WordPress Security – WordPress security plugin, firewall & anti-spam
https://wpcerber.com
Tue, 05 Sep 2023 21:34:05 +0000

WP Cerber Bug Bounty Program
https://wpcerber.com/bug-bounty-program/
Sat, 04 Mar 2023 12:57:00 +0000

Our customers trust us to protect their websites, and we are deeply committed to maintaining a secure and trustworthy approach to website protection. We take this trust and our reputation very seriously. That is why our priority is to develop secure software solutions and that is why we have launched the WP Cerber bug bounty program.

Main principles of the program

The WP Cerber bug bounty program applies to privately disclosed vulnerabilities only. We do not reward publicly disclosed vulnerabilities.

We do not reward vulnerabilities reported via a third party, which means the only way to get a bounty is to report a vulnerability directly to us by using the form below.

We accept a vulnerability report with a proof we can reproduce. The report must include a description of all steps needed to reproduce the security issue. Feel free to use screenshots, video, or text files.

Qualifying vulnerabilities

Any design or implementation flaw that substantially affects the security or integrity of an end-user website is likely to be in scope for the program. Common examples include:

  • Cross-site scripting,
  • Cross-site request forgery,
  • Privilege escalation,
  • Unauthorized access,
  • Bypassing configured access restrictions,
  • Bypassing IP Access Lists restrictions,
  • Authentication or authorization flaws.

Reward amounts for security vulnerabilities

The exact reward amount depends on various factors, such as the nature and impact of the vulnerability, the risk it poses, and its exploitability.

For a critical vulnerability that meets all the requirements listed on this page, you can receive up to $1000. However, the final amount is always at our discretion, and we may choose to pay a higher reward for an unusually clever vulnerability or a lower reward for a vulnerability that requires unusual user interaction. If you are not interested in the monetary reward or cannot receive it, we offer free license keys for the professional version of WP Cerber.

Submitting your vulnerability report

Use this form to submit your report: Submit a vulnerability report

WP Cerber Software Repository
https://wpcerber.com/cerber-sw-repository/
Sat, 03 Sep 2022 16:01:01 +0000

We have launched our own software repository as a part of our contingency plan to ensure an uninterrupted software update process for our customers.

What is it?

The WP Cerber software repository is our special website where we publish updates to our plugins and add-ons, allowing our customers to update them from within the WordPress dashboard in a hassle-free way, either automatically or with manual approval.

How it works

The repository is supported and enabled by default since WP Cerber version 9.2. You can update the plugin manually by clicking the “update now” link on the “Plugins” admin page, or automatically, depending on the configuration of your website. Technically, it works as a fallback for the wordpress.org repository, meaning that if a newer version of the plugin is available in the wordpress.org repository, the plugin is installed from there. The use of the repository can be disabled in the main WP Cerber settings.

How to enable automatic updates

Please read this guide: How to enable automatic updates for WP Cerber

Is it safe?

The plugin updates we upload to our repository are the same ones we upload to the wordpress.org plugin repository. It is the software we are proud of and are responsible for. All files are located on a dedicated server disk with read-only access from the Internet. Code and script execution is disabled on this disk. We do not install third-party software on our servers other than open source.

The only official WP Cerber repository URL is: https://downloads.wpcerber.com

Why did we do that?

Like other plugin developers, we, believe it or not, have no control over the plugin updates we upload to wordpress.org. At any given time, a plugin can become a “persona non grata” because the internal wordpress.org repository rules have suddenly changed, and the developer must rewrite the plugin code to meet new requirements. If they fail to do that swiftly, the plugin will be temporarily closed. We, on the contrary, believe our customers must have the ability to get software updates in any circumstances. This is especially true for security updates. This is our first goal.

The next goal on our roadmap is to provide continuous deployment of small software updates and new add-ons. Having flexible settings, our customers will be able to install and update our software according to their needs, schedule, and preferences.

Update to the Cloudflare add-on
https://wpcerber.com/cloudflare-add-on-1-2/
Thu, 12 May 2022 22:35:21 +0000

This update brings compatibility with WP Cerber 9.0. Previous versions of the add-on are not compatible with WP Cerber 9.0 or newer due to a bug that generates a fatal PHP error.

Download the add-on using this link: https://my.wpcerber.com/downloads/wp-cerber-cloudflare-addon.1.2.zip

Read more: Cloudflare add-on for WP Cerber.

Managing WordPress application passwords a hassle-free way
https://wpcerber.com/wordpress-application-passwords-how-to/
Wed, 13 Jan 2021 08:49:06 +0000

Using application passwords as a security measure was introduced in WordPress 5.6. This feature enables you and your users to generate and use separate passwords for accessing website APIs such as the REST API. The WP Cerber plugin brings a set of tools to manage application passwords in an effective and secure way. In this article, we will also show you how to monitor the usage of application passwords and how to be notified when a user creates one.

We have to control application passwords

Although using application passwords brings an additional security barrier, the default WordPress implementation of application passwords is minimalistic and has the following issues.

  • Application passwords have no protection against brute-force attacks
  • We have no ability to disable or enable passwords for a specific user role
  • Standard, interactive user passwords can still be used to access website APIs
  • We have no control over the use of passwords due to a lack of logging

Disabling application passwords

If you want to disable application passwords on your WordPress completely, set the “Application Passwords” setting to “Disabled.” This setting is located under the “User Policies” admin menu on the “Global” tab. Once it’s activated, users will no longer be able to create new passwords and use any of the passwords that were generated earlier. For advanced management, please read the rest of the article.

Use WP Cerber to manage application passwords

All the settings are located under the “User Policies” admin menu. To configure the use of application passwords for all users on your website, switch to the “Global” tab. To configure the setting for each user role separately, switch to the “Role-Based” tab. The settings configured for a role have a higher priority.

The WP Cerber setting you need to configure is named “Application Passwords”.

Managing WordPress application passwords with WP Cerber

The default value of the setting permits the use of application passwords the way it’s implemented in WordPress. This means both traditional passwords (those that users use to log into your website via a login form) and application passwords can be used when accessing website APIs. The setting in this case is “Enabled, access to API using standard user passwords is allowed”.

A more secure, advanced, and recommended way of using application passwords is to permit access to website APIs by using application passwords only. In this case, traditional interactive passwords cannot be used when accessing website APIs, even if the specified one is valid. Any attempt to get access to APIs will be denied. To achieve this, select “Enabled, no access to API using standard user passwords”.

The last, straightforward way of dealing with application passwords is to disable them by setting the option to “Disable”.

Configure settings for a specific user role

All the settings configured for a role have a higher priority than the global ones. So you can disable using application passwords globally for all users and enable them for a specific role only.

The default value for all roles is to use global settings configured on the “Global” tab. In the role settings, this option is named “Use global policies”. This means the role’s setting inherits all the changes made to the global settings.

If you select any option other than “Use global policies”, the selected option takes effect for the role instead of the setting configured on the “Global” tab.

Note: the role-based settings are available in the professional version of WP Cerber.

How to monitor application password usage

WP Cerber adds two new columns to the lists of users’ application passwords on their profile pages in the WordPress dashboard. Using the links in those columns, you can check the Activity log. The links in the “Authorized” column take you to all logged events of the user using application passwords. The links in the “Authorization Failed” column take you to all failed attempts to use website APIs when the user’s username or email was in use.

Monitoring the usage of application passwords with WP Cerber

How to get notified when a user creates a new password

On the Activity log admin page, you can enable sending an email or a mobile notification when any user or a specified one creates a new application password. Go to the Activity log, select “User application password created” from the first select above the table and click Filter. Now, to enable notifications, you need to click the “Create Alert” button on the right. To configure the email address or the mobile device for notifications, switch to the “Notifications” tab.

Please read more on how to configure any notification you need: WordPress notifications made easy.

How to restrict access to REST API and XML-RPC

WP Cerber offers several options to restrict access and you can configure any combination of them. You can block access to these APIs completely by disabling them; you can permit or block access to these APIs from specific IP addresses by using IP Access Lists. Additionally, you can permit access to REST API for specific roles or to specific namespaces only. By configuring country-based access rules, you can permit or deny access to REST API or XML-RPC by a list of countries.

How to limit the number of concurrent user sessions in WordPress
https://wpcerber.com/limiting-concurrent-user-sessions-in-wordpress/
Sun, 13 Dec 2020 10:39:04 +0000

By default, WordPress has no limits applied to the number of concurrent sessions a user may create. This may pose a risk of compromising user security and personal data leakage.

The professional version of WP Cerber enables you to enhance user accounts’ security by configuring a limit to the number of concurrent user sessions a user may have open. You can configure the limits for each user role separately.

How to configure concurrent user session limits

  1. Go to the User Policies configuration page
  2. Select the role you want to configure the limits for
  3. Specify the desired number in the Number of allowed concurrent user sessions setting field
  4. Set the desired policy for When the limit on concurrent user sessions is reached

Configuring the limits to the number of concurrent user sessions in WordPress

How to limit concurrent user sessions with two-factor authentication

  1. Go to the User Policies configuration page
  2. Select the role you want to configure the limits for
  3. For Two-factor authentication select “Advanced mode”
  4. Specify the desired number in the If the number of concurrent user sessions is greater setting field. This number must be smaller than the number specified in Number of allowed concurrent user sessions. The number of active user sessions is calculated including the new user session. So if you specify 1, the second one and all further attempts to log in will require a user to complete the 2FA verification process.

Configuring the limits to the number of concurrent user sessions in WordPress with two-factor authentication

Read more on how to configure two-factor authentication for WordPress.

How to disable limiting

If you leave a configuration field empty or specify 0 (zero), the limiting feature is not active.

How to monitor user activity

Once you’ve configured the limits, you can monitor related events on the Activity log page. Depending on your settings, WP Cerber logs the following events.

  • Attempt to log in denied (Limit on concurrent user sessions). This event means the user has reached the limit and any further attempts to log in are denied.
  • User session terminated (Limit on concurrent user sessions). This event means the user has reached the limit and the oldest user’s session has been terminated by WP Cerber allowing the user to log into the website with a new session.
  • Two-factor authentication enforced. This event means the number of concurrent user sessions has become greater than the limit, which initiates 2FA for new logins.

The bottom line

Limiting the number of concurrent user sessions brings the following advantages:

  • Reducing the risk of personal data leakage through abandoned sessions
  • Reducing the risk of compromising user accounts by reusing credentials across multiple computers
  • Stopping your users from sharing their WordPress usernames, passwords, and accounts

At the same time, all the features described in this article have nothing to do with and do not replace the limit login attempts feature. Limiting the number of concurrent user sessions is an additional security measure enabling you to get a professional-grade defense of your WordPress.

WordPress 5.4.1. A security update fixes seven XSS vulnerabilities
https://wpcerber.com/wordpress-5-4-1-security-update/
Thu, 30 Apr 2020 06:00:35 +0000

Here we go. Multiple serious security issues affect WordPress versions 5.4 and earlier. Those issues include seven XSS vulnerabilities that have existed for years in the WordPress core.

Because this is a security release, it is recommended that you update your websites immediately, along with any security plugin you have.

Here is the list of fixed vulnerabilities as they are listed on wordpress.org.

  • Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated
  • Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated
  • Props to Evan Ricafort for discovering an XSS issue in the Customizer
  • Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue in the search block
  • Props to Nick Daugherty from WordPress VIP / WordPress Security Team who discovered an XSS issue in wp-object-cache
  • Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads.
  • Props to Weston Ruter for fixing a stored XSS vulnerability in the WordPress customizer.

The source: https://wordpress.org/news/2020/04/wordpress-5-4-1/

Cloudflare add-on for WP Cerber
https://wpcerber.com/cloudflare-add-on-wp-cerber/
Mon, 30 Mar 2020 08:00:48 +0000

This optional add-on brings an additional security measure for your WordPress by providing integration with the Cloudflare cloud-based firewall. When enabled, it adds and removes IP addresses blocked by WP Cerber to and from the Cloudflare IP Access Rules continuously. This prevents malicious IP addresses from accessing the entire website at the network level. To use the add-on, you need to have a free or paid Cloudflare account and WP Cerber 8.6 or newer.

When to use the Cloudflare add-on

  • If you already have a Cloudflare account and use the Cloudflare firewall to protect your website
  • If your website permanently suffers numerous cyber attacks and you’d like to reduce the burden on the server

Don’t forget about the following drawbacks: the necessity to delegate the domain to Cloudflare’s nameservers and your SSL certificate to Cloudflare’s webservers; plus, you have to accept the necessity to process your private data and personal data of your customers on Cloudflare’s webservers in unencrypted form.

Warning: this add-on is not recommended for beginners. You can easily lock yourself out or block your users.

How to install the add-on

The add-on is a standard WordPress plugin and is available to download for free from our website. Follow the instructions at the end of this page. Once you’ve activated the plugin, you get the following settings page. By default, all operations are disabled. Note: the add-on requires the WP Cerber setting “Load security engine” to be set to “Standard mode.”

Syncing IP addresses blocked by WP Cerber

When enabled, the list of locked out IP addresses is continuously monitored, and Cloudflare IP Access Rules are kept in sync with the list. Once an IP address is locked out, it is completely blocked from accessing an entire website because it’s added to the Cloudflare firewall. Without using the add-on, a blocked IP address has read-only access to the website. If you accidentally block your IP address, see the instruction below.

Some lockouts are not synced

In the following cases, locked out IP addresses are not synced and are not blocked by the Cloudflare firewall: a user is logged-in, a remote host produces erroneous requests such as 404 Page Not Found, the limit on login attempts has been reached for the first time, Googlebot requests originating from the googlebot.com domain.

Note: We intentionally do not implement syncing of subnet lockouts. If you use the add-on to sync Cerber’s lockouts, WP Cerber’s “Block subnet” setting (“Always block entire subnet Class C of intruders IP”) must be disabled.

Syncing IP Access Lists

When enabled, all changes in the WP Cerber’s IP Access Lists are one-way synchronized with Cloudflare IP Access Rules. For instance, if you add the 192.168.1.0/24 network to the Black IP Access List, no computers from this network have access to your website. If you accidentally block your IP address, see the instruction below.

The Cloudflare firewall has limited capabilities, though. Keep in mind that unlike WP Cerber, Cloudflare doesn’t support arbitrary IP ranges or CIDR networks. It supports only single IP addresses and classful networks of classes A, B, and C. So if you add a network other than a class A, B, or C network to an access list, the network will not be added to the Cloudflare firewall and remains a local entry fully processed by WP Cerber.

Note that it’s a one-way synchronization. If you make changes to access rules on the Cloudflare website, Cloudflare does not send them to WP Cerber.

Also note that currently, the add-on doesn’t sync existing entries in the Access Lists that were added/deleted before ACL syncing has been enabled.
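The rule above can be checked before you rely on the edge firewall. The following sketch is an added example, not code from WP Cerber or the add-on: it sorts access list entries into those that would be mirrored to Cloudflare and those that stay local. It assumes “classful” means the prefix lengths /8, /16 and /24, that ranges are written as `first-last`, and that all sample entries are constructed.

```python
import ipaddress

# Prefix lengths of class A, B and C networks, which the article says are the
# only networks Cloudflare accepts (assumption: the prefix length alone decides).
CLASSFUL_PREFIXES = {8, 16, 24}

# Constructed sample of IP Access List entries (documentation/private ranges).
SAMPLE_ACL = [
    "192.168.1.0/24",         # class C sized network
    "203.0.113.7",            # single address
    "10.0.0.0/8",             # class A sized network
    "172.16.0.0/12",          # CIDR network that is not A, B or C
    "198.51.100.0/25",        # half of a class C network
    "192.0.2.10-192.0.2.50",  # arbitrary range (assumed notation)
    "192.168.1.5/24",         # malformed: host bits set
]


def sync_target(entry: str) -> str:
    """Classify one entry as 'cloudflare' (mirrored), 'local' (enforced by
    WP Cerber only) or 'invalid' (not a parseable address, range or network)."""
    entry = entry.strip()
    try:
        if "-" in entry:
            # Arbitrary range: both ends must be valid addresses; never mirrored.
            for part in entry.split("-", 1):
                ipaddress.ip_address(part.strip())
            return "local"
        if "/" not in entry:
            ipaddress.ip_address(entry)
            return "cloudflare"  # single IP address
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        return "invalid"
    if net.prefixlen == net.max_prefixlen:
        return "cloudflare"  # single address written in CIDR form
    if net.version == 4 and net.prefixlen in CLASSFUL_PREFIXES:
        return "cloudflare"
    # Everything else, including IPv6 networks (which the article does not
    # discuss), is treated here as a local-only entry.
    return "local"


def partition(entries):
    """Group entries by where they end up being enforced."""
    result = {"cloudflare": [], "local": [], "invalid": []}
    for entry in entries:
        result[sync_target(entry)].append(entry)
    return result


if __name__ == "__main__":
    for target, items in partition(SAMPLE_ACL).items():
        print(f"{target}: {items}")
```

Entries reported as local are still enforced by WP Cerber on the server, but requests from those networks reach the site instead of being dropped at Cloudflare.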

Other settings

Verbose syncing

It’s an optional privacy-related feature that enables or disables saving additional information as Cloudflare notes. When enabled, the add-on saves your Access Lists comments and the reason for an IP address lockout to a Cloudflare note. Enable it if you need to precisely identify or search entries by a keyword among the firewall rules on the Cloudflare website. Don’t forget that those notes can be stored on Cloudflare servers for an unknown amount of time.

Delete Cloudflare rules on plugin deactivation

If the Cloudflare add-on or the WP Cerber plugin is deactivated, all rules that were previously added to the Cloudflare firewall will be deleted. It’s important to understand that once the plugins are activated again, the deleted entries will not be added back.

How to get support

The professional support is provided for our customers only; please see plans and pricing here. If you use the free version of WP Cerber, please serve yourself by using online documentation and how-to manuals. If you come across a technical issue, enable diagnostic logging and check Cerber’s log; it’s located on the Tools / Log tab.

How to unlock yourself

If you accidentally block the IP address of your computer, and so have no access to the website, there are two ways to unlock the IP on Cloudflare:

  1. Use a mobile device that is connected to the Internet with a different IP address (a cellular network instead of Wi-Fi) to log into the website and delete a lockout or an access list entry.
  2. Log into your account on the Cloudflare website, find the entry with your IP address on the Firewall / Tools page and remove it manually. Hint: get your current IP address on this page: https://wpcerber.com/what-is-my-ip/

How to delete all synced Cloudflare rules

  1. Enable Delete Cloudflare rules on plugin deactivation
  2. Deactivate and activate the Cloudflare for WP Cerber Security plugin on the Plugins page

How to install this Cloudflare add-on

The add-on is available to download for free from our website, not from the wordpress.org plugin repository. The add-on is a standard WordPress plugin. After activating the add-on make sure that the WP Cerber setting “Load security engine” is set to “Standard mode.”

  1. Download the add-on to your computer: https://downloads.wpcerber.com/plugin/wp-cerber-cloudflare-addon.1.2.zip
  2. Log into your WordPress admin dashboard
  3. Click the Add New submenu under the Plugins admin menu
  4. Click the Upload Plugin button that is located next to the page title
  5. Select the downloaded ZIP archive
  6. Click the Install Now button
  7. Click the Activate Plugin button

Next steps that’ll strengthen your WordPress security

Browser cookies set by WP Cerber
https://wpcerber.com/browser-cookies-set-by-wp-cerber/
Thu, 30 Jan 2020 11:46:43 +0000

When WP Cerber is installed on your website, it can generate and set several browser cookies with the sole purpose of securing your website by detecting and mitigating malicious activity. All these cookies have randomly generated names and contain randomly generated values. No personal or sensitive data is stored in the cookies.

Those cookies allow WP Cerber to distinguish logged-in users from non-logged-in visitors, as well as from search engine bots and spammers. Based on the set of cookies in a request, WP Cerber restricts access to protected areas, the login form, and the WordPress dashboard.

What data cookies contain

Cookies contain randomly generated alphanumeric values. No personal data is used.

How many cookies WP Cerber sets

The number is random and in general, it depends on the plugin configuration. Usually, it’s 2 to 6 cookies.

How to identify cookies set by WP Cerber

If an applicable privacy law or a user consent policy requires you to list cookies, specify the unique cookies’ prefix in the plugin settings, and use it as a unique cookies identifier.

Cookie prefix

You can specify any alphanumeric prefix for WP Cerber cookies you need. For instance “alpha_”. The configuration setting is located on the Main Settings admin page in the “Site-specific settings” section.

Displaying WP Cerber cookies on a website page

To get your website fully compliant with GDPR, you might need to display all cookies on a cookie consent page. Using a WordPress shortcode you can display a list of browser cookies set by WP Cerber. See several examples below. All attributes are optional. You can use any combination of them.

[wp_cerber_cookies]
[wp_cerber_cookies type="comma" id="html_id"]
[wp_cerber_cookies type="table" style="background-color:gray; color:white;"]
[wp_cerber_cookies type="list" id="list_of_cookies" text="Any text to display above the list. It is shown if WP Cerber sets cookies."]

No user consent is necessary

You don’t need to obtain user consent because WP Cerber’s cookies are strictly necessary and no natural person is associated with the cookies.

How to be in compliance with data privacy laws

The features below give you full control of personal data if it was logged by WP Cerber and help your organization to be in compliance with data privacy laws such as GDPR in Europe or CCPA in California.

Exporting personal data
Deleting personal data

Deleting personal data
https://wpcerber.com/delete-personal-data/
Sun, 26 Jan 2020 09:11:21 +0000

Depending on its configuration, WP Cerber can accumulate information in the website database during normal operation. This information can be considered personal data under applicable privacy law (such as GDPR). All that data can be deleted, as well as exported, at a user’s request from within the WordPress dashboard with ease; no database tools are needed.

To start using the personal data erase feature in WP Cerber, you need to enable it in the plugin settings. Go to the User Policies admin page and click the Global tab. Scroll to the Personal Data section. Click Enable data erase. If the privacy law under which personal data on your website is processed treats IP addresses as personal data (like GDPR does), you need to enable “Delete user sessions data when users data is erased”. You should do that because WordPress stores users’ IP addresses in a session record which is created when a user logs into a website. The standard WordPress erase tool doesn’t delete these IP addresses.

Using the WordPress Erase Personal Data tool

Once you’ve enabled the erase feature, you can use the WordPress Erase Personal Data tool which is located under the Tools / Erase Personal Data menu.

What data is deleted

Once a request to delete personal data has been added and processed by a website admin, WP Cerber finds a WordPress user with the email address provided in the request. If the user is found, all the entries in the Cerber’s log relating to the user are deleted when you click the Erase Personal Data button. If “Delete user sessions data when users data is erased” is enabled, all user sessions will be terminated and all sessions data will be deleted as well.

How to empty WP Cerber’s log tables

There is an alternative way that enables you to completely erase all data in the log tables, read more: How to clean up the activity and live traffic logs

How to block a user

Once you’ve erased the personal data of a user, you can block the user to prevent them from logging in and processing their personal data again.

Recommended settings for GDPR

Enable both settings: “Enable data erase” and “Terminate user sessions”.

What versions of software you need

The tool described above has been available since WordPress 4.9.6 and WP Cerber 8.5.8.

Does WP Cerber plugin process personal data in a cloud?

The WP Cerber plugin doesn’t send personal data to any cloud or process it there. We take your privacy, the privacy of your users and our reputation very seriously. We’re firm believers that no personal data or sensitive technical information should be processed or stored on our servers.

What’s next

Exporting personal data
WP Cerber’s cookies explained

Exporting personal data from logs
https://wpcerber.com/export-personal-data/
Thu, 23 Jan 2020 17:57:09 +0000

Depending on its configuration, WP Cerber can accumulate information in the website database during normal operation. This information can be considered personal data under applicable privacy law (such as GDPR). All of that data can be exported at a user’s request, or deleted, from within the WordPress dashboard with ease; no database tools are needed.

To start using the personal data export feature in WP Cerber, you need to enable it in the plugin settings. Go to the User Policies admin page and click the Global tab. Scroll to the Personal Data section. Click Enable data export and select which types of data from Cerber’s logs you want to be included in the export files. You have to configure these settings before processing export requests and creating export files. Keep in mind that these export files can be downloaded by anyone who has a download link.

Using the WordPress Export Personal Data tool

Once the export is enabled, you can use the WordPress Export Personal Data tool which is located under the Tools / Export Personal Data menu. All personal data will be included in the export file automatically. If personal data were logged, the file will contain two non-empty sections: “Activity log” and “Traffic log”.

What data is exported

Once a request to export personal data has been added and processed by a website admin, WP Cerber finds a WordPress user with the email address provided in the request. If the user is found, all the entries in Cerber’s log relating to the user are included in the export file. If there is no WordPress user associated with the email address in the request, no data are included in the export file.

The type and amount of data to be included in the export file depend on the plugin’s settings. You need to configure them according to the law (such as GDPR in Europe or CCPA in California) under which personal data on your website is processed.

Also, note that if the logging of requests is disabled in the Traffic Inspector settings, nothing from the requests log is included in an export file. Likewise, submitted form fields are not included if saving request fields is disabled.

The format of the data

The export file is generated and compressed to a ZIP archive by WordPress. All entries that are generated by WP Cerber are in JSON format, which is universal and can be read and decoded with ease. This format is used because WordPress limits the personal data export feature to plain text only. If you need an export file in CSV format, use the WP Cerber Export feature instead; read more below.

Recommended settings for GDPR

You need to enable all settings in the Personal Data section.

Troubleshooting

If you see the following error when you click Download Personal Data on the Tools / Export Personal Data admin page, reload the page using the F5 key on PC or Command + R keys on Mac.

An error occurred while attempting to export personal data. Exporter index is out of range.

An alternative way to export user-related data

An alternative is to use the Export feature on the Activity tab and the Live Traffic page.

What versions of software you need

The tool described above has been available since WordPress 4.9.6 and WP Cerber 8.5.8.

Does WP Cerber plugin process personal data in a cloud?

The WP Cerber plugin doesn’t send personal data to any cloud or process it there. We take your privacy, the privacy of your users and our reputation very seriously. We’re firm believers that no personal data or sensitive technical information should be processed or stored on our servers.
