Security Blog
Posted By Gregory

How to protect WordPress effectively: a must-do list
A must-do list that provides high-security and durable protection for your website.

We want you to get the most out of WP Cerber’s security algorithms. That’s why we encourage you to configure all the settings below. Do this thoughtfully, because some settings may conflict with other plugins or with your web server’s settings. If anything stops working, check the Activity log for related events such as denied requests or blocked IP addresses.

1. Check the main settings

  1. Set “Load security engine” to “Standard mode”
  2. Configure “Custom login URL” and turn on “Disable wp-login.php”
  3. Enable “Immediately block IP when attempting to log in with a non-existing username”
  4. Enable “Disable dashboard redirection”
  5. Enable “Immediately block IP after any request to wp-login.php”

2. Activate security policies on the Hardening tab

The minimal set of settings to enable in the Hardening WordPress section:

  1. “Stop user enumeration”
  2. “Block execution of PHP scripts in the WordPress media folder”
  3. “Disable XML-RPC”
  4. “Disable PHP error displaying”

We recommend enabling the following settings in the Access to WordPress REST API section:

  1. “Stop user enumeration / Block access to user data via REST API”
  2. “Disable REST API”
  3. “Allow REST API for logged in users”

Read more: Restrict access to REST API
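To verify that the settings from sections 1 and 2 actually took effect, here is an added example (not code from the post or from the WP Cerber plugin) that probes the well-known WordPress endpoints on a site you administer and reports, per hardening item, whether the stock behaviour is gone. SITE_URL is a placeholder; the probes cover REST user enumeration, XML-RPC, the ?author= redirect and wp-login.php.

```python
# Added example (not the post's or WP Cerber's code): probe well-known WordPress
# endpoints on a site you administer to see whether the section 1-2 items took effect.
import json
import urllib.error
import urllib.request

SITE_URL = "https://example.com"  # placeholder: your own site


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them (needed for ?author=N)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(path):
    """GET SITE_URL + path; return (status, body, Location header)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(SITE_URL + path, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), ""
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return err.code, body, err.headers.get("Location", "")


def rest_users_blocked(status, body, location=""):
    """'Stop user enumeration' via REST: no JSON list of user objects may come back."""
    try:
        users = json.loads(body) if status == 200 else None
    except ValueError:
        users = None
    return not (isinstance(users, list) and any(isinstance(u, dict) and "slug" in u for u in users))


def xmlrpc_disabled(status, body, location=""):
    """'Disable XML-RPC': stock WordPress answers a GET with this exact message."""
    return "XML-RPC server accepts POST requests only" not in body


def author_enum_blocked(status, body, location=""):
    """'Stop user enumeration': ?author=1 must not redirect to /author/<login>/."""
    return not (300 <= status < 400 and "/author/" in location)


def wp_login_disabled(status, body, location=""):
    """'Disable wp-login.php': the stock login form (input name="log") must be gone."""
    return 'name="log"' not in body


def run_checks():
    """Return {label: bool}; False means the setting does not look effective."""
    probes = [("REST user enumeration blocked", "/wp-json/wp/v2/users", rest_users_blocked),
              ("XML-RPC disabled", "/xmlrpc.php", xmlrpc_disabled),
              ("?author=1 enumeration blocked", "/?author=1", author_enum_blocked),
              ("wp-login.php disabled", "/wp-login.php", wp_login_disabled)]
    return {label: verdict(*fetch(path)) for label, path, verdict in probes}
```

Call run_checks() after setting SITE_URL; the wp-login.php probe runs last on purpose, because with “Immediately block IP after any request to wp-login.php” enabled it will get the probing address blocked, so run it from an address you can afford to have listed.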

3. Enable the Traffic Inspector firewall settings

  1. Set “Enable traffic inspection” to “Maximum security”
  2. Set “Enable error shielding” to “Maximum security”

4. Enable scheduled malware scans and automatic malware removal

On the Settings tab, the following settings must be enabled:

  1. “Scan temporary directory”
  2. “Scan session directory”

On the Cleaning up tab:

  1. The “Unattended files” setting must be enabled
  2. All checkboxes in the “Files in the uploads folder” setting must be checked

5. Enable anti-spam protection even if you think you don’t need it

On the Antispam engine tab, we recommend enabling the following settings:

  1. “Comment form (Protect comment form with bot detection engine)”
  2. “Registration form (Protect registration form with bot detection engine)”
  3. “Other forms (Protect all forms on the website with bot detection engine)”

6. Use GEO rules: block countries you don’t intend to do business with

On the Security Rules admin page, configure GEO policies for countries that are permitted to interact with your website: submitting forms, being able to log in or register, etc. These settings do not prevent search engines from indexing the website.

7. Rename the plugins folder

Changing the name of the plugins folder is one of the most underestimated ways to make your WordPress protection stronger. And yet it’s free and easy.

Read more: How to rename the WordPress plugins folder


I'm a team lead in Cerber Tech. I'm a software & database architect and a WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days), and today software engineering at Cerber Tech is how I make my living. I've taught myself to have high standards as well as to use them in developing software solutions.
