Securing WordPress

These configuration options block some of the more primitive brute-force attacks on WordPress: automated login attempts through xmlrpc.php, and scripted form posts to wp-login.php that send no Referer header. They rely on the Apache 2.4 expression syntax (the <If> directive), so they will not work on Apache 2.2.

Place them in the .htaccess file in the root of your website (domains/yourdomain.com/public_html), above the "# BEGIN WordPress" marker: WordPress only rewrites the block between its BEGIN and END markers, so rules placed outside it survive updates.

# Block all access to `xmlrpc.php`.
<If "%{REQUEST_URI} == '/xmlrpc.php'">
    Require all denied
</If>
# Block form submissions to `wp-login.php` that arrive with an empty or missing `Referer` header.
<If "%{REQUEST_METHOD} == 'POST' && %{REQUEST_URI} == '/wp-login.php' && %{HTTP_REFERER} == ''">
    Require all denied
</If>

Two caveats before you enable these. Blocking xmlrpc.php also disables anything that talks to WordPress over XML-RPC, such as Jetpack and the WordPress mobile apps; if you need those, do not use the first rule. The Referer check only stops tools that do not bother to set the header: any attacker can add a Referer in one line, and some legitimate visitors (browsers or extensions that strip Referer for privacy) will be refused when they try to log in. Treat both rules as noise reduction, not as a substitute for strong passwords and login rate limiting.

Denying Author Scans

Author scans are a common way to discover a valid username before brute-forcing its password: requesting /?author=1, /?author=2 and so on makes WordPress redirect to /author/<username>/, which reveals the login name of each account. Avoid this by refusing requests that carry an author=<number> query parameter.

Place this inside a .htaccess file at the root of your website (domains/yourdomain.com/public_html).

# Block author scans (requests with an author=<number> query parameter).
# Keep this above the "# BEGIN WordPress" block so it is evaluated first.
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /
    # (^|&) anchors the match to a parameter named exactly "author",
    # so unrelated parameters such as coauthor=1 are not caught.
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^(.*)$ - [F]
</IfModule>
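After deploying any of the rules above, check the access log to confirm that the probes you expect are now answered with 403 and that nothing else is being refused. The script below is an added example, not part of this article or of WordPress: it parses Apache combined-format log lines (the sample lines are constructed, not from a real server), classifies each request by which of the three rules should catch it, and tallies blocked (403) versus passed requests per category with the source addresses. The category names and the choice of 403 as the "blocked" status are assumptions of this example.

```python
"""Tally WordPress brute-force probes in an Apache access log.

Added example: classifies Combined Log Format lines by the three probe
types the .htaccess rules above target, and reports how many of each
were refused (403) versus reached WordPress. Sample lines are constructed.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/2.31.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "curl/8.0.1"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0.1"',
    '198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:57:20 +0000] "GET /?p=12&author=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Map a parsed request to the rule that should catch it, or None."""
    url = urlsplit(entry['target'])
    if url.path == '/xmlrpc.php':
        return 'xmlrpc'
    # The combined log writes a missing Referer as "-".
    if (url.path == '/wp-login.php' and entry['method'] == 'POST'
            and entry['referer'] in ('', '-')):
        return 'login-no-referer'
    # Mirror the [NC] flag: the parameter name is matched case-insensitively.
    for name, values in parse_qs(url.query).items():
        if name.lower() == 'author' and any(v.isdigit() for v in values):
            return 'author-scan'
    return None


def summarize(lines) -> dict:
    """Count blocked (403) and passed probes per category, with source IPs."""
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not combined-format requests
        kind = classify(entry)
        if kind is None:
            continue  # ordinary traffic, not one of the three probe types
        bucket = report.setdefault(kind, {'blocked': 0, 'passed': 0, 'sources': Counter()})
        bucket['blocked' if entry['status'] == '403' else 'passed'] += 1
        bucket['sources'][entry['ip']] += 1
    return report


if __name__ == '__main__':
    for kind, stats in summarize(SAMPLE_LOG).items():
        print(f"{kind}: blocked={stats['blocked']} passed={stats['passed']} "
              f"top={stats['sources'].most_common(3)}")
```

Run it against your real log with something like summarize(open('/path/to/access.log')). A non-zero "passed" count for xmlrpc or author-scan after the rules are in place means a request slipped past them (for instance, a probe that hit before the rules were saved, or a variant the pattern does not cover) and is worth a look.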
