A security breach at your WordPress site is a nightmare scenario – all your hard work, gone up in a puff of smoke (or, more likely, a puff of pharmacy SEO link spam or weird redirects).
In today’s WP Cerber Security review, I’m going to take a look at a freemium WordPress security plugin that aims to greatly decrease the chances that such a breach happens to you. This plugin is brought to you by Cerber Tech Inc.
I’ll tell you all about the features WP Cerber Security implements to keep you safe. Then, I’ll take you hands-on at my site and show you how everything works.
WP Cerber Security Review: How it Keeps Your Site Safe
Before I go hands-on and show you how WP Cerber Security works, let me take you through everything it’s doing to keep your site safe.
WP Cerber Security brands itself as “Security, Antispam & Malware Scan”, which is a pretty good summary of how it protects your site.
Let’s start with that first part – security. WP Cerber Security helps you implement a lot of the techniques you see in blog posts about WordPress security:
- Protect from a variety of common attacks, including code injection, REST API and ordinary user enumerations, and more
- Implement a web application firewall, called Traffic Inspector
- Limit login attempts
- Monitor login attempts
- Create IP whitelists or blacklists to restrict access
- Change your login page URL.
- Use two-factor authentication, including options for controlling who has to use two-factor
- Disable XML-RPC and REST API (optional – your site might actually need the API to function)
- A special “Citadel mode” that helps protect you from brute force attacks by blocking login functionality
This is not the full list of security features – it implements lots of smaller tweaks as well.
Then, you get a number of antispam features like:
- Protect all forms on your site, including registration, login, lost password, WooCommerce checkout, etc.
- Clean up spam comments
- Add ReCaptcha
- Create country-based anti-spam rules
Finally, you get the malware scanning. WP Cerber Security…
- Verifies the integrity of the WordPress core, as well as your plugins and themes
- Monitors for file changes, including an option to receive email notifications when files are changed
- Runs automatic malware scans, including removal
Overall, there’s a lot going on there! And all that functionality helps explain why WP Cerber Security is active on over 100,000 sites with a 4.9-star rating on over 350 reviews, according to WordPress.org.
Let’s go hands-on and I’ll show you how it works…
WP Cerber Security Dashboard
The main WP Cerber Security dashboard gives you a high-level look at all the important stuff at your site.
For example, you can see how, after having left the plugin running for a week or so, I had a bunch of malicious requests originating in Russia:
Only the last login from Vietnam is me – so there’s definitely some malicious stuff going on…or at least being attempted.
If you explore those tabs at the top, you can get a deeper look at what’s happening. For example, you can see how I accidentally entered the wrong password, as well as the specific files that the malicious actor from Russia was probing (and which WP Cerber Security blocked):
Beyond letting you see what’s happening at your site, the main dashboard also lets you configure some basic settings for your site.
The Main Settings tab lets you configure how the built-in limit login attempts functionality works. There’s also a nice Aggressive lockout option that lets you be more strict during times when you’re under attack.
If you want, you can also whitelist specific IP addresses (like your own) to avoid the chance of locking yourself out:
Further down, there are also some proactive security measures you can enable:
And you can also set up a custom login page and display a 404 for the original page. While I’ve seen the security merits of this tactic debated, one thing everyone seems to agree on is that this is still a great way to avoid wasting resources on bot traffic:
Then, at the bottom, you can configure Citadel Mode, which is helpful when you’re under attack. When triggered, it makes it so that only IP addresses that you’ve specifically white listed can log in for the duration that you set:
Basically, the Main Settings area is giving you a lot of options for locking down your site’s login process.
If you hop over to the Access Lists tab, you’ll be able to manage both IP whitelists (always allowed) and blacklists (never allowed).
In addition to specific IP addresses, you can also specify ranges or subnets:
As the name suggests, the Hardening tab helps you implement some basic security hardening tactics. It’s super simple to use, just make sure you don’t disable something you need.
For example, if you’re using something that relies on the REST API, you might not want to completely disable it. Thankfully, WP Cerber Security also lets you conditionally disable the REST API, which lets you allow it sometimes, but not indiscriminately:
Finally, the Notifications tab lets you control the notifications that you receive. You can even set it up to receive push notifications, which is pretty cool if you want to keep a close eye on your site:
The main dashboard gives you a high-level look at what’s happening on your site, but Traffic Inspector takes things even further, letting you look in detail at every single request.
You can also use filters to, say, only look at suspicious activity from not logged in visitors:
There’s also a settings area where you can:
- Choose how aggressive you want traffic inspection to be
- Add a whitelist
- Choose what and how much to log
The Security Rules area houses a powerful feature that lets you set up geo-specific rules for who can:
- Log in
- Submit forms
- Post comments
- Use XML-RPC
- Use REST API
For example, you already saw how my test site was experiencing some malicious form submissions from Russia.
If I wanted to, I could set up a rule that blocks all Russian visitors from submitting forms:
While you’ll want to be deliberate about setting up these rules, having this functionality gives you more proactive control over security at your site.
The User Policies area helps you set up rules for specific user roles, as well as your site as a whole.
First, you can set up these Role-based rules for:
- Session expiration
- Two-factor authentication use
For two-factor, you can either always enable it, or only do so conditionally, like when someone tries to log in from a new country.
And again, you can do this on a per-role basis. So you could make all your Editors use two-factor, but not Authors:
Beyond the role-specific restrictions, you can also set global limits for things like:
- Prohibited emails and usernames
- Max registration limits
- Session expiration time
Site Integrity Scans
The Site Integrity tab lets you run scans to:
- Verify the integrity of your files by monitoring for new files and changes
- Find malware or other malicious code
You can manually run these scans or set them up to automatically run on a schedule. And you also get options to exclude certain content from the scans.
On my test site, WP Cerber Security did seem to mark a lot of legitimate files as “Suspicious code found”, so you will still need to manually sift through the results. For example, I used Bluehost‘s staging functionality to create a staging site in a subdirectory, which triggered a lot of warnings in WP Cerber Security:
The Antispam tab helps you stop spam in all the forms on your site, including:
- Other forms
You can add a whitelist and choose what to do with any spam comments:
WP Cerber Security can also help you set up reCAPTCHA if you want. And a nice feature here is that you’re able to choose exactly which forms you’d like to add it to.
If you have multiple sites running WP Cerber Security, the Cerber.Hub tab lets you manage multiple sites from one spot.
You can either set it up so that your site is the:
- Master – it will manage other sites.
- Slave – it will be managed by another Master site.
You might find this convenient if you’re dealing with a lot of different sites.
WP Cerber Security Pricing
WP Cerber Security has a limited free version at WordPress.org that helps you implement some of the basic security tweaks.
However, for access to the more proactive features – like malware scans, the firewall, integrity checks, and a lot more – you’ll need to go Pro.
For a single site, you can either pay $29 per quarter or $99 per year. You can also purchase a 5-site license for $39 per month or $399 per year.
Final Thoughts on WP Cerber Security
While I didn’t intentionally infect my site with malware to test WP Cerber Security, I think I can make a few conclusions:
- The interface is really well done. It’s not flashy, but the design is clean and makes it easy to access important information.
- It implements a lot of WordPress security best practices, especially when it comes to your login processes and basic hardening.
- You have lots of options for configuring security policies that make sense for your specific site, with the ability to set up geographic restrictions and role-based login policies.
- It was able to pick up malicious bot traffic that I had no idea was happening, which is scary by itself.
While the free version at WordPress.org can help you implement basic security hardening, I think you’ll want to go with the Pro version for the most proactive security.
Finally – always remember that, while a good WordPress security plugin like WP Cerber Security is a great first step, a WordPress security plugin alone cannot 100% protect your site.