WordPress Security
WordPress Security
Posted By Gregory

Hardening WordPress with WP Cerber and NGINX

Working together these two can dramatically improve defense of any site

NGINX is a free, open-source, high-performance HTTP server. WP Cerber is a free, open-source, security plugin which protects WordPress powered sites from intruders and hackers.

How to hardening WordPress using WP Cerber and NGINX together

First of all, you need to set up a Custom login URL and check Block direct access to wp-login.php and return HTTP 404 Not Found Error. Check out details here: How to rename wp-login.php. For security reasons, do not set up your custom login URL as “login” or “wp-admin”.

Then you need to block access to the wp-login.php file in the NGINX configuration file. By default, this file placed in the directory /etc/nginx, /usr/local/nginx/conf or /usr/local/etc/nginx.

Add this line to the server section of the NGINX configuration file for your site:

location /wp-login.php { return 404; }

If you don’t use XML RPC on your site, I highly recommend to add this line also:

location /xmlrpc.php { return 404; }

Finally, we protect our site and server from being overloaded by attacker’s attempts or automated attempts from stupid bots. Let’s do it using the ability of NGINX to limit the rate of inbound requests. Rate limiting allows you to slow down the rate of inbound requests beyond a specific threshold.

Open main configuration file nginx.conf and find the http section. Add the following line inside of it:

limit_req_zone $binary_remote_addr zone=main:10m rate=60r/m;

Then return to the server section of your site and find the line

location / {

add this line after opening curly brackets:

limit_req zone=main burst=10 nodelay;

Changes we have made in the configuration file will not be applied until the command to reload configuration is sent to nginx or it is restarted. To load the new configuration, execute in the command line of your server:

service nginx reload


Now, you and your backend server (powered by Apache maybe) can relax. These several easy steps allow you to clean up inbound traffic from “bad requests” and allow server’s resource to serve “right requests”.

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.

I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments
There are currently no comments.