WordPress exposes an OPML (Outline Processor Markup Language) file at: /wp-links-opml.php. This file lists blogroll links (a legacy WordPress feature) in a machine-readable format. OPML was designed to share link lists between feed readers and blogging tools. It’s a relic from early blogging workflows.
Why You Should Block OPML Links
On modern WordPress sites, OPML links are almost never used. Leaving the endpoint exposed:
- Reveals unnecessary site metadata
- Provides zero value for most sites
- Adds another publicly accessible PHP endpoint
- Slightly increases the attack surface for scanners and bots
While not a critical vulnerability, it violates a core security principle: expose only what you actually use.
How To Block Them
You can block access to it at the web server level (Nginx) or at the edge (Cloudflare), for example by returning 403 (or, in Nginx, the non-standard 444, which drops the connection without sending a response).
Blocking in Nginx
Open your Nginx config file, for example:
sudo nano /etc/nginx/sites-enabled/default
Add the following location block inside the server block:
# BLOCK OPML LINKS
location = /wp-links-opml.php {
    return 403;
}
Blocking in Cloudflare
Create a new Custom WAF Rule using the following expression:
(starts_with(http.request.uri.path, "/wp-links-opml.php"))
Action: Block or Managed Challenge.
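The two rules above do not match exactly the same requests: the Nginx `location =` block is an exact match on the normalised path, while the Cloudflare expression is a prefix match. The following script, which is an added example and not part of the original post, models both rules, runs them over a set of constructed request URLs (the hostname `example.invalid` and the helper names are my own), and includes a small probe you can point at your own site after reloading Nginx or publishing the WAF rule to confirm the endpoint now answers 403 (or that the connection is dropped, for 444).

```python
"""Compare how the Nginx exact-match rule and the Cloudflare prefix rule
classify request paths, then (optionally) probe a live site.

Added example, not code from the original post. Assumes paths are already
normalised (percent-decoded, no '..'), as both Nginx and Cloudflare do
before matching. Uses only the Python standard library.
"""
from urllib.parse import urlsplit
import urllib.error
import urllib.request

OPML_PATH = "/wp-links-opml.php"


def nginx_exact_match(path: str) -> bool:
    """Semantics of `location = /wp-links-opml.php`: the normalised URI
    must equal the path exactly. The query string is never part of the
    location match, so `/wp-links-opml.php?x=1` still matches."""
    return path == OPML_PATH


def cloudflare_starts_with(path: str) -> bool:
    """Semantics of the WAF expression
    starts_with(http.request.uri.path, "/wp-links-opml.php")."""
    return path.startswith(OPML_PATH)


def classify(url: str) -> dict:
    """Return which of the two rules would block the given request URL."""
    path = urlsplit(url).path
    return {
        "path": path,
        "nginx_exact": nginx_exact_match(path),
        "cloudflare_prefix": cloudflare_starts_with(path),
    }


# Constructed sample requests (hypothetical hostname), not captured traffic.
SAMPLE_URLS = [
    "https://example.invalid/wp-links-opml.php",
    "https://example.invalid/wp-links-opml.php?foo=bar",
    "https://example.invalid/wp-links-opml.php/extra",   # path-info style
    "https://example.invalid/wp-links-opml.phpx",        # prefix, not the script
    "https://example.invalid/blog/wp-links-opml.php",    # WordPress in a subdirectory
    "https://example.invalid/index.php",
]


def probe_status(url: str, timeout: float = 10.0) -> int:
    """Fetch URL and return the HTTP status code; 403 is expected once the
    block is live. Returns 0 when the server drops the connection without
    a response, which is what Nginx's `return 444` does.
    Network call: not exercised by the offline checks."""
    req = urllib.request.Request(
        url, method="GET", headers={"User-Agent": "opml-block-check/1.0"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code            # 403 lands here
    except urllib.error.URLError:
        return 0                 # connection closed / refused (e.g. 444)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(f"{r['path']:<30} nginx_exact={r['nginx_exact']!s:<5} "
              f"cloudflare_prefix={r['cloudflare_prefix']}")
```

Two rows are worth noticing. `/wp-links-opml.php/extra` is caught by the Cloudflare prefix rule but not by the Nginx exact match; whether such a request ever reaches PHP depends on how your `location ~ \.php$` (or similar) block is written, so check that on your own server rather than assuming. `/blog/wp-links-opml.php` is caught by neither rule, so if WordPress is installed in a subdirectory, both the Nginx path and the Cloudflare expression need that prefix added.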
The end.