Does this .htaccess security setting really work?

It appears to prevent any POST requests to wp-login.php that aren’t made from a page on my-domain.com.

When the browser sends a POST request, say after submitting a form, it will include a HTTP Referrer header telling the server where the request came from.

This theoretically prevents bots submitting POST requests directly to wp-login.php as part of a brute force attack, but the HTTP referrer is trivial to fake, so it’s not actually all that helpful.

Related Posts:

  1. Improve wordpress security by hiding non public resources
  2. File and directory permissions
  3. Using “wordpress_logged_in” to restrict direct access to uploads folder in 2021
  4. WordPress URL/Folder ReWrite using Htaccess
  5. Which WordPress scripts need to be executable for a fresh installation?
  6. Blocking access to wp-login via htaccess not working
  7. Attach to wp-login.php and xmlrpc.php
  8. XMLRPC filtering through htaccess not working
  9. Restricting user login by IP address
  10. WordPress: Adding Security
  11. How do I test to ensure that my wp-config file is protected?
  12. WordPress not seeing .htaccess rules
  13. Rules in .htaccess only if the requested URL is /wp-admin
  14. Disable directory browsing of uploads folder
  15. Strange behaviour of is_user_logged_in() and get_current_user_id()
  16. Selectively Disabling PHP via .htaccess in Root Directory
  17. Should I prevent access to .htaccess and wp-config.php files?
  18. Blocking wp-login in HTACCESS has also blocked password protected pages
  19. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  20. Using htaccess to prevent spam through wp-comments-post.php
  21. How can I create a private site that is inaccessible from the outside?
  22. Restrict Content for only Contributors via .htaccess
  23. Allowing access to certain WordPress created pages or posts with htaccess / htpasswd
  24. Why is this line of code Wrong in every WordPress .Htaccess security article?
  25. Default .htaccess file for WordPress?
  26. Security and .htaccess
  27. htaccess disable WordPress rewrite rules for folder and its contents
  28. How disable SSL redirect for specific URL?
  29. WordPress site displaying 404 for any page apart from index
  30. Which ways can be used to log in to WordPress?
  31. Why does the header set X-Robots-Tag apply to all pages?
  32. How to change “wp-admin” to something else without search-replacing the core?
  33. Error:406 not acceptable
  34. .htaccess Rewrite URL WordPress
  35. A plugin changes my .htaccess file and I can’t access httpd.conf as that’s a shared server
  36. Cant block wordpress readme files
  37. WordPress keeps deleting .htaccess file
  38. How can I code my plugin to safely modify .htaccess?
  39. Prevent users from browsing through the media galleries
  40. How to modify the .htaccess to force ssl on login and admin pages
  41. HTAccess stops me from accessing WordPress Dashboard links
  42. Server crashed trying to restore wordpress multisite, images are not found pls help
  43. .htaccess rewrite rule puzzle
  44. WordPress Redirect 301 register page
  45. Allow logged in users who doesn’t belong to whitelisted ips
  46. Best way to redirect site in subdirectory to root?
  47. Only expose routes with prefix /wp-json on WordPress using Apache
  48. Missing slash after moving site to subfolder
  49. WildCard SSL with wordpress subdomain
  50. browser caching not disabled after disabling in .htaccess
  51. Transfer to HTTPS – mixed content on main page only [closed]
  52. Htaccess redirect after changing Language URL format
  53. Adding a SSL Certificate
  54. .htaccess Security Header Rules
  55. mod_rewrite loop, redirecting http to https on certain section of wordpress blog
  56. .htaccess in subdir gets ignored by WordPress’ own .htaccess in /
  57. What to write in the htaccess in order to detect browser language and point accordingly?
  58. sitemap contains weird links and does not contain my pages [closed]
  59. .htaccess RewriteCond excluding directories does not work when there is an .htaccess or php.ini in subdirectory
  60. Separate 404 page for WordPress in subfolder
  61. Weird behavior of Dashboard, must be core files
  62. 404 error Additionally 403 Forbidden error on a URL
  63. Conflict with Force SSL and Rewrite Rules
  64. Remove trailing slash after .html extension
  65. Does WP suppresses .htaccess if permalinks are disabled?
  66. Need help rebuilding lost htaccess file
  67. How to rename index.php to home.php
  68. Creating a copy of a website in a subdirectory, wp-admin redirect problem
  69. disable WordPress 404 for one specific page/folder to receive actual php errors
  70. Troll the hackers by redirecting them
  71. .htpasswd asking for authentication on home page
  72. WordPress login fail after .htaccess domain redirect
  73. Redirect to new domain with .htaccess [closed]
  74. I am new in word pres my font awesome is not allow
  75. Access sub-domain when root public_html is protected with .htaccess password
  76. Redirect https://www.subdomain.domain.com is not redirecting to subdomain.website.com [closed]
  77. Can’t access htaccess [closed]
  78. .htaccess redirect not properly working [ ?utm_source=]
  79. hide theme files for admin beneath root
  80. Why my WordPress Site Asking for HTTP Authentication?
  81. Iterating users while user iteration is suppressed
  82. htaccess redirects invalid request to home page not 404
  83. Deny php execution in /wp-includes – using .htaccess in /wp-includes VS root folder
  84. Downloading zip or tar.gz inside WordPress installation?
  85. WordPress permalinks is wrong. It wants me to change my htaccess file. But then site crashes
  86. How to move wordpress website from hosting account to localhost
  87. Clicking PUBLISH Now Redirects to 404 PAGE NOT FOUND
  88. Unable to find ‘full-path’ to my 404.php file
  89. Use htaccess to redirect wordpress non-existent page to homepage
  90. WordPress RSS feed to external XML
  91. Does htaccess password keep search engines out?
  92. Need to edit htaccess while moving on WordPress
  93. block seacrh engines for all pages EXCEPT homepage
  94. Issue after changing permalink structure [duplicate]
  95. My WP site and password was hacked, what to do? [closed]
  96. rewrite rule on plugin activation
  97. Url redirection using htacess for my website
  98. htaccess – Server Subdirectory With Different Name Than URL Subdirectory
  99. The connection to “domain” is not secure
  100. cant access website thru www only works on direct xyz.com

Leave a Comment