Does this .htaccess security setting really work?

What does this .htaccess do?

Am I correct in thinking that all it does is prevent automatic brute force attacks?

So, to access wp-login.php you have to manually type in the URL of the domain, so that negates all the bots seeking out wp-login.php.

Am I correct?

Here’s the .htaccess rule:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://(.*)?my-domain.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]
</IfModule>


It appears to prevent any POST requests to wp-login.php that aren’t made from a page on my-domain.com.

When the browser sends a POST request, say after submitting a form, it will include an HTTP Referer header telling the server where the request came from.

This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it’s not actually all that helpful.
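To make the answer's point concrete, here is an added example (not code from the question or the answer) that emulates the decision logic of the rewrite rule in Python and runs a few constructed requests through it. It copies the three regexes from the .htaccess verbatim and applies mod_rewrite's combination rule (consecutive RewriteConds are ANDed unless one carries [OR]); the Request type, scenario names and the `is_forbidden`/`evaluate` helpers are my own, not Apache's. It shows that the same POST with and without a Referer header gets different verdicts, that a browser or proxy that strips Referer is treated like a bot, and that the `^(.*)?wp-admin$` pattern only covers a URI ending in `wp-admin`.

```python
"""Emulation of the .htaccess rule's decision logic (added example, not
code from the original page). Reproduces which requests the rule rejects
with 403 and which it lets through; it is not Apache itself."""
import re
from typing import Dict, NamedTuple


class Request(NamedTuple):
    method: str    # REQUEST_METHOD
    uri: str       # REQUEST_URI as Apache sees it, e.g. "/wp-login.php"
    referer: str   # HTTP_REFERER header value; "" when the header is absent


# Patterns copied verbatim from the .htaccess in the question.
# [NC] on the referer condition means case-insensitive matching.
REFERER_OK = re.compile(r"^https://(.*)?my-domain.com", re.IGNORECASE)
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")


def is_forbidden(req: Request) -> bool:
    """True when 'RewriteRule ^(.*)$ - [F]' fires, i.e. the server answers 403.

    mod_rewrite ANDs consecutive RewriteConds unless a condition carries
    [OR], so the rule reads:
        POST AND referer-does-not-match AND (wp-login.php URI OR wp-admin URI)
    """
    is_post = req.method.upper() == "POST"
    # The "!" in the .htaccess negates the match: condition is true when the
    # Referer is missing or does not look like it came from my-domain.com.
    referer_missing_or_foreign = REFERER_OK.search(req.referer) is None
    targets_login = (LOGIN_URI.search(req.uri) is not None
                     or ADMIN_URI.search(req.uri) is not None)
    return is_post and referer_missing_or_foreign and targets_login


# Constructed sample requests (hypothetical traffic, not captured data).
SCENARIOS = {
    "browser submitting the login form": Request(
        "POST", "/wp-login.php", "https://my-domain.com/wp-login.php"),
    "bot posting with no Referer": Request("POST", "/wp-login.php", ""),
    "bot posting with Referer set to the site": Request(
        "POST", "/wp-login.php", "https://my-domain.com/"),
    "real user whose browser/proxy strips Referer": Request(
        "POST", "/wp-login.php", ""),
    "GET of the login page": Request("GET", "/wp-login.php", ""),
    "POST to /wp-admin/admin-ajax.php, no Referer": Request(
        "POST", "/wp-admin/admin-ajax.php", ""),
}


def evaluate(scenarios: Dict[str, Request] = SCENARIOS) -> Dict[str, str]:
    """Map each scenario name to the verdict the rule would give it."""
    return {name: ("403 Forbidden" if is_forbidden(req) else "passed through")
            for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:48s} -> {verdict}")
```

Running it shows the rule's whole effect rests on one client-supplied header: the bot that omits Referer is blocked, the identical request with the header added is not, and a legitimate user behind a Referer-stripping browser policy or proxy is locked out. It also shows the rule does nothing for GET requests or for POSTs to other paths under /wp-admin/, since that pattern is anchored to end at `wp-admin`.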
