OpenLiteSpeed Rewrite Rules Ignored or Overridden

[mikegs1]

Hey guys!

I got a VPS with Ubuntu 20.04, Cyberpanel and OpenLiteSpeed, and launched a WordPress website there. All good, up until I realized /xmlrpc.php was not blocked/denied (despite having implemented code in .htaccess for it).

I checked the code and rewrote it accordingly to OLS, no dice. Xmlrpc (readme.html, etc.) still accessible. I’ve tried blocking xmlrpc.php through WP functions.php - again, ignored. I’ve tried a couple of plugins, just to test if they’d work, to no avail.

After a couple of days and dozens of hours, I managed to get it to correctly deny it after adding the rewrite rules once again inside Cyberpanel → Website → Rewrite Rules (basically same as .htaccess), all whilst in OLS Webadmin Rewrite Rules are enabled and Auto Loaded from .htaccess.

It worked for a bit, the files seemed to be blocked, but today, I was doing some testing and noticed they were available once again (despite the exact same code being still in place, correctly).

I have no idea left as to what could override it or why they’re ignored at this point.

I’ve also ruled out every single plugin I’m using (as well as my theme) as culprits. This could only be due to OLS I believe, or something else that I might be missing.

Any help or ideas would be much appreciated - thank you kindly!

Here are the Rewrite Rules I had:

RewriteCond %{REQUEST_URI} ^(.*)?readme\.html(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?readme\.txt(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-trackback\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?license\.txt(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-config\.php(.*)$
RewriteRule ^/wp-admin/install\.php$ - [F]
RewriteRule ^/wp-admin/includes/ - [F]
RewriteRule !^/wp-includes/ - [S=3]
RewriteRule ^/wp-includes/[^/]+\.php$ - [F]
RewriteRule ^/wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^/wp-includes/theme-compat/ - [F]
RewriteRule (^|.*/)\.(git|svn)/.* - [F]
RewriteRule ^/wp-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
RewriteRule ^/wp-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]
RewriteRule ^/wp-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

 

[Cold-Egg]

You can try a simple rule first, for example:

RewriteCond %{REQUEST_URI} xmlrpc\.php [NC]
RewriteRule .* - [F]

Then start adding OR conditions.
Everytime you update the .htaccess file, please remember to restart the web server in order to reload the rules.

 

[mikegs1]

You can try a simple rule first, for example:

RewriteCond %{REQUEST_URI} xmlrpc\.php [NC]
RewriteRule .* - [F]

Then start adding OR conditions.
Everytime you update the .htaccess file, please remember to restart the web server in order to reload the rules.

Thank you so much! I deleted everything and tried with your code and it worked. And, based on your code, I rewrote the whole thing. I'll paste it below for any other users looking for it, as it is working.

<IfModule Litespeed>
# Block access to readme.html and readme.txt files
RewriteCond %{REQUEST_URI} ^/readme\.html$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/readme\.txt$ [NC]
RewriteRule .* - [F,L]

# Block access to xmlrpc.php, phpinfo.php and wp-trackback.php files
RewriteCond %{REQUEST_URI} ^/xmlrpc\.php$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/phpinfo\.php$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-trackback\.php$ [NC]
RewriteRule .* - [F,L]

# Block access to license.txt and wp-config.php files
RewriteCond %{REQUEST_URI} ^/license\.txt$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-config\.php$ [NC]
RewriteRule .* - [F,L]

# Block access to wp-admin/includes directory
RewriteRule ^/wp-admin/includes/ - [F,L]

# Block access to all files in wp-includes directory, except for .js files
RewriteCond %{REQUEST_URI} !^/wp-includes/.*\.js$ [NC]
RewriteRule ^/wp-includes/ - [F,L]

# Block access to all PHP files in wp-includes directory
RewriteRule ^/wp-includes/.*\.php$ - [F,L]

# Block access to PHP files in wp-includes/js/tinymce/langs directory
RewriteRule ^/wp-includes/js/tinymce/langs/.+\.php$ - [F,L]

# Block access to wp-includes/theme-compat directory
RewriteRule ^/wp-includes/theme-compat/ - [F,L]

# Block access to .git and .svn directories
RewriteRule (^|.*/)\.(git|svn)/.* - [F,L]

# Block access to PHP files in wp-content/uploads directory
RewriteRule ^/wp-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ [NC,F,L]

# Block access to PHP files in wp-content/plugins directory
RewriteRule ^/wp-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ [NC,F,L]

# Block access to PHP files in wp-content/themes directory
RewriteRule ^/wp-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ [NC,F,L]
</IfModule>

 

[Cold-Egg]

Glad to know it works, and thanks for sharing.

 

[LiteCache]

@mikegs1

You've obviously made a lot of effort, but you can save 2/3 of this work because it's unnecessary. Especially since every rewrite rule does not make your server faster and safer. Most of these rules are therefore meaningless. I cannot recommend other interested readers to adopt these rewrite rules.