I have 30 sites, what's the easiest way to block "xmlrpc.php" on all of them?

Hello, how can I block all URIs that contain XMLRPC on all sites in my account?

I know how to do one by one, but I would need to save time and leave this as the default.

In fact it could be a native security option, because it’s a file most of the time useless.

Using Cloudflare, on each block any requests to the uri path “xmlrpc.php” using Firewall Rule.

Maybe you’d be faster using API? :thinking:

Unfortuantely, yet there is no possible way to configure/duplicate/transfer/apply Firewall Rule from one zone to another, or to apply some Firewall Rule to all of the zones in the same CF account → which for example works fine when using “IP Access Rules” where we can set the “action” to apply it on “all websites in the current account” or rather for the particular zone/domain.

Hi!

I understand, maybe there is a way to redirect all accesses with this tool?
https://developers.cloudflare.com/rules/bulk-redirects/

something like: *xmlrpc.php* redirect to google.com

1 Like

Yes it can be faster if you use the CF API Cloudflare API v4 Documentation to first list the Firewall rule(s) you want, then write a custom CF API query to add them to each CF zone using the zone id as the identifier. That’s how I do it right now.

Quick example if you can script the CF Firewall API rule creation

create the rule.json file with the actual rule

[{
  "paused": true,
  "description": "Example CF Firewall API Rule",
  "action": "block",
  "priority": 1,
  "filter": {
    "expression": "(http.request.uri.path eq \"/private/\")",
    "paused": false
  }
}]

Then I pass the file in my script to CF Firewall rule creation API routine - I can also pass a 3rd parameter for zoneid so can go through and create the Firewall rule for a specific zoneid

./cf-firewall-api.sh rule-create rule.json
{
  "result": [
    {
      "id": "14ffe0c138774217ba3d40b964e752ba",
      "paused": true,
      "description": "Example CF Firewall API Rule",
      "action": "block",
      "priority": 1,
      "filter": {
        "id": "9c9d81dbfa824e0e9e1dc20cc5bbec25",
        "expression": "(http.request.uri.path eq \"/private/\")",
        "paused": false
      },
      "created_on": "2022-03-05T08:49:29Z",
      "modified_on": "2022-03-05T08:49:29Z",
      "index": 1
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}

Listing all CF Firewall Rules formatted to remove fields not used in re-creating the rule

./cf-firewall-api.sh rules-list-all-formatted

{
  "paused": true,
  "description": "Example CF Firewall API Rule",
  "action": "block",
  "priority": 1,
  "filter": {
    "expression": "(http.request.uri.path eq \"/private/\")",
    "paused": false
  }
}

Or with all fields

./cf-firewall-api.sh rules-list-all
{
  "id": "14ffe0c138774217ba3d40b964e752ba",
  "paused": true,
  "description": "Example CF Firewall API Rule",
  "action": "block",
  "priority": 1,
  "filter": {
    "id": "9c9d81dbfa824e0e9e1dc20cc5bbec25",
    "expression": "(http.request.uri.path eq \"/private/\")",
    "paused": false
  },
  "created_on": "2022-03-05T08:49:29Z",
  "modified_on": "2022-03-05T08:49:29Z"
}

The actual curl command used to create the Firewall rule

    curl -4sX POST "https://api.cloudflare.com/client/v4/zones/$zid/firewall/rules" \
     -H "Authorization: Bearer $cftoken" \
     -H "Content-Type: application/json" \
     -d "@$input_file" | jq -r

where input_file=rule.json and zid=yourzoneid and cftoken=yourcf-api-token

2 Likes

That’s also possible with the use of Bulk Redirect, good idea.

1 Like

Is not the same as “block” → which is what you want to achieve from your first post? :thinking:

:+1:

Was thinking the same, but I am afraid it might not be a good solution as far as until Google or some other website to which the OP is redirecting, instead of “block” as wanted in first post, finds it and add some restriction or ban his domain for some reason? :thinking:

If so, in terms of redirecting instead of blocking, I’d suggest to redirect to some non existing domain.

Redirects to localhost :+1: :crazy_face:

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.