Question
How to disable XML-RPC for a WordPress instance hosted in Plesk?
Answer
Using WP Toolkit (Recommended)
- Log into Plesk
- Open WordPress > example.com > Fix vulnerabilities > Security Measures
- Select Block unauthorized access to xmlrpc.php and click Secure
- Repeat steps 2-3 for all other WordPress instances hosted on the server
Using a WordPress plugin
- Log into Plesk
- Navigate to WordPress > example.com > Plugins and click Install
- In the search field, search for a plugin that disables XML-RPC, for example with the search string xmlrpc
- Click Install to install a suitable plugin
For domains with disabled proxy mode or PHP-FPM served by nginx
- Add the following additional nginx directives in Domains > example.com > Apache & nginx Settings:

    location = /xmlrpc.php {
        deny all;
    }
    if (!-e $request_filename) {
        set $test P;
    }
    if ($uri !~ ^/(plesk-stat|webstat|webstat-ssl|ftpstat|anon_ftpstat|awstats-icon|external-nginx-static-location)) {
        set $test "${test}C";
    }
    if ($test = PC) {
        rewrite ^/(.*)$ /index.php?$1;
    }

These directives will block requests to WordPress XML-RPC and process WordPress permalinks correctly.
For domains with enabled proxy mode and PHP served by Apache
- Add the following additional nginx directives in Domains > example.com > Apache & nginx Settings:

    location /xmlrpc.php {
        deny all;
    }

This directive will block requests to WordPress XML-RPC.
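
To confirm that the nginx directives in either section are taking effect, the following added example (not part of the original article) counts the status codes nginx returned for /xmlrpc.php in an access log; with deny all in place these requests are answered with 403. It assumes the log uses nginx's default "combined" format, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise how nginx answered requests for /xmlrpc.php.
# Assumption: the access log is in nginx's default "combined" format, where
# whitespace-separated field 7 is the request URI and field 9 the status code.

# Print "<status> <count>" for every request whose path is exactly /xmlrpc.php.
# Reads the files given as arguments, or stdin when none are given.
xmlrpc_status_counts() {
    awk '{
        path = $7
        sub(/\?.*/, "", path)              # ignore any query string
        if (path == "/xmlrpc.php") n[$9]++
    }
    END { for (s in n) print s, n[s] }' "$@" | sort
}

# Print how many /xmlrpc.php requests were NOT answered with 403.
# Anything above 0 after the rule was applied means some requests still
# reach WordPress (for example, the directives were added to another domain).
xmlrpc_not_blocked() {
    xmlrpc_status_counts "$@" | awk '$1 != 403 { c += $2 } END { print c + 0 }'
}

# Constructed sample log lines (documentation IP ranges), not real traffic.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:50:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleClient/1.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "ExampleClient/1.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 403 153 "-" "ExampleClient/1.0"
192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "GET /sample-post/ HTTP/1.1" 200 9321 "-" "ExampleBrowser/1.0"
192.0.2.44 - - [10/Oct/2023:13:56:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "ExampleBrowser/1.0"
EOF
}

# Run against the log files given on the command line, else the sample.
if [ "$#" -gt 0 ]; then
    xmlrpc_status_counts "$@"
    echo "not blocked: $(xmlrpc_not_blocked "$@")"
else
    sample_log | xmlrpc_status_counts
    echo "not blocked: $(sample_log | xmlrpc_not_blocked)"
fi
```

Run it with the domain's nginx access log as the argument, and compare only the entries written after the directives were applied.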