WordPress.org

fightsmarttrav
(@fightsmarttrav)

3 months, 2 weeks ago
I’m getting this error message when trying to set up the app, but xmlrpc.php is not blocked or forbidden on my server. I am able to access the file with no issue by visiting https://howtofightnow.com/xmlrpc.php

It says, “XML-RPC server accepts POST requests only.”

With that said, I would like to restrict access to xmlrpc.php to only my ip address, or the ipaddress of my cell phone when accessing the wordpress app. I will be adding to htaccess:
```
<Files xmlrpc.php>
Require all denied
Require ip 100.19.142.9
</Files>
```
1. Why is this not working despite htaccess not being blocked?
2. What, if any, ip addresses other than my own need to be added to htaccess in order for the app to work?
The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)

George Appiah
(@gappiah)

3 months, 2 weeks ago

1. Why is this not working despite htaccess not being blocked?

There are different methods to request a resource from a server: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods

Opening the URL in the browser as you did is a GET request. That’s not blocked by your server, but that’s also not an allowed method to use XMLRPC endpoint.

The app needs to make a POST request to the XMLRPC endpoint (the only allowed method). This is what is being blocked by your web server, hence the 403:Forbidden error message you’re seeing.

2. What, if any, ip addresses other than my own need to be added to htaccess in order for the app to work?

As your server is already blocking these requests, there’s no need to add such a rule in your htaccess file.

Instead, you need to find out where the requests are being blocked and punch a “hole” through for the app to work.

I’m not entirely sure what that “hole” should be though. For the JetPack app, there’s a list of IP addresses that must be allowlisted to enable communications between Jetpack and WordPress.com for the app to work: https://jetpack.com/support/how-to-add-jetpack-ips-allowlist/

But I’m not 100% sure if the WordPress app (which is also a WordPress.com product) also needs these IP addresses allowlisted or not.
Thread Starter fightsmarttrav
(@fightsmarttrav)

3 months, 1 week ago
Hey George,

Thanks for the reply, but it doesn’t seem like there’s any 403 at all. In fact, according to my logs, the POST request is being seen as successful with a 200 ‘success’ status:

Screenshot: https://capture.dropbox.com/BPYlIBDncnbhKyaX
- This reply was modified 3 months, 1 week ago by fightsmarttrav.
George Appiah
(@gappiah)

3 months, 1 week ago

but it doesn’t seem like there’s any 403 at all

I don’t see any hit at your site’s XMLRPC endpoint /xmlrpc.php in your screenshot. I only see hits at the homepage / and some admin dashboard /wp-admin/ URLs.

You can test from here: https://xmlrpc.blog/

sue2208
(@sue2208)

2 weeks, 5 days ago

an ssl error cannot connect to server during login