Securing WordPress

These configuration options will block some of the more primitive brute force attacks on WordPress.

Place them in an .htaccess file in the root of your website (domains/

# Block all access to `xmlrpc.php`.
<If "%{REQUEST_URI} == '/xmlrpc.php'">
    Require all denied
# Block access form submissions to `wp-login.php` with an empty `Referer` header.
<If "%{REQUEST_METHOD} == 'POST' && %{REQUEST_URI} == '/wp-login.php' && %{HTTP_REFERER} == ''">
    Require all denied

Need support?

Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact support