Visit WordPress SEO Security Settings For WP Cerber for the whole story
One might think cybersecurity is not an SEO topic, but it is a very important one. SEO, as I keep noting here, is more than keywords today.
Technical SEO is about speed optimization and files such as robots.txt and sitemap.xml, and the security of your site IS an SEO matter.
If you neglect your security, Google can take action, including deindexing your site if malware is found. You’d likely be notified in Google Search Console of a manual action and be removed from searches until you’ve cleaned up the site.
Consider images like these in Search Engine Console or read about a real-life deindexing from an SEO’s perspective.
Wordfence Alternative – WP-Cerber
Wordfence is a highly popular WordPress security plugin that offers multiple layers of protection and is known to protect more WordPress sites than any other security plugin.
Is it foolproof? Has anyone ever beaten it? Yes, and often.
Because of that last sentence I never use Wordfence: being number one makes you the target most hackers train to overcome.
Think of the Microsoft vs Apple security myth … Apple is thought to be more secure, and it’s not that it is more secure; it is that more computers run Microsoft, so most threats focus on it.
WP Cerber Security Settings
Sometimes it’s good to be number two. WP Cerber is a security plugin that I view to be the best Wordfence alternative.
There are a lot of features and settings in any security plugin but these are the ones I’ve found help secure my site’s SEO future.
- Dashboard – Offers quick updates on the site and recent history.
- Activity – A play-by-play, line-by-line log of what’s been noted on your site.
- Session – Who’s on the site now and what they are up to
- Lockouts – IP addresses that are locked out of your site
- Main Settings – Settings (discussed later)
- Access Lists – IP address white list
- Hardening – Where the real fun is at!
- Notifications – Spam yourself settings I call them…
- Help – self explanatory
The first section of the security settings deals with brute-force attacks, which simply means trying random passwords over and over until one gets in.
I limit these in harsher terms than the default and I recommend changing these settings so they aren’t predictable.
In the example, 3 missed login retries give someone 600 minutes of blocked access. I might do 617 minutes just to make it more irregular and harder to anticipate.
Aggressive lockout increases the block if further misses are seen after a block expires.
In the example we have a period of 72 hours; if they miss 2 times they are blocked an additional 24 hours. I often set this to 999 hours, forcing contact with a webmaster.
These settings can be ignored if the misses come from a white listed IP address such as your office or home.
Block subnet – I turn it on to prevent IP addresses similar to one blocked from accessing the site.
Non-existing users – I turn this on to prevent a hacker from testing whether a username matches an author.
Disable Dashboard Redirection: I turn this on. Later I change the login page and I don’t want WordPress giving it away.
Request wp-login.php: I turn this on as well. This setting blocks anyone who directly tries to access the default login page.
I use a custom login page URL, and the WordPress default is never linked to on my site, so NO ONE should ever go to the default login page address, unless they are not familiar with this site yet still have an account.
It also blocks scripts that simply target the default login address.
The next section allows you to set a custom login page address. I generally set one in other plugins so in the example this is blank.
If you don’t have another plugin you can set the login page here. I’d recommend disabling wp-login.php after verifying that you can log in with the alternative to wp-login.php.
Citadel Mode is basically a time-out. If 200 failed logins happen within 30 minutes, something is afoot.
Lock down the entire login process of the site for 60 minutes… better yet, an odd number like 74.
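The lockout rules walked through above (retry limit, aggressive lockout, white list, Citadel Mode) can be modelled in a few lines to see how the numbers interact before changing them on a live site. This is an added example, not WP Cerber's code: the class and method names are hypothetical, and the 60-minute retry window and the rule that a second lockout within 72 hours adds 24 hours are assumptions about how to read the settings.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

class LockoutPolicy:
    """Model of the post's settings (minutes); window and escalation rule assumed."""
    def __init__(self, retries=3, lockout=600, window=60, agg_count=2,
                 agg_period=72 * 60, agg_extra=24 * 60, cit_fails=200,
                 cit_window=30, cit_lock=60, allow=()):
        self.retries, self.lockout, self.window = retries, lockout, window
        self.agg_count, self.agg_period, self.agg_extra = agg_count, agg_period, agg_extra
        self.cit_fails, self.cit_window, self.cit_lock = cit_fails, cit_window, cit_lock
        self.allow = [ip_network(n) for n in allow]  # white-listed networks
        self.fails = defaultdict(deque)      # ip -> times of recent failures
        self.lockouts = defaultdict(list)    # ip -> times lockouts started
        self.blocked_until = {}              # ip -> time the block expires
        self.site_fails = deque()            # failures from all addresses
        self.citadel_until = 0               # end of site-wide login lockdown

    def allowed(self, ip):
        return any(ip_address(ip) in net for net in self.allow)

    def is_blocked(self, ip, now):
        if self.allowed(ip):
            return False
        return now < self.citadel_until or now < self.blocked_until.get(ip, 0)

    def failed_login(self, ip, now):
        """Record one failed login; return the lockout length it caused, or 0."""
        if self.allowed(ip) or self.is_blocked(ip, now):
            return 0
        # Citadel Mode: count failures across all addresses.
        self.site_fails.append(now)
        while now - self.site_fails[0] >= self.cit_window:
            self.site_fails.popleft()
        if len(self.site_fails) >= self.cit_fails:
            self.citadel_until = now + self.cit_lock
        # Per-address retry limit.
        q = self.fails[ip]
        q.append(now)
        while now - q[0] >= self.window:
            q.popleft()
        if len(q) < self.retries:
            return 0
        q.clear()
        # Aggressive lockout: a repeat lockout inside the period is extended.
        recent = [t for t in self.lockouts[ip] if now - t < self.agg_period] + [now]
        self.lockouts[ip] = recent
        extra = self.agg_extra if len(recent) >= self.agg_count else 0
        self.blocked_until[ip] = now + self.lockout + extra
        return self.lockout + extra
```

Feeding it timestamps from your own activity log (converted to minutes) shows which addresses a stricter setting would have blocked and for how long.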
I retain activity and share it with the plugin author as well as request all the info I can gather on the IP addresses that are flagged.
Hardening in WP Cerber is pretty straightforward. I recommend all the options here except disabling feeds if you want your site’s content available to other sites.
Another settings area in WP Cerber, Traffic Inspection may be useful to your site. I usually go with the default settings here.
There are additional settings under User Policies where you can limit what different roles may be able to do.
With these settings, changes in login page addresses, lockouts and traffic inspection, I generally have solid security and free myself from SEO efforts to restore a site to Google’s index.