Blocking HTTP/1.0 and HTTP/1.1 requests to wp-login.php can be useful under two conditions:
- Pages are served via HTTP/2 (exclusively or preferentially)
- People are expected to log in via browsers that support HTTP/2: caniuse.com/#feat=http2
The Apache rule
<Files "wp-login.php">
    # Deny wp-login.php to any client that speaks HTTP/1.0 or HTTP/1.1
    <If "%{SERVER_PROTOCOL} == 'HTTP/1.1' || %{SERVER_PROTOCOL} == 'HTTP/1.0'">
        Require all denied
    </If>
</Files>
Custom error response
The rule above will of course block older browsers (e.g., Internet Explorer on systems older than Windows 10). A custom error response can help in this case. Note that, in order to appear in Internet Explorer, the response must be at least 512 bytes.
How to add a custom error response to the rule:
<Files "wp-login.php">
    <If "%{SERVER_PROTOCOL} == 'HTTP/1.1' || %{SERVER_PROTOCOL} == 'HTTP/1.0'">
        Require all denied
        # Body sent with the 403; the HTML comment pads it for Internet Explorer
        ErrorDocument 403 "\
Forbidden: Logging in requires a newer browser.\
<!--\
PADDING FOR INTERNET EXPLORER\
The purpose of this comment is to\
increase the size of the response to at least 512 bytes.\
By default Internet Explorer shows its own friendly message\
if the response is smaller than 512 bytes.\
-->\
"
    </If>
</Files>
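To check the second condition before deploying either rule, the access log can show which successful logins still arrive over HTTP/1.x. The following Python script is an added example, not part of the original post; it assumes Apache's combined log format, uses constructed sample lines, and treats a 302 response to a POST as a successful login (WordPress redirects after a successful login).

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
BLOCKED_PROTOCOLS = {"HTTP/1.0", "HTTP/1.1"}  # the protocols the rule denies

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "python-requests/2.31.0"
198.51.100.20 - - [10/Mar/2024:09:05:10 +0000] "GET /wp-login.php HTTP/2.0" 200 4120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.20 - - [10/Mar/2024:09:05:15 +0000] "POST /wp-login.php HTTP/2.0" 302 - "https://example.org/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
192.0.2.44 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 - "https://example.org/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
192.0.2.44 - - [10/Mar/2024:09:30:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
"""

def audit(lines):
    """Tally wp-login.php requests by protocol; list HTTP/1.x logins that succeeded."""
    by_proto = Counter()
    affected = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]  # drop the query string
        if not path.endswith("/wp-login.php"):
            continue
        by_proto[m["proto"]] += 1
        # Assumption: POST answered with 302 = successful login; 200 = form shown again.
        if (m["proto"] in BLOCKED_PROTOCOLS and m["method"] == "POST"
                and m["status"] == "302"):
            affected.add((m["host"], m["agent"]))
    return by_proto, sorted(affected)

if __name__ == "__main__":
    counts, would_lose_access = audit(SAMPLE_LOG.splitlines())
    print("wp-login.php requests by protocol:", dict(counts))
    for host, agent in would_lose_access:
        print("successful HTTP/1.x login, would be denied:", host, agent)
```

Any client listed as a successful HTTP/1.x login is a real user who would start receiving the 403, so an empty list over a representative log period is the signal that the rule is safe to enable.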