Securing WordPress

These configuration options will block some of the more primitive brute-force attacks on WordPress.

Place them in an .htaccess file in the root of your website (domains/yourdomain.com/public_html).

# Block all access to `xmlrpc.php`.
<If "%{REQUEST_URI} == '/xmlrpc.php'">
    Require all denied
</If>
# Block form submissions to `wp-login.php` with an empty `Referer` header.
<If "%{REQUEST_METHOD} == 'POST' && %{REQUEST_URI} == '/wp-login.php' && %{HTTP_REFERER} == ''">
    Require all denied
</If>
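
To confirm the rules are in effect after deploying them, the following added example (not part of the original page) scans Apache combined-format access log lines for requests that match either rule and reports whether each one was answered with a 403. The log lines are constructed samples, and the function names `matched_rule` and `audit` are assumptions made for this example.

```python
import re

# Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def matched_rule(method, target, referer):
    """Return which of the two .htaccess rules a request matches, or None."""
    # REQUEST_URI is the path only, so drop any query string from the log target.
    path = target.split("?", 1)[0]
    if path == "/xmlrpc.php":
        return "xmlrpc"
    # A missing Referer header is logged as "-"; an empty one as "".
    if method == "POST" and path == "/wp-login.php" and referer in ("", "-"):
        return "login-no-referer"
    return None

def audit(lines):
    """Return (host, rule, status, denied) for every line that matches a rule."""
    results = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        rule = matched_rule(m["method"], m["target"], m["referer"])
        if rule:
            status = int(m["status"])
            results.append((m["host"], rule, status, status == 403))
    return results

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "constructed-agent"',
    '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "constructed-agent"',
    '198.51.100.20 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://yourdomain.com/wp-login.php" "constructed-browser"',
    '198.51.100.20 - - [10/Oct/2024:13:56:09 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 3000 "-" "constructed-browser"',
]

if __name__ == "__main__":
    for host, rule, status, denied in audit(SAMPLE):
        verdict = "denied" if denied else "NOT denied, check .htaccess"
        print(f"{host} {rule} {status} {verdict}")
```

A matching request with any status other than 403 means the rule did not apply to it, for example because the line was logged before the .htaccess file was in place.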
