iThemes Security WordPress Tweaks

These are advanced settings that may be utilized to further strengthen the security of your WordPress site.

Note: These settings are listed as advanced because they block common forms of attacks, but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one by one to test that everything on your site is still working as expected.

Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each setting.

File Editor

Disables the file editor for plugins and themes, requiring users to have access to the file system to modify files. Once activated you will need to manually edit the theme and other files using a tool other than WordPress.


  • Enable XML-RPC = XML-RPC is fully enabled and will function as normal.
  • Disable Pingbacks = Your site will not be susceptible to denial of service attacks via the trackback/pingback feature. Other XMLRPC features will work as normal. You need this if you require features such as Jetpack or the WordPress Mobile app.
  • Disable XML-RPC = XML-RPC will be completely disabled by your webserver and is the safest option. This will prevent features such as Jetpack that require XML-RPC from working.

Multiple Authentication Attempts per XML-RPC Request

WordPress' XML-RPC feature allows hundreds of username and password guesses per request.

Disabling this setting prevents attackers from exploiting this feature.

  • Unchecked = Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.
  • Checked = Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.


The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress. By default, it could give public access to information that you believe is private on your site. For more details, you can see our post about the WordPress REST API here.

  • Default Access = Access to REST API data is left as default. Information including published posts, user details, and media library entries is available for public access.
  • Restricted Access = Restrict access to most REST API data. This means that most requests will require a logged-in user or a user with specific privileges, blocking public requests for potentially-private data. We recommend selecting this option.


Login with Email Address or Username

By default, WordPress allows users to log in using either an email address or username. This setting allows you to restrict logins to only accept email addresses or usernames.

Force Unique Nickname

This forces users to choose a unique nickname when updating their profile or creating a new account which prevents bots and attackers from easily harvesting users' login usernames from the code on author pages. Note this does not automatically update existing users as it will affect author feed URLs if used.

Disable Extra User Archives

Disables a user's author page if their post count is 0. This makes it harder for bots to determine usernames by disabling post archives for users that don't post to your site.

Have more questions? Submit a request
Powered by Zendesk