111 Recipes

How to block HTTP/1.* requests to wp-login.php in Apache 2.4

<Files "wp-login.php">
  <If "%{SERVER_PROTOCOL} == 'HTTP/1.1' || %{SERVER_PROTOCOL} == 'HTTP/1.0'">
    Require all denied
  </If>
</Files>

This can be useful under two conditions:

  1. Pages are served via HTTP/2 (exclusively or preferentially)
  2. People are expected to log in via browsers that support HTTP/2: caniuse.com/#feat=http2
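
To check both conditions against real traffic, the following added example (not part of the original recipe) reads Apache access log lines, counts wp-login.php requests per protocol, and lists HTTP/1.x requests that were not answered with 403. It assumes the default "combined" LogFormat; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: the quoted request line (%r) ends with the protocol.
# mod_http2 logs HTTP/2 requests as "HTTP/2.0".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) '
)

def audit_wp_login(lines):
    """Return (requests per protocol, HTTP/1.x requests that did not get 403)."""
    by_proto = Counter()
    not_blocked = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP request line
        # <Files "wp-login.php"> matches the file name in any directory,
        # so compare the last path segment with the query string removed.
        path = m["path"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1] != "wp-login.php":
            continue
        by_proto[m["proto"]] += 1
        if m["proto"] in ("HTTP/1.0", "HTTP/1.1") and m["status"] != "403":
            not_blocked.append((m["ip"], m["method"], m["proto"], int(m["status"])))
    return by_proto, not_blocked

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 403 612 "-" "-"',
    '198.51.100.23 - - [10/Mar/2024:09:16:40 +0000] "GET /wp-login.php HTTP/2.0" 200 4821 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2024:09:16:55 +0000] "POST /wp-login.php?action=login HTTP/2.0" 302 - "-" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Mar/2024:09:20:11 +0000] "POST /blog/wp-login.php HTTP/1.0" 200 3100 "-" "-"',
    '192.0.2.50 - - [10/Mar/2024:09:20:12 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    by_proto, not_blocked = audit_wp_login(SAMPLE)
    for proto, count in sorted(by_proto.items()):
        print(f"{proto}: {count} request(s) to wp-login.php")
    for ip, method, proto, status in not_blocked:
        print(f"NOT BLOCKED: {ip} {method} over {proto} -> {status}")
```

Before deploying the rule, the per-protocol counts show how many logins still arrive over HTTP/1.x; after deploying it, any entry in the second list points to a virtual host or directory where the rule is not in effect.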

Custom error response

The rule will of course block people with older browsers (for example, users of Internet Explorer on systems older than Windows 10). A custom error response can help in this case. Note that, in order to appear in Internet Explorer, the response must be at least 512 bytes.

How to add a custom error response to the rule:

<Files "wp-login.php">
  <If "%{SERVER_PROTOCOL} == 'HTTP/1.1' || %{SERVER_PROTOCOL} == 'HTTP/1.0'">
    Require all denied
    ErrorDocument 403 "\
      Forbidden: Logging in requires a newer browser.\
      <!--\
        PADDING FOR INTERNET EXPLORER\
        The purpose of this comment is to\
        increase the size of the response to at least 512 bytes.\
        By default Internet Explorer shows its own friendly message\
        if the response is smaller than 512 bytes.\
      -->\
    "
  </If>
</Files>