi_pass php;
}

Is there any way to add custom code for the /xmlrpc.php location without directly editing the common/wpcommon.conf file? I'm worried that it will be overwritten on a future update.

As I understand, the existing code applies some kind of rate limiting. But I would rather shut the requests down completely because I have no use for xmlrpc.

Answer 1

Hi James,

You're right, the current code is only rate-limiting the requests to this file.

For now, the only way is to modify the wpcommon.conf file, definitely we need to change it and allow users to have their own choice at least with this specific file, especially when it's a very common case like this. I will add this feature in our roadmap and maybe we will have a permanent solution released in v1.14.0.

Nginx configuration files are not always overwritten in each Webinoly update, just when the stack version is raised. Check: sudo webinoly -v

Comments

Webinoly v1.14.0 has been released today including this feature.