Security Blog
Posted By Gregory

Hardening WordPress with WP Cerber

It's easy to get WordPress protected by enabling essential WP Cerber Security features.


All suggested settings are highly recommended for most websites on the Internet. If for some reason you need these functions to be accessible from a particular computer or an IP network, you can easily add them to the White IP Access List.

Disable REST API

The plugin blocks access to the WordPress REST API. The ability to send invisible requests to the core of your WordPress makes hackers even happier than the ability to hack websites using XML-RPC. If you don’t use WordPress REST API, disable it!

If you use a plugin that requires REST API to be enabled, enter a namespace exception for that plugin. For instance, if you use Contact Form 7, the namespace is contact-form-7; for Jetpack it’s jetpack. You can specify multiple namespaces in the text field. Enter each on a new line.

Check Allow REST API for logged in users if you want to allow using REST API for any authorized WordPress user without limitation.

Why it’s important to restrict access to the WordPress REST API

Disable XML-RPC

The plugin blocks access to the XML-RPC server including Pingbacks and Trackbacks. Did you know that hackers use this hidden entrance to find out logins stealthily? Do you have a CAPTCHA or reCAPTCHA on your login form to protect it from bots? Don’t be silly: modern bots use XML-RPC and the WP REST API to brute-force your WordPress, and you don’t even know how and when they do that, because no CAPTCHA works for XML-RPC requests. Nowadays XML-RPC makes hackers happy and they love it a lot. After activating this setting your website will return 404 Page Not Found for any XML-RPC request unless you make an exception for hosts with the White IP Access List.

Note: If you use the Jetpack plugin, which needs to communicate with wordpress.com, do not disable XML-RPC.

Stop user enumeration

The plugin blocks access to special author pages like /?author=N and the ability to retrieve user data via the REST API. Intruders and hackers can easily get the logins of all the users on your website just by scanning numbers from 1 to any number they want. This behavior is enabled in WordPress by design and hackers around the world love it a lot. After activating this setting your website will return 404 Page Not Found.

Disable feeds

The plugin blocks access to the RSS, Atom and RDF feeds. This prevents hackers from finding out what kind of software is installed on your website and from collecting additional information to tailor further attacks to your WordPress. After activating this setting your website will return 404 Page Not Found.

Note: None of the settings above affect hosts in the White IP Access List, so you can easily allow, for instance, publishing posts via XML-RPC from the IP address of your home computer just by adding it to the White IP Access List.
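To confirm the settings took effect, request each blocked entry point from outside and check the status code. The script below is an added example, not part of WP Cerber or the original post; the query-string paths are standard WordPress routes, and accepting any 4xx for the REST API is an assumption because only the 404 responses are stated above.

```python
"""Added example: verify the hardening settings described above from outside."""
import urllib.error
import urllib.request

# (label, path, statuses that count as blocked). The 404s are what the post
# states; for the REST API it gives no status, so any 4xx is accepted here
# (assumption). Query-string forms work whatever the permalink settings are.
CHECKS = [
    ("REST API root", "/?rest_route=/", range(400, 500)),
    ("REST user list", "/?rest_route=/wp/v2/users", range(400, 500)),
    ("XML-RPC", "/xmlrpc.php", [404]),
    ("Author archive", "/?author=1", [404]),
    ("RSS feed", "/?feed=rss2", [404]),
    ("Atom feed", "/?feed=atom", [404]),
    ("RDF feed", "/?feed=rdf", [404]),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # An unhardened site answers /?author=1 with a redirect to the author
    # archive; report that 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """Return the status code of a GET request without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, fetch=http_status):
    """Return a list of (label, status, blocked) tuples, one per check."""
    base = base_url.rstrip("/")
    results = []
    for label, path, blocked in CHECKS:
        status = fetch(base + path)
        results.append((label, status, status in blocked))
    return results


def exposed(results):
    """Labels of the entry points that still answer."""
    return [label for label, _status, blocked in results if not blocked]
```

Run `exposed(audit("https://your-site.example"))` against your own site from a host that is not in the White IP Access List and without a logged-in session, otherwise the exceptions described above make the endpoints look open.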

If you have root access to your web server, I also recommend using these tips: Hardening WordPress with WP Cerber and NGINX



I'm a team lead at Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.
