Hardening
Here you can enable or disable additional protections that harden your WordPress site. Each option is a switch you can turn on or off depending on the site’s needs.

Hardening options
Disable XML-RPC
Disables the xmlrpc.php file. If you do not use external applications to publish to your blog, such as the WordPress mobile app, enable this protection. XML-RPC is one of the most frequently attacked WordPress endpoints.
Restrict REST API
Makes the WordPress REST API respond only to signed-in users. This prevents unauthenticated visitors from querying site information from outside.
Rename login URL
Changes the address of your login page. Instead of using /wp-login.php, which bots know by default, you will sign in through a custom URL that you choose.
Block user enumeration
Prevents attackers from discovering usernames by testing addresses such as ?author=1 or querying the REST API.
Protect common paths
Blocks direct access to sensitive files such as wp-config.php, .htaccess, readme.html, and other files that should not be publicly accessible.
Limit login attempts
After a configured number of failed attempts, the attacker’s IP is temporarily blocked. You can also configure how many minutes that block lasts.
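
One way to confirm from outside that these switches are active on your own site, added here as an example and not the plugin's own code: it requests each path without signing in and lists the ones that are still served. The status-code rule, the `/wp-json/wp/v2/users` route used for the REST check, the `example.test` host and the sample responses are assumptions.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: these statuses mean the resource was served (405 is what an
# enabled xmlrpc.php answers to a GET); any other status counts as blocked.
REACHABLE = {200, 405}

# (option name from this page, path requested without authentication)
CHECKS = [
    ("Disable XML-RPC", "/xmlrpc.php"),
    ("Restrict REST API", "/wp-json/wp/v2/users"),
    ("Rename login URL", "/wp-login.php"),
    ("Block user enumeration", "/?author=1"),
    ("Protect common paths", "/wp-config.php"),
    ("Protect common paths", "/readme.html"),
]

def http_fetch(url):
    """One GET without following redirects; returns (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        conn.request("GET", u.path + (f"?{u.query}" if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()

def audit(base_url, fetch=http_fetch):
    """Map (option, path) -> True when the protection appears active."""
    results = {}
    for option, path in CHECKS:
        status, location = fetch(base_url.rstrip("/") + path)
        # A redirect to an author archive reveals the username in its URL.
        exposed = status in REACHABLE or "/author/" in location
        results[(option, path)] = not exposed
    return results

def failing(results):
    """Sorted 'option: path' labels for every check that is still exposed."""
    return sorted(f"{opt}: {path}" for (opt, path), ok in results.items() if not ok)

# Constructed responses for a hypothetical, partly hardened site.
SAMPLE = {"/xmlrpc.php": (403, ""), "/wp-json/wp/v2/users": (401, ""),
          "/wp-login.php": (200, ""), "/wp-config.php": (403, ""),
          "/?author=1": (301, "https://example.test/author/admin/"),
          "/readme.html": (200, "")}

def sample_fetch(url):
    return SAMPLE[url.split("example.test", 1)[1]]
```

Calling `failing(audit("https://your-site"))` uses the real fetcher; with `sample_fetch` the constructed site reports three gaps: the login URL, author enumeration and readme.html.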