How to Deny Access to xmlrpc.php for All Virtual Hosts in OpenLiteSpeed with CyberPanel

Why block xmlrpc.php?

xmlrpc.php is the WordPress file that exposes the XML-RPC remote-access interface, and it can be a security risk if abused (e.g., DDoS, brute force). Blocking it globally improves security without touching individual .htaccess files.


Step-by-step guide


Step 1: Access OpenLiteSpeed WebAdmin Console

  1. Log in to your CyberPanel dashboard.
  2. Locate your server IP.
  3. Access OpenLiteSpeed WebAdmin at:
https://YOUR_SERVER_IP:7080
  • Default port: 7080
  • Default username: admin
  • Password: Same as CyberPanel admin or as set during OpenLiteSpeed install.

Step 2: Navigate to Global Rewrite Rules

To block xmlrpc.php on all sites, you need to add a global rewrite rule:

  1. After logging in, go to the Server Configuration section.
  2. Click on Rewrite (this applies rewrite rules server-wide).

Step 3: Add the Rewrite Rule to Block xmlrpc.php

Add the following lines to the global rewrite rules box:

RewriteCond %{REQUEST_URI} ^/xmlrpc\.php$
RewriteRule .* - [F,L]

Explanation:

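  • RewriteCond %{REQUEST_URI} ^/xmlrpc\.php$
    Checks if the requested URI is exactly /xmlrpc.php. Because the pattern is anchored at both ends, a WordPress installed in a subdirectory (for example /blog/xmlrpc.php) is not matched by this condition.
  • RewriteRule .* - [F,L]
    Denies access (sends HTTP 403 Forbidden) and stops processing further rules.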

Step 4: Save the Configuration

  • Click Save or Apply Changes after adding the rewrite rules.

Step 5: Graceful Restart OpenLiteSpeed

  • After saving, go to the Actions menu in the WebAdmin Console.
  • Select Graceful Restart to reload the configuration without downtime.

Step 6: Verify the Rule is Working

  1. Open a browser or use curl:
curl -I http://yourdomain.com/xmlrpc.php
  2. You should get a 403 Forbidden response:
HTTP/1.1 403 Forbidden
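
The single curl check above, extended to every virtual host as an added example (not part of the original guide): it probes /xmlrpc.php over HTTP and HTTPS with GET and POST and counts only 403 as blocked. The function names and verdict labels are assumptions made for this example, and hostnames are passed as arguments.

```shell
#!/bin/sh
# Added example: audit several virtual hosts for the global xmlrpc.php block.
# Function names and verdict labels are hypothetical, chosen for this sketch.

# Print the HTTP status code for a request ("000" if the connection fails,
# which includes TLS certificate errors). $1 = GET or POST, $2 = URL
fetch_status() {
    case "$1" in
        POST) set -- -d '' "$2" ;;   # empty body makes curl send a POST
        *)    set -- "$2" ;;
    esac
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$@" 2>/dev/null || true
}

# Only 403 proves the deny rule fired; a redirect is inconclusive.
verdict() {
    case "$1" in
        403)             echo BLOCKED ;;
        000|'')          echo UNREACHABLE ;;
        301|302|307|308) echo REDIRECT ;;
        *)               echo NOT_BLOCKED ;;
    esac
}

# Probe each host with both schemes and both methods.
# Prints one line per probe; returns 1 if any probe is not BLOCKED.
audit_hosts() {
    rc=0
    for host in "$@"; do
        for scheme in http https; do
            for method in GET POST; do
                url="$scheme://$host/xmlrpc.php"
                code=$(fetch_status "$method" "$url")
                v=$(verdict "$code")
                printf '%-12s %-4s %s (%s)\n' "$v" "$method" "$url" "${code:-none}"
                [ "$v" = BLOCKED ] || rc=1
            done
        done
    done
    return "$rc"
}

# Run only when hostnames are given, e.g.: sh audit.sh example.com example.org
if [ "$#" -gt 0 ]; then
    audit_hosts "$@"
fi
```

A REDIRECT line usually means the virtual host redirects before serving the file; check the probe for the redirect target (typically the https line) to see whether the rule applies there.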

Alternative: Add Per-Domain Rewrite Rules via CyberPanel (If you prefer)

  1. Log in to CyberPanel.
  2. Go to Websites > List Websites.
  3. Click Manage on the site.
  4. Go to the Rewrite Rules section.
  5. Add the same rewrite rule:
RewriteCond %{REQUEST_URI} ^/xmlrpc\.php$
RewriteRule .* - [F,L]
  6. Save and restart the site.

Notes

  • The global rewrite rule is preferred because it applies to all current and future virtual hosts automatically.
  • If you add more domains later, the rule applies without any extra work.
  • You must have access to OpenLiteSpeed WebAdmin Console (port 7080) to do this.
  • Ensure the firewall allows access to port 7080, or use an SSH tunnel if it is blocked.

Summary Table

Step                     | Action
Access WebAdmin Console  | https://YOUR_SERVER_IP:7080
Go to Server > Rewrite   | Add global rewrite rules
Add rewrite rule         | RewriteCond %{REQUEST_URI} ^/xmlrpc\.php$
                         | RewriteRule .* - [F,L]
Save & Graceful Restart  | Apply changes and restart server
Verify                   | Test via browser or curl for 403 response