Back-end target settings

WordPress has many important backend entrances (i.e. endpoint) that will affect on the website. In this section, you can set up rules to validate requests for particularly important endpoints among them.

Comment post

It validates requests to wp-comments-post.php.

Note: The request to subscribing to bbPress forum can also be blocked by this option.

XML-RPC

It validates requests to xmlrpc.php.

The plugin Jetpack by WordPress.com will access this endpoint from their servers in United States. Therefore, cooperation with WordPress.com does not work if the country code US is not in “Whitelist of country code” or not in the blacklist.

In such a case, please put IP addresses of Jetpack servers or the AS number AS2635 of Automattic, Inc into “Whitelist of extra IP addresses prior to country code”.

Login form

It validates requests to wp-login.php and wp-signup.php.

Login form target actions

Note: The request to the registration page of BuddyPress can also be blocked by this option.

Admin area

It validates requests to wp-admin/*.php.

Requests to this area would cause a redirection to the login page or unintentional affects on the website due to attacks that exploit vulnerabilities in themes and plugins (in case of being authenticated).

Admin ajax/post

It validates requests especially to wp-admin/admin-ajax.php and wp-admin/admin-post.php.

These endpoints are used as WordPress standard interfaces for themes and plugins to perform their specific tasks. But many vulnerable themes and plugins were out there due to lack of secure coding to use these endpoints.

Find blocked request button

Plugins area

It validates requests to wp-content/plugins/⋯/*.php.

Themes area

It validates requests to wp-content/themes/⋯/*.php.

Force to load WP core” and “Exception” are almost the same as “Plugins area”.

See also