WP Cerber Security Review and More About WordPress Security

Share Now

I’m not usually concerned with WordPress security plugins. But, I noticed that “WP Cerber Security” has some helpful security features. I consider scanning, malware detection, spam, cross-site scripting, DDoS, and data modification.

Those are the most critical security features, and most websites can get rid of them fast. Malware detection is probably the most helpful feature of the plugin. 

It is SUPER faster than humans at checking data for modifications using their own hands. But these aren’t without drawbacks.

You must keep checking logs and reviewing files to ensure that nothing has been deleted or added. Also, firewalls are a very critical security feature.

Brute-force attacks on login pages, XML-RPC, DDOS, or repeated attacks.

These attempts mean they usually do not get entrance to your site because they use the things for specific purposes. They crowd your servers with shots, leading to going offline or interrupting users.

The firewall is more about efficiency than any other factor. Now, it isn’t the most vital issue because your host already handles it.

Read my FlyingPress Review.

WP Cerber Security

WP Cerber Security WordPress Plugin has a modern UI that is great for me but may feel uncomfortable for others. I like how I can see many options without needing to scroll down. The detailed guides highlight why each enhancement is critical and provide fun tips for users to consider.

Comprehensive plugins cover all aspects, including scanning, filters, and inspections.

However, some functionality may be limited to the premium version. For example, they could be able to scan and identify which assets are affected.

Still, they will not remove them until you subscribe. And perhaps they will only enable manual checking in the free version and automated inspections in the paid version.

WP Cerber Security’s free version gives you access to most of the functionality. 

Yes, there is a pro version with advanced features, but the free version will be enough for most. Several plugins offer to feature a “detector,” but in truth, many do not analyze your accurate data.

They just check for basic security facts. Some detectors will improperly detect others as potential security threats. For example, third-party paid plugins, even security plugins, or plugins and themes not in the WP.ORG directory.

Many plugins are not worth the money. You can be attacked sometimes if you have a security plugin installed.

WordPress Meme

WP Cerber Features

  • Nice UI
  • Limit login attempts
  • Custom login URL
  • Anti-spam engine
  • Security scanner
  • Lockouts
  • Monitors file changes 
  • Protects (wp-login, signup, register)
  • Hide wp-admin
  • Traffic Inspector
  • Disable PHP in uploads
  • Disable dashboard redirection
  • Stop user enumeration
  • Email Reporting
  • Diagnostic Tool
  • etc., etc

WordPress Code injection

WordPress Code injection

What is a WordPress code injection attack?

Code injection uses a fault in your website’s codes, generally with themes and plugins and application servers like os, extensions, etc., to insert malware into your site.

This script might cause unwanted website activity, such as ads and redirecting links to other websites, and show some lousy content.

This is also used to get the data on your website and databases, create security holes, and gain unauthorized access to private information.

When they obtain your credentials, they will try them on personal email, PayPal, and other stuff. That malware can also modify information, like replacing your email address with one linked to another service or redirecting your contacts to someone else.

Most code injections are usually entered through themes or plugins. This is why it’s crucial to choose your WordPress themes and plugins wisely and to stay up to date. So never use nulled themes and plugins.

Most websites are hacked due to using nulled stuff. If you don’t have the money to buy premium things, stick with the free version till you find some bucks.

Related: First-Rate Blogging Tools

How to Detect Malware Attacks Manually?

Malware types
Source: Techtarget

It’s usually undeniable when something goes wrong with a website’s functionality. Look at some primary checking resources; this is not a simple task. Verify if there are any new characters in .htaccess that you didn’t add or any of your plugins.

Wp-config should also be checked to verify if the site URL has been modified elsewhere. Look around at the root of your active theme for unexpected things.

To see if any harmful functions have been added, look through the functions.php file. However, it is not simple due to the numerous lines, so check carefully.

Similar to checking theme files, check plugin files in your plugin folders.

If you have a lot of folders to look through, this approach is usually not practicable. Oh, dude, Verify the uploads folder or other accessible directories. So many malware and programs lurk there and run from such locations since they are accessible.

It’d be wise to prevent PHP from being executed from the uploads folder. This plugin’s feature is also it. See if plugin configurations have been changed.

You’re looking for any location where they might have modified personal info. Be attentive and double-check everything. Also, there are many things to check, so it’s not a simple task. If you believe something is wrong with your website, you can use a scanning plugin and professional services.

WP Cerber Security Configuration

This is a brief explanation of a few typical plugin features.

I won’t go into great detail because these people have well-written documentation that even beginners can understand.

Main Settings

Set the Load security engine option to Standard mode under Main Options.

Login Security

  • Limit login attempts: Default (It stands to reason to impose a higher limit on login attempts if you have a lot of online users, membership, or even an e-commerce shop.)
  • Block IP address for Default 60 minutes
  • Use White IP Access List: Ignore
  • Processing wp-login.php authentication requests: Default (Set the Filtering wp-login.php authentication requests setting to “Block access to wp-login.php” if you use the Custom login URL. WP Cerber will display the typical “404 Not Found” message when trying to access the website.)
  • Disable the default login error message: On
  • Disable the default reset password error message: On

Once that option is activated, the login error messages do not display invalid usernames or emails when trying to log in with non-existent identities. However, when a user enters an invalid login, WP Cerber shows the typical WP error code.

This prevents malicious attackers from getting genuine passwords and email addresses. This method is also known as “turning off login hints.”

Custom Login Page

Custom login page for WordPress

This custom admin page feature is essential for decreasing security flaws and preventing fraudulent entries.

It’s the very first thing you must do after installing WordPress.

WP Cerber allows you to modify the standard WordPress login URL wp-login.php to something else. There is no need to change the .htaccess file or the wp-login.php file. WP Cerber allows you to change the login page from wp-login.php to a different one.

You can also use the WPS Hide Login plugin, which allows you to quickly and safely alter the URL of the login form page to whatever you wish.

What about forgetting the custom login URL?

Check the site administrator’s email box first to see if you get an email notification about your new URL. Or even any regular email report if you set up your custom login URL but later forgot it.

Sometimes, your custom login URL can be found in those emails. You need to restore the plugins if you can’t find them manually. Use FTP, Cpanel, or any other file manager in your host controller to delete the plugin folder /wp-cerber/manually.

Proactive Security Rules

  • Disable dashboard redirection: OFF
  • Block IP when attempting to log in with a non-existing username: ON
  • Block IP after any request to wp-login.php: ON
  • Block subnet: OFF

Citadel Mode

In Citadel mode, the only IP addresses that can log in are those on the White IP Access List. As for Allow authentication log tracking, Citadel mode limit, and other settings, I recommend keeping them as-is and not making any changes. Activity, Personal Preferences, and stay with plugin default settings.

Traffic Inspector

Most of the time, no set is needed for this security algorithm, which is activated by default. This Traffic Analyzer is an advanced context-aware web app firewall (WAF) that secures WordPress by detecting and stopping harmful HTTP requests.

Scanner analyzes incoming HTTP requests, identifies suspicious ones, and prevents them before they may do damage to your website. Examples include form submissions, requests with getting and post variables, and appeals to PHP programs.

Suppose the firewall identifies a potentially harmful or fraudulent request.

In that case, the WP Cerber blocks the IP address. These events are recorded in the Activity log, and inquiry data is recorded in the Live Traffic Log if Traffic Logging is enabled.

WP Cerber  Live Traffic log

Most security plugins make your website slower.

However, in my experience, WP Cerber’s firewall doesn’t influence performance or SEO ranking. Because it doesn’t monitor or block requests to pages made by visitors’ browsers or search engine crawlers.

WP Cerber Scanner

WP Cerber Security Scanner

This analyzer is an all-inclusive solution for tracking file changes, confirming the reliability of core WordPress, plugins, and themes, and quickly wiping off malware. Navigate to the Site Integrity admin page and select the Start Quick Scan or Start Full Scan option to start testing manually. 

Its fast scan might take up to three mins, and the complete scan could take a maximum of ten mins, according to the speed of the server and the number of files.

Quick Scan vs. Full Scan

Only files with operable extensions are subject to Quick Scan’s integrity check and code inspection. All files on the website are subjected to a full scan to check their consistency and substance.

Every single media file is checked for malicious files. Its detector displays a list of problems and potential solutions for you. A green mark indicates that an object’s integrity has been confirmed. Verified.

If the notice “Integrity data not found” displays. Choose “Resolve issue” to submit a comparison ZIP package you use, such as if you use premium plugins and themes.

Handling suspicious files under the following criteria signify a file security problem.

Checksum mismatch
Executable code found
Suspicious code found
Content has been modified
  • Checksum mismatch: This file’s elements have changed and are different from those of a reference file you previously uploaded or those found in the wordpress.org source. The file might be modified by or corrupted by malware. Some upload plugins can recognize this message.
  • Suspicious code found: The scanner identified suspicious code commands and signs during the algorithmic analysis. This is risky information because many nulled plugins and themes display this warning.
  • Potentially malicious code found: The identified code signs shouldn’t be in a file of this sort, so it is most probable that this file includes malicious code. So, immediately take action.
  • Executable code found: This file has code and might have malware that has been masked. This file must be found in the theme or plugin folder if it is a component of one. Also, it shows some files, like your previous hosting addon or some stuff.
  • Unattended suspicious file: The analyzer identified that file as “having no owner” since it is not a known component of a plugin, theme, or WordPress. It can still be there if you update WordPress or other tools you use to a newer version. It might also be a malware component that has been masked. So take it out.
  • Content has been modified: This happens if a file has been edited and its signature changes from that of the original file. Re-installing the proper plugin or theme is recommended. Your asset optimization plugins may sometimes remove unnecessary stuff.

If a questionable or harmful file has a checkmark on its row, you can typically delete it. Before removing a file, view an explanation by clicking the “problem” link in its row.

When you remove an item, it automatically sends it to a quarantine directory. If you accidentally remove a critical file, you can recover it from a quarantine folder. If you have any issues, please read their official documents here.

Anti-spam and bot detection

WP Cerber Security protects all form fields on a website.

The anti-spam algorithm works with all, including Caldera Forms, Gravity, Contact 7, Ninja, WPForms, WooCommerce, etc. You can use it for registration forms, comments, and others.

Anti-spam and bot detection

Stop anti-spam filtering for logged-in users.

If you believe your logged-in users, the plugin will be allowed to complete any form, even comments, without being subjected to an anti-spam scan. This security algorithm uses JavaScript and analytics to verify whether the browser is genuine and whether a person filled out the form.

Also, the plugin uses its activity log, which logs all questionable and fraudulent requests from an IP address, to make a decision. Read Removing powered by WordPress.

ReCAPTCHA Settings

WP Cerber Security ReCAPTCHA Settings

The human verification system known as reCAPTCHA offers a free anti-spam solution. Combined with the WP Cerber anti-spam technology, it is effective.

Each time the web page with the question is displayed while reCAPTCHA is enabled for a form on your website, a few JavaScript files are fetched from Google’s servers.

A reCAPTCHA button will be shown inside the form if you have activated a visible variant in those settings. These scripts will show a reCAPTCHA badge on a browser window when using invisible reCAPTCHA. Also, I don’t recommend this.

It will super slow your website because it is third-party stuff.

reCAPTCHA meme

Certain websites have issues with reCAPTCHA, such as forms with faulty layouts and layouts that clash with the reCAPTCHA’s style.

Captcha-based security, such as reCAPTCHA, can guard WordPress against a brute-force attempt that targets a regular registration. 

The other ways of validation remain unsafe. Since reCAPTCHA was created initially as a human verification system to protect sites from machines. The attacker is not a machine. ReCAPTCHA does not shield websites from hacking because of this.

Diagnostic Tool

It’s a cool feature. It shows a lot of stuff about your sites, such as System Info, File system, Active Plugins, Database Info, Tables, Server Environment Variables, and Cerber Security Cloud Status.

Email Notifications

As for email addresses, YOU will receive all notification emails.

The Default Email Address will receive the notification if you miss entering one. I like weekly reports since they overview all the actions and unusual incidents of the previous seven days.

Cerber Security Email Notifications

WP-Cerber Security Paid Version

However, I have not used all of their paid services. Their malware scan is superb.

The firewall and checklist tools are detailed without too much space on the monitor. Fantastic user interface. Paid edition features include multilayer spam protection, automated analysis, error checking, GEO controls, Cloud Protection, and professional support.

WP Cerber Security Alternatives

There are other plugins available as solutions. Most premium services include some premium features, while some only provide plugins. So here are a couple of alternatives. Maybe there are some that I haven’t tried yet.

Wordfence Security

Wordfence Security

It would be fantastic if Wordfence developed a server-level solution.

This offers various tools to protect your website against the most frequent assaults, such as code injections and brute force attacks. Through its user interface, the scanner compares code variances and makes it easy for you to correct them.

It is perfectly functional and has the most comprehensive and protected detection. Wordfence catches and stops many attacks, malware, and violations.



By limiting login attempts for the IP, the plugin helps you defend against brute-force attacks. Security measures like reCAPTCHA, two-factor authentication, and others can be used. WP Cerber plugin, however, has more features.

Sucuri Security

Sucuri Security Plugin

A leading security service is protecting your website. This plugin is a decent option if you’re a tech-savvy user with high priority and a firewall. Their firewall costs money; you have to buy it. The plugin is great if you subscribe to their service.

Some drawbacks of WordPress security plugins

They cause your website to load slowly.

 WordPress security meme

If some attacks are primarily concerned with performance.

So, if your security plugin slows down your website, you may be helping them because their primary purpose is to overload your business with unusual requests. And if you use a plugin that makes your website sluggish and involves more processing time. They can now overload your servers even faster.

To avoid bad servers, read hosting recommendations. 👇

Some plugins are not free.

The majority of those will be built and marketed in a way that improves profit rather than quality. A variety of overblown functions to justify the pricing. They’ll keep focusing on the nonsensical things, not the actual security stuff, so the website is slow if there is so much bloated.

Security plugins are not capable of detecting all.

Cybersecurity plugins cannot protect against unsafe plugins and themes.

Remember, these are programs, not humans, so they do some algorithmic stuff, so if you have a hole, they can’t help you much. They catch only a bit of it, but maybe they leave something behind.

Yes, some services guarantee a proper clean, and they will professionally fix your website. But not for the majority. Ineffective feature, That’s especially troublesome because plugins will attempt to promote themselves by loading whatever potential function. Even some stuff that is not related to security.

Related: WP Speed Optimization Plugins

Tips For Securing WordPress Website

  • Regularly make a backup of your website. That is the best approach to repair problems, and backup plugins may be more necessary than security plugins.
  • Always keep your WordPress platform, themes, and plugins up to date.
  • Only use high-quality themes and plugins
  • Prevent using obsolete or unknown source tools.
  • Don’t purchase themes or plugins anonymously, and don’t get them from unknown sites (NULLED).
  • For extra DNS security, use Cloudflare. But, they provide protection from DDOS attacks that 99% of you will never experience. But can also protect against malicious bots.
  • Remove any unused themes or plugins because they can cause different access paths.
  • If you don’t use the XML-RPC protocol, disable it.
  • Change the default “admin” user name to a different one.
  • Customize the wp-login.php login page to something different.
  • Prevent.php files from being processed in specific locations.
  • Use a different password for your database.
  • Use the most modern and trustworthy web host, server, PHP, etc.

There are also elementary things. Like solid passwords, not using the same email for everything, forcing SSL, blocking file editing, not using the same passwords, and other stuff. Read LuckyWP Table of Contents.


Because of its popularity, WordPress security has become a very significant problem nowadays. Most websites use WordPress, so many developers create apps, themes, and plugins. However, this makes it a common target for attackers.

There is a plethora of information and help for WordPress, and you will be able to protect it quickly. The only problem is that specific security steps slow down your site.

In my experience, WP Cerber Security doesn’t affect performance; it has a minor impact like others do, but you can deactivate many unnecessary functions. And one plugin offers a ton of valuable features.

Finally, you can install the WP Cerber plugin for basic security features such as limiting logins, changing login URLs, anti-spam, scanners, lockouts, monitoring file changes, protecting (wp-login, signup, register), hiding wp-admin, and more.

Additional Reading 👇

Await the code.


WordPress design, speed optimization, content marketing, and monetization are on the high end of blogging. I have followed up on all matters for at least seven years.

Leave a Reply

Your email address will not be published.