Plesk Admin: Ban xmlrpc.php globally

If you own a Plesk dedicated server, or a Plesk virtual private server with full server access and host a number of WordPress websites you may have seen a large amount of traffic hitting xmlrpc.php which is a typical and easy to guess endpoint to WordPress in an attempt to take down and use up your server resources.

However, with the way Plesk works using template-based configuration, you can use this to your advantage and create a copy of Plesk’s configuration template and deny access to this endpoint across all of your websites. For those who are not too familar with server management, it can seem a bit of a complicated task however it can be achieved with little risk before rolling out across all of your hosted websites.

Editing Plesk Configuration

First you will need root access to your Plesk setup. Unfortunately, you won’t be able to follow this if you are using a shared Plesk instance where this is not possible. Once there, run the following shell commands individually, ensuring you don’t get any errors in between.

$ cd /usr/local/psa/admin/conf/templates
$ mkdir custom
$ mkdir custom/domain
$ cp default/domain/nginxDomainVirtualHost.php custom/domain/nginxDomainVirtualHost.php
Code language: Shell Session (shell)

If you do get errors while running this, please check with whoever configured Plesk as it may have been installed in a non-standard way. Once this is complete, you can open this file for editing. We typically reconmend nano for this as it’s quick and easy to use, although it may need installing onto your web server first.

$ nano custom/doamin/nginxDomainVirtualHost.php
Code language: Shell Session (shell)

While this file is PHP, it is not outputting HTML. Instead it is outputting a nginx configuration file, which while a valid use of PHP it is quite an unsual one. Once in the file, locate the section further down where you can see lines such as the following:

<?php if (!$VAR->domain->physicalHosting->proxySettings['nginxProxyMode']): ?>
    location ~ /\.ht {
        deny all;
    }
<?php endif ?>
Code language: PHP (php)

Before these lines, you can add the following configuration:

location = /xmlrpc.php {
   deny from all;
   default_type "text/plain";
   return 401 "This service has been disabled for security purposes";
}
Code language: Nginx (nginx)

Testing Plesk Configuration

Saving the file in place, you can now reload the nginx configuration for a subscription. Either run the following command:

$ httpdmng --reconfigure-domain some-domain-you-host.com
Code language: Shell Session (shell)

Or, if this is not available you can go into Plesk admin, choose a subscription, then edit it’s Apache/nginx config and simply press Apply. After a few seconds nginx on your server will pick up the new configuration.

Now you can go to the domain in question and test if accessing xmlrpc.php provides the error message described above. If you do, this guide has worked and now when Plesk refreshes all of the nginx configs over time for your domains they will all recieve this configuration.

You can force this all in one go with the following command:

$ httpdmng --reconfigure-all
Code language: Shell Session (shell)

Summary

In summary, we have been able to create a copy of the Plesk nginx configuration for each domain on your server. From there we have added additional nginx rules to block access to xmlrpc.php, and then reloaded and tested this configuration. Using this rough process and way to modify files you can achieve other things such as allowing nginx to run on multiple IP addresses, or anything else nginx supports.

---