Defends WordPress against hacker attacks, spam, trojans, and malware. Mitigates brute-force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests, or using auth cookies. Tracks user and bad actors activity with flexible email, mobile and desktop notifications. Stops spammers by using a specialized anti-spam engine. Uses Google reCAPTCHA to protect registration, contact, and comments forms. Restricts access with IP Access Lists. Monitors the website integrity with an advanced malware scanner and integrity checker. Reinforces the security of WordPress with a set of flexible security rules and sophisticated security algorithms. **Features you will love** * Limit login attempts when logging in by IP address or entire subnet. * Monitors logins made by login forms, XML-RPC requests or auth cookies. * Permit or restrict access by [IP Access Lists](https://wpcerber.com/using-ip-access-lists-to-protect-wordpress/) with a single IP, IP range or subnet. * Create **Custom login URL** ([rename wp-login.php](https://wpcerber.com/how-to-rename-wp-login-php/)). * Cerber anti-spam engine for protecting contact and registration forms. * Automatically detects and moves spam comments to trash or denies them completely. * [Manage multiple WP Cerber instances from one dashboard](https://wpcerber.com/manage-multiple-websites/). * [Two-Factor Authentication for WordPress](https://wpcerber.com/two-factor-authentication-for-wordpress/). * Logs users, bots, hacker and other suspicious activities. * Security scanner verifies the integrity of WordPress files, plugins and themes. * Monitors file changes and new files with email notifications and reports. * [Mobile and email notifications with a set of flexible filters](https://wpcerber.com/wordpress-notifications-made-easy/). * Advanced users’ sessions manager * Protects wp-login.php, wp-signup.php and wp-register.php from attacks. * Hides wp-admin (dashboard) if a visitor isn’t logged in. * Immediately blocks an intruder IP when attempting to log in with non-existent or prohibited username. * Restrict user registration or login with a username matching REGEX patterns. * [Restrict access to WP REST API with your own role-based security rules](https://wpcerber.com/restrict-access-to-wordpress-rest-api/). * Block access to WordPress REST API completely. * Block access to XML-RPC (block access to XML-RPC including Pingbacks and Trackbacks). * Disable feeds (block access to the RSS, Atom and RDF feeds). * Restrict access to XML-RPC, REST API and feeds by **White IP Access list** by an IP address or an IP range. * [Authorized users only mode](https://wpcerber.com/only-logged-in-wordpress-users/) * [Block a user account](https://wpcerber.com/how-to-block-wordpress-user/). * Disable automatic redirection to the hidden login page. * **Stop user enumeration** (blocks access to author pages and prevents user data leaks via REST API). * Proactively **blocks IP subnet class C**. * Anti-spam: **reCAPTCHA** to protect WordPress login, register and comment forms. * [reCAPTCHA for WooCommerce & WordPress forms](https://wpcerber.com/how-to-setup-recaptcha/). * Invisible reCAPTCHA for WordPress comments forms. * A special Citadel mode for **massive brute force attacks**. * [Play nice with fail2ban](https://wpcerber.com/how-to-protect-wordpress-with-fail2ban/): write failed attempts to the syslog or a custom log file. * Filter out and inspect activities by IP address, user, username or a particular activity. * Filter out activities and export them to a CSV file. * Reporting: get weekly reports to specified email addresses. * Limit login attempts works on a site/server behind a reverse proxy. * [Be notified via mobile push notifications](https://wpcerber.com/wordpress-mobile-and-browser-notifications-pushbullet/). * Trigger and action for the [jetFlow.io automation plugin](http://jetflow.io). * Protection against (DoS) attacks (CVE-2018-6389).