WordPress Set-Up Cheatsheet
WordPress Set-Up Cheatsheet


Labeled as · wordpress, technical-seo, server-work

Last update at 2020-11-12 07:13:08 +0000

For a quick set up, a DigitalOcean droplet is the best solution. WordPress is easy to migrate to a more cost-effective option later.

Initial WordPress Server Setup

  1. Spin up DigitalOcean Wordpress droplet. Alternatively, get any other LAMP stack elsewhere and install WordPress.
  2. Restrict SSH access: Create a non-root user, disable password access.
  3. Install and configure RKHunter.
  4. Restrict xmlrpc bruteforce attacks on server level.

server speed

page speed



First off, go to Dashboard > Access Lists and whitelist your IP Address. This way you won’t lock yourself out of the website.

Please don’t skip this step lol.

Main Settings

Dashboard > Main Settings

The WP-Cerber Main Settings dashboard is where you configure how many login attempts you allow before you ban people.

You can leave that pretty forgiving for development sites and tighten it for production.

For the rest, just configure your admin email and send a test email.


This is the most important part. Hardening is set under Dashboard > Hardening. This is also where you disable XML-RPC, a never-used and super dangerous interface that WordPress team refuses to ditch.

On majority of Wordpress installations, you can enable all of the hardening options. These days, WordPress is mostly installed for business rather than for blogging.

Blogging features like author pages are irrelevant at best, and can easily become s vulnerability.

This is WP-Cerber Hardening configuration of a business website. The company publishes regular updates in form of blog articles, which means the RSS has to be accessible. The REST API is enabled because of a Slack monitoring integration.

Enabling just the RSS will be good for most WordPress sites.


Google reCAPTCHA integration is the second most important part. It gets attackers banned faster and eases the server load.

Head over to WP Cerber > Anti-spam > reCAPTCHA and set up the Google App the guide provided there wants you to.

Once you’re done, enable reCAPTCHA on all WordPress forms:

This cuts short majority of automated login attacks. The attack bots will fail at the reCAPTCHA.

© 2018-21 TheoryDigital OÜ