Disable WordPress functions XML-RPC and Press-This

By default, WordPress has all features turned on, and they are accessible to everyone. Even if you don't use these WordPress functions, they can still be called and used. Examples include XML-RPC and Press This. In recent years there have been several software updates that fix security holes in these functions, so if you don't use them, it's best to turn them off.

This tutorial does not discuss what these functions mean but how to block them via Nginx and Apache.

– XML-RPC

With Nginx

To block XML-RPC via Nginx use the following block and place this in your configuration:

location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}

With Apache


– Press This

With Nginx

To block Press This via Nginx use the following block and place this in your configuration:

location = /wp-admin/press-this.php {
    deny all;
    access_log off;
    log_not_found off;
}

With Apache


Nginx reload

After changing the Nginx configuration, you have to reload Nginx; the new configuration is active once the reload completes.

  • CentOS/RHEL/RockyLinux/AlmaLinux:
systemctl reload nginx.service

Test it out by going to your website with /xmlrpc.php or /wp-admin/press-this.php after the domain; you should see a 403 denied error. You have then successfully disabled these WordPress functions. If you ever use applications that rely on these functions, you need to enable them again.
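
The manual test above can be scripted. The following is an added example, not part of the original tutorial: it requests both blocked paths on your own site with GET and with POST (the method XML-RPC clients use) and fails unless every request returns 403. The function names and the script name are hypothetical, and it assumes curl is installed.

```shell
#!/bin/sh
# Added example: verify that the deny rules from this tutorial are active.
# The two paths come from the tutorial; function names are hypothetical.

BLOCKED_PATHS="/xmlrpc.php /wp-admin/press-this.php"

# Print the HTTP status code for METHOD ($1) on URL ($2).
# curl prints "000" when the request itself fails (DNS, timeout, TLS).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -X "$1" "$2" || true
}

# Return 0 only if every blocked path answers 403 to both GET and POST.
check_blocked() {
    base=${1%/}          # strip one trailing slash from the base URL
    rc=0
    for path in $BLOCKED_PATHS; do
        for method in GET POST; do
            code=$(http_status "$method" "$base$path")
            if [ "$code" = "403" ]; then
                echo "ok   $method $path -> $code"
            else
                echo "FAIL $method $path -> ${code:-000} (expected 403)"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage: sh check-wp-blocks.sh https://your-site.example
if [ -n "${1:-}" ]; then
    check_blocked "$1"
fi
```

A non-zero exit status means at least one path is still reachable, for example because the location block was added to a different server block than the one serving the site.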