Here below is a default Wordpress setup that we use on all projects running on WordPress. It provides a good base of security on the application side with little impact on performance.
(Keep in mind that for a good setup, server-side security is needed too.)
Initial WordPress Server Setup
- Spin up DigitalOcean Wordpress droplet. Alternatively, get any other LAMP/LEMP stack elsewhere and install WordPress.
- Restrict SSH access: Create a non-root user, disable password access.
- Install and configure RKHunter.
- Restrict xmlrpc bruteforce attacks on server level.
This is how to restrict xmlrpc on an Apache server:
Recommended WordPress Plugins
[ server speed /
- WP Cerber Security: Efficient banning of malicious traffic eases the server load and makes the website respond faster.
- ^ Disable XML-RPC: Minimises attack surface and eases the server load. This is available via WP-Cerber under Dashboard > Hardening.
- ^ Enable Google reCAPTCHA: Gets attackers banned faster, eases the server load. This is available via WP-Cerber under Anti-spam > reCAPTCHA.
[ page speed /
- Fast Velocity Minify: Merge and minify CSS & JS, compress HTML.
- W3 Total cache: Or any other caching plugin.
[ media /
- Smush: Minimise and resize images.
- Cloudinary: (optional) integration with Cloudinary image CDN - free tier is very often enough!
[ seo /
- Yoast SEO: Basic on-page SEO and structured data.
- 301 Redirects – Easy Redirect Manager: The name says it.
WP-Cerber: Recommended configuration
First off, go to
Dashboard > Access Lists and whitelist your IP Address. This way you won’t lock yourself out of the website.
Please don’t skip this step lol.
Dashboard > Main Settings
The WP-Cerber Main Settings dashboard is where you configure how many login attempts you allow before you ban people.
You can leave that pretty forgiving for development sites and tighten it for production.
- Development: 5 tries
- Production: 2 tries. Tell people to use a password manager.
For the rest, just configure your admin email and send a test email.
This is the most important part. Hardening is set under
Dashboard > Hardening. This is also where you disable XML-RPC, a never-used and super dangerous interface that WordPress team refuses to ditch.
On majority of Wordpress installations, you can enable all of the hardening options. These days, WordPress is mostly installed for business rather than for blogging.
Blogging features like author pages are irrelevant at best, and can easily become s vulnerability.
This is WP-Cerber Hardening configuration of a business website. The company publishes regular updates in form of blog articles, which means the RSS has to be accessible. The REST API is enabled because of a Slack monitoring integration.
Enabling just the RSS will be good for most WordPress sites.
Google reCAPTCHA integration is the second most important part. It gets attackers banned faster and eases the server load.
Head over to
WP Cerber > Anti-spam > reCAPTCHA and set up the Google App the guide provided there wants you to.
Once you’re done, enable reCAPTCHA on all WordPress forms:
This cuts short majority of automated login attacks. The attack bots will fail at the reCAPTCHA.