WordPress Security How To
Posted By Gregory

Strong login security with WP Cerber


It’s no secret that bad actors can break into a newly installed WordPress within a few minutes by mounting a brute-force attack. It’s possible because WordPress has no built-in attack mitigation mechanisms, the default login URL is well known, and the username of a website’s admin can be discovered with ease. WP Cerber brings all the necessary tools to mitigate brute-force attacks and safeguard user accounts.

Configuring WP Cerber’s login security settings

The login security settings are located on the Main Settings tab. Here you can configure the limits on login attempts, restrict access to wp-login.php, and configure error messages so that login and password reset attempts with non-existing usernames and emails do not reveal which ones are valid.

Limiting login attempts to mitigate brute-force attacks

The default and recommended settings for limiting login attempts are shown as selection #1 on the screenshot. These settings are applied when you activate WP Cerber. If you have many customers on the website, for instance, if you run a WooCommerce store, it makes sense to increase the limit on login attempts.

WordPress Login Security – WP Cerber Settings

Processing wp-login.php authentication requests

See selection #2. By default, WordPress uses wp-login.php as the website login page that processes all user logins and also provides the registration form and the password reset form. If you have configured the Custom login URL, it’s recommended to disable wp-login.php. You have two options. You can completely block access to wp-login.php and make the file inaccessible to anyone, or you can disable user authentication through wp-login.php without blocking access to the file. You can choose either of them – both stop user authentication via wp-login.php.

When the first option is enabled, WP Cerber renders and returns the “404 Page Not Found” error page as if there were no such file on the website. Thus, bad actors have nothing to attack.

When the second option is enabled, WP Cerber prevents any user authentication through wp-login.php, even with correct usernames and passwords, so nobody is able to log in using wp-login.php. After an attempt to log in via wp-login.php, WP Cerber shows the default incorrect password error message, mimicking the standard WordPress authentication process. This approach helps WP Cerber detect slow brute-force attacks by using wp-login.php as a detection honeypot. In the WP Cerber logs, all attempts to log in via wp-login.php are logged as shown on the screenshot below.

WP Cerber denies attempts to log in via wp-login.php and logs such events with the Forbidden URL label
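
An added example, not WP Cerber's code or log format: the sketch below shows why the wp-login.php honeypot catches a slow brute-force attack that an attempt limit alone misses. The event tuples, the custom login URL /my-login/, and the limit of 3 attempts per 60 minutes are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-login events (timestamp, client IP, login URL), sorted by
# time; this is not WP Cerber's log format. 198.51.100.7 tries wp-login.php
# once every two hours, 203.0.113.9 hammers the assumed custom login URL.
EVENTS = [
    ("2024-05-01 00:10", "198.51.100.7", "/wp-login.php"),
    ("2024-05-01 02:10", "198.51.100.7", "/wp-login.php"),
    ("2024-05-01 03:00", "203.0.113.9", "/my-login/"),
    ("2024-05-01 03:01", "203.0.113.9", "/my-login/"),
    ("2024-05-01 03:02", "203.0.113.9", "/my-login/"),
    ("2024-05-01 03:03", "203.0.113.9", "/my-login/"),
    ("2024-05-01 04:10", "198.51.100.7", "/wp-login.php"),
    ("2024-05-01 06:10", "198.51.100.7", "/wp-login.php"),
    ("2024-05-01 09:30", "192.0.2.44", "/my-login/"),
]

HONEYPOT_URL = "/wp-login.php"  # authentication disabled here, so no real user logs in via it
MAX_ATTEMPTS = 3                # assumed limit, not a WP Cerber default
WINDOW = timedelta(minutes=60)  # assumed counting window


def rate_limited_ips(events):
    """IPs with more than MAX_ATTEMPTS failed logins inside a sliding WINDOW."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _url in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        q = recent[ip]
        q.append(t)
        while t - q[0] > WINDOW:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            flagged.add(ip)
    return flagged


def honeypot_ips(events):
    """IPs that attempted to log in through the disabled URL, at any rate."""
    return {ip for _ts, ip, url in events if url == HONEYPOT_URL}


def slow_attackers(events):
    """Honeypot hits that the attempt limit alone never flags."""
    return honeypot_ips(events) - rate_limited_ips(events)


if __name__ == "__main__":
    print("rate limit:", rate_limited_ips(EVENTS))
    print("honeypot:  ", honeypot_ips(EVENTS))
    print("slow only: ", slow_attackers(EVENTS))
```

The single mistyped password from 192.0.2.44 on the custom login URL is flagged by neither check, which is the point of treating only the disabled URL as a signal.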

Stop bad actors from discovering valid usernames and emails

By default, WordPress login and password reset error messages are quite verbose and help hackers distinguish valid usernames and emails from non-existing ones, and so identify valid ones for mounting brute-force or social engineering attacks.

Disable the default login error message

When enabled, the login error messages do not indicate invalid usernames and emails when attempting to log in with non-existing ones. Instead, WP Cerber displays the default WordPress error message used when a user enters an incorrect password. This helps prevent bad actors from guessing valid usernames and emails. This approach is also known as disabling login hints.

Disable the default reset password error message

When enabled, the password reset error messages do not indicate invalid usernames and emails when attempting to reset the password for a non-existing username or a non-existing email. Instead, WP Cerber mimics the default process of resetting passwords and displays the following message regardless of whether users enter valid or non-existing usernames and emails.

The new WordPress password reset message generated by WP Cerber Security

This approach helps prevent bad actors from guessing valid usernames and is known as disabling password reset hints.

Note that none of the features described above apply to the IP addresses in the White IP Access List.

Have any questions?

If you have questions regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered here: G2.COM/WPCerber.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
