What does this .htaccess do?
Am I correct in thinking that all it does is prevent automatic brute force attacks?
So, to access the wp-login.php you have to manually type in the URL of the domain, so that negates all the bots seeking out wp-login.php.
Am I correct?
Here’s the .htaccess rule:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?my-domain.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>
It appears to prevent any POST requests to wp-login.php that aren’t made from a page on my-domain.com.
When the browser sends a POST request, say after submitting a form, it will include an HTTP Referer header telling the server where the request came from.
This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it’s not actually all that helpful.
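To make the rule's logic concrete, here is an added example (not part of the original question or answer) that models the posted RewriteConds in Python and runs them over a few constructed requests. It copies the patterns verbatim and assumes mod_rewrite's usual semantics: conditions are ANDed unless joined by [OR], an absent Referer is an empty string, and [NC] means case-insensitive.

```python
import re

# mod_rewrite matches PCRE patterns unanchored (like re.search); the
# patterns below are copied verbatim from the posted .htaccess rule.
METHOD_RE = re.compile(r"POST")
REFERER_RE = re.compile(r"^https://(.*)?my-domain.com", re.IGNORECASE)  # [NC]
LOGIN_RE = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_RE = re.compile(r"^(.*)?wp-admin$")


def is_forbidden(method, uri, referer=None):
    """Return True when the rule would answer 403 (the [F] flag).

    Apache ANDs RewriteConds by default; the single [OR] only joins the
    two REQUEST_URI conditions, so the effective test is:
        POST  AND  referer NOT from my-domain.com  AND  (login OR admin)
    referer=None models a request with no Referer header: %{HTTP_REFERER}
    is then empty, the pattern does not match, and the negated condition
    is satisfied, so such a POST is blocked.
    """
    if not METHOD_RE.search(method):
        return False
    if REFERER_RE.search(referer or ""):
        # The header is supplied by the client, so this check only
        # reflects what the client claims about where it came from.
        return False
    return bool(LOGIN_RE.search(uri) or ADMIN_RE.search(uri))


# Constructed sample requests: (method, uri, referer, description)
SAMPLE_REQUESTS = [
    ("GET", "/wp-login.php", None, "loading the login form"),
    ("POST", "/wp-login.php", "https://my-domain.com/wp-login.php", "normal login submit"),
    ("POST", "/wp-login.php", None, "scripted login with no Referer"),
    ("POST", "/wp-login.php", "https://other.example/", "cross-site login POST"),
    ("POST", "/wp-admin", None, "bare /wp-admin with no Referer"),
    ("POST", "/wp-admin/admin-ajax.php", None, "URI does not end in wp-admin, so not covered"),
]


def evaluate_all():
    """Map each sample request to the rule's verdict."""
    return {(m, u, r): is_forbidden(m, u, r) for m, u, r, _ in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for (m, u, r), blocked in evaluate_all().items():
        print(f"{'403' if blocked else 'ok '} {m:4} {u:28} Referer={r}")
```

Note that the wp-admin condition is anchored with `$`, so POSTs to paths under /wp-admin/ (such as admin-ajax.php) are untouched; only the Referer-less or foreign-Referer POSTs to wp-login.php and the bare /wp-admin are refused.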