iThemes Security WordPress Tweaks

These are advanced settings that may be utilized to further strengthen the security of your WordPress site.

Note: These settings are listed as advanced because they block common forms of attack, but they can also block legitimate plugins and themes that rely on the same techniques. When activating the settings below, we recommend enabling them one at a time and checking that everything on your site still works as expected.

Remember, some of these settings might conflict with other plugins or themes, so test your site after enabling each one.

Windows Live Writer Header

This header is not needed unless you use Windows Live Writer or another blogging client that relies on this file.

EditURI Header

Removes the RSD (Really Simple Discovery) header. If you don't integrate your blog with external XML-RPC services such as Flickr, the RSD link is of no use to you.
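Both headers are `<link>` tags that WordPress prints from the `wp_head` action. The following is an added example, not iThemes Security's own code, showing the two core callbacks behind them and how a must-use plugin removes each one; the file name is just a suggestion:

```php
<?php
/**
 * Plugin Name: Remove Windows Live Writer and RSD discovery links (added example)
 * Save as wp-content/mu-plugins/remove-discovery-links.php. Not the iThemes Security code.
 */
add_action( 'init', function () {
    // Prints <link rel="wlwmanifest" ... href=".../wp-includes/wlwmanifest.xml" />,
    // the manifest Windows Live Writer reads to discover the site.
    remove_action( 'wp_head', 'wlwmanifest_link' );

    // Prints <link rel="EditURI" type="application/rsd+xml" href=".../xmlrpc.php?rsd" />,
    // which tells blogging clients where the XML-RPC endpoint lives.
    remove_action( 'wp_head', 'rsd_link' );
} );
```

After enabling either tweak, confirm the result by viewing the page source of the home page: the corresponding `<link rel="wlwmanifest">` or `<link rel="EditURI">` tag should be gone. Note that WordPress 6.3 and later no longer print the wlwmanifest link at all, so the first removal is a no-op there.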

Comment Spam

This option cuts down on comment spam by rejecting comments from bots that send no referrer or no identifying user agent.
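A browser that posts a comment form always sends a User-Agent header and, unless a privacy setting strips it, a Referer header; bots that POST straight to wp-comments-post.php often send neither. The following is an added example, not iThemes Security's own code, that applies that check in a must-use plugin; the function and file names are ours:

```php
<?php
/**
 * Plugin Name: Reject comments from clients with no referrer or user agent (added example)
 * Save as wp-content/mu-plugins/comment-headers-check.php. Not the iThemes Security code.
 */

/**
 * Returns true when the submitting client lacks one of the headers browsers normally send.
 */
function example_comment_missing_browser_headers( string $referer, string $user_agent ): bool {
    return '' === trim( $referer ) || '' === trim( $user_agent );
}

// Fires in wp-comments-post.php before the comment is validated or stored.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    $referer    = isset( $_SERVER['HTTP_REFERER'] ) ? (string) $_SERVER['HTTP_REFERER'] : '';
    $user_agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';

    if ( ! example_comment_missing_browser_headers( $referer, $user_agent ) ) {
        return;
    }

    // Record what was missing so legitimate visitors caught by the rule can be identified later.
    error_log( sprintf(
        'Comment on post %d rejected: %s header missing (IP %s)',
        (int) $comment_post_id,
        '' === trim( $referer ) ? 'Referer' : 'User-Agent',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    wp_die(
        __( 'Your comment could not be submitted because your browser did not send the expected request headers.' ),
        __( 'Comment Rejected' ),
        array( 'response' => 403, 'back_link' => true )
    );
} );
```

The referrer half of the rule is the part most likely to catch real visitors: browsers with a `Referrer-Policy: no-referrer` setting or a privacy extension send no Referer header and will be rejected, which is exactly the kind of side effect the note at the top of this page asks you to test for. The log line makes those cases visible.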


File Editor

Disables the file editor for plugins and themes, so that modifying those files requires access to the file system. Once activated, you will need to edit theme and other files with a tool other than WordPress.
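WordPress itself exposes this switch as a constant in wp-config.php. The fragment below is an added example, not iThemes Security's own code, showing the default beside the hardened setting:

```php
<?php
// Added example for wp-config.php (not the plugin's code). Place it above the
// line that reads /* That's all, stop editing! Happy publishing. */

// Default (weak): administrators can edit any theme or plugin file from the dashboard,
// so a hijacked administrator session is enough to change the PHP the site runs.
// define( 'DISALLOW_FILE_EDIT', false );

// Hardened: removes the Theme File Editor and Plugin File Editor screens and makes
// the save requests behind them refuse to write. Change files over SFTP/SSH instead.
define( 'DISALLOW_FILE_EDIT', true );

// Optional, stricter: also blocks plugin and theme installs and updates from the dashboard.
// Use it only when deployments happen outside WordPress (for example from version control),
// since it also hides the update buttons.
// define( 'DISALLOW_FILE_MODS', true );
```

To verify, log in as an administrator: the Appearance and Plugins menus should no longer offer a file editor entry.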


Off = XMLRPC is fully enabled and will function as normal.

Only Disable Trackbacks/Pingbacks = Your site will not be susceptible to denial of service attacks via the trackback/pingback feature, while other XMLRPC features work as normal. Choose this if you require features such as Jetpack or the WordPress Mobile app.

Completely Disable XMLRPC = The safest option: XMLRPC is disabled entirely by your web server. This will prevent features such as Jetpack that require XMLRPC from working.
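The three options map onto a small number of WordPress hooks. The following added example, not iThemes Security's own code, implements them in a must-use plugin selected by a constant of our own naming (`EXAMPLE_XMLRPC_MODE`). One difference from the plugin: the "disable" mode here answers the request from PHP, whereas the setting described above blocks xmlrpc.php at the web server, which is stronger because PHP never runs at all. Note also that pingbacks arrive over XML-RPC but trackbacks are posted to wp-trackback.php, which this code does not touch.

```php
<?php
/**
 * Plugin Name: XML-RPC exposure modes (added example)
 * Save as wp-content/mu-plugins/xmlrpc-modes.php. Not the iThemes Security code.
 *
 * EXAMPLE_XMLRPC_MODE (hypothetical constant, define it in wp-config.php):
 *   'off'          -> XML-RPC left fully enabled (WordPress default)
 *   'no_pingbacks' -> pingback methods and the X-Pingback header removed;
 *                     everything else (Jetpack, mobile apps) keeps working
 *   'disable'      -> every request to xmlrpc.php answered with 403
 */
if ( ! defined( 'EXAMPLE_XMLRPC_MODE' ) ) {
    define( 'EXAMPLE_XMLRPC_MODE', 'no_pingbacks' );
}

// Both hardened modes drop the X-Pingback response header, which advertises the endpoint.
if ( 'off' !== EXAMPLE_XMLRPC_MODE ) {
    add_filter( 'wp_headers', function ( array $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );
}

if ( 'no_pingbacks' === EXAMPLE_XMLRPC_MODE ) {
    // Unregister only the methods a remote site calls to deliver pingbacks.
    add_filter( 'xmlrpc_methods', function ( array $methods ) {
        unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
        return $methods;
    } );
}

if ( 'disable' === EXAMPLE_XMLRPC_MODE ) {
    // xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so this sees every XML-RPC call.
    add_action( 'init', function () {
        if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
            status_header( 403 );
            nocache_headers();
            header( 'Content-Type: text/plain; charset=UTF-8' );
            echo 'XML-RPC services are disabled on this site.';
            exit;
        }
    }, 0 );
}
```

With `'no_pingbacks'` active, a request for `pingback.ping` receives the standard "requested method not found" fault while `wp.getUsersBlogs` and the other authenticated methods behave as before, which is what keeps Jetpack and the mobile app working.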

Multiple Authentication Attempts per XML-RPC Request

WordPress' XML-RPC feature allows hundreds of username and password guesses in a single request. Use the recommended "Block" setting below to prevent attackers from exploiting this feature.

Block = Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.

Allow = Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.
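The hundreds-of-guesses problem comes from the `system.multicall` method, which bundles many method calls into one HTTP request; each bundled `wp.*`, `blogger.*`, `metaWeblog.*` or `mt.*` call performs its own username and password check. The following added example, not iThemes Security's own code, implements the "Block" behaviour by inspecting the raw request body and refusing any multicall that contains two or more such calls, while leaving single-call requests and multicalls of anonymous methods alone. Function and file names are ours.

```php
<?php
/**
 * Plugin Name: Reject XML-RPC multicalls carrying multiple authenticated calls (added example)
 * Save as wp-content/mu-plugins/xmlrpc-multicall-guard.php. Not the iThemes Security code.
 */

/**
 * Count the calls inside a system.multicall body that require a login.
 * Returns 0 for anything that is not a well-formed system.multicall.
 */
function example_count_authenticated_multicall_methods( string $body ): int {
    if ( false === stripos( $body, 'system.multicall' ) ) {
        return 0;
    }
    libxml_use_internal_errors( true );
    // LIBXML_NONET: never fetch external DTDs or entities while parsing untrusted XML.
    $xml = simplexml_load_string( $body, 'SimpleXMLElement', LIBXML_NONET );
    if ( false === $xml || 'system.multicall' !== trim( (string) $xml->methodName ) ) {
        return 0;
    }
    $count = 0;
    // Each inner call is a struct with a "methodName" member; the value may or may not be wrapped in <string>.
    foreach ( $xml->xpath( '//member[name="methodName"]/value' ) as $value ) {
        $method = isset( $value->string ) ? trim( (string) $value->string ) : trim( (string) $value );
        // Methods that work without credentials are not login attempts.
        if ( '' === $method || preg_match( '/^(demo|pingback|system)\./', $method ) ) {
            continue;
        }
        $count++;
    }
    return $count;
}

add_action( 'init', function () {
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST || 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    // php://input can be read again later by xmlrpc.php, so peeking here is safe.
    $body = (string) file_get_contents( 'php://input' );
    if ( example_count_authenticated_multicall_methods( $body ) < 2 ) {
        return; // Single authenticated call, or no multicall at all: let WordPress handle it.
    }

    error_log( sprintf(
        'Blocked XML-RPC multicall with multiple login attempts from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    // Answer with a proper XML-RPC fault so clients see a clean error instead of a hang.
    status_header( 403 );
    header( 'Content-Type: text/xml; charset=UTF-8' );
    echo '<?xml version="1.0"?><methodResponse><fault><value><struct>'
        . '<member><name>faultCode</name><value><int>403</int></value></member>'
        . '<member><name>faultString</name><value><string>Multiple authentication attempts per request are not allowed.</string></value></member>'
        . '</struct></value></fault></methodResponse>';
    exit;
}, 0 );
```

Counting authenticated calls rather than removing `system.multicall` outright is what keeps a client that legitimately batches one authenticated call with some `system.*` or `demo.*` calls working, which is the case the "Allow" option exists for. The log line gives you the volume of blocked attempts per source address for your monitoring.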


The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress. By default, it can expose information that you consider private on your site. For more details, see our post about the WordPress REST API here.

Restricted Access - Restrict access to most REST API data, so that most requests require a logged-in user or a user with specific privileges, blocking public requests for potentially private data. We recommend selecting this option.

Default Access - Access to REST API data is left at the default. Information including published posts, user details, and media library entries is available to the public.
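WordPress lets a plugin veto anonymous REST requests through the `rest_authentication_errors` filter. The following is an added example, not iThemes Security's own code, that requires a logged-in user for every route except a short allowlist of routes that must stay public (here only oEmbed, which other sites call to embed your posts); the constant, function and file names are ours.

```php
<?php
/**
 * Plugin Name: Require a logged-in user for most REST API routes (added example)
 * Save as wp-content/mu-plugins/rest-restrict.php. Not the iThemes Security code.
 */

// Route prefixes that stay public. Hypothetical list: extend it for plugins whose
// front-end forms call the REST API without a logged-in user (contact forms, search).
const EXAMPLE_PUBLIC_REST_PREFIXES = array( '/oembed/1.0' );

/** Decide whether the requested route may be served to an anonymous visitor. */
function example_rest_route_is_public( string $route ): bool {
    $route = '/' . ltrim( $route, '/' );
    foreach ( EXAMPLE_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler (cookie nonce, application password) has already
    // passed (true) or failed (WP_Error); respect its verdict.
    if ( null !== $result ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Works for both pretty (/wp-json/...) and query-string (?rest_route=...) forms.
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    if ( example_rest_route_is_public( (string) $route ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You must be logged in to access this resource.' ),
        array( 'status' => 401 )
    );
} );
```

With this in place, an anonymous request for `/wp-json/wp/v2/users`, the route that lists usernames, returns a 401 JSON error instead of the user list, while the block editor keeps working because its requests carry a logged-in user's cookie and nonce. Any public-facing plugin feature that stops working after enabling the restriction belongs on the allowlist.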


Protect Against Tabnapping

Enabling this feature helps protect visitors to this site (including logged-in users) from phishing attacks launched by a linked site. Details on tabnapping via target="_blank" links can be found in this article.
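The defence is `rel="noopener"` on every link that opens a new tab, which denies the opened page access to `window.opener` and so its ability to redirect the original tab. WordPress core (5.1 and later) already runs `wp_targeted_link_rel()` when post and comment content is saved, but content stored before that, and HTML that never passes through the save filters, can still carry a bare `target="_blank"`. The following is an added example, not iThemes Security's own code, that applies the same core function at render time and handles menu links, which are built from attribute arrays rather than HTML; the file name is ours.

```php
<?php
/**
 * Plugin Name: rel="noopener" on every target="_blank" link at output time (added example)
 * Save as wp-content/mu-plugins/noopener-links.php. Not the iThemes Security code.
 */

// Content filters whose output is HTML: reuse core's wp_targeted_link_rel(), which adds
// rel="noopener" to anchors carrying a target attribute and leaves other markup untouched.
foreach ( array( 'the_content', 'the_excerpt', 'comment_text', 'widget_text_content', 'widget_block_content' ) as $hook ) {
    // Priority 20: run after wpautop and shortcodes have produced the final anchors.
    add_filter( $hook, 'wp_targeted_link_rel', 20 );
}

// Navigation menu items never go through the content filters, so patch their attributes directly.
add_filter( 'nav_menu_link_attributes', function ( array $atts ) {
    if ( isset( $atts['target'] ) && '_blank' === $atts['target'] ) {
        $rel = isset( $atts['rel'] ) ? array_filter( preg_split( '/\s+/', trim( $atts['rel'] ) ) ) : array();
        if ( ! in_array( 'noopener', $rel, true ) ) {
            $rel[] = 'noopener';
        }
        $atts['rel'] = implode( ' ', $rel );
    }
    return $atts;
} );
```

To check the result, inspect a rendered post or menu that contains an external link set to open in a new tab: every such anchor should now read `target="_blank" rel="noopener"` (existing `rel` values such as `nofollow` are preserved).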
