Nginx deny all for location block not working as expected

Tags: nginx, ufw, wordpress, xmlrpc

I have a WordPress blog set up with nginx. I keep seeing this:

80.82.64.220 - - [10/Nov/2016:08:21:48 +0000] "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

It's one request per second. So I tried denying access to the xmlrpc.php through nginx conf file.

 location /xmlrpc.php {
    deny all;
    access_log off;
 }

I tail the access file and can see it's still being accessed. No idea why.
I try a curl from my dev machine with random params and I get an xml file. I don't know why I'm getting an xml file.

I notice that all requests are from the same server. So I think let's just block the IP, so I do:

sudo ufw deny from 80.82.64.220

I check the status and it does show the rule is added. I tail the access file and I can still see that the file is being accessed.

All the changes in the firewall and nginx config file, including the access log file, are on my actual server. This server sits behind an nginx reverse proxy. The reverse proxy's access log doesn't have this access log, so I am guessing the main server is being accessed directly.

But how is the file still being accessed?

Best Answer

The location block does not work because it does not process the /xmlrpc.php request. See this document for details.

Use the ^~ modifier or the = construct to raise the precedence of the location block (see this document for details):

location = /xmlrpc.php { ... }
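
The precedence rule the answer refers to, as an added example (not code from the original post or from nginx): a small Python model of how nginx picks a location in a flat server block. The `~ \.php$` handler and the `/` block are assumptions, since the question does not show the rest of the config; a regex PHP handler like this is common in WordPress setups and would take the request away from a plain prefix block.

```python
import re

def select_location(locations, uri):
    """Model of nginx location selection for a flat (non-nested) server block.

    locations: list of (modifier, pattern) in config order; modifier is one of
    "", "=", "^~", "~", "~*". Returns the (modifier, pattern) that handles uri.
    """
    # 1. An exact "=" match wins immediately.
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
    # 2. Remember the longest matching prefix location ("" or "^~").
    best = None
    for mod, pat in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    # "^~" on the longest prefix suppresses the regex pass.
    if best and best[0] == "^~":
        return best
    # 3. Regex locations are tried in config order; the first match wins.
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)
    # 4. No regex matched: fall back to the remembered prefix.
    return best

# Constructed config: the "~ \.php$" block is an assumption (a common
# WordPress PHP handler); the page does not show the rest of the server block.
PHP = ("~", r"\.php$")
ROOT = ("", "/")
as_asked = [ROOT, ("", "/xmlrpc.php"), PHP]    # block from the question
with_exact = [ROOT, ("=", "/xmlrpc.php"), PHP]  # fix using "="
with_caret = [ROOT, ("^~", "/xmlrpc.php"), PHP]  # fix using "^~"

if __name__ == "__main__":
    for name, conf in [("prefix", as_asked), ("=", with_exact), ("^~", with_caret)]:
        print(f"{name:7} -> {select_location(conf, '/xmlrpc.php')}")
```

With the plain prefix block the request is handled by the regex location, so `deny all` is never evaluated; with `=` or `^~` the deny block is selected and other `.php` URIs still reach the PHP handler.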