After upgrading from PHP 7.2 to 7.4.x, I was taking a look at my graphs in new relic for my wordpress blog and found a high number of E_WARNINGs for //xmlrpc.php. It’s a result of bots hitting a non-existent URL at //xmlrpc.php – note the extra slash in there. The default nginx behavior is to merge double slashes, which normally is fine.
In this case, I added a location block with //xmlrpc.php to block it but I noticed it was not working (hitting that particular URI still returned with a 405 Method Not Allowed instead of a 403 Forbidden). It turns out that I needed to add ‘merge_slashes off;’ and then it worked. Voila, lots of spurious errors removed from my logs (and from hitting PHP). Note that most of the xmlrpc functionality has been supplanted by the newer WordPress REST API, so you likely do not need it enabled.
merge_slashes off;
location = //xmlrpc.php {
deny all;
}If you want to use a plug-in, you could search for ‘Disable XML-RPC’ in the WordPress plug-ins repository or install WordFence. Buh-bye bad bots.
