You can block WordPress xmlrpc.php requests from Cloudflare but exclude the JetPack IP addresses by creating a custom firewall rule, attacks on xmlrpc.php are frequent and it is best now disabled as it will be deprecated from WordPress in the future.

However, some of the more popular WordPress plugins such as JetPack still need to access xmlrpc.php so you may need a custom solution to make it available.

Fully Disable xmlrpc.php

You can fully disable xmlrpc.php with a plugins such as perfmatters or Disable XML-RPC or a line of code in your functions.php

add_filter( 'xmlrpc_enabled', '__return_false' );

Check that xmlrpc is disabled with this online validator.

Online Xmlrpc Validator

Partially Disable xmlrpc.php localhost

You can restrict usage by partially blocking access to xmlrpc.php by adding a rule in your .htaccess file

<Files xmlrpc.php>
Order allow,deny
Allow from 192.0.64.0/18
Deny from all Satisfy All ErrorDocument 403 http://127.0.0.1/ </Files>

So only IP addresses in the range of 192.0.64.0/18 can access xmlrpc.php  – which is part of the JetPack IP address range.

Partially Disable xmlrpc.php at Cloudflare but allow JetPack

With the free Cloudflare you can add up to five custom firewall rules, create one to block all IP addresses apart from JetPacks to deny access to any query string that contains xmlrpc.php

Cloudflare Firewall Xmlrpc Rule Create

Create a custom firewall rule

 

 

Cloudflare Firewall Xmlrpc Rule

Add in the range of IP addresses and URI path that contains xmlrpc.php

 

JetPack IP Address Range

The JetPack IP address range is discussed on Github, published at JetPack, but is subject to change which can be verified here, and converted to CIDR notation here.

 

Now you can check the activity of the firewall rule by clicking on the Activity last 24hr link in the rule – also verify your xmlrpc.php is disabled by visiting the online validator.

3 Comments

  1. Ahmed on November 2, 2020 at 4:03 am

    Came across this article and would like to say Thank you!

    I have a challenge rule for my xmlrpc.php causing jetpack not to work regardless to what cloudflare WAF jetpack is.

    To allow jetpack, I had to whitelist jetpack server AS number by adding “AS2635” in the IP address column.

    That did the trick for me.

  2. user5555 on October 9, 2020 at 3:17 pm

    Cloudflare actually has built-in Jetpack protection: https://support.cloudflare.com/hc/en-us/articles/218377098-WordPress-Jetpack-and-Cloudflare

    “The Cloudflare WordPress WAF rule WP0007 protects xmlrpc.php file ion all Cloudflare plans to allow only Jetpack to use the xmlrpc.php?for=jetpack query string. Cloudflare does this by only allowing the IP range of Jetpack’s automation systems. As such any attempt to access xmlrpc.php?for=jetpack from an IP that is not a genuine Jetpack IP will be blocked with a HTTP 403 Forbidden message from Cloudflare. This in itself is nothing to worry about and improves the security of your website and does not affect the functionality of Jetpack whatsoever.”

  3. Leonidas on July 29, 2020 at 11:20 pm

    Thank you for this.

    Cloudflare now has an expression editor, so it looks like this (simply copy and paste):

    (not ip.src in {122.248.245.244/32 54.217.201.243/32 54.232.116.4/32 192.0.80.0/20 192.0.96.0/20 192.0.112.0/20 195.234.108.0/22 192.0.96.202/32 192.0.98.138/32 192.0.102.71/32 192.0.102.95/32} and http.request.uri.path contains “xmlrpc.php”)

Leave a Comment