No worries. WordPress security is not rocket science anymore.
Once you have installed and activated the plugin, it defends WordPress with its default settings. They are pretty safe for most cases. To get the most out of Cerber, you need to configure the plugin properly, though.
1. Make sure that Cerber detects IP addresses correctly
- Open the What is my IP address page in a browser window and the Cerber Access Lists admin page in another
- Compare the IP address on the What is my IP address page to the IP address under the Your IP label on the Access Lists admin page
- You should see two identical IP addresses. If you see two different IP addresses, you need to check My site is behind a reverse proxy in the Main Settings of the plugin and repeat the steps above
- If you still see two different IP addresses and the website is not behind a proxy, follow these instructions: Solving problem with incorrect IP address detection
- One more step if your WordPress is under CloudFlare
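Why the two addresses can differ, shown as an added example (a model written for this guide, not the plugin's code): behind a reverse proxy the connection's peer address is the proxy, and the visitor's address arrives in a forwarding header that is only meaningful when a known proxy wrote it. The `trusted_proxies` list and all addresses below are assumptions made for the illustration.

```python
import ipaddress

def detect_client_ip(remote_addr, headers, behind_proxy, trusted_proxies=()):
    """Return the address a request should be attributed to.

    remote_addr     -- peer address of the TCP connection
    headers         -- request headers, names lower-cased
    behind_proxy    -- models the "My site is behind a reverse proxy" choice
    trusted_proxies -- networks of your own proxies (assumption of this example)
    """
    if not behind_proxy:
        return remote_addr  # forwarding headers are ignored entirely
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    raw = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    hops.append(remote_addr)
    # Walk from the nearest hop outwards: the first address that is not
    # one of our own proxies is the visitor.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not any(addr in net for net in nets):
            return str(addr)
    return remote_addr

def leftmost_forwarded(headers, remote_addr):
    """Weak variant for comparison: believes whatever the header says."""
    raw = headers.get("x-forwarded-for", "")
    return raw.split(",")[0].strip() or remote_addr

# Constructed sample values (documentation address ranges).
PROXY = "203.0.113.10"
VISITOR = "198.51.100.7"
VIA_PROXY = {"x-forwarded-for": VISITOR}
CLIENT_SUPPLIED = {"x-forwarded-for": "192.0.2.1"}  # header set by the client itself

if __name__ == "__main__":
    # Proxy in front, setting off: every visitor looks like the proxy.
    print(detect_client_ip(PROXY, VIA_PROXY, False))
    # Proxy in front, setting on: the visitor's own address is recovered.
    print(detect_client_ip(PROXY, VIA_PROXY, True, [PROXY + "/32"]))
    # No proxy in front: the header is not written by a trusted hop.
    print(detect_client_ip(VISITOR, CLIENT_SUPPLIED, True, [PROXY + "/32"]))
    print(leftmost_forwarded(CLIENT_SUPPLIED, VISITOR))
```

The first case is the mismatch step 1 asks you to look for: lockouts and access lists would then act on the proxy's address instead of the visitor's. The last two lines show why the proxy setting belongs only on sites that really sit behind a proxy.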
2. Make sure that you receive email notifications
Once you have activated the plugin, it sends a welcome email to the website admin email address. If you didn’t get the welcome email, make sure that the email address you see on the Notification admin page is correct and that emails from the plugin don’t go to the spam folder. If you didn’t receive the welcome email, most likely you will not receive other important notifications. You can enter alternative, multiple email addresses in the Email Address text field on the Notification admin page. To test delivery, go to the Main Settings page and click any Click to send test link.
Read more: how to set up mobile notifications on your smartphone
3. Enable loading the plugin in Standard mode
Go to the Main Settings plugin admin page and set the Load security engine setting to Standard mode.
4. Add your home or office IP address to the White Access list
If you work from home or an office on a computer with a static IP address, it’s reasonable to add that IP address (or the entire company network) to the White IP Access List. This achieves two goals: it prevents you from being locked out of your website by chance and restricts access to XML-RPC, REST API and other vital parts of WordPress.
Read more: how to use Access Lists for WordPress
5. Enable Custom login and registration page
To hide the default wp-login.php WordPress login page from automated attacks and spam registrations, specify your own Custom login URL (login page) and turn off wp-login.php. Note: If you use a caching plugin (like W3 Total Cache or WP Super Cache), you have to add your custom login URL to the list of pages not to cache.
How to set up Custom login URL for WordPress
6. Enable antispam protection
The Cerber antispam engine is compatible with most form builders and capable of protecting virtually any form. On the Antispam admin page, check all necessary features under the Cerber antispam engine section. Make sure that forms on your site work fine. If some of the features on the website stop working, enable Use less restrictive policies (allow AJAX).
Finally, let the plugin clean up the mess with spam comments. Choose whether to deny spam comments completely or only mark them as spam. Turn on automatic moving of spam to trash.
- How to stop spam user registrations on your WordPress
- How to stop spam form submissions on your WordPress
- How to set up reCAPTCHA for WordPress
7. Restrict access to REST API and XML-RPC
- Go to the Hardening admin page.
- Check Disable REST API. Specify namespace exceptions for REST API if it’s needed. For instance, if you use Contact Form 7, the namespace is contact-form-7; for Jetpack it’s
- Check Allow REST API for logged in users if you want to allow any authorized WordPress user to use the REST API without limitation.
- Check Disable XML-RPC if you don’t use the Jetpack plugin. If you use XML-RPC from specific hosts, add their IP addresses to the White Access List.
Read more: Restrict access to WordPress REST API
8. Specify a list of prohibited usernames
Go to the plugin Users admin page and, if your list is still empty, you definitely have to add the following usernames to that list: admin, administrator, manager, editor, user, demo, test.
Read more about prohibited usernames
9. Set up form fields masking for Traffic Inspector
The Cerber Security plugin logger always masks the password field on the default WordPress login form and the following form fields: ‘pwd’, ‘pass’, ‘password’. If you’ve enabled saving form fields to the log (Save request fields is enabled) and you use a plugin that generates a login form like some membership or pop-up login form plugins do, you have to add the name of the password form field(s) to the Mask these form fields field on the Traffic Inspector settings page.
Traffic Inspector and logging how to
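To find out which names have to go into Mask these form fields, inspect the login form your membership or pop-up plugin renders. The following added example (not the plugin's code) lists the password inputs in a form that the default mask list does not cover and shows the effect on a logged request. The sample form, its field names and the assumption that masking matches field names exactly are constructed for the illustration.

```python
from html.parser import HTMLParser

# Field names the guide says the logger always masks.
DEFAULT_MASKED = {"pwd", "pass", "password"}

class _PasswordInputs(HTMLParser):
    """Collects the name attribute of every <input type="password">."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_password = (a.get("type") or "").lower() == "password"
        if tag == "input" and is_password and a.get("name"):
            self.names.append(a["name"])

def fields_to_add(form_html, already_masked=DEFAULT_MASKED):
    """Password field names in the form that are not masked yet."""
    parser = _PasswordInputs()
    parser.feed(form_html)
    missing = []
    for name in parser.names:
        if name not in already_masked and name not in missing:
            missing.append(name)
    return missing

def mask_fields(fields, masked):
    """What a log entry would keep, assuming exact name matching."""
    return {k: ("*****" if k in masked else v) for k, v in fields.items()}

# Constructed login form from a hypothetical membership plugin.
SAMPLE_FORM = """
<form method="post" action="/members/login">
  <input type="text" name="member_login">
  <input type="password" name="member_pwd">
  <input type="PASSWORD" name="member_pwd_confirm" />
  <input type="password" name="pwd">
</form>
"""

if __name__ == "__main__":
    request = {"member_login": "alice", "member_pwd": "s3cret"}
    extra = fields_to_add(SAMPLE_FORM)
    print(extra)                                             # names to add
    print(mask_fields(request, DEFAULT_MASKED))              # secret is logged
    print(mask_fields(request, DEFAULT_MASKED | set(extra))) # secret is masked
```

Run it against the rendered HTML of each login, registration and password-reset form on the site, then check a fresh log entry to confirm the values are masked.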
10. Enable sending malicious IP addresses to the plugin developer
Let the plugin team improve security algorithms in the plugin and optimize its performance, so you will have constantly improving protection for your website. Go to the Main Settings and, under the Activity section, check the Cerber Lab connection checkbox. For better security, set Cerber Lab protocol to HTTPS. Read more about Cerber Lab.
11. Set notifications on events
If you want to keep an eye on a specific activity or be notified when a user has registered or logged in to your website, filter out a specific activity on the Activity tab and click the Subscribe link. Read more: WordPress notifications made easy.