Getting Started with WP Cerber Security
No worries. WordPress security is not rocket science anymore.
Once you have installed and activated the plugin, it loads a set of essential settings. They allow WP Cerber to protect your website effectively. Nevertheless, to get the most out of WP Cerber and protect WordPress the most effective way, you need to configure the plugin thoughtfully.
1. Make sure that Cerber detects IP addresses correctly
- Open the What is my IP address page in your browser
- Open a second browser tab (window) and go to the Tools / Diagnostic tab of your WP Cerber installation on your website.
- Find the “Your IP address is detected as” row in the “System Info” section.
- Compare the IP address on the What is my IP address page to the IP address shown in the “Your IP address is detected as” row.
- You should see two identical IP addresses. If you see two different IP addresses, you need to check My site is behind a reverse proxy in the Main Settings of the plugin and repeat the steps above.
- If you still see two different IP addresses and the website is not behind a proxy, follow these instructions: Solving problem with incorrect IP address detection
- One more step if your WordPress is under Cloudflare
2. Enable loading the plugin in Standard mode
Go to the Main Settings and set the Load security engine setting to Standard mode.
3. Make sure that you receive email notifications
When you activate the plugin, it sends a welcome email to the website admin email. If you didn’t get the welcome email, make sure that the email address that you see on the Notifications tab is correct and emails from the plugin don’t go to the spam folder. If you didn’t receive the welcome email, most likely, you will not receive other important notifications. You can enter alternative email addresses in the Email Address text field. To test out the delivery, click any Click to send test link.
Read more: How to set up mobile notifications on your smartphone
4. Enable your custom login and registration page
To hide the default wp-login.php WordPress login page from automated attacks and spam registrations, specify your own Custom login URL (login page) and turn off wp-login.php. Note: If you use a caching plugin (like W3 Total Cache or WP Super Cache), you have to add your custom login URL to the list of pages not to cache.
How to set up Custom login URL for WordPress
5. Add your home or office IP address to the White IP Access list
If you work from home or an office on a computer with a static IP address, it’s reasonable to add that IP address (or the entire company network) to the White IP Access List. You can achieve two goals. It prevents you from being locked out of your website by chance and enables you to restricts access to XML-RPC, REST API, and other vital parts of WordPress.
Read more: How to use Access Lists for WordPress
6. Enable spam protection
The Cerber’s anti-spam engine is compatible with most WordPress form builders and capable to protect virtually any form. On the Anti-spam admin page enable all necessary features under the Cerber anti-spam engine section. Once you’ve enabled anti-spam, make sure that forms on your site work normally. If some of the features on the website stopped working, enable Use less restrictive policies (allow AJAX).
Finally, let the plugin clean up the mess with spam comments. Choose deny spam comments completely or only mark them as spam. Turn on automatic moving spam to trash.
- How to stop spam user registrations on your WordPress
- How to stop spam form submissions on your WordPress
- How to set up reCAPTCHA for WordPress
7. Restrict access to REST API and XML-RPC
- Go to the Hardening admin page.
- Check Disable REST API. Specify namespace exceptions for REST API if it’s needed. For instance, if you use Contact Form 7, the namespace is
contact-form-7
, and for Jetpack it’sjetpack
. - Check Allow REST API for logged in users if you want to allow using REST API for any authorized WordPress user without limitation.
- Check Disable XML-RPC if you don’t use the Jetpack plugin. If you use XML-RPC from specific hosts only, add their IP addresses to the White IP Access List.
Read more: Restrict access to WordPress REST API
8. Specify a list of prohibited usernames
Go to the plugin Users admin page and, if your list is still empty, it’s advised to put on that list the following usernames: admin, administrator, manager, editor, user, demo, test.
Read more about prohibited usernames
9. Enable Two-Factor Authentication
To protect users’ accounts and prevent account takeover, enable two-factor authentication. It provides an additional layer of security requiring a second factor of identification beyond just a WordPress username and password.
Read more: Two-Factor Authentication for WordPress
10. Enable form fields masking for Traffic Inspector
If you’ve enabled saving form fields to the log (Save request fields is enabled) and you use a plugin that generates the login form for your website, you have to add the name of the password form field to the Mask these form fields on the Traffic Inspector settings page. WP Cerber always masks the password field on the default WordPress login form and the following form fields: ‘pwd’, ‘pass’, ‘password’.
Traffic Inspector and logging how to
11. Enable sending malicious IP addresses to the Cerber’s lab
Let the plugin team improve security algorithms in the plugin and optimize its performance. Go to the Main Settings, under the Activity section enable Cerber Lab connection. For better security, set Cerber Lab protocol to HTTPS. Read more about Cerber Lab.
12. Enable mobile alerts and email notifications
If you want to keep eye on a specific activity or be notified when a user has registered or logged in to your website, filter out a specific activity on the Activity tab and click the Create Alert. Read more: WordPress notifications made easy.