Skip to content

111 Recipes

How to block xmlrpc.php globally in Apache 2.4 with exceptions for specific sites

This snippet for Apache 2.4 forbids access to xmlrpc.php by default and then adds exceptions for specific sites. The sites are specified using the Directory directive.

# Forbid access to xmlrpc.php globally at server level
<Files "xmlrpc.php">
  Require all denied
</Files>

# Add exception for site that needs XML-RPC
<Directory "/web/site-1/public">
  <Files "xmlrpc.php">
    Require all granted
  </Files>
</Directory>

# Add exception for another site that needs XML-RPC
<Directory "/web/site-2/public">
  <Files "xmlrpc.php">
    Require all granted
  </Files>
</Directory>

Documentation: httpd.apache.org/docs/2.4/mod/core