WordPress security plugin, firewall & anti-spam
https://wpcerber.com
Fri, 06 Oct 2023 17:28:52 +0000

WP Cerber Security 9.5.8
https://wpcerber.com/wp-cerber-security-9-5-8/
Fri, 06 Oct 2023 10:45:55 +0000

A new addition to WP Cerber’s security arsenal: mitigation of excessive use of the WordPress password reset form. Whenever WP Cerber detects multiple attempts to reset passwords for non-existing users from a specific IP address, that IP address is blocked. This feature aims to prevent user account guessing. Although it is not a widely used technique, bad actors can use it to discover usernames and email addresses registered on the website.

In the Activity log, such events are labeled as “Exceeded the allowed number of attempts to reset password”.

Squashed bugs

  • Erroneous events “Password reset request denied” are logged to the Activity log when viewing the profile page of a blocked user or browsing the “Users” admin page in the WordPress dashboard containing blocked users.
  • If WP Cerber is unable to create its diagnostic log, it produces the software error “PHP Fatal error: Uncaught ValueError: Path cannot be empty in”.
  • When browsing plugin updates on the Dashboard / Updates page, no details about the last release of WP Cerber are shown in the pop-up window.

WP Cerber Security 9.5.7
https://wpcerber.com/wp-cerber-security-9-5-7/
Tue, 05 Sep 2023 18:51:42 +0000

New feature: remembering users’ devices when using 2FA

When two-factor authentication is enabled, users can now optionally click a checkbox on the 2FA form to remember their devices for a predefined period of days. It’s displayed on the form as “Remember this device for N days?” This feature is configured on a per-role basis in the professional version of WP Cerber. You can specify a duration (in days) for which users’ devices can be remembered.

This feature is disabled by default. To enable it, specify a number of days greater than 0. An empty value or a zero will disable and hide the checkbox on the form. When it is enabled, it takes precedence over other 2FA settings.

Minor changes

  • Enhanced details about generated 2FA PIN codes on the user profile page.
  • The tabs labeled “Role-based” and “Global” are now renamed to “Role Policies” and “Global Policies” respectively.

Squashed bugs

  • The 2FA email address set on the user profile page is ignored when sending 2FA codes.
  • A fatal error occurs when using Cerber.Hub and switching to a managed website where automatic updates for WP Cerber were enabled. The error is logged as: “Call to undefined function wp_is_auto_update_enabled_for_type().”

WP Cerber Security 9.5.6
https://wpcerber.com/wp-cerber-security-9-5-6/
Thu, 31 Aug 2023 21:00:32 +0000

Major improvements

  • We have introduced the capability to send 2FA verification codes via SMTP. When an SMTP server is set up in the WP Cerber settings, it will be the preferred method for sending these codes. Note that the SMTP email feature is available in the professional version of WP Cerber.
  • As a backup, if there’s an issue sending emails through the configured SMTP server, WP Cerber will switch to using the default WordPress mailer.
  • Additionally, we have added email error reporting. If an error occurs while WP Cerber is sending an email, the error details are captured and shown as a warning on the WP Cerber dashboard.

Minor improvements

  • WP Cerber now captures and logs fatal PHP errors managed by WordPress. If your website crashes and displays the WordPress message “There has been a critical error on this website”, and if software error logging is enabled, the error details will be stored and can be accessed in the Traffic Inspector log.
  • WP Cerber now identifies and shows the name, version and author of a plugin or a theme that produced PHP errors. The information is available in the Traffic Inspector log.
  • All users with prohibited usernames (logins) are marked with the red label “PROHIBITED” on the Users admin page. The label now has an appropriate translation.
  • If a user is blocked by the website admin, the red label “User is blocked” is shown on the user profile page next to the username.
  • The limits on the maximum length of SMTP setting fields have been increased from 28 characters to 64.
  • Translations in the plugin language files have been updated.

Fixed bugs

  • If HTTP redirection is set to handle attempts to access protected areas, and WP Cerber blocks an intruder’s IP address, no email alerts are sent even if lockout alerting is enabled.

WP Cerber Security 9.5.5
https://wpcerber.com/wp-cerber-security-9-5-5/
Mon, 21 Aug 2023 15:02:26 +0000

While we are working on the next major release of WP Cerber, this update brings several minor improvements, updates, and bug fixes. We are also continuing to clean up the plugin code by removing unused legacy code, making the plugin algorithms more stable.

Just a reminder: WP Cerber, unlike other plugins, has a bug bounty program. If you discover a vulnerability, there is a $1,000 reward waiting for you. Can somebody finally grab it?

Proxy server for outgoing connections

WP Cerber now supports establishing outgoing network connections via a proxy server that’s configured for WordPress. By default, this proxy server usage is disabled in WP Cerber settings. You can find the relevant proxy settings on the Main Settings tab under the “Site-Specific Settings” section. This applies to all connections except for Cerber.Hub, which has a separate proxy setting.

Before you enable the proxy server, ensure you’ve defined the WordPress constants WP_PROXY_HOST and WP_PROXY_PORT. If needed, you can also set a proxy username and password using the WP_PROXY_USERNAME and WP_PROXY_PASSWORD constants.

Beyond the WordPress constants, there’s a specific WP Cerber constant, CERBER_PROXY_TYPE, that allows you to specify your proxy type. For the integer values accepted by CURLOPT_PROXYTYPE, please refer to the PHP documentation.

The scanner got more stable code

  • File operations and error handling in the WP Cerber scanner have been enhanced. If a file recovery requires creating missing folders, they will be created.
  • To prevent altering source files, the scanner recovery folders are emptied before starting a scan.
  • Any unsuccessful file recoveries are displayed in the scan results.

Minor improvements

  • When email notifications for new versions of installed plugins are enabled, you’ll receive an alert as soon as either WP Cerber or WordPress detects an update—whichever comes first.
  • You can enable automatic updates for WP Cerber in the main plugin settings now.

Fixed bugs

  • If a file is missing, the scanner does not recover it.

WP Cerber Security 9.5.4
https://wpcerber.com/wp-cerber-security-9-5-4/
Thu, 13 Apr 2023 08:53:32 +0000

This is a bug fix and minor improvements release. WP Cerber’s anti-spam engine has been updated for compatibility with the latest version of WooCommerce. The breaking changes introduced in WooCommerce 7.5.1 interfered with our anti-spam engine when enabled, causing issues with AJAX-based functionality in WooCommerce. With this update, we have resolved compatibility issues to ensure seamless integration.

This update will be installed automatically if automatic updates are enabled. If WP Cerber is not safeguarding your website yet, here is how to install it.

Fixed bugs

  • Excessive alerting in the WordPress dashboard: Fixed a bug that causes multiple admin notices to appear when a new version of WP Cerber is available but not installed.
  • An error message while viewing WP Cerber logs: Fixed a bug that could produce a PHP error message while viewing log entries filtered by an IP address.

Changing the location of the WP Cerber directory
https://wpcerber.com/changing-location-wp-cerber-directory/
Sat, 25 Mar 2023 09:07:24 +0000

WP Cerber uses its own directory to store quarantined files, diagnostic logs, and temporary files created and deleted by the integrity and malware scanner. By default, this directory is created as a hidden subdirectory within the WordPress uploads directory and is protected by an .htaccess file.

Since WP Cerber 9.5.3 you can change its location to a more secure place by using a PHP constant. To do this, you need to define the PHP constant CERBER_FOLDER_PATH in the wp-config.php file. Avoid using the functions.php file in the active theme folder for defining the constant.

Note: WP Cerber creates its directory as a subdirectory within the given path.

You have three methods to define a new location: an absolute path, a path relative to the WordPress home directory, or a traversal path above the WordPress home directory. Let’s look at each method separately.

Using an absolute path

This method is generally secure if the new location is not accessible from the internet, but it may require updating the defined path after the website has been moved. The path begins with a directory separator, which is typically ‘/’ on most WordPress hosting platforms. Here is an example:

define( 'CERBER_FOLDER_PATH', '/var/www/my-secure-path/' );

Using a traversal path relative to the WordPress home directory

It’s a recommended compromise between security and compatibility if you are going to move the website. The path starts with two dots. Here is an example:

define( 'CERBER_FOLDER_PATH', '../my-secure-path/' );

Using a path relative to the WordPress home directory

Although it is a less secure method, it is fully compatible with any new location of the website if you are going to move the website because the directory resides within the WordPress directory. The path does not begin with a directory separator or two dots. Here is an example:

define( 'CERBER_FOLDER_PATH', 'my-secure-path/' );

Once you’ve defined the path, it will be shown on the Diagnostic tab in the WP Cerber Constants section.

The values of WP Cerber constants

How to move an existing WP Cerber directory

When you define the constant, an existing WP Cerber directory and its contents are not moved automatically. If you need to move the directory and keep its contents intact, follow these steps in the given order:

  1. Locate the existing WP Cerber directory. By default, it resides in the WordPress uploads folder. The name of the WP Cerber folder is displayed on the Diagnostic tab. The folder name always begins with “wp-cerber-” followed by a random string, e.g., wp-cerber-6P8QNB3U7TAWH1ZGS.
  2. Copy the entire WP Cerber directory to the new location by using a file manager in your hosting control panel or an SFTP client.
  3. Define the constant with the path to the new location.
  4. Delete the WP Cerber directory in the old location.

Final notes

It is essential to ensure that there is no direct access to the WP Cerber folder within the new path from the internet; otherwise, defining a new path makes no sense.

Make sure the defined path is not within a regularly cleaned temporary folder; otherwise you can lose your quarantined files and diagnostic logs.

Do not use the functions.php file in the active theme folder for defining the constant.

WP Cerber Security 9.5.3
https://wpcerber.com/wp-cerber-security-9-5-3/
Thu, 23 Mar 2023 08:54:30 +0000

With AI coding tools like ChatGPT revolutionizing the tech landscape and becoming ubiquitous, maintaining robust WordPress security becomes increasingly important. To defend against emerging threats arising from the widespread use of AI-generated malware, it is essential to keep your WordPress security arsenal up to date.

We’re committed to continuously developing and enhancing WP Cerber algorithms, ensuring they effectively detect and neutralize emerging threats. Earlier this month, we announced the first-of-its-kind bug bounty program in the WordPress plugin ecosystem that rewards a security researcher with a $1000 bonus if they find a vulnerability in WP Cerber. We challenge other vendors to follow our lead.

Enable automatic updates or install WP Cerber if you do not have it on your website.

Improvements to the integrity scanner

WP Cerber uses its own directory to store quarantined files, diagnostic logs, and temporary files created and deleted by the integrity and malware scanner. By default, this directory is created as a hidden subdirectory within the WordPress uploads directory and is protected by an .htaccess file. You can optionally change its location and move it to a more secure place by using a PHP constant CERBER_FOLDER_PATH.

Read more: Changing the location of the WP Cerber directory.

Improvements to traffic and activity logging

  • When saving request fields is enabled in the Traffic Inspector settings, the JSON payload of REST API and other requests is decoded and saved to the Live Traffic log as well. This data is searchable via Advanced Search.
  • The Form Submissions filter, located on the Live Traffic tab, filters out conventional form submissions and no longer includes REST API requests. To view forms submitted via REST API, use the REST API filter instead.
  • The activity export file now includes a new column, “By User,” which contains the user ID of the user who initiated the row event.
  • The names of export files generated by WP Cerber are now unified and include the website URL, making it easier to identify which website the file was downloaded from.

Minor improvements

  • Multiple optimizations and improvements to CSS styles and the layout of WP Cerber admin pages.
  • Prevent Jetpack’s Asset CDN from destroying the layout and style of WP Cerber admin pages.
  • Improved compatibility with PHP 8.

WP Cerber Bug Bounty Program
https://wpcerber.com/bug-bounty-program/
Sat, 04 Mar 2023 12:57:00 +0000

Our customers trust us to protect their websites, and we are deeply committed to maintaining a secure and trustworthy approach to website protection. We take this trust and our reputation very seriously. That is why our priority is to develop secure software solutions and that is why we have launched the WP Cerber bug bounty program.

Main principles of the program

The WP Cerber bug bounty program applies to privately disclosed vulnerabilities only. We do not reward publicly disclosed vulnerabilities.

We do not reward vulnerabilities reported via a third party. This means the only way to get a bounty is to report a vulnerability directly to us by using the form below.

We accept a vulnerability report with a proof we can reproduce. The report must include a description of all the steps needed to reproduce the security issue. Feel free to use screenshots, video, or text files.

Qualifying vulnerabilities

Any design or implementation flaw that substantially affects the security or integrity of an end-user website is likely to be in scope for the program. Common examples include:

  • Cross-site scripting,
  • Cross-site request forgery,
  • Privilege escalation,
  • Unauthorized access,
  • Bypassing configured access restrictions,
  • Bypassing IP Access Lists restrictions,
  • Authentication or authorization flaws.

Reward amounts for security vulnerabilities

The exact reward amount depends on various factors, such as the nature and impact of the vulnerability, the risk it poses, and its exploitability.

For a critical vulnerability that meets all the requirements listed on this page, you can receive up to $1000. However, the final amount is always at our discretion, and we may choose to pay a higher reward for an unusually clever vulnerability or a lower reward for a vulnerability that requires unusual user interaction. If you are not interested in the monetary reward or cannot receive it, we offer free license keys for the professional version of WP Cerber.

Submitting your vulnerability report

Use this form to submit your report: Submit a vulnerability report

WP Cerber Security 9.5
https://wpcerber.com/wp-cerber-security-9-5/
Sat, 11 Feb 2023 14:28:15 +0000

When it comes to WordPress security, there is nothing more important than having a security vendor that continuously updates its solutions. We continue developing new features, improving WP Cerber algorithms, and fixing bugs. Get the next version of the professionally developed security plugin.

Enable automatic updates or install WP Cerber if you do not have it on your website.

Be informed whenever your plugins have updates

Be informed about plugin updates by getting a detailed email notification whenever a new version of a plugin is available. To activate the notifications, enable them in the WP Cerber notification settings. This type of notification doesn’t require a connection to any cloud servers. All data is processed locally on your website with no relation to the integrity scan.

Notifications contain information about installed and new versions of plugins, compatibility with installed WordPress, and minimum required versions of PHP and WordPress. WP Cerber will warn you if a plugin is incompatible with your WordPress or PHP. By default, notifications will be sent to the website administrator email address configured in the general WordPress settings.

The professional version of WP Cerber brings you additional features and enables you to configure advanced parameters and use SMTP. You can specify separate email addresses for plugin update notifications. If you consider installed versions and URLs as sensitive data, you can remove them from emails by selecting a brief format of notifications. You can configure the update checks with a desired interval.

Keeping your plugins updated is important for the security of your WordPress. Use these notifications along with the automatic WP Cerber malware scanner and integrity checker. To keep your WP Cerber up to date, enable automatic updates for WP Cerber.

Grant access to users’ data via REST API for selected user roles

There is an additional option for granting access to users’ data via the WordPress REST API for selected user roles. By default, WP Cerber blocks access to users’ data to prevent user enumeration. If you need users with a specific role to have access to users’ data, add the role to the list. Note that all website administrators and super administrators on a multisite WordPress installation have access to all users’ data.

Additional option for sending activity alerts

WP Cerber’s activity alerts can be sent to the email address you have on your WordPress account. You do not need to worry about changing the email. If you have updated the email address, you will keep getting alerts at the new one.

Other improvements

  • WP Cerber permanently stores users’ last login data (IP address, time, user’s country) for all users. The data is erased when the user’s personal data is erased by the website admin. See more: https://wpcerber.com/delete-personal-data/
  • To prevent an insecure plugin configuration, WP Cerber validates the required HTTP headers before enabling the “behind a proxy” mode in the WP Cerber settings. By default, WP Cerber does not extract IP addresses from HTTP headers. You can easily make sure WP Cerber correctly detects IP addresses by using this instruction: https://wpcerber.com/wordpress-ip-address-detection/

Minor changes

  • Detecting remote client IP addresses if the website is behind a proxy server has been improved.
  • Wording of new version notifications and emails has been improved.
  • The leading “Hi!” has been removed from the new version notification emails.

Fixed bugs

  • A specially formatted request can bypass the disabled redirection from /wp-admin/ locations to the custom login page.
  • The integrity scanner labels a file as “File is missing” if a folder containing the file is on the “Directories to exclude” list. The bug affects valid WordPress files, files of plugins and themes with valid checksums.
  • After clicking “Apply” and saving the “Screen Options” on the Cerber.Hub page, a blank page is displayed. This issue is caused by a bug (shortcut?) in a WordPress redirection function that relies on the optional Referer header sent by the user browser. If a browser strips request parameters from the Referer header or does not send the header at all, no proper redirection occurs and the blank page is displayed.

WP Cerber Security 9.4
https://wpcerber.com/wp-cerber-security-9-4/
Thu, 19 Jan 2023 17:30:07 +0000

This version brings a lot of small changes and improvements. We continue paying off our technical debt to improve user experience and overall stability of WP Cerber algorithms by removing dependencies on aging WordPress functions. Growth and changes are painful, but nothing is as painful as being dependent on WordPress atavistic algorithms introduced a decade ago and legacy APIs built on usage of global variables.

How to enable automatic updates for WP Cerber

Monthly activity reports

In addition to weekly reporting, WP Cerber can be configured to generate and send monthly activity reports. Depending on the configuration, the reports can be generated for the last 30 days or the previous calendar month and sent on a selected day of the month to specified email addresses. All the settings are on the “Notifications” tab.

Redirection to a page instead of generating a 404 page

Redirecting requests to a specified URL can be enabled instead of generating a 404 page when attempting to access prohibited locations on a website.

You can specify a URL of a page on your website to redirect lost users and bad actors when they are attempting to get access to locations they have no access to. For instance, it can be a sitemap page that helps legitimate users navigate your website if they entered a protected URL by mistake or due to a software error. The URL can be relative or absolute. The setting is “Access to prohibited locations” and it’s located on the “Main Settings” tab. From a security standpoint, the best option is to set it to “Display simple 404 page”.

Disabling “Remember Me” checkbox

The “Remember Me” checkbox on the WordPress login form can be disabled. The new setting is on the “Global” tab of the “User Policies” settings page. If disabled, logging-in users can no longer change the duration of their authentication sessions at will.

If “Remember Me” is not checked, the default duration of a user session is two days (48 hours); if it is checked, it is 14 days. In terms of modern account security, that is a huge period. Since most ordinary users do not know the duration of the sessions when the checkbox is checked, they have no idea what the implications of enabling it are. It’s highly advised to disable “Remember Me”. This new feature also supports WooCommerce.

Miscellaneous improvements

  1. Weekly activity reports now can be generated for the last 7 days or the previous calendar week. New setting is on the “Notifications” tab.
  2. Pursuing better user experience, we have improved the process of configuring WP Cerber features that require updating .htaccess files. Handling of situations when .htaccess files get read-only permission after changing WP Cerber settings has been improved. If a .htaccess file is non-writable, the related settings are locked. When importing settings from a file, all the checks also take place.
  3. When saving WP Cerber settings in the WordPress dashboard, the text notification “Plugin settings updated” is only shown if the settings have been changed.

Breaking changes

  1. The default period of weekly reports is the previous calendar week. In older versions of WP Cerber, the report period was the last 7 days.
  2. Disabling author archives has been improved. Access to author archives is blocked via any possible URL if “Block access to user pages via their usernames” is enabled. Additionally, links to author archives are replaced with the website home URL. Previously, access was blocked only when author archives were accessed by using usernames (logins) in a $_GET parameter.

Minor changes

  1. If the “User session expiration time” is set globally for all user roles, the “Remember Me” checkbox is hidden on the standard WordPress login form and does not affect the duration of user sessions.
  2. WP Cerber now logs all denied attempts to reset user password when a non-existing user or email has been specified.

Fixed bugs

  1. If WordPress is installed in a subfolder and the custom login page is configured, submitting the password reset form doesn’t redirect users to the page with a success message and shows “Not Found” instead.
  2. If the custom login page is configured, disabling the login language switcher has no effect on the login form and the language switcher is still displayed.
  3. On some multi-site WordPress installations, WP Cerber can produce warning messages about using the undefined UPLOADBLOGSDIR constant.
  4. If the access lists contain IPv6 addresses and the Activity log contains entries with IPv6 addresses, viewing those entries causes PHP warnings “undefined property: stdClass::$comments”.
  5. If the Pushbullet mobile notifications are enabled and the list of available devices contains inactive (removed) devices, WP Cerber produces PHP notices “Undefined index: nickname” while parsing the list.
