How to secure my Wordpress Website user login?

Support and Discussion
,
1

This is my htaccess file my Permissions are: -rw-r–r–
I try Purge my Cloudflare and purge my LiteSpeed Cache Toolbox v5.3.2
Purge All Purge the cache entries created by this plugin except for Critical CSS & Unique CSS & LQIP caches

Nothing seems to work, any ideias i dont wanna use plugins if possible i also dont wanna write code on a child theme

# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule \.litespeed_conf\.dat - [F,L]

### marker CACHE RESOURCE start ###
RewriteRule wp-content/.*/[^/]*(responsive|css|js|dynamic|loader|fonts)\.php - [E=cache-control:max-age=3600]
### marker CACHE RESOURCE end ###

### marker FAVICON start ###
RewriteRule favicon\.ico$ - [E=cache-control:max-age=86400]
### marker FAVICON end ###

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} "image/webp"
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
RewriteCond %{HTTP_USER_AGENT} iPhone.*Version/(\d{2}).*Safari
RewriteCond %1 >13
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###

</IfModule>
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# Block access to /author/
RewriteRule ^author/(.*)$ - [R=404,L]

# Block access to /wp-json/wp/v2/users
<FilesMatch "(^|/)wp-json/wp/v2/users">
Order Allow,Deny
Deny from all
</FilesMatch>
</IfModule>

# END WordPress
2

Welcome and Happy New Year @Carmel

To disable WP REST API effectively use a plugin such as WP Hardening – Fix Your WordPress Security if you are not techsavvy. To do it yourself add something like

add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');

to the functions.php file of your theme.

You cannot disable specific WP REST API calls on .htaccess effectively what you can only do effectively is dsable all like

RewriteCond %{REQUEST_URI} ^(.)?wp-json(.)$
3

How about you try this and tell me if it works

RewriteEngine on
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^wp\-json/wp/v2/users$ https://mydomain.com/? [R=301,L]

change mydomain.com to your wordpress site domain

4

thanks for reply so fast i gonna try, do i really need use RewriteEngine on twice ?

or just use those 2 lines are enough ?:
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^wp-json/wp/v2/users$ https://mydomain.com/? [R=301,L]

Also if it will just redirect its not better use a cloudflare rule for redirect ? i wonder if i use a cloudflare rule if the hacker still gonna be able to access the user name

5

This should not be an issue if you have waf for your wordpress like wordfence etc. Someone knowing your website’s users should not be an issue there is not so much they can do with said information if you have bruteforce protection etc.

Yes You can just place these rules at the end