How to protect WordPress effectively: a must-do list
A must-do list to get high-security and durable protection for your website.
To get the most out of WP Cerber’s security algorithms, you should configure all the settings below. Do this thoughtfully, because some settings may conflict with another plugin or with your web server settings. In case of any problem, check the Activity log for related events such as denied requests or blocked IP addresses. Please note that some of the features described below are available in the professional version only.
1. Enable automatic updates
Regular updates of WP Cerber are crucial for strong WordPress security, as we continuously enhance its algorithms, implement protection against emerging threats, and fix software bugs. You can enable them in a couple of clicks: How to enable automatic updates for WP Cerber.
2. Check main settings
- Go to the “Main Settings” page
- Set “Load security engine” to “Standard mode”
- Configure “Custom login URL”
- Set “Processing wp-login.php authentication requests” to “Block access to wp-login.php” or, for a more advanced policy, to “Deny authentication through wp-login.php”
- Enable “Immediately block IP when attempting to log in with a non-existing username”
- Enable “Disable dashboard redirection”
- Optionally enable “Immediately block IP after any request to wp-login.php”
3. Activate security policies on the Hardening tab
The minimal set of settings you have to enable in the Hardening WordPress section:
- “Stop user enumeration”
- “Prevent username discovery via oEmbed”
- “Prevent username discovery via user XML sitemaps”
- “Block access to user pages via their usernames”
- “Block execution of PHP scripts in the WordPress media folder”
- “Disable PHP error displaying”
- “Disable XML-RPC”
We recommend enabling the following settings in the Access to WordPress REST API section:
- “Stop user enumeration / Block access to user data via REST API”
- “Disable REST API”
- “Allow REST API for logged in users”
Read more: Restrict access to REST API
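To show what the hardening policies above change at the WordPress level, here is an added example of plugin-free equivalents of four of them (“Disable XML-RPC”, “Disable REST API” together with “Allow REST API for logged in users”, “Stop user enumeration”, and “Block access to user pages via their usernames”). This is not WP Cerber’s code and does not reproduce its internals; it uses only WordPress core hooks and functions. The file name wp-content/mu-plugins/hardening.php is an assumption, chosen so the code loads before regular plugins.

```php
<?php
/**
 * Added example (not WP Cerber code): manual equivalents of four hardening
 * policies, using WordPress core hooks only. Save as
 * wp-content/mu-plugins/hardening.php (assumed file name).
 */

// "Disable XML-RPC": the core filter xmlrpc_enabled switches off the
// XML-RPC methods that require authentication, which are the ones abused
// for password guessing. xmlrpc.php itself still answers requests.
add_filter( 'xmlrpc_enabled', '__return_false' );

// "Disable REST API" + "Allow REST API for logged in users": reject
// unauthenticated REST requests with 401 but keep the API working for
// logged-in users, because the block editor and admin screens depend on it.
// This also closes the anonymous /wp-json/wp/v2/users listing that the
// "Block access to user data via REST API" policy refers to.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter already decided (true or WP_Error); respect it.
    if ( null !== $result ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
} );

// "Stop user enumeration" + "Block access to user pages via their usernames":
// WordPress answers /?author=N with a redirect to /author/<login>/, which
// reveals the login name, and the author archive itself exposes it too.
// Refuse both for visitors who are not logged in. Priority 1 runs this
// before redirect_canonical(), which core hooks at priority 10.
add_action( 'template_redirect', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 1 );
```

The REST restriction is the setting most likely to cause side effects: any front-end feature that calls the REST API anonymously (contact forms, search widgets, some page builders) will start receiving 401 responses. That is exactly the kind of conflict the introduction tells you to look for in the Activity log before deciding whether to keep the policy.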
4. Enable Traffic Inspector firewall
- Set “Enable traffic inspection” to “Maximum security”
- Set “Enable error shielding” to “Maximum security”
5. Enable scheduled malware scans and automatic malware removal
On the Settings tab, the following settings should be enabled:
- “Scan temporary directory”
- “Scan session directory”
On the Cleaning up tab:
- You have to enable: “Delete unattended files”, “Recover WordPress files”, “Recover plugins files”
- All checkboxes in the “Files in the uploads folder” settings should be checked
6. Enable anti-spam protection even if you think you don’t need it
On the Antispam engine tab, we advise you to enable the following settings:
- “Comment form (Protect comment form with bot detection engine)”
- “Registration form (Protect registration form with bot detection engine)”
- “Other forms (Protect all forms on the website with bot detection engine)”
7. Use GEO rules: block countries you’re not going to do business with
On the Security Rules admin page, configure GEO policies that define which countries are permitted to interact with your website: submit forms, log in, register, and so on. These settings do not prevent search engines from indexing the website.
8. Rename the WordPress plugins folder
Changing the name of the plugins folder is one of the most underestimated ways to strengthen your WordPress protection. And yet it’s free and easy.
Read more: How to rename the WordPress plugins folder
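As an added illustration of the mechanism behind this step (not WP Cerber’s own procedure, which is described in the linked article), WordPress core lets you relocate the plugins directory with two constants in wp-config.php. The folder name “modules” and the site URL https://example.com are constructed values for the example.

```php
<?php
// Added example: WordPress core constants that relocate the plugins folder.
// These lines belong in wp-config.php above the line that requires
// wp-settings.php, because core defines its defaults there if they are
// still undefined. First move wp-content/plugins to wp-content/modules
// (assumed name) on disk, then add:

// Absolute path of the renamed folder. __DIR__ is the directory that
// contains wp-config.php, i.e. the WordPress root in a standard install.
define( 'WP_PLUGIN_DIR', __DIR__ . '/wp-content/modules' );

// Public URL of the same folder; plugins_url() and plugin_dir_url()
// build their URLs from it. https://example.com is a constructed value.
define( 'WP_PLUGIN_URL', 'https://example.com/wp-content/modules' );
```

Well-written plugins compute their paths and URLs through plugin_dir_path(), plugin_dir_url() and plugins_url(), so they keep working. A plugin that hardcodes wp-content/plugins in a path or asset URL will break, which shows up as 404s for its scripts or styles; that is the compatibility check to run after the rename.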
9. Enable Two-Factor Authentication
To protect user accounts, enable two-factor authentication (2FA). It provides an additional layer of security requiring a second factor of identification beyond just a username and password.
Read more: How to enable two-factor authentication for WordPress
Have any questions?
If you have a question regarding WordPress security or WP Cerber, leave it in the comments section below or ask it on the community forum.
Spotted a bug or glitch?
We’d love to fix it! Share your bug discoveries with us here: Bug Report.
Reader
What exactly do these settings do?
Enable the Traffic Inspector firewall settings
Set “Enable traffic inspection” to “Maximum security”
Set “Enable error shielding” to “Maximum security”
Gregory
The “Maximum security” mode is the recommended mode. It provides a more restrictive and sensitive screening of incoming requests and so adds more security to a website. Sometimes, this mode is not compatible with a theme or a plugin installed on a website. As a consequence, the website owner sees a lot of false positives. In such a case switching to the “Maximum compatibility” mode is the only way to get WP Cerber working on the website.
Ben
Where could we find the Security Rules page, please?
“On the Security Rules admin page, configure GEO policies”
Gregory
It is available in the professional version of WP Cerber: https://my.wpcerber.com/ps/