IT Nursery
  • 1010 Avenue of the Moon
    New York, NY 10018 US.
  • Mon - Sat 8.00 - 18.00
    Sunday: Closed
  • Get A Quote
  • WordPress

    • Does this .htaccess security setting really work?

    • IT Nursery
    • April 25, 2022
    • 0

    What does this .htaccess do?

    Am I correct in thinking that all it does is prevent automatic brute force attacks?

    So, to access the wp-login.php you have to manually type in the URL of the domain so that negates all the bots seeking out wp-login.php

    Am I correct?

    Here’s the .htaccess rule:

    <IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?my-domain.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>

    3 s
    3

    It appears to prevent any POST requests to wp-login.php that aren’t made from a page on my-domain.com.

    When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from.

    This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it’s not actually all that helpful.

    Tags:

    Leave a Reply

    Your email address will not be published. Required fields are marked *