How to Harden WordPress with WP Cerber, the WordPress Security and Firewall plugin. First, make sure you are already following all of the steps in our general guide: How to Harden and Secure WordPress. The plugin settings below build on that baseline; they do not replace it.
What is WP Cerber?
WP Cerber is a free and powerful security and firewall plugin for WordPress. It defends WordPress against hacker attacks, spam, trojans and malware. It mitigates brute-force attacks by limiting the number of login attempts made through the login form, through XML-RPC / REST API requests, or with auth cookies, and it includes an advanced malware scanner, an integrity checker and a file monitor.
Most of that protection is not on by default. To get the most out of WP Cerber, you need to configure it deliberately; the remainder of this page walks through the settings that matter.
Download and Install WP Cerber Here
Configuring WP Cerber Security and Firewall
The firewall becomes active as soon as you activate the plugin. However, to take full advantage of WP Cerber's features and actually harden your WordPress website, there are a few additional set-up tasks to complete; they are outlined below. Some of them block IP addresses automatically and some delete files automatically, so create a backup of your WordPress website FIRST, and add your own IP address to the White IP Access List before you enable any of the immediate-block options so that a typo in your own username does not lock you out. Then complete the recommended setup tasks below:
1. Check the main settings
- Set “Load security engine” to “Standard mode”
- Configure “Custom login URL” and turn on “Disable wp-login.php”. Test the new login URL in a private browser window before you go further; everything below assumes it works.
- Enable “Immediately block IP when attempting to log in with a non-existing username”
- Enable “Disable dashboard redirection”
- Enable “Immediately block IP after any request to wp-login.php”. Only do this once the custom login URL above is in place and tested; otherwise you will block your own legitimate users, who still land on wp-login.php.
2. Activate security policies on the Hardening tab
The minimal set of settings to enable in the Hardening WordPress section:
- “Stop user enumeration”
- “Block execution of PHP scripts in the WordPress media folder”
- “Disable XML-RPC”
- “Disable PHP error displaying”
We recommend enabling the following settings in the Access to WordPress REST API section. Before you do, check which of your plugins use the REST API for anonymous visitors (many contact-form and e-commerce plugins do); they will stop working unless you add exceptions.
- “Stop user enumeration / Block access to user data via REST API”
- “Disable REST API”
- “Allow REST API for logged in users”
Read more: Restrict access to REST API
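To make clear what the Hardening and REST API checkboxes in step 2 actually change, here is an added example (not WP Cerber's own code, and not from the original page) that applies the same policies with core WordPress hooks as a must-use plugin. The hook names (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `rest_endpoints`, `rest_authentication_errors`) are WordPress core; the plugin name, the error-code string and the mu-plugins location are assumptions. You do not need this file if you use WP Cerber; it is here so that you can see what each setting does and verify it.

```php
<?php
/**
 * Plugin Name: Hardening baseline (added example)
 *
 * Added example, not WP Cerber's code: a must-use plugin (wp-content/mu-plugins/)
 * that applies the Hardening-tab and REST-API policies from step 2 with core
 * WordPress hooks, so you can see what each checkbox does and verify the effect.
 * Filter and action names are WordPress core; everything else is assumed.
 */

// "Disable XML-RPC". The xmlrpc_enabled filter only blocks methods that require
// a login (it stops system.multicall password guessing) but leaves pingbacks
// reachable, so also empty the method table and drop the advertising header.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// "Stop user enumeration" (front end): /?author=1 normally 301s to /author/<login>/,
// leaking the username. Refuse numeric author queries on public requests.
add_action( 'init', function () {
    if ( is_admin() ) {
        return;
    }
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// "Block access to user data via REST API": remove the users routes for
// anonymous requests; logged-in users (the block editor needs them) keep them.
// This one can be used on its own if you do not want to close the whole API.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// "Disable REST API" + "Allow REST API for logged in users": any other REST
// request without a session gets 401. Caveat: plugins that use the REST API
// anonymously (many contact forms, oEmbed discovery) stop working; test them.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // authentication already succeeded or already failed
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_login_required', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
} );

// "Disable PHP error displaying": never echo stack traces or paths to visitors.
// Logging is unaffected. define( 'WP_DEBUG_DISPLAY', false ) in wp-config.php
// does the same but must live there, because it is read before mu-plugins load.
ini_set( 'display_errors', '0' );
```

Whether you use this file or the WP Cerber checkboxes, verify the result from outside: an anonymous request to `/wp-json/wp/v2/users` must no longer return a 200 with a user list, `/?author=1` must no longer redirect to `/author/<username>/`, and a POST to `/xmlrpc.php` must no longer answer pingback or login methods. If a form on the site stops submitting after the REST change, that is the anonymous-REST caveat above, not a bug in the plugin.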
3. Enable the Traffic Inspector firewall settings
- Set “Enable traffic inspection” to “Maximum security”
- Set “Enable error shielding” to “Maximum security”
4. Enable scheduled malware scans and automatic malware removal
On the Settings tab, enable the following settings:
- “Scan temporary directory”
- “Scan session directory”
On the Cleaning up tab:
- You have to enable: “Delete unattended files”, “Recover WordPress files”, “Recover plugins files”
- All checkboxes in the “Files in the uploads folder” settings should be checked. These options delete and restore files without asking, which is why the backup in the introduction is not optional.
5. Enable anti-spam protection even if you think you don’t need it
On the Antispam engine tab, we advise you to enable the following settings:
- “Comment form (Protect comment form with bot detection engine)”
- “Registration form (Protect registration form with bot detection engine)”
- “Other forms (Protect all forms on the website with bot detection engine)”
6. Use GEO rules: block countries you don't do business with
On the Security Rules admin page, configure GEO policies for the countries that are permitted to interact with your website: submitting forms, logging in, registering, and so on. These settings do not prevent search engines from indexing the website. Treat GEO rules as noise reduction rather than a security boundary: an attacker can route through a permitted country, so the login and REST protections above still have to hold.
7. Rename the plugins folder
Renaming the plugins folder is one of the most underestimated ways to strengthen your WordPress protection, and it is free and easy. Automated scanners look for installed plugins (and their versions) at the well-known path wp-content/plugins/<plugin>/; a renamed folder makes those probes miss. It is obscurity rather than a control, so it complements the settings above instead of replacing them.
Read more: How to rename the WordPress plugins folder
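As an added example of the mechanism behind step 7 (not from the page and not WP Cerber's code), this is the wp-config.php fragment that tells WordPress where a renamed plugins folder lives. `WP_PLUGIN_DIR`, `WP_PLUGIN_URL` and `PLUGINDIR` are real WordPress constants; the folder name `modules-7f3a` and the site URL are assumptions, so substitute your own.

```php
<?php
// Added example for step 7. Goes in wp-config.php ABOVE the line
//     require_once ABSPATH . 'wp-settings.php';
// so the constants exist before WordPress builds its plugin paths.
//
// Move the directory first (from the shell, after taking the backup):
//     mv wp-content/plugins wp-content/modules-7f3a
// "modules-7f3a" is an arbitrary assumed name; choose your own, without a
// trailing slash, and keep the old name out of any rewrite rules.

define( 'WP_PLUGIN_DIR', ABSPATH . 'wp-content/modules-7f3a' );            // filesystem path
define( 'WP_PLUGIN_URL', 'https://example.com/wp-content/modules-7f3a' ); // assumed site URL
define( 'PLUGINDIR',     'wp-content/modules-7f3a' );                     // deprecated relative form some old plugins still read
```

After the move, open the Plugins page and a few front-end pages: a plugin that built its paths from the literal string `wp-content/plugins` instead of `plugin_dir_path( __FILE__ )` will show up as missing or with broken assets, and that plugin needs fixing or replacing, not the constants.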
8. Enable Two-Factor Authentication
To protect user accounts enable two-factor authentication. It provides an additional layer of security requiring a second factor of identification beyond just a username and password.
Read more: How to enable two-factor authentication for WordPress