Block xmlrpc.php globally in Apache 2.4 with exceptions for specific sites

This snippet for Apache 2.4 forbids access to xmlrpc.php by default and then adds exceptions for specific sites. The sites that get an exception are specified using the Directory directive.

Add this to “/etc/apache2/apache2.conf”

# Forbid access to xmlrpc.php globally at server level
<Files "xmlrpc.php">
  Require all denied
</Files>

# Add exception for a site that needs XML-RPC
<Directory "/web/site-1/public">
  <Files "xmlrpc.php">
    Require all granted
  </Files>
</Directory>

# Add exception for a second site that needs XML-RPC
<Directory "/web/site-2/public">
  <Files "xmlrpc.php">
    Require all granted
  </Files>
</Directory>