The name WP Cerber is derived from Cerberus, the many-headed dog of Greek and Roman mythology with a serpent’s tail and lion’s claws; no one could get around this ever-angry dog.
Installing WP Cerber
The free version of the WP Cerber plugin can be downloaded here. Installation is done the same way as for other WordPress plugins: install the plugin via Plugins > Add new > Download or unzip the plugin package.
This extension is compatible with WooCommerce, WordPress multisite mode, Cloudflare, bbPress, and WP Engine.
WP Cerber protects your WordPress site from brute force attacks, spam, Trojans, and malware.
This plugin mitigates brute force attacks by limiting the number of login attempts made possible through the login form, XML-RPC/REST API requests, or through the use of authentication cookies.
WP Cerber tracks user activity and malicious activity, with email notifications. It also stops spammers by using a specialized anti-spam engine.
WP Cerber uses Google reCAPTCHA to protect signup, contact and feedback forms, restricts access with IP access lists, and monitors website integrity with a malware scanner.
It is also possible to manage several WP Cerber instances from a single dashboard, which is particularly useful in case you need to ensure the security of several websites.
Finally, the plugin boosts general WordPress security with a set of flexible security rules and security algorithms.
Restricting Login Attempts
By default, WordPress allows unlimited login attempts through the login form, making it relatively easy to crack passwords via a brute force attack.
WP Cerber Security blocks intruders, by IP or subnet, from making further attempts once a specified limit of attempts is reached, making brute force attacks or distributed brute force attacks from botnets impossible.
You can create a black IP access list or a white IP access list to block or allow connections from a particular IP address, a range of IP addresses or a subnet of any class (A, B, C).
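The lockout and access-list behaviour described above can be sketched as follows. This is an added example, not WP Cerber's code: it counts failed logins per IP and per subnet inside a time window and consults the access lists first. The limits, the /24 and /64 grouping and all names are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

class LoginLimiter:
    """Illustrative limiter; limits and names are assumptions, not WP Cerber's."""

    def __init__(self, ip_limit=3, subnet_limit=6, window=3600, allow=(), deny=()):
        self.ip_limit, self.subnet_limit, self.window = ip_limit, subnet_limit, window
        # Access list entries may be single addresses or CIDR networks.
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allow]
        self.deny = [ipaddress.ip_network(n, strict=False) for n in deny]
        self.failures = defaultdict(deque)  # key -> timestamps of failed logins

    @staticmethod
    def _subnet(ip):
        # Group IPv4 by /24 and IPv6 by /64 so attempts spread over a range add up.
        prefix = 24 if ip.version == 4 else 64
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget failures older than the window
        return len(q)

    def check(self, addr, now):
        """Return 'allow', 'deny' or 'locked' for a login request from addr."""
        ip = ipaddress.ip_address(addr)
        if any(ip in n for n in self.allow):
            return "allow"  # allow list is checked first so admins are never locked out
        if any(ip in n for n in self.deny):
            return "deny"
        if (self._recent(ip, now) >= self.ip_limit
                or self._recent(self._subnet(ip), now) >= self.subnet_limit):
            return "locked"
        return "allow"

    def record_failure(self, addr, now):
        ip = ipaddress.ip_address(addr)
        self.failures[ip].append(now)
        self.failures[self._subnet(ip)].append(now)
```

The subnet counter is what catches attempts rotated across neighbouring addresses: a new address in the same range is locked out even though it has no failures of its own.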
Moreover, you can create your personalized login page and forget about automatic attacks against the default wp-login.php file, which attract attention and consume a lot of server resources. If an attacker tries to access wp-login.php, they will be blocked and get a 404 error response.
WP Cerber Security Scanner is an extremely powerful tool that deeply scans every folder and inspects every file on a website for traces of malware, Trojans, backdoors, modified files and new files.
More details on scan configuration options here.
Verifying integrity of WordPress folders and files
WP Cerber’s scanner checks if all WordPress folders and files match what’s in the official WordPress main repository, compares your plugins and themes with what’s in the official WordPress repository, and notifies you of any changes. Similar to scanning free plugins and themes, the scanner scans and checks commercial plugins and themes that are installed manually.
Scheduled scans with automatic file recovery
WP Cerber’s scanner allows you to easily set up a schedule for automated recurring scanning. Once the schedule is set up, the scanner automatically scans the website, removes malware, and recovers modified and infected WordPress files. After each scan, you can get an optional report by email with the scan results.
Two-factor authentication (2FA) provides an additional layer of security requiring a second factor of identification beyond just a username and password. When 2FA is enabled on a website, the user must provide an additional verification code when logging into the website. This verification code is generated automatically and sent to the user by e-mail.
Interestingly, this 2FA feature is compatible with managing multiple WP Cerber instances from a single dashboard.
Anti-spam and anti-bot protection
WP Cerber provides anti-spam and anti-bot protection for contact, registration, comment and other forms. The anti-spam and bot detection engine now protects all forms on a website. It has been tested with Gravity Forms, Caldera Forms, HappyForms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, and Contact Form by WPForms.
This module lets you use an invisible reCAPTCHA on the WordPress login form, registration form, lost password form and comment form.
This feature is also officially supported for WooCommerce (WooCommerce Login Form, WooCommerce Registration Form, WooCommerce Lost Password Form).
Before activating the invisible reCAPTCHA, you must obtain separate keys for the invisible version. More details here.
If you want to test the functionality of WP Cerber, do so on another computer (or an incognito browser window) and remove the computer’s IP address or network from the white access list.
WP Cerber Firewall “Traffic Inspector”
It is important to note that, according to WP Cerber, the firewall does not slow down the performance of WordPress. It also does not affect your website’s SEO ranking. Indeed, WP Cerber does not automatically block ordinary requests coming from the pages of your visitors, and therefore does not disturb the indexing of search engines.
Only malicious and potentially dangerous requests, such as form submissions, requests with GET and POST parameters, and requests to PHP scripts, are analyzed and blocked. WP Cerber then blocks the IP address and sends a 403 “Access Denied” response. These events are logged in the activity log. More details here.
Integration with Cloudflare
A special Cloudflare add-on for WP Cerber syncs the list of blocked IP addresses with Cloudflare’s IP access rules.
If your site is behind the Cloudflare proxy service and your WordPress is protected by the WP Cerber plugin, you need to do two things to make them work well together.
1) Enable “My site is behind a reverse proxy” option on the Main Settings page.
2) If you have configured the custom login URL, you need to exclude it from caching by Cloudflare’s servers. To do this, add a rule on the “Page Rules” settings page in your Cloudflare account settings, as described here.
If you have configured the custom login URL and you are using Cloudflare or the W3 Total Cache or WP Super Cache caching plugin, you must add the new custom login URL to the list of pages not to cache.
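Why the reverse proxy option in step 1 matters: behind Cloudflare every TCP connection arrives from a proxy address, so lockouts and access lists must be applied to the forwarded client address, and forwarding headers should be believed only when the peer really is the proxy. An added sketch of that rule (not WP Cerber's code); the trusted range, the function names and the plain header dictionary are assumptions.

```python
import ipaddress

# Constructed placeholder; in production use the proxy provider's published ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, headers, behind_proxy=True):
    """Return the address that lockouts and access lists should be applied to.

    headers is a dict keyed by canonical header name (an assumption of this sketch).
    """
    peer = ipaddress.ip_address(peer_addr)
    if not behind_proxy or not _trusted(peer):
        # Direct connection: forwarding headers are set by the client, so ignore them.
        return str(peer)
    if "CF-Connecting-IP" in headers:
        candidates = [headers["CF-Connecting-IP"]]
    else:
        # Each proxy appends to X-Forwarded-For, so read it from right to left.
        candidates = reversed(headers.get("X-Forwarded-For", "").split(","))
    for raw in candidates:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not _trusted(ip):
            return str(ip)  # first hop that is not one of our own proxies
    return str(peer)
```

With `behind_proxy=False` on a proxied site every visitor resolves to a proxy address, so a single lockout would affect all of them.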
Other Useful WP Cerber Security Measures
The following steps are optional but they help to strengthen the protection of your WordPress.
- Adjust the login attempt limit settings, making them more restrictive as needed.
- Set up a custom login URL (the plugin will send you an email with it).
- Once you have configured the custom login URL, check “Block IP immediately after any request to wp-login.php” and “Block direct access to wp-login.php and return HTTP 404 error not found”. Stop using wp-admin to log into your WordPress dashboard.
- If your WordPress has a few power users, check “Immediately block IP when trying to login with non-existing username”.
- Specify the list of banned usernames that legitimate users will never use. They will not be allowed to login or register.
Other articles related to WordPress site security here.