Patchstack Security

Property | Value
description | Patchstack Security
tags | index, doc, mac-starter, plugin, patchstack

Overview

This section documents the recommended Patchstack hardening settings for MAC Starter.

Hardening

General

  • Disable theme editor to protect from potential automated attacks = true
  • Block readme.txt access = true
  • Disable user enumeration to block users from identifying your usernames = true
  • Hide WordPress version in the <meta> tag of the HTML output = false
  • Block WordPress application password feature = true
  • Restrict XML-RPC access to authenticated users only = false
  • Restrict WP REST API access to authenticated users only = false

.htaccess

  • Disable .htaccess features (Check this if you want to stop us from writing to your .htaccess file. Note that the current changes to the .htaccess file will remain.) = false
  • Add security headers (Add security headers to the response by your webserver.) = true
  • Prevent default WordPress file access (Prevent access to such files as license.txt, readme.html and wp-config-sample.php.) = true
  • Block access to debug.log file (Check this if you want to block access to the debug.log file that WordPress creates when debug logging is enabled.) = true
  • Disable index views (Check this if you want to disable directory and file listing.) = true
  • Custom .htaccess rules = empty
  • .htaccess rules location = Appear in bottom

Login protection

  • Allow two factor authentication (Allow your site users to configure 2FA on the Edit my profile page.) = true
  • Block access to wp-login.php (Block access to the default wp-login.php page. This will require you to visit the URL below which will whitelist your IP address for 10 minutes to login.) = false
  • New Login URL = empty
  • Login whitelist = empty
    • https://<my_domain>.com/
  • Automatic Brute-Force IP Ban (Automatically ban IP addresses that fail to login multiple times in a short span of time.) = true
  • Block IP for X minutes = 60
  • After X failed login attempts = 5
  • Over a period of X minutes = 10
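
The three brute-force values above act together as a sliding window per IP address. The following Python sketch is an added example, not Patchstack's code: it replays constructed login events against those values. The function name evaluate, the sample addresses, and the rules that only failed logins count and that a ban clears the counter are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the settings list above.
MAX_FAILURES = 5                    # "After X failed login attempts"
WINDOW = timedelta(minutes=10)      # "Over a period of X minutes"
BAN_TIME = timedelta(minutes=60)    # "Block IP for X minutes"

def evaluate(events):
    """Replay (timestamp, ip, success) events in time order.

    Returns (bans, rejected). Assumption: only failures count and a
    ban clears that IP's counter."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> end of the current ban
    bans = defaultdict(list)        # ip -> [(ban_start, ban_end), ...]
    rejected = []                   # events that arrived during a ban
    for ts, ip, success in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            rejected.append((ts, ip))
            continue
        if success:
            continue
        window = failures[ip]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            banned_until[ip] = ts + BAN_TIME
            bans[ip].append((ts, ts + BAN_TIME))
            window.clear()
    return dict(bans), rejected

# Constructed sample events (documentation-range addresses, not real logs).
T0 = datetime(2024, 1, 1, 12, 0)
def at(minutes):
    return T0 + timedelta(minutes=minutes)

SAMPLE = (
    # 5 failures within 4 minutes, then two more attempts during the ban.
    [(at(m), "203.0.113.10", False) for m in (0, 1, 2, 3, 4, 5, 30)]
    # Failures 3 minutes apart: at most 4 fall inside any 10-minute window.
    + [(at(m), "198.51.100.7", False) for m in range(0, 30, 3)]
    # A user who mistypes twice and then logs in successfully.
    + [(at(1), "192.0.2.44", False), (at(2), "192.0.2.44", False),
       (at(3), "192.0.2.44", True)]
)
```

Calling evaluate(SAMPLE) bans only 203.0.113.10, from 12:04 to 13:04. The spaced-out failures from 198.51.100.7 stay below the threshold, so rate-based banning alone does not cover that pattern.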

Captcha

  • Post comments form = false
  • User login form = false
  • Registration form = false
  • Password reset form = false
  • Version = Cloudflare Turnstile

Resources