Security Blog

Hardening WordPress with WP Cerber and NGINX

Working together, these two can dramatically improve the defense of any site.

NGINX is a free, open-source, high-performance HTTP server. WP Cerber is a free, open-source security plugin that protects WordPress-powered sites from intruders and hackers.

How to harden WordPress using WP Cerber and NGINX together

First of all, you need to set up a Custom login URL and check Block direct access to wp-login.php and return HTTP 404 Not Found Error. Check out details here: How to rename wp-login.php. For security reasons, do not set up your custom login URL as “login” or “wp-admin”.

Then you need to block access to the wp-login.php file in the NGINX configuration file. By default, this file is located in the directory /etc/nginx, /usr/local/nginx/conf or /usr/local/etc/nginx.

Add this line to the server section of the NGINX configuration file for your site:

location /wp-login.php { return 404; }

If you don’t use XML-RPC on your site, I highly recommend adding this line as well:

location /xmlrpc.php { return 404; }

Finally, we protect our site and server from being overloaded by attacker’s attempts or automated attempts from stupid bots. Let’s do it using the ability of NGINX to limit the rate of inbound requests. Rate limiting allows you to slow down the rate of inbound requests beyond a specific threshold.

Open the main configuration file nginx.conf and find the http section. Add the following line inside it:

limit_req_zone $binary_remote_addr zone=main:10m rate=60r/m;

Then return to the server section of your site and find the line

location / {

Add this line after the opening curly bracket:

limit_req zone=main burst=10 nodelay;

Changes we have made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted. To load the new configuration, execute in the command line of your server:

service nginx reload
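
To see what rate=60r/m with burst=10 nodelay means for a single client IP, here is an added Python model of the limit_req accounting. It is an illustration written for this page, not NGINX's own code and not from the plugin's author; the function name simulate and the three request timelines are constructed, and rejected requests are shown as 503, the NGINX default status for limit_req.

```python
# Added example: simplified model of NGINX limit_req accounting (not NGINX source).
RATE_PER_MIN = 60  # rate=60r/m from the limit_req_zone line
BURST = 10         # burst=10 from the limit_req line; nodelay = no queueing delay


def simulate(arrivals_ms, rate_per_min=RATE_PER_MIN, burst=BURST):
    """Return one status per request from a single client IP.

    arrivals_ms: request times in milliseconds, in ascending order.
    200 = passed on to WordPress, 503 = rejected by the limiter.
    """
    rate = rate_per_min * 1000 // 60  # milli-requests drained per second
    excess = 0                        # milli-requests above the allowed rate
    last = None                       # time of the last accepted request
    statuses = []
    for now in arrivals_ms:
        if last is None:
            candidate = 0             # first request from this address
        else:
            drained = rate * (now - last) // 1000
            candidate = max(0, excess - drained + 1000)
        if candidate > burst * 1000:
            statuses.append(503)      # rejected; the counter is not advanced
            continue
        excess, last = candidate, now
        statuses.append(200)
    return statuses


# Constructed timelines (not real traffic).
FLOOD = [0] * 30                         # 30 requests in the same millisecond
SUSTAINED = list(range(0, 60_000, 200))  # 5 requests/s for one minute
VISITOR = list(range(0, 40_000, 2_000))  # one page view every 2 seconds

if __name__ == "__main__":
    for name, timeline in (("flood", FLOOD), ("sustained", SUSTAINED),
                           ("visitor", VISITOR)):
        result = simulate(timeline)
        print(f"{name:9} total={len(result):3} "
              f"passed={result.count(200):3} rejected={result.count(503):3}")
```

In the flood case 11 requests pass (one plus the burst of 10) and the rest are rejected; the sustained client gets 70 of 300 through, while the ordinary visitor is never limited.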


Now you and your backend server (powered by Apache, maybe) can relax. These few easy steps clean up inbound traffic from “bad requests” and let the server’s resources serve the “right requests”.

I’m a self-employed developer who builds software products and services using WordPress for more than seven years. I enjoy partnering with others for interesting and challenging projects. If you’re interested, feel free to contact me.