Recommendations - JayHoltslander/jays-wp-htaccess GitHub Wiki

Security

1. The best threat prevention I have found against bots is the "DENY NO REFERER REQUESTS" option located here. It's turned off by default, so be sure to enable it by uncommenting it and changing "yourblog.com" to your actual website domain. This method:

  1. Is more effective than putting a captcha on your wp-login which many bots can get past.
  2. Isn't as obtrusive as HTTP auth.
  3. Isn't as risky as renaming your wp-admin or wp-login.

Use this in conjunction with a captcha and/or 2FA.
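
A sketch of what a "deny no-referer requests" rule looks like once enabled, added here as an illustration and not copied from this repository's .htaccess. It assumes Apache with mod_rewrite, uses the page's "yourblog.com" placeholder, and answers with 403 Forbidden, which is a choice made for this example.

```apache
# Added example (not the repository's own rule). Replace yourblog.com
# with the site's real domain, as the page instructs.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Only form submissions are filtered; ordinary page views (GET) pass through.
    RewriteCond %{REQUEST_METHOD} =POST

    # Restrict the rule to the login and comment-post endpoints, whether
    # WordPress lives at the web root or in a subdirectory.
    RewriteCond %{REQUEST_URI} (^|/)(wp-login|wp-comments-post)\.php$

    # Match when the Referer is absent or does not point at this site...
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourblog\.com(/|$) [NC,OR]
    # ...or when the client sent no User-Agent at all.
    RewriteCond %{HTTP_USER_AGENT} ^$

    # Refuse the request before PHP and WordPress are invoked.
    RewriteRule ^ - [F]
</IfModule>

# Caveats:
# - Referer and User-Agent are client-supplied headers, so this filters
#   scripts that omit them, not clients that set them deliberately.
#   That is why it is paired with a captcha and/or 2FA.
# - Visitors whose browser or proxy strips the Referer header will also
#   receive 403 on login and comment submission.
```

To check the rule after enabling it, a POST to wp-login.php sent without a Referer header should return 403, while the same POST carrying the site's own URL as Referer should reach WordPress.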