WordPress is a popular target for attackers, and many default WordPress features can expose your site to security risks. Falcon's security features help you harden your WordPress installation by disabling unnecessary entry points and restricting access.
The settings for security features are available in the Security tab on the Falcon settings page.

Disable REST API for unauthenticated requests
The WordPress REST API is accessible to anyone by default, which can expose sensitive information about your site structure, users, and content. Disabling REST API access for unauthenticated users prevents unauthorized access while still allowing logged-in users and your own applications to use the API. This is especially important if you don't use the REST API for public-facing features, as it reduces your attack surface significantly.
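As an added illustration (not Falcon's own code) of how this kind of restriction is implemented, the mu-plugin below uses WordPress's rest_authentication_errors filter to refuse anonymous REST requests while passing through authenticated ones; the allowlisted route prefix and the file location are assumptions.

```php
<?php
/**
 * Added example, not Falcon's implementation: deny REST API access to
 * unauthenticated visitors. Place in wp-content/mu-plugins/ (assumed path).
 */

// Route prefixes that stay public even for anonymous visitors, e.g. an
// endpoint your own front-end needs. The prefix below is a made-up example.
const EXAMPLE_PUBLIC_REST_PREFIXES = array( '/myapp/v1/public' );

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier handler already decided (WP_Error or explicit true);
    // overriding it would mask that decision, so pass it through unchanged.
    if ( null !== $result ) {
        return $result;
    }

    // Cookie+nonce, application-password or other authenticated requests
    // have already set the current user by this point.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // The REST route is stored in the main WP object's query vars during a
    // REST request (the same place core's rest_api_loaded() reads it).
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '';
    foreach ( EXAMPLE_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result; // explicitly public route, leave it open
        }
    }

    // Anonymous request to a non-public route: answer 401 so clients know
    // that authenticating (not retrying) is the fix.
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You must be logged in to access the REST API.' ),
        array( 'status' => 401 )
    );
} );
```

With the filter active, an anonymous GET to /wp-json/wp/v2/users returns a 401 JSON error instead of the user list, which is the check to run after enabling this kind of setting.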
Disable XML-RPC
XML-RPC is an older WordPress feature that allows remote publishing and management. However, it's commonly exploited for brute force attacks, DDoS attacks, and pingback floods. Disabling XML-RPC protects your site from these attacks and is safe to do unless you use the WordPress mobile app or remote publishing tools. This feature also disables trackbacks and pingbacks, which are often used for spam.
Note: Disabling XML-RPC will break the WordPress mobile app. If you rely on mobile apps to manage your site, you'll need to keep this enabled or use alternative management methods.
Learn more about disabling XML-RPC on WordPress.
Restrict upload file types
By default, WordPress allows uploading many file types, some of which could be malicious if uploaded by unauthorized users. This feature restricts uploads to only common, safe file types:
- images (JPG, JPEG, PNG, GIF, WEBP),
- office files (DOCX, XLSX, PPTX),
- PDF, and
- videos (MP4)
This prevents users from uploading potentially dangerous file types like PHP scripts, executable files, or other code that could compromise your site.
Warning: This applies to all users, including administrators. If you're an admin and need to upload other file types, you'll need to temporarily disable this feature.
Disable detailed login errors
WordPress login errors tell users whether the username or the password is incorrect, which lets attackers confirm valid usernames during brute force attempts. Disabling detailed login errors shows a generic error message instead, so an attacker cannot tell whether a guessed username exists. This is a simple but effective measure that has little impact on legitimate users.
Block AI bots
AI companies use bots to crawl websites and train their models, often without permission and consuming your server resources. This feature blocks common AI crawlers (like GPTBot, ChatGPT-User, Google-Extended, and others) via your robots.txt file. While not foolproof (bots can ignore robots.txt), it signals your intent and may reduce unwanted crawling. This helps protect your content from being used to train AI models and can improve your site's performance by reducing bot traffic.
Force login
This feature requires all visitors to log in before viewing any part of your website. It's useful for private sites, staging environments, development sites, or sites that should only be accessible to registered users. When enabled, non-logged-in users are automatically redirected to the login page. Administrators can still access the site normally after logging in.
Note: This makes your entire site private. Search engines won't be able to index it, and public visitors won't be able to view content. Only enable this if you truly want a private site.