How to Stop XML-RPC Attacks Server-Wide Using the cPFence WAF?

Important Note: Recommended Method to Block XML-RPC

We’ve introduced a new and improved method to block XML-RPC attacks server-wide. The recommended approach is now to use the following command:

cpfence --bulk-disable-wp-xmlrpc

This command completely disables XML-RPC across all listed WordPress sites, returning a 403 Forbidden response to any attempt to access xmlrpc.php. It’s more efficient, server-friendly, and provides a unified solution for managing WordPress security.

For detailed instructions on using this command and other bulk WordPress security features, please visit our updated guide: How to Use Bulk WordPress Security Features in cPFence.

Why is this recommended? The cpfence --bulk-disable-wp-xmlrpc command ensures complete XML-RPC blocking without relying solely on WAF configurations, making it simpler and more robust to secure your WordPress sites.

 


 

If your server is experiencing frequent XML-RPC attacks, blocking access to the xmlrpc.php file server-wide is an effective solution. You can block these requests globally and allow specific websites to use XML-RPC only if needed. Follow the steps below to configure this using the cPFence Web Application Firewall (WAF).

Step 1: Block xmlrpc.php Globally

  1. Edit the WAF configuration file:

/opt/cpfence/user-config/cpfwaf/whitelist_ols.conf
  1. Add the following rule to block xmlrpc.php globally:

SecRule REQUEST_URI "@streq /xmlrpc.php" "id:6001,phase:1,deny,status:403,msg:'Blocking access to xmlrpc.php - cPFence'"
  1. Apply the changes by running the following command:

/opt/cpfence/app/cpfcron

This will block all XML-RPC requests globally across your server.

 

TIP: Please note, you may still see traffic to xmlrpc.php in tools like top or htop on the server. However, these requests are being blocked with a 403 status and are not consuming server resources.

 

Step 2: Enable XML-RPC for Specific Websites (Optional)

If certain websites on your server need access to XML-RPC, you can configure the WAF to allow xmlrpc.php for those domains by adding the following rule:

SecRule REQUEST_HEADERS:Host "@streq example.com" "id:6002,phase:1,pass,nolog,ctl:ruleRemoveById=6001"

Replace example.com with the actual domain name. Ensure that each rule has a unique ID (e.g., 6003, 6004).

/opt/cpfence/app/cpfcron

This will allow specific domains to bypass the global block while keeping xmlrpc.php disabled for other websites.


Need Further Assistance?

If you encounter any issues or need additional help, feel free to reach out to our support team via your client portal.

  • 19 Users Found This Useful
Was this answer helpful?

Related Articles

How to Enable / Disable WAF Rule by ID ?

This guide provides instructions for enabling and disabling specific WAF rules in cPFence for...

How to Enable / Disable WAF?

This guide provides simple instructions for enabling and disabling the Web Application Firewall...

How to Block or Whitelist Certain User Agents ?

This guide will help you block or whitelist specific user agents in cPFence. You can manage these...

How to Identify Problematic WAF Rule IDs in cPFence?

When your website encounters a WAF-related error (typically a 403 Forbidden error), you may need...

How to Use the cPFence WAF Testing Tool ?

To manually test the WAF (Web Application Firewall) on your WordPress site, you can trigger...