CellarWeb Privacy and Security Options


Secure your WP site with these common security settings. Includes several security and anti-hacking features, plus an alternative login screen. Disables certain functions/processes that are potential security issues. Modifies htaccess file with security settings.


  1. Upload the plugin files to the /wp-content/plugins/cellarweb-private-functions directory.
  2. Activate the plugin through the ‘Plugins’ screen in WordPress
  3. Use the Settings->CellarWeb Private Functions screen to configure the plugin (if any)


What is this?

Some general purpose functions for WordPress sites, including some security-related features to block hacking attempts.

Like what?

There’s lots of options that can be selected, grouped into five sections:

General Settings

  • changes the ‘Howdy’ to ‘Welcome’. Because we think that ‘Howdy’ is for an Old West site.
  • Adds the ‘referer’ to a CF7 form field. Great to figure out where your comments came from.
  • Adds a copyright to the footer. (Right now it’s ours, but future versions will allow you to enter your own footer text.)
  • Remove the WP logo from the Admin bar.
  • Sets up a [current_year] shortcode you can use anywhere.
  • Allows use of shortcodes in widgets.
  • Adds a favicon to generated page ‘head’ section. You supply the favicon file.
  • Adds social sharing buttons centered at the bottom or all posts/pages.

PHP Settings

  • Changes ‘max upload size’ to 256MB.
  • Changes ‘max post size’ to 128M.
  • Changes ‘max execution time’ to 300ms.

These settings may be ignored by some hosting platforms.

General Security Settings

  • Disable XMLRPC as a possible hack attack vector.
  • Removes the WP version from the generated page.
  • Disables code editor in all theme/plugins admin screens.
  • Forces disable of all error reporting by plugins or themes.
  • Checks for a user called ‘admin’ (a common hack attack vector).
  • Disables ability to query by author ID (a common hack attack vector).

Login-Related Security Settings

  • Changes failed login message to more generic error (instead of ‘bad user’ or ‘bad password’.
  • Use a custom login page that you provide.
  • Disable the ‘Remember Me’ checkbox on the login page.
  • Redirect to home page after login/logout.
  • Put login/logout links on menu bars.

htaccess Security Settings

  • Disables directory listings.
  • Protects the wp-config.php file from direct access.
  • Adds directives to block direct access to the wp-comments-post.php file (a common attack vector for comment spam bots).
  • Shows the current contents of your htaccess file.

Wow! That’s a lot of settings!

Yep. But they are ones that we commonly use in all of our managed WP sites, so putting them into one plugin was easier than doing it manually on every site.

What if I want an additional setting?

Just add a message in the plugin’s support area. We’ll consider it.

Do you have other security-related plugins?

Yep! One of our favorites will block all comment spam.

It’s very effective. We put it on one site that was getting a lot of comment spam, and now there is none. Not one.

It’s called “Block Comment Spam Bots”, and can be found in the WP plugin repository. And there’s a link to it (and other plugins we’ve done) on this plugin’s Settings/Information page.


There are no reviews for this plugin.

Contributors & Developers

“CellarWeb Privacy and Security Options” is open source software. The following people have contributed to this plugin.



2.08 (2 Mar 2020)

  • changed when the htaccess is updates; now happens after theme_setup so that the switch_to_locale function is not called before it was available. This also fixes the problem of the ‘updated htaccess’ admin message appearing at the wrong time (as in on other screens).

2.07 (13 Feb 2020)

  • another instance of the switch_to_locale function check was removed

2.06 (12 Feb 2020)

  • corrected incorrect version of main file (didn’t have the 2.05 fix)

2.05 (28 Jan 2020)

  • removed call to switch_to_locale; causing errors on later PHP versions.


  • internal version, not released

2.03 (10 Jan 2020)

  • Further tweaks to htaccess changing module
  • Updated readme and program versions to match

= 2.02 (8 Jan 2020)=
* Fixed invalid htaccess ‘option’ parameter.
* Attempted fix of ‘htaccess changed’ admin message appearing too late.

= 2.01 (3 Jan 2020)=
* Fixed minor typo in Information page about the CF7 shortcodes.
* Added to the FAQ a list of the features of this plugin.

= 2.00 (2 Jan 2020)=
* Initial release of public version.
* Removed code for privately hosted auto-updates.
* Added option to protect against directly accessing the wp-comments-post.php via .htaccess directives.
* Shows the current contents of the htaccess file for your review.
* Ensured all array element names are quoted strings, rather than unquoted. Reduces PHP Warning errors about undefined constants; ensures compatibility with future PHP versions.
* Removed debugging code and unneeded comments.
* Changed variables, css styles, and function prefix to “CWPS” to match plugin name.
* Removed FontAwesome CSS loading; replacement icons are included in the plugin.
* Properly enqueued the CSS file per WP standards.
* Some minor CSS fixes.
* added uninstall process to remove plugin’s options from wp-options table
* Added additional information to the settings/information screen.
* minor code documentation corrections (spelling, mostly)

All versions below were privately released. Public version / initial release is Version 2.00


  • Changed all array element names (the part in the brackets) to be strings, rather than ‘assumed’ strings. The use of ‘assumed’ strings was causing a PHP Warning about undefined constants. PHP ignores that, although that may cause a fatal error in PHP 8x (whenever that gets released). And the PHP Warnings were cluttering up the error.log file.


  • fixed the settings screen relating to the CF7 referer field; the correct field to put in the contact form is ‘[hidden referer-page default:get]’ .


  • Versions 1.4 – 1.52 were testing versions, not released
  • Some minor typos fixed
  • Added versioning to the settings.css file to ensure proper loading


  • Minor code changes; tweaking how CSS loaded.


  • Minor change to html inserted as footer (now a paragraph tag, instead of a div); allows it to be centered more often.


  • Initial private release. Not available via WP plugin area yet.
  • Prior versions were for internal testing only.
  • Additional features are planned.