Disable xmlrpc.php file

## Summary: xmlrpc.php can be used for portscanning or bruteforce attacks. Better is to hide this file. ## Steps To Reproduce: 1. Go to https://www.topechelon.com/xmlrpc.php 2. send a post request. POST /xmlrpc.php HTTP/1.1 Host: www.topechelon.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Length: 91 <methodCall> <methodName>system.listMethods</methodName> <params></params> </methodCall> HTTP/1.1 200 OK Date: Fri, 11 Oct 2019 16:34:08 GMT Content-Type: text/xml; charset=UTF-8 Content-Length: 4272 Connection: close Set-Cookie: __cfduid=d3522855e8b518b66e70317fce00b27b91570811646; expires=Sat, 10-Oct-20 16:34:06 GMT; path=/; domain=.topechelon.com; HttpOnly Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Server: cloudflare CF-RAY: 52423d543ec4ddf1-SIN <?xml version="1.0" encoding="UTF-8"?> <methodResponse> <params> <param> <value> <array><data> <value><string>system.multicall</string></value> <value><string>system.listMethods</string></value> <value><string>system.getCapabilities</string></value> <value><string>demo.addTwoNumbers</string></value> <value><string>demo.sayHello</string></value> <value><string>pingback.extensions.getPingbacks</string></value> <value><string>pingback.ping</string></value> <value><string>mt.publishPost</string></value> <value><string>mt.getTrackbackPings</string></value> <value><string>mt.supportedTextFilters</string></value> <value><string>mt.supportedMethods</string></value> <value><string>mt.setPostCategories</string></value> <value><string>mt.getPostCategories</string></value> <value><string>mt.getRecentPostTitles</string></value> <value><string>mt.getCategoryList</string></value> <value><string>metaWeblog.getUsersBlogs</string></value> <value><string>metaWeblog.deletePost</string></value> <value><string>metaWeblog.newMediaObject</string></value> <value><string>metaWeblog.getCategories</string></value> <value><string>metaWeblog.getRecentPosts</string></value> <value><string>metaWeblog.getPost</string></value> <value><string>metaWeblog.editPost</string></value> <value><string>metaWeblog.newPost</string></value> <value><string>blogger.deletePost</string></value> <value><string>blogger.editPost</string></value> <value><string>blogger.newPost</string></value> <value><string>blogger.getRecentPosts</string></value> <value><string>blogger.getPost</string></value> <value><string>blogger.getUserInfo</string></value> <value><string>blogger.getUsersBlogs</string></value> <value><string>wp.restoreRevision</string></value> <value><string>wp.getRevisions</string></value> <value><string>wp.getPostTypes</string></value> <value><string>wp.getPostType</string></value> <value><string>wp.getPostFormats</string></value> <value><string>wp.getMediaLibrary</string></value> <value><string>wp.getMediaItem</string></value> <value><string>wp.getCommentStatusList</string></value> <value><string>wp.newComment</string></value> <value><string>wp.editComment</string></value> <value><string>wp.deleteComment</string></value> <value><string>wp.getComments</string></value> <value><string>wp.getComment</string></value> <value><string>wp.setOptions</string></value> <value><string>wp.getOptions</string></value> <value><string>wp.getPageTemplates</string></value> <value><string>wp.getPageStatusList</string></value> <value><string>wp.getPostStatusList</string></value> <value><string>wp.getCommentCount</string></value> <value><string>wp.deleteFile</string></value> <value><string>wp.uploadFile</string></value> <value><string>wp.suggestCategories</string></value> <value><string>wp.deleteCategory</string></value> <value><string>wp.newCategory</string></value> <value><string>wp.getTags</string></value> <value><string>wp.getCategories</string></value> <value><string>wp.getAuthors</string></value> <value><string>wp.getPageList</string></value> <value><string>wp.editPage</string></value> <value><string>wp.deletePage</string></value> <value><string>wp.newPage</string></value> <value><string>wp.getPages</string></value> <value><string>wp.getPage</string></value> <value><string>wp.editProfile</string></value> <value><string>wp.getProfile</string></value> <value><string>wp.getUsers</string></value> <value><string>wp.getUser</string></value> <value><string>wp.getTaxonomies</string></value> <value><string>wp.getTaxonomy</string></value> <value><string>wp.getTerms</string></value> <value><string>wp.getTerm</string></value> <value><string>wp.deleteTerm</string></value> <value><string>wp.editTerm</string></value> <value><string>wp.newTerm</string></value> <value><string>wp.getPosts</string></value> <value><string>wp.getPost</string></value> <value><string>wp.deletePost</string></value> <value><string>wp.editPost</string></value> <value><string>wp.newPost</string></value> <value><string>wp.getUsersBlogs</string></value> </data></array> </value> </param> </params> </methodResponse> ## Impact this could be used for portscanning or brute force attacks.