Posted By Gregory

Getting Started

No worries. WordPress security is not rocket science anymore.

Once you have installed and activated the plugin, it defends WordPress with its default settings, which are reasonably safe for most sites. To get the most out of Cerber, though, you need to configure the plugin properly.

1. Make sure that Cerber detects IP addresses correctly

  1. Open the What is my IP address page in one browser window and the Cerber Access Lists admin page in another
  2. Compare the IP address on the What is my IP address page to the IP address shown under the Your IP label on the Access Lists admin page
  3. You should see two identical IP addresses. If you see two different IP addresses, check My site is behind a reverse proxy in the Main Settings of the plugin and repeat the steps above
  4. If you still see two different IP addresses and the website is not behind a proxy, follow these instructions: Solving problem with incorrect IP address detection
  5. One step more if your WordPress is under CloudFlare
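Why this check matters, as an added illustration (this is not WP Cerber's code, and the proxy addresses in it are constructed): behind a reverse proxy the plugin sees the proxy's address in REMOTE_ADDR and has to take the real client address from a forwarded header, yet that header is written by whoever sends the request. It may therefore be trusted only when the direct peer is a proxy you control; otherwise a visitor could present any address they like and lockouts and access lists would apply to the wrong IP. The function below applies exactly that rule.

```php
<?php
// Added example, not WP Cerber's code. Illustrates the rule behind the
// "My site is behind a reverse proxy" setting: a forwarded header may only be
// trusted when the direct peer (REMOTE_ADDR) is a proxy we control.

// Constructed sample addresses of our own reverse proxies.
const EXAMPLE_TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * Resolve the client IP from a $_SERVER-like array.
 *
 * @param array $server       Request environment (REMOTE_ADDR, HTTP_X_FORWARDED_FOR).
 * @param bool  $behind_proxy The "behind a reverse proxy" setting.
 * @param array $trusted      Addresses of the proxies in front of the site.
 */
function example_resolve_client_ip(array $server, bool $behind_proxy, array $trusted): string
{
    $remote = (string) ($server['REMOTE_ADDR'] ?? '');

    // Direct connection, or a peer that is not one of our proxies: any
    // X-Forwarded-For header was supplied by the client and is ignored.
    if (!$behind_proxy || !in_array($remote, $trusted, true)) {
        return $remote;
    }

    $forwarded = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($forwarded === '') {
        return $remote;
    }

    // The header reads "client, proxy1, proxy2, ...". Walk from the right,
    // skipping our own proxies; the first unknown hop is the client.
    $hops = array_map('trim', explode(',', $forwarded));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted, true)) {
            // Accept only a syntactically valid address; otherwise fall back to the peer.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
        }
    }

    // Every hop was one of our proxies; fall back to the peer address.
    return $remote;
}

// Constructed request 1: no proxy in front of the site, but the client sends a
// forged X-Forwarded-For. The header is ignored and the peer address is used.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
var_dump(example_resolve_client_ip($direct, false, EXAMPLE_TRUSTED_PROXIES));

// Constructed request 2: the peer is one of our proxies, so the first hop that
// is not one of our proxies is reported as the client.
$proxied = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.20, 10.0.0.6'];
var_dump(example_resolve_client_ip($proxied, true, EXAMPLE_TRUSTED_PROXIES));
```

This is also why the page's check compares the two addresses: if the plugin reports a proxy or a loopback address as Your IP, every lockout would hit that shared address instead of the actual visitor, and a whitelist entry for your office would never match.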

2. Make sure that you receive email notifications

Once you have activated the plugin, it sends a welcome email to the website admin email address. If you didn't get that welcome email, make sure that the email address shown on the Notification admin page is correct and that emails from the plugin don't go to the spam folder. If you didn't receive the welcome email, most likely you will not receive other important notifications either. You can enter alternative or multiple email addresses in the Email Address text field on the Notification admin page.

To test delivery, go to the Main Settings page and click any Click to send test link.

Read more about how to set up mobile notifications on your smartphone

3. Add your home or office IP address to the White Access list

If you work from home or an office on a computer with a static IP address, it's reasonable to add that IP address (or the entire company network) to the White IP Access List. This achieves two goals: it prevents you from being locked out of your website by accident, and it lets you restrict access to XML-RPC, the REST API and other vital parts of WordPress to trusted addresses only.

Read more about how to use Access Lists for WordPress

4. Enable Custom login page

To hide the default wp-login.php WordPress login page from automated attacks, specify your own hidden custom login URL (login page) and turn off wp-login.php. Note: if you use a caching plugin (like W3 Total Cache or WP Super Cache), you have to add your custom login URL to the list of pages not to cache.

How to set up Custom login URL for WordPress

5. Specify prohibited usernames

Go to the plugin Users admin page. If your list is still empty, you definitely have to put the following usernames on it: admin, administrator, manager, editor, user, demo, test.
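What a prohibited-username list does under the hood, as an added example built on core WordPress hooks (this is not WP Cerber's code, and the function names are illustrative): such names can neither be registered nor used to log in, so guessing attempts against the usual default accounts fail before a password is ever considered.

```php
<?php
// Added example, not WP Cerber's code. Enforces a prohibited-username list with
// two core WordPress hooks: illegal_user_logins (registration and the Add New
// User form) and authenticate (login attempts).

// The usernames the page recommends blocking.
const EXAMPLE_PROHIBITED_LOGINS = ['admin', 'administrator', 'manager', 'editor', 'user', 'demo', 'test'];

/**
 * True when the submitted login is on the list. Comparison is case-insensitive
 * and ignores surrounding whitespace, matching how WordPress normalizes logins.
 */
function example_is_prohibited_login(string $username, array $prohibited): bool
{
    $normalized = strtolower(trim($username));
    return $normalized !== '' && in_array($normalized, $prohibited, true);
}

// Block these names when users register or are created in the admin area.
add_filter('illegal_user_logins', function (array $logins) {
    return array_merge($logins, EXAMPLE_PROHIBITED_LOGINS);
});

// Reject login attempts with a prohibited username. Priority 100 runs after the
// core username/password and cookie handlers (priorities 20 and 30), so the
// rejection is final even if such an account exists and the password is right.
// A generic message avoids telling the client whether the account exists.
add_filter('authenticate', function ($user, $username) {
    if (is_string($username) && example_is_prohibited_login($username, EXAMPLE_PROHIBITED_LOGINS)) {
        return new WP_Error('prohibited_username', 'Invalid username or password.');
    }
    return $user;
}, 100, 2);
```

Place the file in a small custom plugin or mu-plugins directory to try it; the `illegal_user_logins` filter exists in WordPress 4.4 and later. Blocking the name at the authentication stage is what makes the list useful against automated guessing: the attempt is logged and denied regardless of the password, so the account names attackers try first simply stop being valid targets.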

Read more about prohibited usernames

6. Enable antispam protection

The Cerber antispam engine is compatible with most form builders and capable of protecting virtually any form. On the Antispam admin page, check all necessary features under the Cerber antispam engine section, then test the forms on your site. If some features on the website stop working, try enabling Use less restrictive policies (allow AJAX).

Finally, let the plugin clean up the mess with spam comments. Choose whether to deny spam comments completely or only mark them as spam, and turn on automatic moving of spam to the trash.

7. Restrict access to REST API and XML-RPC

  1. Go to the Hardening admin page.
  2. Check Disable REST API. Specify namespace exceptions for the REST API if needed. For instance, if you use Contact Form 7, the namespace is contact-form-7; for Jetpack it's jetpack.
  3. Check Allow REST API for logged in users if you want to allow any authorized WordPress user to use the REST API without limitation.
  4. Check Disable XML-RPC if you don't use the Jetpack plugin. If you use XML-RPC from specific hosts, add their IP addresses to the White Access List.
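To make concrete what these three settings do, here is an added example that reproduces their effect with core WordPress hooks (this is not WP Cerber's code; the function names are illustrative, and the host-based exception from step 4 is not modelled): anonymous REST requests are refused unless the route belongs to an excepted namespace, logged-in users are not restricted, and XML-RPC methods that require a login are switched off.

```php
<?php
// Added example, not WP Cerber's code. Mirrors the Hardening settings
// "Disable REST API" (with namespace exceptions), "Allow REST API for logged
// in users" and "Disable XML-RPC" using core WordPress filters.

// Namespace exceptions from the page; extend for other plugins you rely on.
const EXAMPLE_REST_NAMESPACES = ['contact-form-7', 'jetpack'];

/**
 * Decide whether a REST request may proceed.
 * $route is the part after /wp-json, e.g. "/contact-form-7/v1/contact-forms/1/feedback".
 */
function example_rest_route_allowed(string $route, bool $logged_in, array $namespaces): bool
{
    if ($logged_in) {
        return true; // "Allow REST API for logged in users"
    }
    foreach ($namespaces as $ns) {
        if ($route === '/' . $ns || strpos($route, '/' . $ns . '/') === 0) {
            return true; // namespace exception, e.g. a contact form submission
        }
    }
    return false; // everything else, including the /wp/v2 core routes
}

/** The REST route WordPress resolved for the current request ("" if none). */
function example_current_rest_route(): string
{
    if (isset($GLOBALS['wp']->query_vars['rest_route'])) {
        return '/' . ltrim((string) $GLOBALS['wp']->query_vars['rest_route'], '/');
    }
    return '';
}

add_filter('rest_authentication_errors', function ($result) {
    // Another handler has already authenticated (true) or rejected (WP_Error) the request.
    if (!empty($result)) {
        return $result;
    }
    if (example_rest_route_allowed(example_current_rest_route(), is_user_logged_in(), EXAMPLE_REST_NAMESPACES)) {
        return $result;
    }
    // 401 rather than 403: the same request may be retried with credentials.
    return new WP_Error('rest_not_logged_in', 'REST API access requires authentication.', ['status' => 401]);
});

// "Disable XML-RPC": makes wp_xmlrpc_server::login() fail, so every XML-RPC
// method that requires authentication is refused.
add_filter('xmlrpc_enabled', '__return_false');
```

Two caveats a practitioner would check: cookie-authenticated REST calls from the WordPress admin (the block editor, for example) carry a nonce and reach this filter already authenticated, so the "logged in users" branch keeps the admin working; and any plugin whose front-end features call the REST API anonymously needs its namespace added to the exception list, which is exactly why the page tells you to test your forms after hardening.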

Why it’s important to restrict access to WordPress REST API

8. Enable sending malicious IP addresses to the plugin developer

Let the plugin team improve the security algorithms in the plugin and optimize its performance, so that the protection of your website keeps getting better. Go to the Main Settings and, under the Activity section, check the Cerber Lab connection checkbox. For better security, set Cerber Lab protocol to HTTPS. Read more about Cerber Lab.

I'm a team lead in Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've been taught to have high standards for myself as well as to apply them in developing software solutions.