CellarWeb Privacy and Security Options


Secure your WP site with common security settings that you can selectively enable. Includes several security and anti-hacking features, plus some customization of your login screen. Disables certain functions/processes that are potential security issues. Can block some comment spam (although our Block Comment Spam plugin https://wordpress.org/plugins/block-comment-spam-bots/ is more effective). Can increase memory allocations. Shows your current htaccess file contents with suggestions for improvements, so you can monitor any changes.

We use this on all of our managed WordPress sites, as a convenient way to secure the sites without using a bunch of different plugins.


  • Main heading screen.
  • General Settings screen.
  • PHP Settings screen.
  • Security Settings - General screen.
  • Security Settings - Login Related screen.
  • htAccess File Information screen.
  • htAccess Suggestions screen.


  1. Upload the plugin files to the /wp-content/plugins/cellarweb-private-functions directory.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress.
  3. Use the Settings->CellarWeb Private Functions screen to configure the plugin (if any)


What is this?

Some general purpose functions for WordPress sites, including some security-related features to block hacking attempts.

Like what?

There are lots of options that can be selected, grouped into five sections:

General Settings

  • changes the ‘Howdy’ to ‘Welcome’. Because we think that ‘Howdy’ is for an Old West site.
  • Adds the ‘referer’ to a CF7 form field. Great to figure out where your comments came from.
  • Adds a copyright to the footer. (Right now it’s ours, but future versions will allow you to enter your own footer text.)
  • Remove the WP logo from the Admin bar.
  • Sets up a [current_year] shortcode you can use anywhere.
  • Allows use of shortcodes in widgets.
  • Adds a favicon to generated page ‘head’ section. You supply the favicon file.
  • Adds social sharing buttons centered at the bottom of all posts/pages.

PHP Settings

  • Changes ‘max upload size’ to 256MB.
  • Changes ‘max post size’ to 128M.
  • Changes ‘max execution time’ to 300ms.

These settings may be ignored by some hosting platforms.

General Security Settings

  • Disable XMLRPC as a possible hack attack vector.
  • Removes the WP version from the generated page.
  • Disables code editor in all theme/plugins admin screens.
  • Forces disable of all error reporting by plugins or themes.
  • Checks for a user called ‘admin’ (a common hack attack vector).
  • Disables ability to query by author ID (a common hack attack vector).

Login-Related Security Settings

  • Blocks repeated login attempts with a limit of 4 failed logins. After those 4 failures, no further login is allowed for 5 minutes. This reduces the chance of login brute force attacks.
  • Changes failed login message to a more generic error (instead of ‘bad user’ or ‘bad password’).
  • Use a custom login page that you provide.
  • Disable the ‘Remember Me’ checkbox on the login page.
  • Redirect to home page after login/logout.
  • Put login/logout links on menu bars.
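
The failed-login limit described above (4 failures, then a 5-minute delay) can be sketched with standard WordPress hooks. This is an added illustration, not the plugin's own code; counting per client IP, storing the count in a transient, and every `cwps_example_*` name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Assumptions: failures are counted
// per client IP in a transient; all cwps_example_* names are hypothetical.

define( 'CWPS_EXAMPLE_MAX_FAILS', 4 );     // failed logins allowed
define( 'CWPS_EXAMPLE_LOCKOUT', 5 * 60 );  // lockout length in seconds

function cwps_example_key() {
    // REMOTE_ADDR is the connecting peer; behind a reverse proxy it is the
    // proxy's address, so every visitor would share one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'cwps_example_fails_' . md5( $ip ); // md5 only gives a fixed-length key
}

function cwps_example_is_locked() {
    return (int) get_transient( cwps_example_key() ) >= CWPS_EXAMPLE_MAX_FAILS;
}

// Count each failed login. The transient expires 5 minutes after the last
// counted failure, which is what ends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    if ( cwps_example_is_locked() ) {
        return; // attempts made during the lockout do not extend it
    }
    $key = cwps_example_key();
    set_transient( $key, (int) get_transient( $key ) + 1, CWPS_EXAMPLE_LOCKOUT );
} );

// Priority 30 runs after core's username/password check (priority 20), so a
// correct password is still refused while the client is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( cwps_example_is_locked() ) {
        return new WP_Error(
            'cwps_example_locked',
            'Too many failed logins. Please try again in 5 minutes.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for this client.
add_action( 'wp_login', function () {
    delete_transient( cwps_example_key() );
} );
```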

htaccess Security Settings

  • Shows the current htaccess file for review. (Hackers like to change it, so it’s good to take a peek at it now and again.)
  • Some suggestions for additional htaccess commands are shown.
  • No changes are made to the htaccess file.

Wow! That’s a lot of settings!

Yep. But they are ones that we commonly use in all of our managed WP sites, so putting them into one plugin was easier than doing it manually on every site.

What if I want an additional setting?

Just add a message in the plugin’s support area. We’ll consider it.

Do you have other security-related plugins?

Yep! One of our favorites will block all comment spam, and another blocks bots from contact forms. It’s very effective. We put it on one site that was getting a lot of comment spam, and now there is none. Not one. And we don’t get any contact form spam on sites that use the technique.

It’s called “Block Comment Spam Bots”, and can be found in the WP plugin repository. And there’s a link to it (and other plugins we’ve done) on this plugin’s Settings/Information page. The Contact Form bot-blocker is called “FormSpammerTrap”, and is available at https://www.FormSpammerTrap.com .

Check out all our plugins at https://cellarweb.com/wordpress-plugins/ .


There are no reviews for this plugin.

Contributors & Developers

“CellarWeb Privacy and Security Options” is open source software. The following people have contributed to this plugin.



3.20 (26 Dec 2022)

  • Fixed upload file size setting.
  • Some text changes to the memory settings area.
  • Tested with WP 6.1x.

3.12 (23 May 2022)

  • Added htaccess suggestion for forcing all requests to SSL.
  • Minor rearrangement and positioning of admin users list area.
  • Minor rearrangement of the htaccess section, including some additional text.
  • Additional informative text of the various available settings.

3.11 (21 May 2022)

  • Fixed a curly quote. (I hate those curly quotes that get into the code!)
  • Removed the word ‘options’ from the plugin name, settings page link, title, and images.
  • Tested with WP 6.0 and PHP 8.1.4.
  • Increased minimum PHP version required to 7.3. (You should really update if you aren’t there…)

3.10 (20 May 2022)

  • First public release.
  • Plugin options now contained in a constant so only one read access from the options table.
  • Admin-level users shown on settings screen for information.
  • Shows current WordPress and PHP versions on the Settings screen.
  • Changed images to remove ‘options’ from the image.
  • Removed some debugging code.
  • Optimized locations of add-filters used to implement various options.
  • Testing of ‘fresh’ install to ensure all functions work without errors.
  • Better alignment of the checkbox with its associated text.

3.01 (9 Apr 2022)

  • Fixed a font setting that was overriding the paragraph font size in the site.

3.00 (8 Apr 2022)

  • Added Settings link to the plugin on the Plugins page.
  • Removed plugin’s ability to change the htaccess file. The current htaccess file is shown for information purposes.
  • Added suggestions for the htaccess file, and advice on how to work with your hosting company to make changes.
  • Added a new option to limit login attempts at 4 failed. Any more will cause a timeout delay of 5 minutes before another login can be attempted. This eliminates login brute force attacks.
  • Changed the process that adds the site logo shown at the top of the optional login screen (if enabled). If there is no site logo defined in the theme, the default logo is used.
  • Changed the rendering of settings to use one function, not individual ‘renders’ for each add_setting field. This allows for easier formatting of the settings and text area. The old individual rendering functions were removed.
  • Added a ‘Save Options’ button at the top of the form for convenience.
  • CSS for the optional login screen only added if optional login enabled.
  • Enhanced the showing of the login/logout links on the site menu bar. There must be a menu bar enabled via the theme options for the login/logout links to be shown.
  • If alternate login screen enabled, any ‘verify admin email’ notices are suppressed.
  • Fixed the CSS to set the entire login box background to white, so the various parts of the login area don’t show up as white stripes on a non-white background.
  • Initial preparation for possible future enhancements to the alternate login screen.
  • Removed option for adding sharing buttons to each post/page because of the constantly changing available sharing options. (And other plugins do it better.)
  • Removed the numbers in front of each setting.
  • Changed the login form code to only change the header image of the login form. Other settings, like the background for the login page, are done by the theme.
  • The login form background is set to white.
  • Changed logos and supporting images (part of re-branding on all plugins).
  • Changes to Settings screen to show new logos and sidebar information.
  • Changed title shown in the Settings list.
  • Removed inline CSS from added footer if enabled, so it will use inherited colors/etc.
  • Put all filters/actions in one area for convenience of the coding team.
  • Version number is a defined constant for convenience in display, and displayed under the heading image.
  • Some minor CSS changes to the Settings screen for slightly larger text and compatible background colors.
  • Text corrections, additional info on the settings, and other changes on the Settings screen.
  • Some code efficiencies; removing obsolete or unneeded code.

These prior versions were not publicly released

2.08 (2 Mar 2020)

  • Changed when the htaccess is updated; now happens after theme_setup so that the switch_to_locale function is not called before it was available. This also fixes the problem of the ‘updated htaccess’ admin message appearing at the wrong time (as in on other screens).

2.07 (13 Feb 2020)

  • another instance of the switch_to_locale function check was removed

2.06 (12 Feb 2020)

  • corrected incorrect version of main file (didn’t have the 2.05 fix)

2.05 (28 Jan 2020)

  • removed call to switch_to_locale; causing errors on later PHP versions.


  • internal version, not released

2.03 (10 Jan 2020)

  • Further tweaks to htaccess changing module
  • Updated readme and program versions to match

2.02 (8 Jan 2020)

  • Fixed invalid htaccess ‘option’ parameter.
  • Attempted fix of ‘htaccess changed’ admin message appearing too late.

2.01 (3 Jan 2020)

  • Fixed minor typo in Information page about the CF7 shortcodes.
  • Added to the FAQ a list of the features of this plugin.

2.00 (2 Jan 2020)

  • Initial release of public version.
  • Removed code for privately hosted auto-updates.
  • Added option to protect against directly accessing the wp-comments-post.php via .htaccess directives.
  • Shows the current contents of the htaccess file for your review.
  • Ensured all array element names are quoted strings, rather than unquoted. Reduces PHP Warning errors about undefined constants; ensures compatibility with future PHP versions.
  • Removed debugging code and unneeded comments.
  • Changed variables, css styles, and function prefix to “CWPS” to match plugin name.
  • Removed FontAwesome CSS loading; replacement icons are included in the plugin.
  • Properly enqueued the CSS file per WP standards.
  • Some minor CSS fixes.
  • Added uninstall process to remove plugin’s options from wp-options table.
  • Added additional information to the settings/information screen.
  • Minor code documentation corrections (spelling, mostly).

All versions below were privately released. Public version / initial release is Version 2.00


  • Changed all array element names (the part in the brackets) to be strings, rather than ‘assumed’ strings. The use of ‘assumed’ strings was causing a PHP Warning about undefined constants. PHP ignores that, although that may cause a fatal error in PHP 8x (whenever that gets released). And the PHP Warnings were cluttering up the error.log file.


  • fixed the settings screen relating to the CF7 referer field; the correct field to put in the contact form is ‘[hidden referer-page default:get]’ .


  • Versions 1.4 – 1.52 were testing versions, not released
  • Some minor typos fixed
  • Added versioning to the settings.css file to ensure proper loading


  • Minor code changes; tweaking how CSS loaded.


  • Minor change to html inserted as footer (now a paragraph tag, instead of a div); allows it to be centered more often.


  • Initial private release. Not available via WP plugin area yet.
  • Prior versions were for internal testing only.
  • Additional features are planned.