Posted By Gregory

Getting Started with WP Cerber Security

No worries. WordPress security is not rocket science anymore.


After installing and activating the plugin, it automatically loads a set of essential settings. These enable WP Cerber to effectively protect your WordPress. However, for optimal use of WP Cerber and to ensure the highest level of protection for your website, thoughtful configuration of the plugin is necessary.

1. Make sure that Cerber detects IP addresses correctly

  1. Open the What is my IP address page in your browser
  2. Open a second browser tab (window) and go to the Tools / Diagnostic tab of your WP Cerber installation on your website.
  3. Find the “Your IP address is detected as” row in the “System Info” section.
  4. Compare the IP address on the What is my IP address page to the IP address shown in the “Your IP address is detected as” row.
  5. You should see two identical IP addresses. If you see two different IP addresses, you need to check My site is behind a reverse proxy in the Main Settings of the plugin and repeat the steps above.
  6. If you still see two different IP addresses and the website is not behind a proxy, follow these instructions: Solving problem with incorrect IP address detection
  7. One more step if your WordPress is under Cloudflare

2. Enable loading the plugin in Standard mode

Go to the Main Settings and set the Load security engine setting to Standard mode.

3. Make sure that you receive email notifications

When you activate the plugin, it sends a welcome email to the website admin email. If you didn’t get the welcome email, make sure that the email address that you see on the Notifications tab is correct and emails from the plugin don’t go to the spam folder. If you didn’t receive the welcome email, most likely, you will not receive other important notifications. You can enter alternative email addresses in the Email Address text field. To test out the delivery, click any Click to send test link.

Read more: How to set up mobile notifications on your smartphone

4. Enable your custom login and registration page

To hide the default wp-login.php WordPress login page from automated attacks and spam registrations, specify your own Custom login URL (login page) and turn off wp-login.php. Note: If you use a caching plugin (like W3 Total Cache or WP Super Cache), you have to add your custom login URL to the list of pages not to cache.

How to set up Custom login URL for WordPress

5. Add your home or office IP address to the White IP Access list

If you work from home or an office on a computer with a static IP address, it’s reasonable to add that IP address (or the entire company network) to the White IP Access List. You can achieve two goals. It prevents you from being locked out of your website by chance and enables you to restricts access to XML-RPC, REST API, and other vital parts of  WordPress.

Read more: How to use Access Lists for WordPress

6. Enable spam protection

The Cerber’s anti-spam engine is compatible with most WordPress form builders and capable to protect virtually any form. On the Anti-spam admin page enable all necessary features under the Cerber anti-spam engine section. Once you’ve enabled anti-spam, make sure that forms on your site work normally. If some of the features on the website stopped working, enable Use less restrictive policies (allow AJAX).

Finally, let the plugin clean up the mess with spam comments. Choose deny spam comments completely or only mark them as spam. Turn on automatic moving spam to trash.

7. Restrict access to REST API and XML-RPC

  1. Go to the Hardening admin page.
  2. Check Disable REST API. Specify namespace exceptions for REST API if it’s needed. For instance, if you use Contact Form 7, the namespace is contact-form-7, and for Jetpack it’s jetpack.
  3. Check Allow REST API for logged in users if you want to allow using REST API for any authorized WordPress user without limitation.
  4. Check Disable XML-RPC if you don’t use the Jetpack plugin. If you use XML-RPC from specific hosts only, add their IP addresses to the White IP Access List.

Read more: Restrict access to WordPress REST API

8. Specify a list of prohibited usernames

Go to the plugin Users admin page and, if your list is still empty, it’s advised to put on that list the following usernames: admin, administrator, manager, editor, user, demo, test.

Read more about prohibited usernames

9. Enable Two-Factor Authentication

To protect users’ accounts and prevent account takeover, enable two-factor authentication. It provides an additional layer of security requiring a second factor of identification beyond just a WordPress username and password.

Read more: Two-Factor Authentication for WordPress

10. Enable automatic updates for WP Cerber

Regular updates of WP Cerber are crucial for strong WordPress security, as we continuously enhance its algorithms, implement protection against emerging threats, and fix software bugs. You can enable them in a couple of clicks: How to enable automatic updates for WP Cerber.

11. Enable form fields masking for Traffic Inspector

If you’ve enabled saving form fields to the log (Save request fields is enabled) and you use a plugin that generates the login form for your website, you have to add the name of the password form field to the Mask these form fields on the Traffic Inspector settings page. WP Cerber always masks the password field on the default WordPress login form and the following form fields: ‘pwd’, ‘pass’, ‘password’.

Traffic Inspector and logging how to

12. Enable sending malicious IP addresses to the Cerber’s lab

Let the plugin team improve security algorithms in the plugin and optimize its performance. Go to the Main Settings, under the Activity section enable Cerber Lab connection. For better security, set Cerber Lab protocol to HTTPS. Read more about Cerber Lab.

13. Enable mobile alerts and email notifications

If you want to keep eye on a specific activity or be notified when a user has registered or logged in to your website, filter out a specific activity on the Activity tab and click the Create Alert. Read more: WordPress notifications made easy.

Have a question or need help with WP Cerber?

Get your license key to unlock professional security features

I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.