Hi,
In Apache , we used to use `deny from all` directive to deny access to xmlrpc.php , but this directive doesn't work in OLS, so there is an alternative way to do
In your .htaccess file , add following code
RewriteRule xmlrpc - [F,L]
And then restart OLS, then when you access /xmlrpc.php , you will have a 403 forbidden result

Best regards,
Comments
> Hi, thank you, but how to deny access to multiple files?
https://openlitespeed.org/kb/access-control/
or try rewrite rule way
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule wp-cron.php$ - [F,L]
This doesn't work, can you give me the right direction please? I think it would be nice to add in your tutorial above.
RewriteRule wp-cron.php$ - [F,L]
does it work ?
then create a phpinfo page, to check the actual value of remote_addr , sometimes if behind proxy , the IP might be different
RewriteRule wp-cron.php$ - [F,L]
Doesn't work as well... Still loads white page instead of 403
While this:
RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|wp-trackback.php|wp-config.php|php.ini|xmlrpc.php [NC]
RewriteRule .* - [F,L]
Works just fine and shows 403. What is the problem it can be?
And this works just perfect right after saving rules:
RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|readme.html|readme.txt|license.txt|wp-trackback.php|wp-config.php|php.ini|xmlrpc.php [NC]
RewriteRule .* - [F,L]
this is more like rewrite rule didn't match the pattern
you can enable OLS debug log , to see what exactly OLS understood that regex and fix on it
But to allow when server's cron calling to Domain.com/wp-cron.php?doing_cron......
and yes I access it by "wp-cron.php" only
see how OLS responded to the rewritecond and rewriterule
it will something like
RewriteCond : value XXXXX check against XXXXX : match X
where after match it will show a number , negative number means no match , positive number means matched
so is same to RewriteRule
it will say something like
rewrite rule : URI xxxx , check against pattern xxxxx , match X
this will help you to debug rewrite rule
RewriteCond %{REQUEST_URI} xmlrpc.php|wp-cron.php [NC]
RewriteRule .* - [F,L]
It works. But doesn't works in:
RewriteRule wp-cron.php$ - [F,L]
```
2021-03-05 19:14:09.446991 [INFO] [29812] [xxx:51931-Q:49B5225303773A50-3#xxx] [REWRITE] strip base: '/' from URI: '/wp-cron.php'
2021-03-05 19:14:09.447071 [INFO] [29812] [xxx:51931-Q:49B5225303773A50-3#xxx] [REWRITE] Rule: Match 'wp-cron.php' with pattern 'wp-cron.php$', result: 1
```
like I said , enable debug log for rewrite rule , it will log each steps for how it checks
but just a Domain.com/wp-cron.php - gives white page reloading...
And for some reason I have zero [REWRITE] INFO in my logs
My rules looks like:
RewriteCond %{SERVER_ADDR} !^123\.123\.123\.123
RewriteRule wp-cron.php$ - [F,L]
https://www.litespeedshare.net/2021/03/7f10cd-ScreenShot2021-03-05_19.23.26.png
restart it
then check on /usr/local/lsws/logs/error.log
can try enable full debug log on OLS , that will tell every single action from start up
set Log Level to DEBUG
set Debug Level to HIGH
RewriteCond %{SERVER_ADDR} !^123\.123\.123\.123
RewriteRule wp-cron.php$ - [F,L]
Why it gives 403 if I request /wp-cron.php?doing_cron
But it doesn't restrict access if I request just /wp-cron.php
go to server conf -> log
set Log Level to DEBUG
set Debug Level to HIGH
RewriteCond %{REQUEST_URI} xmlrpc.php|wp-cron.php [NC]
RewriteRule .* - [F,L]
somethign like this
this means , if request url is wp-cron or xmlrpc , and client ip is not 123.123.123.123 , then 403
you need to check this doc first
when request to a page, it is always a remote addr , even it is from 127.0.0.1 or server itself's public/private ip
Thanks for your help!