Securing WordPress

These configuration options will block some of the more primitive brute-force attacks on WordPress.

Place them in an .htaccess file in the root of your website (domains/yourdomain.com/public_html).

# Block all access to `xmlrpc.php`.
<If "%{REQUEST_URI} == '/xmlrpc.php'">
    Require all denied
</If>
# Block form submissions to `wp-login.php` with an empty `Referer` header.
<If "%{REQUEST_METHOD} == 'POST' && %{REQUEST_URI} == '/wp-login.php' && %{HTTP_REFERER} == ''">
    Require all denied
</If>
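
One way to confirm from the access log that both rules are taking effect, as an added example that is not part of the original page. It assumes Apache's `combined` log format; the function names and sample log lines are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def matching_rule(method, target, referer):
    """Return which of the two .htaccess rules a request matches, or None."""
    # %{REQUEST_URI} holds the path only, so drop any query string first.
    path = target.split("?", 1)[0]
    if path == "/xmlrpc.php":
        return "xmlrpc"
    # The combined format logs an absent Referer header as "-".
    if method == "POST" and path == "/wp-login.php" and referer in ("", "-"):
        return "login-no-referer"
    return None

def audit(lines):
    """Split rule-matching requests into denied (403) and not denied."""
    report = {"denied": [], "not_denied": []}
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not a combined-format line
        rule = matching_rule(m["method"], m["target"], m["referer"])
        if rule is None:
            continue  # neither rule applies to this request
        bucket = "denied" if m["status"] == "403" else "not_denied"
        report[bucket].append((m["host"], rule, int(m["status"])))
    return report

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "bot"',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "bot"',
    '198.51.100.20 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '192.0.2.55 - - [01/Jan/2024:10:00:03 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 812 "-" "bot"',
    '198.51.100.20 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for bucket, hits in result.items():
        for host, rule, status in hits:
            print(f"{bucket:10} {rule:16} {status} {host}")
```

Any `not_denied` entry logged after the rules were deployed means the `.htaccess` file is not being applied to that request.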