Here below is a default Wordpress setup that we use on all projects running on WordPress. It provides a good base of security on the application side with little impact on performance.
(Keep in mind that for a good setup, server-side security is needed too.)
Initial WordPress Server Setup
- Spin up DigitalOcean Wordpress droplet. Alternatively, get any other LAMP/LEMP stack elsewhere and install WordPress.
- Restrict SSH access: Create a non-root user, disable password access.
- Restrict xmlrpc bruteforce attacks on server level (snippet below)
Recommended WordPress Plugins
[ server speed /
- Use Cloudflare’s free tier. Seriously, it’s 2024.
- A firewall plugin that shields bad login attempts is crucial to keep your website fast. Efficient banning of malicious traffic eases the server load and makes the website respond faster. WP Cerber or Shield Security are most effective at that because they are good at recognizing patterns. Also, they work with a list of known offenders. That is great for security while keeping the website fast.
- ^ Disable XML-RPC: Minimises attack surface and eases the server load. This is available via WP-Cerber under Dashboard > Hardening.
- ^ Enable Google reCAPTCHA: Gets attackers banned faster, eases the server load. This is available via WP-Cerber under Anti-spam > reCAPTCHA.
[ page speed /
- WPO Cache and Minify: Cache your website plus merge and minify CSS & JS, compress HTML.
[ media /
- Smush: Minimise and resize images on the fly.
- Cloudinary: Integration with Cloudinary image CDN - their free tier is usually enough.
[ metadata /
- Yoast SEO: Basic SEO and most of all, JSON-LD structured data.
WP-Cerber: Recommended configuration
First off, go to
Dashboard > Access Lists and whitelist your IP Address. This way you won’t lock yourself out of the website.
Please don’t skip this step lol.
Dashboard > Main Settings
The WP-Cerber Main Settings dashboard is where you configure how many login attempts you allow before you ban people.
You can leave that pretty forgiving for development sites and tighten it for production.
- Development: 5 tries
- Production: 2 tries. Tell people to use a password manager.
For the rest, just configure your admin email and send a test email.
This is the most important part. Hardening is set under
Dashboard > Hardening. This is also where you disable XML-RPC, a never-used and super dangerous interface that WordPress team refuses to ditch.
On majority of Wordpress installations, you can enable all of the hardening options. These days, WordPress is mostly installed for business rather than for blogging.
Blogging features like author pages are irrelevant at best, and can easily become s vulnerability.
This is WP-Cerber Hardening configuration of a business website. The company publishes regular updates in form of blog articles, which means the RSS has to be accessible. The REST API is enabled because of a Slack monitoring integration.
Enabling just the RSS will be good for most WordPress sites.
Google reCAPTCHA integration is the second most important part. It gets attackers banned faster and eases the server load.
Head over to
WP Cerber > Anti-spam > reCAPTCHA and set up the Google App the guide provided there wants you to.
Once you’re done, enable reCAPTCHA on all WordPress forms:
This cuts short majority of automated login attacks. The attack bots will fail at the reCAPTCHA.