Security Blog
Security Blog
Posted By Gregory

Hardening WordPress with WP Cerber


It’s very important to have WordPress protected and it’s easy to do this by using built-in WP Cerber security functions. All these settings are mandatory for most sites in the Internet. If you need, in some custom case, these function being accessible from some host or network you can easily add IP or network to the White IP Access List.

Stop user enumeration

This block access to the author pages like /?author=N where N is a random number. Intruders and hackers can easily find out all logins of all the users from your site just scanning numbers from 1 to any number they wish. This behavior is active in the WordPress by design and hackers around the world love it. After activating this setting site will return 404 Page Not Found.

Disable XML-RPC

Block access to the XML-RPC server including Pingbacks and Trackbacks. Do you know that hackers is using this hidden entrance to find out logins stealthily? Do you have a CAPTCHA or reCAPTCHA on the login form to protect from the bots? Don’t be silly, modern bots are using XML-RPC and WP REST API to brute-force your site and you don’t even know how and when they are doing that because CAPTCHA is not working for XML-RPC requests. Nowadays XML-RPC makes hackers happy and they love it a lot. After activating this setting site will return 404 Page Not Found.

Disable feeds

Block access to the RSS, Atom and RDF feeds. That does not allow hackers to find out what kind of software is installed on your site and collect additional helpful information to adjust further attacks to your site. After activating this setting site will return 404 Page Not Found.

Disable REST API

Block access to the WordPress REST API. Ability to send invisible requests to the core of your site makes hackers even happier than ability to hack sites using XML-RPC. If you don’t use WordPress REST API disable it!

Note: All these settings do not affect hosts from the White IP Access List and you can easily allow, for instance, publishing posts via XML-RPC for your IP just adding IP to the White IP Access List.

If you have root access to your web server I also recommend to use those tips: Hardening WordPress with WP Cerber and NGINX


I’m a self-employed developer who builds software products and services using WordPress. I’m available for hire and enjoy partnering with others for interesting and challenging projects. If you’re interested in hiring me, feel free to contact me.

View Comments