3

I would like to block access to xmlrpc.php.

I created a file in

/etc/apache2/conf.d/block.conf

and added the following content:

```apache
<FilesMatch "(^\.|wp-config\.php|xmlrpc\.php|(?<!robots)\.txt|(liesmich|readme)\.*)">
Require all denied
</FilesMatch>
```

If I try any domain on the server I'm still getting access: example.com/xmlrpc.php

I would have expected a "Forbidden" error.

MyFault
  • Please, can you try removing the "require" line, and using, instead, "Order allow,deny" followed by "Deny from all"? (sorry for poor formatting: I'm on mobile) – Damiano Verzulli Dec 19 '15 at 16:18
  • It is Apache 2.4, so it is the new statement, the statement you are describing is for Apache 2.2 – Froggiz Dec 19 '15 at 16:26
  • What is the result if you try to add it directly in the Apache conf file? (and then restart the server to reload the configuration) – Froggiz Dec 19 '15 at 16:35

1 Answer

8

Your syntax is correct, but it seems the directory /etc/apache2/conf.d is not included in /etc/apache2/apache.conf. So you can either include this file with the syntax below or move block.conf into the directory /etc/apache2/conf-enabled, which is included in Apache (Ubuntu) by default.

Open the file /etc/apache2/apache2.conf in vim or your favorite editor and add the line below at the end:

```apache
Include /etc/apache2/conf.d/block.conf
```

Restart Apache and check; it should work.

Vaibhav Panmand
  • Thanks for your reply: It should be included: `/etc/apache2/apache2.conf`-> `Include conf.d/` – MyFault Dec 19 '15 at 15:06
  • If your issue is solved with this solution, can you please mark this question correct? – Vaibhav Panmand Dec 19 '15 at 15:11
  • It is not solved yet ;) I meant that the configuration file should already be included, as `Include conf.d/` is already present in apache2.conf. – MyFault Dec 19 '15 at 15:15
  • 1
    You should have `IncludeOptional conf.d/*.conf` not `Include conf.d/` so it is normal that it is not read. Vaibhav is right, his solution works. – Froggiz Dec 19 '15 at 16:25
  • 1
    FWIW, the Apache `conf.d/` remains for legacy reasons. On more recent Debian and Ubuntu systems, the preferred way would be to put your custom conf file in `/etc/apache2/conf-available/`. Then enable it with `a2enconf block`. – Jeremy Davis Dec 18 '17 at 00:55
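
An added example, not part of the original question or answers: once the file is actually loaded, it is worth checking which file names the question's pattern denies, since the search is unanchored and also catches names the author may not have intended. The sketch assumes `<FilesMatch>` tests only the last path component and that each URL path maps to a file of the same name; `is_denied`, `audit` and the sample paths are constructed for illustration.

```python
import re
from posixpath import basename

# Pattern copied verbatim from the <FilesMatch> block in the question.
BLOCK_PATTERN = re.compile(
    r"(^\.|wp-config\.php|xmlrpc\.php|(?<!robots)\.txt|(liesmich|readme)\.*)"
)


def is_denied(url_path: str) -> bool:
    """Return True if the rule would deny the file this path maps to.

    Assumption: the URL path maps directly onto a file of the same name,
    and the pattern is searched (not full-matched) in the file name only.
    """
    name = basename(url_path)
    return BLOCK_PATTERN.search(name) is not None


def audit(paths):
    """Map each path to True (denied) or False (still served)."""
    return {p: is_denied(p) for p in paths}


# Constructed sample paths: intended targets plus edge cases.
SAMPLE_PATHS = [
    "/xmlrpc.php",          # the file the question wants blocked
    "/blog/xmlrpc.php",     # same file name in a subdirectory
    "/wp-config.php",
    "/.htaccess",           # leading dot, caught by ^\.
    "/robots.txt",          # exempted by the negative lookbehind
    "/license.txt",         # any other .txt is denied
    "/readme.html",
    "/docs/readme-first.pdf",  # unanchored: "readme" anywhere in the name
    "/xmlrpc.php.bak",         # unanchored: backup copies are denied too
    "/index.php",
    "/wp-login.php",
]

if __name__ == "__main__":
    for path, denied in audit(SAMPLE_PATHS).items():
        print(f"{'DENY ' if denied else 'ALLOW'} {path}")
```

Compare the output with a request for each path on the live server after the restart; a path listed as DENY that is still served means the configuration file is not being read.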