op111.net

How to block HTTP/1.* requests to wp-login.php in Apache 2.4

Blocking HTTP/1.0 and HTTP/1.1 requests to wp-login.php can be useful under two conditions:

  1. Pages are served via HTTP/2 (exclusively or preferentially)
  2. People are expected to log in via browsers that support HTTP/2: caniuse.com/#feat=http2

The Apache rule

<Files "wp-login.php">
  <If "%{SERVER_PROTOCOL} == 'HTTP/1.1' || %{SERVER_PROTOCOL} == 'HTTP/1.0'">
    Require all denied
  </If>
</Files>
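
One way to confirm the rule is working is to audit the access log for wp-login.php requests by protocol and status. This is an added example, not part of the original post; it assumes Apache's common/combined log format, and the function name and the sample log lines are constructed for illustration.

```python
import re

# Request portion of Apache's common/combined log format:
#   host ident user [time] "METHOD PATH PROTOCOL" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d(?:\.\d)?)" '
    r'(?P<status>\d{3}) '
)
BLOCKED_PROTOCOLS = {"HTTP/1.0", "HTTP/1.1"}  # the two values the rule tests

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 612 "-" "curl/8.5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:00:05 +0000] "GET /wp-login.php HTTP/2.0" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "GET /blog/wp-login.php?action=register HTTP/1.0" 200 4321 "-" "-"',
    '192.0.2.44 - - [10/Mar/2024:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:10:00:13 +0000] "-" 408 - "-" "-"',
]

def audit_wp_login(lines):
    """Sort wp-login.php requests into blocked / leaked / allowed."""
    result = {"blocked": [], "leaked": [], "allowed": []}
    for line in lines:
        m = REQUEST_RE.match(line)
        if m is None:
            continue  # e.g. timeouts logged with "-" as the request line
        # <Files> matches the file name in any directory, so look at path
        # segments and ignore the query string.
        if "wp-login.php" not in m["path"].split("?", 1)[0].split("/"):
            continue
        entry = (m["ip"], m["method"], m["proto"], int(m["status"]))
        if m["proto"] not in BLOCKED_PROTOCOLS:
            result["allowed"].append(entry)   # rule does not apply (HTTP/2)
        elif entry[3] == 403:
            result["blocked"].append(entry)   # rule denied the request
        else:
            result["leaked"].append(entry)    # HTTP/1.x got through: review
    return result

if __name__ == "__main__":
    for bucket, entries in audit_wp_login(SAMPLE_LOG).items():
        print(bucket, entries)
```

Any entry under "leaked" is an HTTP/1.x request to wp-login.php that was not answered with 403, which points to a virtual host or directory where the rule is not in effect.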

Custom error response

The rule above will of course block older browsers (e.g., Internet Explorer on systems older than Windows 10). A custom error response can help in this case. Note that, in order to appear in Internet Explorer, the response must be at least 512 bytes.

How to add a custom error response to the rule:

<Files "wp-login.php">
  <If "%{SERVER_PROTOCOL} == 'HTTP/1.1' || %{SERVER_PROTOCOL} == 'HTTP/1.0'">
    Require all denied
    ErrorDocument 403 "\
      Forbidden: Logging in requires a newer browser.\
      <!--\
        PADDING FOR INTERNET EXPLORER\
        The purpose of this comment is to\
        increase the size of the response to at least 512 bytes.\
        By default Internet Explorer shows its own friendly message\
        if the response is smaller than 512 bytes.\
      -->\
    "
  </If>
</Files>