Posted By Gregory

Getting Started

No worries. WordPress security is not rocket science anymore.


The plugin has a robust security and anti-spam engine that must be set up correctly. Once you have installed and activated the plugin, it works with default settings, which are pretty safe for most cases. To get the most out of Cerber, you need to configure the plugin according to your needs.

Make sure that Cerber detects IP addresses correctly

  1. Open the What is my IP address page in one browser window and the Cerber Access Lists admin page in another
  2. Compare the IP address from the first page with the IP address under the label Your IP on the Access Lists admin page
  3. You should see two identical IP addresses. If you see two different IP addresses, you have to check My site is behind a reverse proxy in the Main Settings of the plugin and repeat the steps above
  4. If the plugin is still unable to detect IP addresses and the website is not behind a proxy, follow these instructions: Solving problem with incorrect IP address detection
  5. Additional note if your WordPress is under CloudFlare
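
Why the comparison in steps 1 to 3 matters, as an added example that is not WP Cerber's code: behind a reverse proxy the connecting address (REMOTE_ADDR) is the proxy, so the visitor has to be read from X-Forwarded-For, while on a directly exposed site that header is client-controlled and must be ignored. The function names, the 10.0.0.0/8 proxy range and all sample addresses are assumptions made for the illustration.

```php
<?php
// Added illustration, not WP Cerber's code. Addresses and ranges are constructed samples.
// True if $ip lies inside $cidr (IPv4 or IPv6), e.g. "10.0.0.0/8".
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    // Reject invalid input and mixed address families.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) return false;
    $max = strlen($ipBin) * 8;
    if (isset($parts[1]) && !ctype_digit($parts[1])) return false; // malformed prefix
    $bits = isset($parts[1]) ? (int) $parts[1] : $max;
    if ($bits > $max) return false;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (strncmp($ipBin, $netBin, $bytes) !== 0) return false; // whole prefix bytes differ
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF; // leftover high bits of the next byte
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Believe X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is one of our own proxies.
function client_ip(array $server, array $trustedProxies): string
{
    $isTrusted = function (string $ip) use ($trustedProxies): bool {
        foreach ($trustedProxies as $cidr) {
            if (ip_in_cidr($ip, $cidr)) return true;
        }
        return false;
    };
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!$isTrusted($remote)) return $remote; // direct visitor: header is client-controlled
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) { // rightmost entries were appended by proxies
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) break; // malformed chain
        if (!$isTrusted($hop)) return $hop; // first address that is not our proxy
    }
    return $remote; // nothing usable in the header
}

$proxies = ['10.0.0.0/8']; // assumed range of the site's own reverse proxy
$cases = [
    'proxied visitor'       => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'forged entry in chain' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.23'],
    'direct, forged header' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'],
];
foreach ($cases as $label => $server) {
    printf("%-22s %s\n", $label, client_ip($server, $proxies));
}
```

If a security plugin records the proxy address instead of the visitor's, every lockout and access-list rule applies to the proxy, which is why the two addresses in step 3 have to match before relying on any other setting.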

Make sure that you receive email notifications

Once you have activated the plugin, it sends a welcome email to the website admin email address. If you didn’t get that welcome email, make sure that the email address shown on the Notification admin page is correct and that emails from the plugin don’t go to the spam folder. If you didn’t receive the welcome email, most likely you will not receive other important notifications. You can set up alternative or multiple email addresses in the Email Address text field on the Notification admin page.

To test delivery, go to the Main Settings page and click any Click to send test link.

Read more how to set up mobile notifications for your smartphone

Add your home or office IP address to the White Access list

If you work from home or an office on a computer with a static IP address, it’s reasonable to add that IP address (or the entire company network) to the White IP Access list. This achieves two goals: it prevents you from being locked out of your website by chance, and it lets you restrict access to XML-RPC, REST API and other vital parts of WordPress.

Read more how to use Access Lists for WordPress

Enable Custom login page

To hide the default wp-login.php login page from automated attacks, specify your own hidden custom login URL (login page) and turn off wp-login.php. If you use a caching plugin, you have to add your custom login URL to the list of pages not to cache.

How to set up custom login URL

Specify prohibited usernames

Go to the Hardening admin page. If your list is still empty, you definitely have to add the following usernames to it: admin, administrator, manager, editor, user, demo, test.

Read more about prohibited usernames

Enable antispam protection

The Cerber antispam engine is compatible with most form plugins and capable of protecting virtually any form. On the Antispam admin page, check all necessary features under the Cerber antispam engine section. Test the forms on your site. If some features on the website stop working, try enabling Use less restrictive policies (allow AJAX).

Finally, let the plugin clean up the mess with spam comments. Choose whether to deny spam comments completely or only mark them as spam. Turn on automatic moving of spam to trash.

Read more about prohibited usernames

Have a question?

Get help on the plugin support forum


I’m a self-employed developer who has been building software products and services using WordPress for more than seven years. I enjoy partnering with others for interesting and challenging projects. If you’re interested, feel free to contact me.