Symptoms
- A WordPress website intermittently displays a 403 error
- The following errors are present within the nginx error log for the website:
2023/07/20 10:40:09 [error] 3925966#0: *145240 access forbidden by rule, client: 203.0.113.2, server: example.com, request: "POST /xmlrpc.php HTTP/2.0", host: "www.example.com"
2023/07/20 10:44:25 [error] 3925966#0: *145353 access forbidden by rule, client: 203.0.113.2, server: example.com, request: "POST /xmlrpc.php HTTP/2.0", host: "www.example.com"
- The Block access to xmlrpc.php security feature is enabled for this website via Plesk > WP Toolkit > example.com > three dots > Check Security > Security Measures.
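To see which clients the measure is turning away before deciding whether to keep or revert it, the denied xmlrpc.php requests can be tallied per client from the nginx error log. This is an added example, not Plesk or WP Toolkit code; the function name and the last two sample lines are constructed, following the log format shown above.

```python
import re

# Sample input: the two lines from this article plus two constructed lines.
SAMPLE_LOG = """\
2023/07/20 10:40:09 [error] 3925966#0: *145240 access forbidden by rule, client: 203.0.113.2, server: example.com, request: "POST /xmlrpc.php HTTP/2.0", host: "www.example.com"
2023/07/20 10:44:25 [error] 3925966#0: *145353 access forbidden by rule, client: 203.0.113.2, server: example.com, request: "POST /xmlrpc.php HTTP/2.0", host: "www.example.com"
2023/07/20 10:45:01 [error] 3925966#0: *145360 access forbidden by rule, client: 198.51.100.7, server: example.com, request: "POST /xmlrpc.php HTTP/1.1", host: "www.example.com"
2023/07/20 10:45:30 [error] 3925966#0: *145371 access forbidden by rule, client: 198.51.100.7, server: example.com, request: "GET /.env HTTP/1.1", host: "www.example.com"
"""

# Matches only "access forbidden by rule" entries and captures the fields we need.
BLOCKED = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'access forbidden by rule, client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]+), '
    r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def blocked_xmlrpc(lines):
    """Return {client: {"count", "first", "last"}} for denied xmlrpc.php requests."""
    stats = {}
    for line in lines:
        m = BLOCKED.match(line)
        if not m:
            continue  # some other error type
        # Drop any query string; endswith() also covers WordPress in a subdirectory.
        path = m["uri"].split("?", 1)[0]
        if not path.endswith("/xmlrpc.php"):
            continue  # denied by a rule, but not the xmlrpc.php one
        entry = stats.setdefault(
            m["client"], {"count": 0, "first": m["ts"], "last": m["ts"]}
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
    return stats


if __name__ == "__main__":
    result = blocked_xmlrpc(SAMPLE_LOG.splitlines())
    for client, s in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{client:15} {s["count"]:5}  {s["first"]} -> {s["last"]}')
```

A small, stable set of clients with regular timestamps points to an integration that depends on XML-RPC; many unrelated addresses point to background probing that the measure is meant to stop.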
Cause
This specific WordPress website seems to require the xmlrpc.php file to be accessible in order to function properly. Since xmlrpc.php in WordPress installations is a severely outdated file that is essentially a vulnerability, the WP Toolkit in Plesk has a security measure that prevents access to the xmlrpc.php file.
It is recommended to apply this measure to reduce the attack surface if XML-RPC is not used by WordPress. The measure modifies the server configuration file (Apache, nginx for Linux or web.config for Windows).
Note: Custom directives in the .htaccess or web.config files might override this security measure.
Resolution
If your WordPress website needs to use the xmlrpc.php file in order to function properly, you should do the following:
2. Go to WordPress > example.com > > Check Security > Security Measures
3. Check the box for the Block access to xmlrpc.php security feature
4. Press the Revert button
Once this security measure is disabled, the xmlrpc.php file of the WordPress installation will be accessible once again.
Additional Information
How to disable XML-RPC for a WordPress instance hosted in Plesk?