Block HTTP request methods

HTTP requests can be made in several ways. Perhaps the best known are the GET and the POST, but web servers support a longer list of options.

  • CONNECT: The CONNECT method establishes a tunnel to the server identified by the resource.
  • DELETE: The DELETE method deletes a specific resource.
  • GET: The GET method requests a representation of a specific resource. Requests that use the GET method should only retrieve data.
  • HEAD: The HEAD method asks for a response identical to that of a GET request, but without the body of the response.
  • OPTIONS: The OPTIONS method is used to describe the communication options for the target resource.
  • PATCH: The PATCH method is used to apply partial modifications to a resource.
  • POST: The POST method is used to send an entity to a specific resource, often causing a change in state or side effects on the server.
  • PUT: PUT mode replaces all current representations of the target resource with the request payload.
  • TRACE: The TRACE method performs a message loop back test along the path to the destination resource.

In the case of WordPress in general, the most common thing is that only the application GET methods are used and POST, being able to extend to HEAD and OPTIONS. The rest of the methods in general are not used and could be blocked.

This means that in the .hatccess file (or in any web server configuration) you could block the methods with a couple of lines such as these:

# Bloquear request method
RewriteCond %{REQUEST_METHOD} ^(connect|delete|head|options|patch|put|trace) [NC]
RewriteRule .* - [F]

Obviously, if you have an API system that requires the corresponding methods, they can be added or removed to taste and needs.

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.