Deny Access to WordPress xmlrpc.php with NGINX

WordPress's XML-RPC support looks good on paper, but in practice it is commonly abused for denial of service (DoS) attacks: a script posts data to xmlrpc.php automatically and at very short intervals. Every such request is handed to PHP, so the flood eventually overloads PHP, drives up the CPU load and makes the affected website inaccessible.

This can be mitigated via NGINX using the following location block inside the server block:

location = /xmlrpc.php {
    # "=" is an exact match: only /xmlrpc.php itself, nothing else under it.
    deny all;            # access-phase denial (403); harmless here, but see the note on return below
    access_log off;      # do not write these hits to the access log
    log_not_found off;   # do not log a 404 for this path in the error log
    return 444;          # NGINX-specific: close the connection without sending a response.
                         # "return" runs in the rewrite phase, before "deny" is evaluated,
                         # so the connection is dropped first and the request never reaches PHP.
}

The 444 response code is non-standard and unique to NGINX. It causes NGINX to close the connection without sending any response at all. This saves your server's processing power, since the request is never passed on to PHP.

Do note that this will cause WordPress plugins that rely on xmlrpc.php (for example mobile-app publishing or pingback features) to fail completely, so please use it with caution.
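Before you drop the block in, it is worth confirming that xmlrpc.php is actually being hammered, because once the block is active the "access_log off" line means those hits no longer show up in the log. The following Python script is an added example, not part of the original post: it scans NGINX access-log lines in the standard "combined" format and reports clients that posted to /xmlrpc.php repeatedly inside a short sliding window. The log lines are constructed samples, and the 10-second window and threshold of 5 are assumed values you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in NGINX "combined" log format (not taken from a real server).
# 203.0.113.5 is the flood pattern the post describes; the other two clients are normal.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/6.3"
192.0.2.9 - - [10/Oct/2023:13:58:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:58:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
"""

# One regex for the "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_xmlrpc_floods(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {ip: peak_count} for clients whose POSTs to /xmlrpc.php reached
    `threshold` or more inside any sliding interval of length `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Ignore a query string so /xmlrpc.php?foo=bar still counts as the same target.
        if rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            hits[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        peak = 0
        start = 0
        # Sliding window: advance `start` until the window fits, then record its size.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, count in find_xmlrpc_floods(SAMPLE_LOG).items():
        print(f"{ip}: {count} POSTs to /xmlrpc.php inside a 10s window")
```

Point it at a real file with `find_xmlrpc_floods(open("/var/log/nginx/access.log").read())`; a single legitimate client (a mobile app or a pingback) shows up as one or two hits and stays under the threshold, while the automated flood the post describes stands out immediately.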
