HTTP stands for HyperText Transfer Protocol. It’s the foundation of all communication on the web, defining how browsers and servers exchange information. Every time you open a website, your browser sends HTTP requests to the server, which responds with the requested data (like HTML, CSS, images, scripts).
Most legitimate browsers and users use HTTP/1.1 or newer (HTTP/2, HTTP/3).
HTTP/1.0 is very outdated and rarely used by real visitors. However, it’s sometimes used by:
Because HTTP/1.0 lacks many modern features – especially security improvements – it can be exploited for various attacks or evasion tactics. When a server accepts requests in any version without checking, it becomes easier for automated tools to interact with it undetected. Checking the protocol version is a simple but effective filtering signal.
According to the IETF RFC 9110, which defines the current HTTP semantics standard, older versions of the protocol were not designed with today’s threat landscape in mind. That gap is exactly what makes version-based filtering worth considering for any WordPress site that cares about security.
BotBlocker includes an option to block requests that use HTTP/1.0. This is because:
In practice, the share of real human traffic coming through HTTP/1.0 is negligible. Most hosting environments and content delivery networks have moved on entirely. So when a request using that version hits your WordPress site, it is far more likely to be automated than human. BotBlocker uses this as one of several signals to identify and stop unwanted traffic before it reaches your application.
This kind of passive filtering works without any CAPTCHA or challenge page. The visitor never sees anything – valid users get through instantly, while legacy-version requests are stopped at the gate. For site owners dealing with scraping, credential stuffing, or aggressive crawling, this is a low-effort setting that adds a meaningful layer of protection.
You can learn more about how web crawlers behave and how protocol versions factor into bot detection in the Google Search documentation on crawlers. Notably, Googlebot and other major legitimate crawlers use modern protocol versions, so blocking older ones will not harm your search engine indexing.
BotBlocker’s blocking of HTTP/1.0 is optional – by default, it’s off for maximum compatibility. You can turn it on for tighter security.
Before turning this option on, it is worth spending a few minutes reviewing your access logs. If you see a consistent stream of requests using an outdated protocol version with no corresponding user sessions or conversions, that traffic is almost certainly not coming from real people. Enabling the block in that situation is a straightforward call.
If your site serves any kind of embedded content – widgets, APIs, or feeds consumed by third-party systems – check whether those integrations use older clients. Internal monitoring tools or some legacy payment gateways occasionally send requests using outdated libraries. In those cases, you may need to update the integration or whitelist specific IPs before enabling the block site-wide.
For the vast majority of standard WordPress sites running blogs, stores, or service pages, none of that applies. Enabling the block is safe and takes effect immediately without any code changes or server restarts.
Will blocking HTTP/1.0 affect real users?
Almost never – modern browsers don’t use it. If you serve legacy devices, review before enabling.
Is HTTP/2 or HTTP/3 required?
No, but both offer better performance and security. HTTP/1.1 remains standard.
How to enable blocking?
In BotBlocker’s settings, activate the HTTP/1.0 blocking option.
Does this affect SEO or search engine crawlers?
No. Search engines like Google use modern protocol versions. Blocking outdated ones will not affect your rankings or indexing.
Can I see which requests were blocked?
Yes. BotBlocker logs blocked requests so you can review them and adjust your settings if needed.
