WordPress is a popular target for attackers, and many default WordPress features can expose your site to security risks. Falcon's security features help you harden your WordPress installation by disabling unnecessary entry points and restricting access.
The settings for security features are available in the Security tab on the Falcon settings page.

Comment spam protection
Falcon helps you stop bots from posting spam comments on your site. Your readers won't notice anything, but automated spam tools will get blocked.
When someone loads your comment form, our system waits 2 seconds and then quietly adds an invisible field (a honeypot) to the form in the background. When the comment is submitted, we check whether it was submitted too quickly and whether that field is present.
- Real visitors: Their browser loads the page, they write the comment (which takes more than 2 seconds), the invisible field gets added, and the comment goes through normally.
- Spam bots: They try to submit comments directly without loading the page, so the submission time is shorter than 2 seconds and/or the invisible field is missing, and the comment gets rejected.
This method is great because:
- No annoying CAPTCHAs - Your readers don't have to prove they're human
- Invisible protection - Most people won't even know it's there
- Easy on your site - No extra services or complicated setup needed; Falcon does it for you automatically. All it adds is a few lines of inline JavaScript after the comment form!
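To make the delay-plus-honeypot mechanism concrete, here is an added WordPress plugin fragment (example code, not Falcon's own). The hooks are standard WordPress hooks; the fx_* field names, the HMAC-signed render timestamp, the 2-second threshold and the exemption for logged-in users are assumptions.

```php
<?php
// Added example, not Falcon's code: a delay + honeypot comment check modelled
// on the mechanism above. Hook names are real WordPress hooks; the fx_* field
// names, the HMAC-signed timestamp and the 2-second threshold are assumptions.
const FX_MIN_SECONDS = 2;

// Sign the timestamp the form was rendered with, so a bot cannot forge it.
function fx_sign( $ts ) {
    return hash_hmac( 'sha256', (string) $ts, wp_salt( 'nonce' ) );
}

// Verdict: the timestamp is authentic, at least FX_MIN_SECONDS old, and the
// field that only the browser-side JavaScript adds arrived with the post.
function fx_is_human( array $post, $now ) {
    $ts  = isset( $post['fx_ts'] )  ? (int) $post['fx_ts'] : 0;
    $sig = isset( $post['fx_sig'] ) ? (string) $post['fx_sig'] : '';
    return $ts > 0
        && hash_equals( fx_sign( $ts ), $sig )
        && ( $now - $ts ) >= FX_MIN_SECONDS
        && ! empty( $post['fx_hp'] );
}

// Inside the comment form: the signed render timestamp.
add_action( 'comment_form', function () {
    $ts = time();
    printf(
        '<input type="hidden" name="fx_ts" value="%d">' .
        '<input type="hidden" name="fx_sig" value="%s">',
        $ts, esc_attr( fx_sign( $ts ) )
    );
} );

// After the form: inline JavaScript adds the honeypot field once the delay elapses; bots that post directly never run it.
add_action( 'comment_form_after', function () {
    printf(
        '<script>setTimeout(function(){var f=document.getElementById("commentform");'
        . 'if(!f)return;var i=document.createElement("input");i.type="hidden";'
        . 'i.name="fx_hp";i.value="1";f.appendChild(i);},%d);</script>',
        FX_MIN_SECONDS * 1000
    );
} );

// Before the comment is stored: reject submissions that fail the check (exempting logged-in users is an assumption).
add_filter( 'preprocess_comment', function ( $commentdata ) {
    if ( ! is_user_logged_in() && ! fx_is_human( $_POST, time() ) ) {
        wp_die( 'Your comment was rejected by the spam check.', '', array( 'response' => 403 ) );
    }
    return $commentdata;
} );
```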
Disable REST API for unauthenticated requests
The WordPress REST API is accessible to anyone by default, which can expose sensitive information about your site structure, users, and content. Disabling REST API access for unauthenticated users prevents unauthorized access while still allowing logged-in users and your own applications to use the API. This is especially important if you don't use the REST API for public-facing features, as it reduces your attack surface significantly.
Disable XML-RPC
XML-RPC is an older WordPress feature that allows remote publishing and management. However, it's commonly exploited for brute force attacks, DDoS attacks, and pingback floods. Disabling XML-RPC protects your site from these attacks and is safe to do unless you use the WordPress mobile app or remote publishing tools. This feature also disables trackbacks and pingbacks, which are often used for spam.
Note: Disabling XML-RPC will break the WordPress mobile app. If you rely on mobile apps to manage your site, you'll need to keep this enabled or use alternative management methods.
Learn more about disabling XML-RPC on WordPress.
Restrict upload file types
By default, WordPress allows uploading many file types, some of which could be malicious if uploaded by unauthorized users. This feature restricts uploads to only common, safe file types:
- images (JPG, JPEG, PNG, GIF, WEBP),
- office files (DOCX, XLSX, PPTX),
- PDF, and
- videos (MP4)
This prevents users from uploading potentially dangerous file types like PHP scripts, executable files, or other code that could compromise your site.
Warning: This applies to all users, including administrators. If you're an admin and need to upload other file types, you'll need to temporarily disable this feature.
Disable detailed login errors
WordPress login errors tell users whether the username or the password is incorrect, which lets attackers confirm valid usernames during brute force attempts. Disabling detailed login errors shows a generic error message instead, making it harder for attackers to tell whether they've found a valid username. This is a simple but effective security measure that doesn't significantly impact legitimate users.
Block AI bots
AI companies use bots to crawl websites and train their models, often without permission and consuming your server resources. This feature blocks common AI crawlers (like GPTBot, ChatGPT-User, Google-Extended, and others) via your robots.txt file. While not foolproof (bots can ignore robots.txt), it signals your intent and may reduce unwanted crawling. This helps protect your content from being used to train AI models and can improve your site's performance by reducing bot traffic.
Force login
This feature requires all visitors to log in before viewing any part of your website. It's useful for private sites, staging environments, development sites, or sites that should only be accessible to registered users. When enabled, non-logged-in users are automatically redirected to the login page. Administrators can still access the site normally after logging in.
Note: This makes your entire site private. Search engines won't be able to index it, and public visitors won't be able to view content. Only enable this if you truly want a private site.