WordPress Security How To – WordPress security plugin, firewall & anti-spam
https://wpcerber.com, Defender, last updated Mon, 17 Apr 2023 12:45:41 +0000

Changing the location of the WP Cerber directory
https://wpcerber.com/changing-location-wp-cerber-directory/ (Sat, 25 Mar 2023 09:07:24 +0000)

WP Cerber uses its own directory to store quarantined files, diagnostic logs, and temporary files created and deleted by the integrity and malware scanner. By default, this directory is created as a hidden subdirectory within the WordPress uploads directory and is protected by an .htaccess file.

Since WP Cerber 9.5.3 you can change its location to a more secure place by using a PHP constant. To do this, you need to define the PHP constant CERBER_FOLDER_PATH in the wp-config.php file. Avoid using the functions.php file in the active theme folder for defining the constant.

Note: WP Cerber creates its directory as a subdirectory within the given path.

You have three methods to define a new location: an absolute path, a path relative to the WordPress home directory, or a traversal path above the WordPress home directory. Let’s see those methods separately.

Using an absolute path

This method is generally secure if the new location is not accessible from the internet, but it may require updating the defined path after the website has been moved. The path begins with a directory separator, which is typically ‘/’ on most WordPress hosting platforms. Here is an example:

define( 'CERBER_FOLDER_PATH', '/var/www/my-secure-path/' );

Using a traversal path relative to the WordPress home directory

It’s a recommended compromise between security and compatibility if you are going to move the website. The path starts with two dots. Here is an example:

define( 'CERBER_FOLDER_PATH', '../my-secure-path/' );

Using a path relative to the WordPress home directory

This is the least secure of the three methods, but it remains fully compatible with any new location of the website if you move it, because the directory resides within the WordPress directory. The path begins neither with a directory separator nor with two dots. Here is an example:

define( 'CERBER_FOLDER_PATH', 'my-secure-path/' );

Once you’ve defined the path, it will be shown on the Diagnostic tab in the WP Cerber Constants section.

The values of WP Cerber constants

How to move an existing WP Cerber directory

When you define the constant, an existing WP Cerber directory and its contents are not moved automatically. If you need to move the directory and keep its contents intact, follow these steps in the given order:

  1. Locate the existing WP Cerber directory. By default, it resides in the WordPress uploads folder. The name of the WP Cerber folder is displayed on the Diagnostic tab. The folder name always begins with “wp-cerber-” followed by a random string, e.g., wp-cerber-6P8QNB3U7TAWH1ZGS.
  2. Copy the entire WP Cerber directory to the new location by using a file manager in your hosting control panel or an SFTP client.
  3. Define the constant with the path to the new location.
  4. Delete the WP Cerber directory in the old location.

Final notes

It is essential to ensure that there is no direct access to the WP Cerber folder within the new path from the internet; otherwise, defining a new path makes no sense.

Make sure the defined path is not within a regularly cleaned temporary folder; otherwise you can lose your quarantined files and diagnostic logs.

Do not use the functions.php file in the active theme folder for defining the constant.
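To check where each of the three forms of CERBER_FOLDER_PATH ends up, and whether that location sits under the web document root (the condition the final notes warn about), here is an added Python example; it is not WP Cerber's own code. It assumes, as the article describes, that relative and traversal paths are resolved against the WordPress home directory (ABSPATH), and that the document root equals ABSPATH (a root install); both paths are constructed sample values.

```python
"""Resolve a CERBER_FOLDER_PATH value the way the article describes and
flag whether the result lands inside the web document root.

Added example, not WP Cerber's own code.  Assumptions: WP Cerber resolves
non-absolute paths against the WordPress home directory (ABSPATH), and the
web server's document root is the same directory as ABSPATH (root install).
"""
import posixpath


def resolve_cerber_path(value: str, abspath: str) -> str:
    """Return the absolute directory a CERBER_FOLDER_PATH value points to.

    Three forms, as in the article:
      '/var/www/my-secure-path/'  absolute path, used as-is
      '../my-secure-path/'        traversal path, relative to ABSPATH
      'my-secure-path/'           path relative to ABSPATH
    WP Cerber then creates its own wp-cerber-* subdirectory inside it.
    """
    abspath = abspath.rstrip("/")
    if value.startswith("/"):
        candidate = value
    else:
        candidate = posixpath.join(abspath, value)
    # normpath collapses '..' segments and the trailing separator
    return posixpath.normpath(candidate)


def is_inside(path: str, root: str) -> bool:
    """True if `path` is `root` itself or one of its descendants."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return path == root or path.startswith(root + "/")


def check_location(value: str, abspath: str, docroot: str) -> dict:
    """Classify a candidate location.

    Returns the resolved directory and whether a web request could reach
    it directly, i.e. whether it lies under the document root.  Inside the
    document root the directory relies on a web-server rule (such as the
    .htaccess file the article mentions); outside it no request reaches it.
    """
    resolved = resolve_cerber_path(value, abspath)
    return {
        "value": value,
        "resolved": resolved,
        "web_reachable": is_inside(resolved, docroot),
    }


if __name__ == "__main__":
    ABSPATH = "/var/www/html/"   # constructed example WordPress home directory
    DOCROOT = "/var/www/html"    # assumed document root (root install)
    for v in ("/var/www/my-secure-path/", "../my-secure-path/", "my-secure-path/"):
        r = check_location(v, ABSPATH, DOCROOT)
        print(f"{r['value']:28} -> {r['resolved']:32} web_reachable={r['web_reachable']}")
```

A result with web_reachable=True means the directory is only shielded by a web-server rule such as the .htaccess file the article mentions, which nginx does not process; the traversal or absolute form avoids that dependency.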

How to enable automatic updates for WP Cerber
https://wpcerber.com/automatic-updates-for-wp-cerber/ (Sat, 12 Nov 2022 18:34:10 +0000)

Starting from WP Cerber 9.2, you can enable automatic plugin updates in just a few clicks. If you are using an older version of WP Cerber, please follow these simple steps to update the plugin: https://wpcerber.com/installation/

To enable automatic updates for WP Cerber, you need to enable two settings; each is described in more detail below.

  1. Enable “Use WP Cerber’s plugin repository” on the “Main Settings” tab and save the settings.
  2. Go to the “Plugins” admin page and click the “Enable auto-updates” link located in the WP Cerber row next to the plugin description.

Step 1. Enable using the WP Cerber plugin repository

Click “WP Cerber” in the admin menu of your WordPress dashboard. Go to the “Main Settings” tab. Scroll down to the “Site-specific settings” section. Enable “Use WP Cerber’s plugin repository” and save the settings. From now on, if a newer version of WP Cerber is available to install, you will see a prompt announcing this version on the “Plugins” admin page. You can click the “update now” link to update the plugin. Note that if a new version is available to install from the wordpress.org plugin repository, it is installed from there: the plugin version from the wordpress.org plugin repository has priority over the version from the WP Cerber repository.

Enable WP Cerber plugin repository

Step 2. Enable automatic updates for WP Cerber

Once you have enabled using WP Cerber’s plugin repository, you can enable automatic updates for WP Cerber on the “Plugins” admin page. To enable them, click “Enable auto-updates” in the WP Cerber row next to the plugin description.

Enabling automatic updates for the WP Cerber WordPress plugin

How to view spam form submissions
https://wpcerber.com/how-to-view-spam-form-submissions/ (Fri, 11 Jun 2021 09:50:35 +0000)

If you’ve enabled WP Cerber’s anti-spam protection, the engine protects all or selected forms on your WordPress-powered website and denies attempts to submit spam. But how can you see the submitted form data when a submission was identified as spam? You can, by using the Traffic Inspector logging capabilities.

Enable the logging

First of all, make sure that traffic logging is properly enabled in the Traffic Inspector settings.

  1. “Logging mode” is not set to “Logging disabled”
  2. “Save request fields” is enabled

Now, when a form is submitted, all the form fields are saved to the Traffic Inspector log and can be viewed on the Live Traffic log page by clicking “Details” in the appropriate row.

View submitted forms

To view all submitted forms, go to the Live Traffic log page and click the small “Form submissions” button. To view submitted form fields, hover the mouse over the row and click the “Details” link. Note that it shows you all form submissions, including the WordPress comments form. To view forms denied as spam, use the advanced search.

Viewing submitted form fields in the Traffic Inspector log

Viewing spam form submissions only

To view all denied spam form submissions, click the “Advanced Search” button, select “Spam form submission denied” in the “Activity” field, and click the “Search” button under the search form. You will see all logged and denied spam form submissions.

Filtering out spam form submissions using the advanced search

Prevent saving sensitive data to the log

If a form field is intended to submit sensitive or personal data, you can disable saving data from that field by adding the name of the form field to the “Mask these form fields” list. From then on, before form fields are saved to the log, the real values of those fields are replaced with asterisks. Hint: field names are shown in the “Form Fields” sections in the Traffic Inspector log.
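As an added illustration (not WP Cerber's code) of what masking does to a submission before it is logged, the Python snippet below replaces the values of listed field names with asterisks. It assumes field names are matched case-insensitively and that a masked value becomes a fixed run of asterisks; the article only states that values are replaced with asterisks. The submission and the field names are constructed.

```python
"""Mask sensitive form fields before they are written to a traffic log,
in the spirit of WP Cerber's "Mask these form fields" setting.

Added example, not WP Cerber's own code.  Assumptions: field names are
matched case-insensitively, and a masked value becomes a fixed run of
asterisks (the article only says values are replaced with asterisks).
"""
from typing import Any, Dict, Iterable

MASK = "********"


def mask_form_fields(fields: Dict[str, Any], masked_names: Iterable[str]) -> Dict[str, Any]:
    """Return a copy of `fields` in which the value of every field named in
    `masked_names` is replaced by MASK.  Multi-valued fields (lists, as a
    checkbox group produces) are masked element by element so the log still
    shows how many values were submitted.  Blank entries in the list are
    ignored, as a settings field with stray empty lines would have."""
    targets = {name.strip().lower() for name in masked_names if name.strip()}
    out: Dict[str, Any] = {}
    for name, value in fields.items():
        if name.lower() in targets:
            out[name] = [MASK] * len(value) if isinstance(value, list) else MASK
        else:
            out[name] = value
    return out


# Constructed sample submission, shaped like a contact form's POST fields
SUBMISSION = {
    "your-name": "Jane Doe",
    "your-email": "jane@example.com",
    "card_number": "4111111111111111",
    "interests": ["news", "offers"],
    "message": "Please call me",
}

if __name__ == "__main__":
    # "Card_Number" deliberately differs in case from the submitted name
    for k, v in mask_form_fields(SUBMISSION, ["your-email", "Card_Number", ""]).items():
        print(f"{k:12} {v}")
```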

Read more about handling personal data in the logs in these articles: Deleting personal data from the logs and Exporting personal data from the logs.

Strong login security with WP Cerber
https://wpcerber.com/wordpress-login-security/ (Sat, 06 Mar 2021 20:58:54 +0000)

It’s no secret that bad actors can break into a newly installed WordPress within a few minutes by mounting a brute-force attack. It’s possible because WordPress has no built-in attack mitigation mechanisms, the default login URL is well known, and the username of a website’s admin can be discovered with ease. WP Cerber brings all the necessary tools to mitigate brute-force attacks and safeguard user accounts.

Configuring WP Cerber’s login security settings

The login security settings are located on the Main Settings tab. Here you can configure the limits on login attempts, restrict access to wp-login.php, and configure the error messages so that they do not reveal whether a username or email exists when a login attempt uses a non-existing one.

Limiting login attempts to mitigate brute-force attacks

The default and recommended settings for limiting login attempts are highlighted as #1 on the screenshot. These settings were set when you activated WP Cerber. If you have many customers on the website, for instance, you run a WooCommerce store, it makes sense to increase the limit on login attempts.

WordPress Login Security – WP Cerber Settings

Processing wp-login.php authentication requests

See selection #2. By default, WordPress uses wp-login.php as the website login page; it processes all user logins and also provides the registration form and the password reset form. If you have configured the Custom login URL, it is recommended to disable wp-login.php. You have two options: you can completely block access to wp-login.php and make the file inaccessible to anyone, or you can disable user authentication through wp-login.php without blocking access to the file. Either option will do; both prevent user authentication via wp-login.php.

When the first option is enabled, WP Cerber renders and returns the “404 Page Not Found” error page as if there were no such file on the website. Thus, bad actors have nothing to attack.

When the second option is enabled, WP Cerber prevents any user authentication even with correct usernames and passwords. This means nobody is able to log in using wp-login.php. After an attempt to log in via wp-login.php, WP Cerber shows the default incorrect password error message mimicking the standard WordPress authentication process. Using this approach helps WP Cerber to detect slow brute-force attacks by using wp-login.php as a detection honeypot. All attempts to log in via wp-login.php are logged to the WP Cerber activity log, as shown on the screenshot below.

WP Cerber denies attempts to log in via wp-login.php and logs such events with the Forbidden URL label

Prevent bad actors from discovering real usernames and customers’ emails

The default login and password reset error messages generated by WordPress are quite verbose and help hackers detect real usernames and emails to use them for mounting brute-force or social engineering attacks.

Disable the default login error message

When enabled, the login error messages do not indicate invalid usernames and emails when attempting to log in with non-existing ones. Instead, WP Cerber displays the default WordPress error message used when a user enters an incorrect password. This helps prevent bad actors from guessing valid usernames and emails. This approach is also known as disabling login hints.

The professional version of WP Cerber enables you to specify your own login error message using the Custom login error message setting field.

Disable the default reset password error message

When enabled, the password reset error messages do not indicate invalid usernames and emails when attempting to reset the password for a non-existing username or a non-existing email. Instead, WP Cerber mimics the default process of resetting passwords and displays the following message whenever users enter valid or non-existing usernames and emails.

The new WordPress password reset message generated by WP Cerber Security

This approach helps prevent bad actors from guessing valid usernames and is known as disabling password reset hints.

The professional version of WP Cerber enables you to specify your own password reset error message using the Custom login error message setting field.

Note that all features described above do not apply to the IP addresses in the White IP Access List.

Removing malware without paying a dime
https://wpcerber.com/removing-malware-diy/ (Wed, 03 Feb 2021 17:02:42 +0000)

If you found your website infected with malware, you have many options to remove it. Most of them are paid, but one of them is free. It’s free if you are willing to do it by yourself following this guide.

It is important to note that this approach will help you remove many types of WordPress malware but may fail in the case of a complex infection or if the malware resides in the HTML content of your website. Some malware can be removed by a cybersecurity expert only. Based on our statistics, about 50% of modern malware can be removed manually with no expert knowledge, which means it is worth trying.

The approach is provided without warranty of any kind, either express or implied. Use at your own risk.

How to remove malware manually

  1. Change passwords for all admin accounts on the website.
  2. Reinstall (restore) WordPress files.
  3. Remove all inactive plugins and themes.
  4. Reinstall all commercial plugins and themes by unpacking freshly downloaded versions from the vendor websites you’ve bought them on. Do not deactivate plugins or themes, and do not delete existing files. You need to unpack an archive with a plugin or theme and overwrite existing files by using FTP or a file manager in your hosting control panel.
  5. Reinstall all free plugins and themes by unpacking freshly downloaded versions from the wordpress.org repository. Do not deactivate plugins or themes, and do not delete existing files. You need to unpack an archive with a plugin or theme and overwrite existing files by using FTP or a file manager in your hosting control panel.
  6. Install the free version of the WP Cerber plugin from wordpress.org.
  7. Run the integrity checker and malware scanner. Once the scan is completed, delete all unattended files in the results of the scan.
  8. Remove all “nulled” plugins and themes (GPL versions of commercial software) since, in many cases, their code has been altered and contains malware.

Read more: What to do if your WordPress site has been hacked.

Optimizing export performance
https://wpcerber.com/optimizing-export-performance/ (Sat, 25 Jan 2020 14:17:59 +0000)

If you come across an issue with exporting a large number of activity events or traffic log entries and are unable to download the CSV file, you can tweak the plugin export mechanism.

When WP Cerber creates an export file, it does it in several iterations, meaning it splits all the rows retrieved from the database into chunks. By default, the size of the chunks is set to 1000 rows. You can change this size to any value by specifying a PHP constant in the wp-config.php file. To do this, add the following line to the beginning of the wp-config.php on the next line after <?php.

define( 'CERBER_EXPORT_CHUNK', 2000 );

You can try increasing or decreasing the value; the optimal value depends on the server configuration. The bigger the number, the more server memory is consumed and, typically, the less time the export takes to complete. The optimal value is therefore a compromise between the amount of data the server can process in a single database request and the configured limit on PHP execution time. You can raise it to any reasonable value if your web server is capable of handling it.

PHP settings you might need to increase

When WP Cerber creates an export file, it tries to allocate additional resources by changing default PHP settings, which you normally don’t need to change manually. However, on some hosting platforms this is blocked by server policies, and the only option you have is to set them manually in the php.ini file.

  1. You can control the amount of time PHP allows a script to execute by changing the max_execution_time directive in your php.ini file. The standard value is 30 seconds. Try setting it to 60 seconds.
  2. By changing the memory_limit directive, you can control the amount of memory a PHP script can consume. The normal value is 256 MB. A good value is 512 MB.
How to safely reinstall WordPress
https://wpcerber.com/how-to-re-install-wordpress/ (Wed, 15 Jan 2020 08:44:42 +0000)

Reinstalling WordPress is useful if some files were altered or are missing; it’s a safe way to fix security issues with WordPress files.

In the vertical WordPress admin menu click “Dashboard”, then the “Updates” submenu. It takes you to the “WordPress Updates” admin page as shown below.

Click the “Re-install Now” button. This will start the process of downloading and updating WordPress files. The process is safe and doesn’t affect website data. Usually, it takes up to several minutes.

Updating WordPress

The professional version of WP Cerber Security automatically repairs altered or infected WordPress files. Read more: Automatic cleanup of malware and file recovery.

How to block a WordPress user
https://wpcerber.com/how-to-block-wordpress-user/ (Sun, 16 Dec 2018 14:18:46 +0000)

In this post, we explain how to disable a WordPress user account without deleting it. You can do it with WP Cerber Security in a few clicks.

Once a user is blocked, the user will not be able to log into the website. If you block a logged-in user, the user will be automatically logged out and redirected to the home page of the website.

You can block users on the user profile page (Edit User page), on the All Users page and on the user Sessions tab on the WP Cerber dashboard. You can optionally specify a message to be displayed when the user will try to log in. The message can be added on the user edit page and can be changed at any time later.

By the way, you can also block a user in a somewhat cruder way using a list of prohibited logins.

To block a WordPress user with a message

  1. Go to the Users admin page
  2. Find the user you want to block
  3. Click the Edit link to open the user profile page
  4. Click the Block User checkbox
  5. Enter an optional message for the user. If you leave this field empty, the default message “You are not allowed to log in” will be shown to the user if she/he tries to log in.
  6. Click the Update User button at the bottom of the page

Blocking a WordPress user on the user profile page

Note: If you use a heavily customized login form, the user message might not be displayed.

To block WordPress users in bulk

  1. Go to the Users admin page
  2. Find users you want to block and check appropriate checkboxes in the Username column
  3. Select “Block” from the Bulk Actions drop-down list above the table
  4. Click the Apply button

To block currently logged in WordPress users

  1. Go to the WP Cerber Dashboard and click the Sessions tab
  2. Find users you want to block and check appropriate checkboxes in the User column
  3. Select “Block user” from the Bulk Actions drop-down list above the table
  4. Click the Apply button

Managing blocked user accounts

On the Users admin page, you can easily filter out and manage blocked users. All blocked users are tagged with a red BLOCKED tag in the Username column. To filter out all blocked users click the Blocked Users link. To view the user activity log, click the date in the Last login column.

Blocked WordPress Users in the Dashboard

To unblock a user

  1. Go to the Users admin page
  2. Find the user you want to unblock
  3. Click the Edit link to open the user profile page
  4. Uncheck the Block User checkbox
  5. Click the Update User button at the bottom of the page


Restrict access to the WordPress REST API
https://wpcerber.com/restrict-access-to-wordpress-rest-api/ (Thu, 22 Mar 2018 08:01:02 +0000)

WP Cerber Security allows you to restrict or completely block access to the WordPress REST API, which is enabled by default. To enable protection, go to the Hardening tab and enable Block access to WordPress REST API except any of the following. This blocks access to the REST API unless you grant access to it in the settings fields below or add an IP to the White IP Access List.

Restrict access to WordPress REST API

If you use Contact Form 7, Jetpack or another plugin that makes use of REST API, you need to whitelist its REST API namespaces as described below.

Permit access to a specific REST API namespace

A REST API namespace is a part of a request URL that allows WordPress to recognize what program code processes a certain REST API request. To get the namespace, take a string between /wp-json/ and the next slash in the REST URL. Every plugin that utilizes REST API uses its own unique namespace. The table below shows namespaces for some plugins.

Plugin           Namespace
Contact Form 7   contact-form-7
Caldera Forms    cf-api
Yoast SEO        yoast
Jetpack          jetpack

Specify namespace exceptions for REST API if it’s needed as shown on the screenshot
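The rule above (take the segment between /wp-json/ and the next slash) is simple enough to script. The following added Python example, not part of the article or of WP Cerber, extracts the namespace from REST URLs copied from a browser's network tab or a web server access log, also for subdirectory installs, and collects the set of namespaces you would enter as exceptions. The URLs are constructed; the plugin namespaces match the table above.

```python
"""Extract the REST API namespace from a WordPress REST URL, following the
rule in the article: the segment between /wp-json/ and the next slash.

Added example, not WP Cerber's own code.  The URLs below are constructed;
the plugin namespaces match the table in the article.
"""
from typing import Iterable, List, Optional
from urllib.parse import urlsplit


def rest_namespace(url: str) -> Optional[str]:
    """Return the namespace of a /wp-json/ REST URL, or None if it is not one.

    Works for subdirectory installs (/blog/wp-json/...) because it looks for
    the first '/wp-json/' segment anywhere in the path, and ignores the query
    string and fragment.
    """
    path = urlsplit(url).path
    marker = "/wp-json/"
    idx = path.find(marker)
    if idx == -1:
        return None
    rest = path[idx + len(marker):]
    namespace = rest.split("/", 1)[0]
    return namespace or None


def namespaces_to_allow(urls: Iterable[str]) -> List[str]:
    """Deduplicated, sorted list of namespaces seen in a batch of URLs, i.e.
    the candidates for WP Cerber's REST API namespace exception field.  Review
    the list before entering it: only namespaces of plugins you rely on
    belong there."""
    found = {ns for ns in map(rest_namespace, urls) if ns}
    return sorted(found)


# Constructed sample requests, as they would appear in an access log
SAMPLE_URLS = [
    "https://example.com/wp-json/contact-form-7/v1/contact-forms/12/feedback",
    "https://example.com/blog/wp-json/jetpack/v4/module/all",
    "https://example.com/wp-json/yoast/v1/configuration/site_representation?_locale=user",
    "https://example.com/wp-json/cf-api/v2/forms",
    "https://example.com/wp-json/wp/v2/posts",        # WordPress core namespace, not a plugin
    "https://example.com/wp-admin/admin-ajax.php",    # not a REST URL at all
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{str(rest_namespace(u)):16} {u}")
    print("namespace candidates:", namespaces_to_allow(SAMPLE_URLS))
```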

Permit your users to use REST API

Enable Allow REST API for logged in users if you want to allow using REST API for any authorized (logged in) WordPress user without limitation.

Restrict access to WordPress REST API by IP addresses

To permit access to REST API from a specific IP address or an IP network add them to the White IP Access List.

To completely block access to REST API from a specific IP address or an IP network add them to the Black IP Access List.

Read more: Using IP Access Lists to protect WordPress

How to stop REST API user enumeration

To block access to users’ data and to stop user enumeration via REST API you need to enable the Block access to users’ data via REST API setting on the Hardening tab. This security feature is designed to detect and prevent hackers from scanning your site for user logins and sensitive users’ data.

When it’s enabled, WP Cerber blocks all such requests to the REST API and returns an HTTP 403 error. You can monitor such events on the Activity tab. They are logged as “Request to REST API denied”.

Access to users’ data via WordPress REST API is always granted in two cases:

  1. For administrator accounts, meaning if “Stop user enumeration” via REST API is enabled, all users with the administrator role always have access to users’ data
  2. For all IP addresses in the White IP Access List

What is REST API?

In a nutshell, it’s a technology that allows two different pieces of code (applications) to talk to each other and exchange data in a standardized way. The REST API enables developers to create, read and update WordPress content from external applications running on a remote computer or another website. The WP REST API is enabled by default starting from WordPress version 4.7.0.

Read more: Why it’s important to restrict access to the WP REST API

Developers documentation: https://developer.wordpress.org/rest-api/

Did you know that you can manage REST API settings on any number of websites remotely? Enable the main website mode on the main Cerber.Hub website and the managed website mode on your other websites to manage all WP Cerber instances from one dashboard.


What’s Cerber Security, anyway? It’s a complete security solution for WordPress which evolved from a simple yet effective limit login attempts plugin.


How to stop spam user registrations on your WordPress
https://wpcerber.com/how-to-stop-spam-user-registrations-wordpress/ (Mon, 12 Mar 2018 11:41:15 +0000)

Enable an antispam engine for the registration form

The fastest way to stop spammers is to enable the antispam engine for the WordPress registration form. To enable protection:

  1. Go to the Antispam plugin admin page
  2. Enable Protect registration form with bot detection engine in the Cerber antispam engine section
  3. If you have a separate, non-standard registration form or a membership plugin, enable Protect all forms on the website with bot detection engine
  4. Click the Save Changes button

Change the default registration and login URL

The next thing you need to do is to change the default WordPress registration URL to a custom one. That allows you to block automated spam attacks. Follow this guide: Custom login and registration URL for WordPress.

Set the limit on user registrations from one IP address

The third step is to set the limit to the number of user registrations from one IP address. By default, three user accounts are allowed to be registered from one IP address within one hour. This feature is available in Cerber Security Pro.

  1. Go to the plugin admin Dashboard
  2. Click on the Users tab
  3. Enter appropriate values in the Registration limit fields

Block new user registrations from specific countries with GEO rules

The country-based GEO rules enable you to set a list of countries from which users are permitted to register on your WordPress. If you want to get new users from your country only, this is the right way. GEO rules are available in Cerber Security Pro. To create the list of countries:

  1. Go to the Security Rules admin page and click the Countries tab
  2. Click Register on the website.
  3. Create a list of countries by clicking on the country name in the left window. Selected countries are listed in the right window.
  4. Once you’ve created the list, set its type. If you want to permit new user registrations from the selected list of countries, click Selected countries are permitted to register on the website, other countries are not permitted to. Otherwise, if you want to block registrations, click the second option Selected countries are not permitted to Register on the website, other countries are permitted to.
  5. Click the Save all rules button.

Block user registrations on WordPress from specific countries with GEO rules

Enable reCAPTCHA for the WordPress registration form

Last but not least, you can enable reCAPTCHA for the WordPress registration form. Before you can start using reCAPTCHA on the website, you have to obtain a Site key and a Secret key on the Google website. To get the keys, you need a Google account. Register your website and get both keys here: https://www.google.com/recaptcha/admin

Read more: How to set up reCAPTCHA for WordPress and WooCommerce registration, reset password and login forms.

How to protect a contact form on your WordPress

The Cerber antispam and bot detection engine is capable of protecting virtually all contact forms on a website. It has been tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms and WooCommerce forms.

Follow this guide: How to stop spam form submissions on your WordPress.

