
.htaccess files/filesmatch not processed

John W

New Pleskian
I'm trying to block xmlrpc.php access from offsite, but it's somehow being ignored. I've tried editing .htaccess manually, as suggested by
http://forum.ait-pro.com/forums/top...mlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/
Code:
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
# my IP address range (Apache does not allow a comment on the same line as a directive)
Allow from xx.xx.xx.
</FilesMatch>

and automatically by the iThemes Security plugin.
Code:
# BEGIN iThemes Security - Do not modify or remove this line
# iThemes Security Config Details: 2
# Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
<files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</files>
# END iThemes Security - Do not modify or remove this line

Neither way worked. I don't see errors in the log, and xmlrpc.php is still being accessed.
I'm on CentOS Linux 7.2.1511 with Plesk 12.5.30 Update #18.

Thanks,
John
 
Instead of creating a custom .htaccess file, try using the "Additional Apache directives" or "Additional nginx directives" fields in the Plesk interface to apply your options.
 
Thanks IgorG. I tried the following on both .htaccess and "Additional Apache Directives" to no avail. The file (same with wp-login.php) is still accessible offsite. The same configuration works as expected on a different server without Plesk. Any ideas? Thanks.

Code:
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    Allow from 172.16.0.0/12 10.0.0.0/8 127.0.0.1
</Files>
 
Apache directives (Files and FilesMatch) aren't working at all. I see the changes in "/var/www/vhosts/system/mysite.com/conf/vhost_ssl.conf", but it's somehow being ignored.

Nginx, on the other hand, worked to some degree. It rejects external requests, but internal requests force a download of the PHP files instead of executing them and returning HTML...

Any ideas? Did I screw up Plesk somehow? Any Plesk configuration I should be checking?

Thanks,
John
 
Same problem here.

Apache directives in Plesk in Additional Apache Directives (Files/FilesMatch) are ignored for PHP files. The directives will work for an HTML file, but not for PHP files. I don't want to work with the Plesk mod_security workaround. I just want the Additional Apache Directives in Plesk to work normally.

Does someone know what's going on here?

Edit: I found out that the Files/FilesMatch directives in .htaccess or in Plesk, Additional Apache Directives, don't work on PHP files when PHP is run as an FPM application. Selecting "run as FastCGI application by Apache" in the PHP settings of the domain will work, and the directives are no longer ignored.

Thank you,
Chris
 
If someone could explain why fastcgi works but fpm-php not, as described in the extra edit of the post I wrote before, that would be very helpful. Thanks.
 
All,

I know this is an older post. But our wordpress installation is now getting attacked and apache log files include lots of requests to "POST /blog/xmlrpc.php". Banning the offending IPs worked for the moment, but a longer term solution is needed.

Any final resolution on best practices to mitigate? Thanks.
 
After selecting the domain to manage, click "Apache & nginx Settings"; under Additional directives for HTTP and Additional directives for HTTPS, I've entered the following to restrict wp-login.php and xmlrpc.php access to internal IP addresses only.
Code:
<FilesMatch "^(wp-login|xmlrpc)\.php$">
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
</FilesMatch>

For NEW sites, you can apply the above via Service Plans => *select your plan* => Web Server.

For existing sites, if you don't want to manually edit each site with the GUI, you'd need to use a script to add the above code to /var/www/vhosts/system/xxxxx.domain.name/conf/vhost.conf and /var/www/vhosts/system/xxxxx.domain.name/conf/vhost_ssl.conf, then apply the fix with the command
Code:
/usr/local/psa/admin/sbin/httpdmng --reconfigure-domain xxxxx.domain.name
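A script for the bulk change described in the post above, added here as an example and not taken from the thread: it appends the same FilesMatch block to each domain's vhost.conf and vhost_ssl.conf under /var/www/vhosts/system, skips files that already carry it, and runs httpdmng for the domains that changed. The marker comment, the ALLOWED_IPS and VHOST_ROOT variables and the curl check are assumptions; as Chris found earlier in the thread, the block only takes effect when PHP runs as a FastCGI application by Apache, which is what the check is for.

```shell
# Bulk version of the manual steps above (added example, not from the thread).
# Assumes root on the Plesk host; MARKER, ALLOWED_IPS and VHOST_ROOT are ours.
set -eu
ALLOWED_IPS="${ALLOWED_IPS:-127.0.0.1}"
MARKER="# xmlrpc-restrict"
VHOST_ROOT="${VHOST_ROOT:-/var/www/vhosts/system}"

# The thread's FilesMatch block, wrapped in marker lines so re-runs can detect it.
block() {
    cat <<EOF
$MARKER BEGIN
<FilesMatch "^(wp-login|xmlrpc)\.php\$">
    Order deny,allow
    Deny from all
    Allow from $ALLOWED_IPS
</FilesMatch>
$MARKER END
EOF
}

# Append the block to one conf file; returns 0 = changed, 1 = already patched.
patch_conf() {
    if [ -f "$1" ] && grep -qF "$MARKER BEGIN" "$1"; then
        return 1
    fi
    block >> "$1"
}

# Patch vhost.conf and vhost_ssl.conf of one system vhost directory;
# prints the domain name only if something changed.
patch_vhost() {
    changed=0
    for f in vhost.conf vhost_ssl.conf; do
        patch_conf "$1/conf/$f" && changed=1 || true
    done
    [ "$changed" -eq 1 ] && basename "$1"
    return 0
}

# Walk every domain and rebuild the Apache config of those that changed.
apply_all() {
    for d in "$VHOST_ROOT"/*/; do
        domain=$(patch_vhost "${d%/}")
        [ -n "$domain" ] && /usr/local/psa/admin/sbin/httpdmng --reconfigure-domain "$domain"
    done
}

# Verify from an outside address: 403 means the block is in effect,
# 200 means Apache is not applying it (e.g. PHP still running as PHP-FPM).
check_blocked() {
    curl -s -o /dev/null -w '%{http_code}' "https://$1/xmlrpc.php"
}
```

Run `apply_all` once on the host, then `check_blocked your.domain.name` from a machine outside the allowed range.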
 