In the Activity log, such events are labeled as “Exceeded the allowed number of attempts to reset password”.

Squashed bugs

• Erroneous events “Password reset request denied” are logged to the Activity log when viewing the profile page of a blocked user or browsing the “Users” admin page in WordPress dashboard containing blocked users.
• If WP Cerber is unable to create its diagnostic log, it produces the software error “PHP Fatal error: Uncaught ValueError: Path cannot be empty in”.
• When browsing plugin updates on the Dashboard / Updates page, no details about the last release of WP Cerber is shown in the pop-up window.

When two-factor authentication is enabled, users can now optionally click a checkbox on the 2FA form to remember their devices for a predefined period of days. It’s displayed on the form as “Remember this device for N days?” This feature is configured on a per-role basis in the professional version of WP Cerber. You can specify a duration (in days) for which users’ devices can be remembered.

This feature is disabled by default. To enable it, specify a number of days greater than 0. An empty value or a zero will disable and hide the checkbox on the form. When it is enabled, it takes precedence over other 2FA settings.

Minor changes

• Enhanced details about generated 2FA PIN codes on the user profile page.
• The tabs labeled “Role-based” and “Global” are now renamed to “Role Policies” and “Global Policies” respectively.

Squashed bugs

• The 2FA email address set on the user profile page is ignored when sending 2FA codes.
• A fatal error occurs when using Cerber.Hub and switching to a managed website where automatic updates for WP Cerber were enabled. The error is logged as: “Call to undefined function wp_is_auto_update_enabled_for_type().”

• We have introduced the capability to send 2FA verification codes via SMTP. When an SMTP server is set up in the WP Cerber settings, it will be the preferred method for sending these codes. Note that SMTP email feature is available in the professional version of WP Cerber.
• As a backup, if there’s an issue sending emails through the configured SMTP server, WP Cerber will switch to using the default WordPress mailer.
• Additionally, we have added email error reporting. If an error occurs while WP Cerber is sending an email, the error details are captured and shown as a warning on the WP Cerber dashboard.

Minor improvements

• WP Cerber now captures and logs fatal PHP errors managed by WordPress. If your website crashes and displays the WordPress message “There has been a critical error on this website”, and if software error logging is enabled, the error details will be stored and can be accessed in the Traffic Inspector log.
• WP Cerber now identifies and shows the name, version and author of a plugin or a theme that produced PHP errors. The information is available in the Traffic Inspector log.
• All users with prohibited usernames (logins) are marked with the red label “PROHIBITED” on the Users admin page. The label now has an appropriate translation.
• If a user is blocked by the website admin, the red label “User is blocked” is shown on the user profile page next to the username.
• The limits on the maximum length of SMTP setting fields have been increased from 28 characters to 64.
• Translations in the plugin language files have been updated.

Fixed bugs

• If HTTP redirection is set to handle attempts to access protected areas, and WP Cerber blocks an intruder’s IP address, no email alerts are sent even if lockout alerting is enabled.

Just a reminder: WP Cerber, unlike other plugins, got a bug bounty program. If you discover a vulnerability, there is a $1,000 reward waiting for you. Can somebody finally grab it?

Proxy server for outgoing connections

WP Cerber now supports establishing outgoing network connections via a proxy server that’s configured for WordPress. By default, this proxy server usage is disabled in WP Cerber settings. You can find the relevant proxy settings on the Main Settings tab under the “Site-Specific Settings” section. This applies to all connections except for Cerber.Hub, which has a separate proxy setting.

Before you enable the proxy server, ensure you’ve defined the WordPress constants WP_PROXY_HOST and WP_PROXY_PORT. If needed, you can also set a proxy username and password using the WP_PROXY_USERNAME and WP_PROXY_PASSWORD constants.

Beyond the WordPress constants, there’s a specific WP Cerber constant, CERBER_PROXY_TYPE, that allows you to specify your proxy type. For potential integer values for CURLOPT_PROXYTYPE, please refer to the PHP documentation.

The scanner got more stable code

• File operations and error handling in the WP Cerber scanner have been enhanced. If a file recovery requires creating missing folders, they will be created.
• To prevent altering source files, the scanner recovery folders are emptied before starting a scan.
• Any unsuccessful file recoveries are displayed in the scan results.

Minor improvements

• When email notifications for new versions of installed plugins are enabled, you’ll receive an alert as soon as either WP Cerber or WordPress detects an update—whichever comes first.
• You can enable automatic updates for WP Cerber in the main plugin settings now.

Fixed bugs

• If a file is missing, the scanner does not recover it.

This update will be installed automatically if automatic updates are enabled. If WP Cerber is not safeguarding your website yet, here is how to install it.

Fixed bugs

• Excessive alerting in the WordPress dashboard: Fixed a bug that causes multiple admin notices to appear when a new version of WP Cerber is available but not installed.
• An error message while viewing WP Cerber logs: Fixed a bug that could produce a PHP error message while viewing log entries filtered by an IP address.

We’re committed to continuously developing and enhancing WP Cerber algorithms, ensuring they effectively detect and neutralize emerging threats. Earlier this month, we announced the first-of-its-kind bug bounty program in the WordPress plugin ecosystem that rewards a security researcher with a $1000 bonus if they find a vulnerability in WP Cerber. We challenge other vendors to follow our lead.

Enable automatic updates or install WP Cerber if you do not have it on your website.

Improvements to the integrity scanner

WP Cerber uses its own directory to store quarantined files, diagnostic logs, and temporary files created and deleted by the integrity and malware scanner. By default, this directory is created as a hidden subdirectory within the WordPress uploads directory and is protected by an .htaccess file. You can optionally change its location and move it to a more secure place by using a PHP constant CERBER_FOLDER_PATH.

Read more: Changing the location of the WP Cerber directory.

Improvements to traffic and activity logging

• When saving request fields is enabled in the Traffic Inspector settings, the JSON payload of REST API and other requests is decoded and saved to the Live Traffic log as well. This data is searchable via Advanced Search.
• The Form Submissions filter, located on the Live Traffic tab, filters out conventional form submissions and no longer includes REST API requests. To view forms submitted via REST API, use the REST API filter instead.
• The activity export file now includes a new column, “By User,” which contains the user ID of the user who initiated the row event.
• The names of export files generated by WP Cerber are now unified and include the website URL, making it easier to identify which website the file was downloaded from.

Minor improvements

• Multiple optimizations and improvements to CSS styles and the layout of WP Cerber admin pages.
• Prevent Jetpack’s Asset CDN from destroying the layout and style of WP Cerber admin pages.
• Improved compatibly with PHP 8.

Enable automatic updates or install WP Cerber if you do not have it on your website.

Be informed whenever your plugins have updates

Be informed about plugin updates by getting a detailed email notification whenever a new version of a plugin is available. To activate notifications, go to the WP Cerber notification settings and enable it. This type of notification doesn’t require a connection to any cloud servers. All data is processed locally on your website with no relation to the integrity scan. You need to enable it in the settings.

Notifications contain information about installed and new versions of plugins, compatibility with installed WordPress, and minimum required versions of PHP and WordPress. WP Cerber will warn you if a plugin is incompatible with your WordPress or PHP. By default, notifications will be sent to the website administrator email address configured in the general WordPress setting.

The professional version of WP Cerber brings you additional features and enables you to configure advanced parameters and use SMTP. You can specify separate email addresses for plugin update notifications. If you consider installed versions and URLs as sensitive data, you can remove them from emails by selecting a brief format of notifications. You can configure the update checks with a desired interval.

Keeping your plugins updated is important for the security of your WordPress. Use these notifications along with the automatic WP Cerber malware scanner and integrity checker. To keep your WP Cerber up to date, enable automatic updates for WP Cerber.

Grant access to users’ data via REST API for selected user roles

An additional option for granting access to users’ data via WordPress REST API for selected user roles. By default, WP Cerber blocks access to users’ data to prevent user enumeration. If you need users with a specific role to have access to users’ data, add the role to the list. Note that all website administrators and super administrators on a multisite WordPress installation have access to all users’ data.

Additional option for sending activity alerts

WP Cerber’s activity alerts can be sent to an email address you have on your WordPress account. You do not need to worry about changing the email. If you have updated the email address, you will keep getting alerts on a new one.

Other improvements

• WP Cerber permanently stores users’ last login data (IP address, time, user’s country) for all users. The data is erased when the user’s personal data is erased by the website admin. See more: https://wpcerber.com/delete-personal-data/
• To prevent having insecure plugin configuration, WP Cerber validates required HTTP headers before enabling the behind a proxy mode in the WP Cerber settings. By default, WP Cerber does not extract IP addresses from HTTP headers. You can easily make sure WP Cerber correctly detects IP addresses by using this instruction: https://wpcerber.com/wordpress-ip-address-detection/

Minor changes

• Detecting remote client IP addresses if the website is behind a proxy server has been improved.
• Wording of new version notifications and emails has been improved.
• The leading “Hi!” has been removed from the new version notification emails.

Fixed bugs

• A specially formatted request can bypass the disabled redirection from a /wp-admin/ locations to the custom login page.
• The integrity scanner labels a file as “File is missing” if a folder containing the file is on the “Directories to exclude” list. The bug affects valid WordPress files, files of plugins and themes with valid checksums.
• After clicking “Apply” and saving the “Screen Options” on the Cerber.Hub page, a blank page is displayed. This issue is caused by a bug (shortcut?) in a WordPress redirection function that relies on the optional Referer header sent by the user browser. If a browser strips request parameters from the Referer header or does not send the header at all, no proper redirection occurs and the blank page is displayed.

How to enable automatic updates for WP Cerber

Monthly activity reports

In addition to weekly reporting, WP Cerber can be configured to generate and send monthly activity reports. Depending on the configuration, the reports can be generated for the last 30 days or the previous calendar month and sent on a selected day of the month to specified email addresses. All the settings are on the “Notifications” tab.

Redirection to a page instead of generating a 404 page

Redirecting requests to a specified URL can be enabled instead of generating a 404 page when attempting to access prohibited locations on a website.

You can specify an URL of a page on your website to redirect lost users and bad actors when they are attempting to get access to locations they have no access to. For instance, it can be a sitemap page that helps legitimate users navigating on your website if they entered a protected URL by mistake or due to a software error. The URL can be a relative or absolute. The setting is “Access to prohibited locations” and it’s located on the “Main Settings” tab. From a security standpoint, the best option is to set it “Display simple 404 page”. Read more.

Disabling “Remember Me” checkbox

The “Remember Me” checkbox on the WordPress login form can be disabled. The new setting is on the “Global” tab of the “User Policies” settings page. If disabled, logging-in users can no longer change the duration of their authentication sessions at will.

The default duration of a user session if “Remember Me” is not checked is two days (48 hours), alternatively, if it is checked, it is 14 days. In terms of modern account security, it’s a huge period. Since most ordinary users do not know the duration of the sessions when the checkbox is checked, they have no idea what the implications of enabling it. It’s highly advised to disable “Remember Me”. This new feature also supports WooCommerce.

Miscellaneous improvements

1. Weekly activity reports now can be generated for the last 7 days or the previous calendar week. New setting is on the “Notifications” tab.
2. Pursuing better user experience, we have improved the process of configuring WP Cerber features that require updating .htaccess files. Improved handling situations when .htaccess files get read-only permission after changing WP Cerber settings. If a .htaccess is non-writable, the related settings are locked. When importing settings from a file, all the checks also take place.
3. When saving WP Cerber in the WordPress dashboard, the text notification “Plugin settings updated” is only shown if the settings has been changed.

Breaking changes

1. The default period of weekly reports is the previous calendar week. In older versions of WP Cerber, the report period was the last 7 days.
2. Disabling author archives has been improved. No access to author archives via any possible URLs if “Block access to user pages via their usernames” is enabled. Additionally, links to author archives are replaced with the website home URL. Previously, access was blocked if accessing author archives by using usernames (logins) in a $_GET parameter.

Minor changes

1. If the “User session expiration time” is set globally for all user roles, the “Remember Me” checkbox is hidden on the standard WordPress login form and does not affect the duration of user sessions.
2. WP Cerber now logs all denied attempts to reset user password when a non-existing user or email has been specified.

Fixed bugs

1. If WordPress is installed in a subfolder and the custom login page is configured, submitting the password reset form doesn’t redirect users to the page with a success message showing “Not Found” instead.
2. If the custom login page is configured, disabling the login language switcher has no effect on the login form and the language switcher is still displayed.
3. On some multi-site WordPress installations, WP Cerber can produce warning messages about using undefined UPLOADBLOGSDIR constant.
4. If the access lists contain IPv6 addresses and the Activity log contains entries with IPv6 addresses, viewing those entries causes PHP warnings “undefined property: stdClass::$comments”.
5. If the Pushbullet mobile notifications are enabled and the list of available devices contains inactive (removed) devices, WP Cerber produces PHP notices “Undefined index: nickname” while parsing the list.

This release will be installed automatically if you are running WP Cerber version 9.2 or newer and have activated automatic updates for WP Cerber.

If you are running WP Cerber older than version 9.2, you can install this release as described here: https://wpcerber.com/installation/

If you are updating from WP Cerber 9.2 or newer, the update is available to install on the “Plugins” admin page. For a fresh install or updating an older version of WP Cerber, follow these simple steps.

Improvements

1. Every locked-out IP address on the “Lockout” tab has a link to check its suspicious activity in the Activity log.
2. WP Cerber logs more details on two-factor authentication (2FA) events with the following new statuses that occur if an attempt to log in using 2FA was aborted. Previously such events were logged with generic status “Site policy enforcement”.
   

   User’s IP address does not match the one used to log in User’s browser does not match the one used to log in This indicates a situation when a user tries to log into the website by entering their login and password on one computer (browser) and a 2FA code on another one.

   Exceeded the limit on the number of attempts to enter 2FA code A user entered invalid 2FA codes multiple times and reached the limit to the number of attempts, which is 5 times per a user’s 2FA session. If this happens, WP Cerber destroys the user 2FA session and the pin code. If the user’s computer has no history of being logged-in on the website previously, the WP Cerber blocks the user’s computer IP address.

   IP address is locked out The IP address has been blocked due to suspicious or malicious requests coming from the user’s computer (browser). To see the detailed information, click the IP address in the Activity log.

   Malicious activity detected The IP address of the computer is in the global WP Cerber database of well-known malicious IP addresses. The database is available in the professional version of WP Cerber. None of IP addresses from the database are permitted to log in.

3. WP Cerber logs more details when a user was forcefully logged out (user session has been terminated) due to a restriction. Previously such log out events were logged with generic status “Site policy enforcement”.
   

   Invalid user WP Cerber detects an attempt to use an invalid user account that has been created or modified by altering data in the WordPress database tables directly. This typically occurs if an attacker tries to exploit a breach in a plugin to bypass conventional security measures available in WordPress and create an admin account. The professional version of WP Cerber makes such scenarios impossible.

   Blocked by country rule Occurs if the country from which a logged in user tries to get access to the website is in the list of blocked by the website admin countries. This can occur if a user uses mobile Internet and has crossed a country border or establishes a connection via a VPN server in a different country.

   User blocked by administrator Occurs when the website admin has manually blocked the user from logging in.

Fixed bugs

1. If WordPress is installed in a subfolder and access to REST API has been blocked on the “Hardening” tab, a bad actor can get access to REST API by using a specially formatted request (CVE-2022-4417).
2. Multiple duplicate notifications are sent via email and Pushbullet if an IP address is permanently getting blocked due to multiply consequent malicious requests and the notification limit is set to 0.