XMLRPC filtering through htaccess not working

The directives in .htaccess (on your application server) would seem to be working as expected.

Yet I keep getting requests on that file.

Blocking the request in .htaccess doesn’t stop the request reaching your server (and being logged). As you can see from the log entry, it is being “blocked” and your server is responding with a 403 Forbidden HTTP response status (as a result of the <Files> / deny from all directives). The xmlrpc.php file is not being processed.

The only way to stop the request reaching your application server is to implement some kind of firewall or front-end proxy server that basically sits in front of your application server and “screens” all the requests before passing them on to the backend server that ultimately deals with the request. But since you are on a “shared hosting” platform, this is probably not something that is available to you.

I believe I should be supposed to get a 301 rather that a 403

The mod_authz_host (or mod_access_compact on Apache 2.4) directives inside the <Files> container will take priority over the mod_rewrite directive, despite the order of directives in the .htaccess file, so no redirect occurs.

Remove the <Files> block and place the RewriteRule directive at the top of the .htaccess file, clear your browser cache and you should see a redirect. (Note that 301s are cached persistently by the browser, so subsequent “test” requests might not hit your server until the browser cache is cleared.)

However, it would be preferable to block these requests with a 403, rather than try to issue a 301 redirect. Bots are unlikely to follow the redirect anyway, so it’s simply seen as a non-success (200) response. The mod_rewrite directive is easier to accidentally override and is more dependent on the ordering of directives in .htaccess.

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

Note that Order and Deny directives are Apache 2.2 and officially deprecated on Apache 2.4. If you are on Apache 2.4 then you should be using Require all denied instead.

Aside:

RewriteRule ^xmlrpc\.php$ "http\:\/\/0\.0\.0\.0\/" [R=301,L]

The RewriteRule substitution string (2nd argument) is an “ordinary” string, not a regex, so colons (:), slashes (/) and dots (.) do not need to be backslash-escaped here. (Although even if it was a regex, only the literal dots would need to be escaped as the other characters carry no special meaning here. This unnecessary escaping is quite typical of cPanel.)

Related Posts:

  1. Attach to wp-login.php and xmlrpc.php
  2. Improve wordpress security by hiding non public resources
  3. Does this .htaccess security setting really work?
  4. File and directory permissions
  5. Using “wordpress_logged_in” to restrict direct access to uploads folder in 2021
  6. WordPress URL/Folder ReWrite using Htaccess
  7. Which WordPress scripts need to be executable for a fresh installation?
  8. Blocking access to wp-login via htaccess not working
  9. Block only external access to wp-cron.php on OpenLiteSpeed
  10. Restricting user login by IP address
  11. WordPress: Adding Security
  12. How do I test to ensure that my wp-config file is protected?
  13. WordPress not seeing .htaccess rules
  14. Rules in .htaccess only if the requested URL is /wp-admin
  15. Disable directory browsing of uploads folder
  16. Strange behaviour of is_user_logged_in() and get_current_user_id()
  17. Selectively Disabling PHP via .htaccess in Root Directory
  18. Azure WordPress deny access to xmlrpc
  19. Should I prevent access to .htaccess and wp-config.php files?
  20. Blocking wp-login in HTACCESS has also blocked password protected pages
  21. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  22. Using htaccess to prevent spam through wp-comments-post.php
  23. How can I create a private site that is inaccessible from the outside?
  24. Restrict Content for only Contributors via .htaccess
  25. Allowing access to certain WordPress created pages or posts with htaccess / htpasswd
  26. Change Login URL Without Plugin
  27. htaccess rewrite conflict with wordpress rules and ssl
  28. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  29. Options for restricting access to wp-admin
  30. Remove year and month in URL using .htaccess
  31. Unable to access WP admin
  32. Move wordpress to folder without changing urls
  33. Using WordPress only for the backend, and using AngularJS as a frontend
  34. Two domains on one WordPress Installation
  35. Protect Upload Folder Files With Ampersand Problem
  36. Is it possible to dynamically redirect URL using htaccess?
  37. .htaccess and WordPress Admin Bar
  38. Setup Permanent 301 Redirects after moving to Https [closed]
  39. Force www to non-www on a subdomain in WordPress?
  40. How to Redirect huge numbers of URLs to another URLs?
  41. WP site URL changed to have HTTPS but still homepage does not redirect
  42. Struggling with add_rewrite_rule
  43. Giving WordPress its own subdirectory – nginx
  44. Cannot mask WordPress page URL using .htaccess
  45. How can I make an htaccess file on a Mac? [closed]
  46. Corrupt .htaccess file
  47. .htaccess ‘down for maitenance’ and WordPress
  48. Which is better: 301 Redirect in my .htaccess file or a plugin like Redirection?
  49. How can i redirect one url to another url using .htaccess or add_rewrite_rule
  50. When is it necessary to have Header unset Vary in .htaccess
  51. Redirect http to https does not work on subdir where another instance of WordPress installed
  52. Fixing custom 404 pages broken by WordPress in a subdirectory
  53. redirect the homepage using .htaccess outside of WordPress
  54. I can’t access the admin panel links as I click it shows 403 error
  55. How to hide login form if basic authentication fails?
  56. Redirect an old link to new site homepage [closed]
  57. Headers Content-Security-Policy CSP Major Issue
  58. How to Change The WordPress Login URL Without Plugin
  59. .htaccess rules for blocking bots with an extra condition
  60. WordPress – Promoting A Dev Build In A Subdirectory To Production / Root Directory
  61. .htaccess RewriteRule always overwritten – how to prevent?
  62. How to create a redirect in the .htaccess file, with 2 exceptions
  63. Redirect old domain with query paramaters
  64. What might be removing my redirects from my htaccess?
  65. My Homepage Suddenly Disappeared and I Can’t Get It Back
  66. How to turn this .htaccess rule into a dynamic rule with add_rewrite_rule, et al?
  67. Can I Remove xmlrpc.php completely?
  68. WordPress .htaccess to consider blog as directory
  69. Local PC cache stays filled with old WordPress Site data
  70. Password protect directory but not files
  71. WordPress JSON API restrict to specific domain
  72. fix 302 redirection error on https
  73. main-domain of wordpress keep redirecting to subdomain
  74. How to deny access to a particular wordpress site url
  75. Rewrite URL in address bar for a specific page [closed]
  76. Home links redirects to old site
  77. Shared hosting, multiple sites, can’t log in to WP due to .htaccess redirection
  78. Configure .htaccess to have a WordPress single site installation with all subdomains pointing to the same pages?
  79. Rewriting subfolders to specific parent folder in WordPress
  80. domain redirection is not working from old to new
  81. Deny,Allow on .htaccess isn’t working
  82. execute cron jobs when .htaccess login protected?
  83. Install second wordpress in root subfolder, Error 404
  84. Remove subdirectory from links
  85. modifying htaccess for localhost with a custom port
  86. .htaccess redirects for posts in new directory and new domain
  87. Steps for WordPress over SSL
  88. Fixing Access-Control-Allow-Origin (CORS origin) for multiple subdomains
  89. domain.in/wp-admin give the result to 403 Access to this resource on the server is denied!
  90. Redirect from domain.com to subdomain.domain.com
  91. MAMP.app & .htaccess – Can’t override after config
  92. register_post_type and register taxonomy and htaccess
  93. Why ‘Authorization Required’ is coming on wordpress login
  94. Restricting direct downloads of wp content files, but allow them on the website.
  95. Forward blog requests to another URL
  96. Couple questions about .htaccess, login page, updates
  97. .htaccess rewrite rule stopped working for wordpress site after moving server
  98. WordPress Media Library rendering blank image tiles
  99. Subfolder install not working
  100. Redirect loops in Bing holding my sites back