All Security settings explained

Lighthouse – WordPress Performance & Security Plugin

Basic Security

Normalize HTTP(S) scheme

  • Normalize HTTP(S) scheme: Ensures that the URLs on your website use the same protocol (HTTP or HTTPS) as the current page. This can help avoid mixed content warnings and ensure a consistent browsing experience.

Disable XML-RPC

  • Disable XML-RPC: Disables the XML-RPC functionality of WordPress, which can prevent remote access to your site. However, note that some plugins may rely on XML-RPC, so disabling it may cause compatibility issues.

Disallow unauthorized REST requests

  • Disallow unauthorized REST requests: Prevents unauthorized users from making requests to the WordPress REST API. This can enhance security, but it may also affect the functionality of some plugins or themes.

Disable user enumeration

  • Disable user enumeration: Prevents attackers from easily discovering valid usernames on your site by enumerating through user IDs. However, disabling this feature may cause compatibility issues with some plugins or themes.

Brute Force Protection

Enable brute force protection

  • Enable brute force protection: Activates protection against brute force attacks, where bots or hackers attempt to log in to your website using common username and password combinations. Enabling this feature can enhance security by limiting login attempts.


Enable firewall

  • Enable firewall: Activates a firewall to protect your website from various types of attacks. This feature may include blocking malicious IPs, monitoring traffic, and detecting and blocking suspicious activity.

Registration Spam

Check registration spam

  • Check registration spam: Prevents users or bots from registering with disposable or spam email addresses. This helps maintain the integrity of your user database and prevent spam registrations.

Enable Spam Pattern Detection: Periods

  • Enable Spam Pattern Detection: Periods: Detects spammers by checking for email addresses with excessive periods, which can be used to evade filters and deceive recipients.

Akismet integration

  • Akismet integration: Integrates Akismet, a spam detection service, to protect your website from spam registrations. Akismet analyzes form submissions to identify and block spam.

Maximum number of periods allowed in an email address

  • Maximum number of periods allowed in an email address: Sets the maximum number of periods allowed in an email address. Excessive periods can indicate spammy behavior.

Custom error message for blacklisted email addresses

  • Custom error message for blacklisted email addresses: Specifies a custom error message to display when a user tries to register with a blacklisted email address. This helps inform users of the reason for registration failure.

Blacklisted Words

  • Blacklisted Words: Lists words or domains that, if found in a new registration email or username, will result in the registration being banned. Each word or domain should be listed on a separate line.

Blacklist Providers

  • Use external blacklists: Allows you to use external blacklists, such as the official Lighthouse blacklist (4P) or Is Spammy, to automatically ban registrations associated with known spam domains.