
WP Cerber Security, Anti-spam & Malware Scan

Developer: gioni
Updated: February 13, 2024 19:53
Donation link: Donate
PHP version: 7.0 or higher
WordPress version: 6.4
License: GPLv2

Tags

recaptcha captcha security 2FA log logging custom login url antispam firewall malware scanner activity limit login attempts access list

Downloads

8.8.5 8.9.5.2 9.5 8.4 8.5 8.6.3 9.5.3 9.5.5 9.5.7 9.6.2 8.5.8 8.5.9 8.6 8.6.5 8.6.6 8.6.7 8.6.8 8.7 8.8 8.8.3 8.5.3 8.9 8.9.5 8.9.6 9.0 8.9.3 9.1 9.2 8.5.5 8.5.6 8.8.6 9.2.2 9.3.3 9.4

Description:

Defends WordPress against hacker attacks, spam, trojans, and malware.

  • Mitigates brute-force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests, or using auth cookies.
  • Tracks user and bad-actor activity with flexible email, mobile and desktop notifications.
  • Stops spammers by using a specialized anti-spam engine.
  • Uses Google reCAPTCHA to protect registration, contact, and comments forms.
  • Restricts access with IP Access Lists.
  • Monitors the website integrity with an advanced malware scanner and integrity checker.
  • Reinforces the security of WordPress with a set of flexible security rules and sophisticated security algorithms.

Features you will love

Limit login attempts done right
By default, WordPress allows unlimited login attempts through the login form, XML-RPC or by sending special cookies. This allows passwords to be cracked with relative ease via a brute force attack. WP Cerber blocks intruders by IP or subnet from making further attempts after a specified limit on retries is reached, making brute force attacks or distributed brute force attacks from botnets impossible. You will be able to create a Black IP Access List or White IP Access List to block or allow logins from a particular IP address, IP address range or a subnet of any class (A, B, C). Moreover, you can create your Custom login page and forget about automatic attacks on the default wp-login.php, which take your attention and consume a lot of server resources. If an attacker tries to access wp-login.php they will be blocked and get a 404 Error response.

Malware scanner
Cerber Security Scanner is a sophisticated and extremely powerful tool that thoroughly scans every folder and inspects every file on a website for traces of malware, trojans, backdoors, changed and new files. Read more about the malware scanner.

Integrity checker
The scanner checks if all WordPress folders and files match what exists in the official WordPress core repository, compares your plugins and themes with what is in the official WordPress repository and alerts you to any changes. As with scanning free plugins and themes, the scanner scans and verifies commercial plugins and themes that are installed manually.

Scheduled Scans With Automatic File Recovery
Cerber Security Scanner allows you to configure a schedule for automated recurring scanning easily. Once the schedule is configured, the scanner automatically scans the website, deletes malware and recovers modified and infected WordPress files. After every scan, you can get an optional email report with the results of the scan. Read more about the scheduled scans.

Two-Factor Authentication
Two-Factor Authentication (2FA) provides an additional layer of security requiring a second factor of identification beyond just a username and password. When 2FA is enabled on a website, it requires a user to provide an additional verification code when signing into the website. This verification code is generated automatically and sent to the user by email. Read more about Two-Factor Authentication.

Log, filter out and export activities
WP Cerber tracks time, IP addresses and usernames for successful and failed login attempts, logins, logouts, password changes, blocked IPs and actions taken by the plugin itself. You can export them to a CSV file.

Limit login attempts reinvented
You can hide the WordPress dashboard (/wp-admin/) when a user isn't logged in. If a user isn't logged in and they attempt to access the dashboard by requesting /wp-admin/, WP Cerber will return a 404 Error. Massive botnet brute force attack? That's no longer a problem. Citadel mode is activated automatically for a while and prevents any further attempts to log in to your site with any username.

Cerber anti-spam engine
Anti-spam and anti-bot protection for contact, registration, comments and other forms. The WP Cerber anti-spam and bot detection engine now protects all forms on a website. No reCAPTCHA is needed. It’s compatible with virtually any form you have. Tested with Gravity Forms, Caldera Forms, HappyForms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms.

  • Anti-spam protection: invisible reCAPTCHA for WooCommerce
  • Anti-spam protection: invisible reCAPTCHA for WordPress

Integration with Cloudflare
A special Cloudflare add-on for WP Cerber keeps the list of blocked IP addresses in sync with Cloudflare IP Access Rules.

Stay in compliance with GDPR
How to get full control of personal data to be in compliance with data privacy laws such as GDPR in Europe or CCPA in California.

Documentation & Tutorials

Translations
Thanks to POEditor.com for helping to translate this project.

Compatibility is not verified
There are some plugins that were not checked to be compatible: Login LockDown, Login Security Solution, BruteProtect, Ajax Login & Register, Lockdown WP Admin, Loginizer, Sucuri, Wordfence, BulletProof Security, SiteGuard WP Plugin, iThemes Security, All In One WP Security & Firewall, Brute Force Login Protection

Other reliable plugins from the trusted author
  • Checks plugins for deprecated WordPress functions, known security vulnerabilities, and some unsafe PHP functions
  • Make your website instantly available in 90+ languages with Google Translate Widget. Add the power of Google automatic translations with one click.

Installation:

Installing the WP Cerber Security plugin is the same as other WordPress plugins.
  1. Install the plugin through Plugins > Add New > Upload or unzip plugin package into wp-content/plugins/.
  2. Activate the WP Cerber through the Plugins > Installed Plugins menu in the WordPress admin dashboard.
  3. Read carefully: Getting Started Guide
Important notes
  1. Before enabling invisible reCAPTCHA, you must obtain separate keys for the invisible version. How to enable reCAPTCHA.
  2. If you want to test out the plugin's features, do this on another computer (or in an incognito browser window) and remove that computer's IP address or network from the White Access List. Cerber is smart enough to recognize "the boss".
  3. If you've set up the Custom login URL and you use some caching plugin like W3 Total Cache or WP Super Cache, you have to add the new Custom login URL to the list of pages not to cache.
  4. Read this if your website is under CloudFlare
  5. If you use the Jetpack plugin or another plugin that needs to connect to wordpress.com, you need to unlock XML-RPC. To do that go to the Hardening tab, uncheck Disable XML-RPC, and click the Save changes button.
The following steps are optional but they allow you to reinforce the protection of your WordPress.
  1. Fine tune Limit login attempts settings making them more restrictive according to your needs
  2. Configure your Custom login URL and remember it (the plugin will send you an email with it).
  3. Once you have configured Custom login URL, check 'Immediately block IP after any request to wp-login.php' and 'Block direct access to wp-login.php and return HTTP 404 Not Found Error'. Don't use wp-admin to log in to your WordPress dashboard anymore.
  4. If your WordPress has a few experienced users, check 'Immediately block IP when attempting to log in with a non-existent username'.
  5. Specify the list of prohibited usernames (logins) that legit users will never use. They will not be permitted to log in or register.
  6. Configure mobile and browser notifications via Pushbullet.
  7. Obtain keys and enable invisible reCAPTCHA for password reset and registration forms (WooCommerce supported too).

Screenshots:

  • The activity log in WP Cerber helps website owners and WordPress administrators monitor user activity, identify potential security threats, and troubleshoot issues that may arise on the website.
  • A user session management console is a tool that enables WordPress administrators to manage user sessions on their websites from a central location. It allows administrators to search for, monitor, and manage active user sessions, including the ability to view user activity and terminate user sessions.
  • A list of blocked malicious IP addresses is another tool for WordPress administrators. It provides a detailed overview of all IP addresses that have been blocked by WP Cerber, including host names, countries of origin, reasons for being blocked, and the ability to unlock an IP address if necessary.
  • The Main Settings tab enables you to configure login security features, brute-force protection parameters, custom WordPress login page and other important plugin settings.
  • On the Hardening tab you can manage multiple access control features that block access to sensitive website data, prevent user enumeration, disable user detail exposure, restrict access to WordPress REST API, and other WordPress data interfaces that are vulnerable to bad actors and data scraping bots.
  • On the Notification tab administrators configure email parameters for notifications, alerts, and reports. WP Cerber provides mobile alerts and email notifications to WordPress administrators to keep them informed about security-related events on their websites.

Other notes:

  1. If you want to test out the plugin's features, do this from another computer and remove that computer's network from the White Access List. Cerber is smart enough to recognize "the boss".
  2. If you've set up the Custom login URL and you use some caching plugin like W3 Total Cache or WP Super Cache, you have to add a new Custom login URL to the list of pages not to cache.
  3. Read this if your website is under CloudFlare
German
Protects the site against brute-force attacks. Comprehensive control of user activity. Limit the number of login attempts through the login form, XML-RPC requests or with auth cookies. Restrict access with a Black Access List and a White Access List. Track user and intrusion activity.

French
Protects the site against brute-force attacks. Full control of user activity. Limit the number of login attempts through the login form, XML-RPC requests or by using auth cookies. Restrict access with a Black Access List and a White Access List. Track user and intrusion activity.

Ukrainian
Protects the site against brute-force attacks. Limit the number of login attempts through the login form, XML-RPC requests or by using auth cookies. Restrict access with a Black Access List and a White Access List. Track user and security activity.

What does "Cerber" mean?
Cerber is derived from the name Cerberus. In Greek and Roman mythology, Cerberus is a multi-headed dog with a serpent's tail, a mane of snakes, and a lion's claws. Nobody can bypass this angry dog. Now you can order WP Cerber to guard the entrance to your site too.

FAQ:

Can I use the plugin with CloudFlare?

Yes. WP Cerber settings for CloudFlare.

Is WP Cerber Security compatible with WordPress multisite mode?

Yes. All settings apply to all sites in the network simultaneously. You have to activate the plugin in the Network Admin area on the Plugins page. Just click on the Network Activate link.

Is WP Cerber Security compatible with bbPress?

Yes. Compatibility notes.

Is WP Cerber Security compatible with WooCommerce?

Completely.

Is reCAPTCHA for WooCommerce a free feature?

Yes. How to set up reCAPTCHA for WooCommerce.

Are there any incompatible plugins?

The following plugins can cause some issues: Ultimate Member, WPBruiser {no-Captcha anti-Spam}, Plugin Organizer, WP-SpamShield. The Cerber Security plugin won't be updated to fix any issue or conflict related to them; you should decide and stop using one or all of them. Read more: https://wpcerber.com/compatibility/.

Can I change login URL (rename wp-login.php)?

Yes, easily. How to rename wp-login.php

Can I hide the wp-admin folder?

Yes, easily. How to hide wp-admin and wp-login.php from possible attacks

Can I rename the wp-admin folder?

Nope. It's not possible and not recommended for compatibility reasons.

Can I hide the fact I use WordPress?

No. We strongly encourage you not to use any plugin that renames the wp-admin folder to protect a website. Beware of all plugins that hide WordPress folders or other parts of a website and claim this as a security feature. They are not capable of protecting your website. Don't be silly, hiding some stuff doesn't make your site more secure.

Can WP Cerber Security work together with the Limit Login Attempts plugin?

Nope. WP Cerber is a drop in replacement for that outdated plugin.

Can WP Cerber Security protect my site from DDoS attacks?

Nope. The plugin protects your site from brute force attacks or distributed brute force attacks. By default WordPress allows unlimited login attempts either through the login form or by sending special cookies. This allows passwords to be cracked with relative ease via a brute force attack. To prevent this, use WP Cerber.

Is there any WordPress plugin to protect my site from DDoS attacks?

Nope. This hard task cannot be done by using a plugin. That may be done by using special hardware from your hosting provider.

What is the goal of the Citadel mode?

Citadel mode is intended to block massive bot (botnet) attacks and also slow brute force attacks. The latter type of attack uses a large range of intruder IPs with a small number of login attempts from each.

How to turn off the Citadel mode completely?

Set Threshold fields to 0 or leave them empty.

What is the goal of using Fail2Ban?

With Fail2Ban you can protect your site at the OS level with the iptables firewall. See details here: https://wpcerber.com/how-to-protect-wordpress-with-fail2ban/

Do I need to use Fail2Ban to get the plugin working?

No, you don't. It is optional.

Can I use this plugin on the WP Engine hosting?

Yes! WP Cerber Security is not on the list of disallowed plugins.

Is the plugin compatible with Cloudflare?

Yes, read more: https://wpcerber.com/cloudflare-and-wordpress-cerber/

Does the plugin work on websites with SSL (HTTPS)?

Absolutely!

It seems that old activity records are not being removed from the activity log

That means that scheduled tasks are not executed on your site. In other words, WordPress cron is not working the right way. Try to add the following line to your wp-config.php file: define( 'ALTERNATE_WP_CRON', true );

I'm unable to log in / I'm locked out of my site / How to get access (log in) to the dashboard?

There is a special version of the plugin called WP Cerber Reset. This version performs only one task. It resets all WP Cerber settings to their initial values (excluding Access Lists) and then deactivates itself. To get access to your dashboard you need to copy the WP Cerber Reset folder to the plugins folder. Follow these simple steps.

  1. Download the wp-cerber-reset.zip archive to your computer using this link: https://wpcerber.com/downloads/wp-cerber-reset.zip
  2. Unpack the wp-cerber folder from the archive.
  3. Upload the wp-cerber folder to the plugins folder of your WordPress using any FTP client or a file manager in your hosting control panel. If you see a question about overwriting files, click Yes.
  4. Log in to your website as usual. Now WP Cerber is disabled completely.
  5. Reinstall the WP Cerber plugin again. You need to do that, because WP Cerber Reset cannot work as a normal plugin.

Changelog:

9.6.2
  • New: Introduced an admin tool that provides clear explanations of security events in WP Cerber logs and security settings WP Cerber applied in processing requests.
  • New: Implemented settings for configuring header-based exceptions for WP Cerber’s anti-spam and firewall.
  • Improved: A new activity log event, "Comment marked as spam", to simplify spam comment management and related plugin settings.
  • Improved: A new quick filter, "Spam Events", on the Activity tab. It helps admins to easily view all spam-related events and actions taken by WP Cerber’s anti-spam.
  • Improved: WP Cerber now logs the reasons for blocking IP addresses with better accuracy, making it simpler to discern the root cause of lockouts.
  • Improved: To mitigate plugin conflicts, implemented a dequeuing mechanism that removes conflicting JavaScript scripts loaded by other plugins on WP Cerber admin pages.
  • Improved: The layout of several WP Cerber admin settings pages and translations have been improved for a better admin experience.
  • Improved: Refined the wording of WP Cerber plugin settings, improving clarity for a better understanding of the plugin’s behavior.
  • Fixed: A minor PHP bug "An error of type E_ERROR was caused in line 661 of the file /wp-cerber/cerber-lab.php."
  • Fixed: A minor PHP bug "PHP Warning: Undefined array key net_connection_ip in /wp-cerber/cerber-lab.php on line 330"

9.6.1
  • Fixed: An issue where you could not change the mode of two-factor authentication (2FA) for a user if 2FA was previously enabled or completely disabled on the user profile page. This only happened if the license key for the professional version of WP Cerber had expired or was removed from a website.
  • Fixed: A bug that triggered a PHP fatal error: Uncaught TypeError: array_merge(): Argument #1 must be of type array, bool given in …/wp-cerber/cerber-settings.php:1037

9.6
  • New: You can control the amount of sign-in attempt details that are shown in 2FA email messages. You can also disable this section completely.
  • Improved: You can have an individual 2FA email configuration for each role on your WordPress and configure per-user settings as well.
  • Improved: A new "Login Security" section on the user edit page in the professional version of WP Cerber.
  • Improved: New status for activity log entries: "Access denied by plugin settings." It indicates that a given request is denied based on settings within the WP Cerber configuration.
  • Breaking changes: The feature to use a separate user email address for receiving 2FA codes is available in the professional version of WP Cerber only.
  • Fixed: A fatal PHP error occurs when "Data Shield" is enabled, and a plugin tries to change WordPress settings without loading pluggable PHP functions: "Uncaught Error: Call to undefined function wp_get_current_user() in /wp-cerber/cerber-common.php:1820"

9.5.8
  • New: Mitigating excessive use of the WordPress password reset form. Whenever WP Cerber detects multiple attempts to reset the password for non-existing users, the IP address gets blocked.
  • Fixed: Erroneous events "Password reset request denied" are logged to the Activity log.
  • Fixed: If WP Cerber is unable to create its diagnostic log, it produces the software error "PHP Fatal error: Uncaught ValueError: Path cannot be empty in".
  • Fixed: When browsing plugin updates on the Dashboard / Updates page, no details about the last release of WP Cerber are shown in the pop-up window.

9.5.7
  • New: When two-factor authentication is enabled, users can now optionally click a checkbox on the 2FA form to remember their devices for a predefined period of days. Available in the professional version of WP Cerber.
  • Improved: Enhanced details about generated 2FA PIN codes on the user profile page.
  • Improved: The tabs labeled "Role-based" and "Global" are now renamed to "Role Policies" and "Global Policies" respectively.
  • Fixed: The 2FA email address set on the user profile page is ignored when sending 2FA codes.
  • Fixed: A fatal error occurs when using Cerber.Hub and switching to a managed website where automatic updates for WP Cerber were enabled.

9.5.6
  • New: WP Cerber now sends 2FA verification codes via SMTP. If an SMTP server is set up in the WP Cerber settings, it will be used to send these codes.
  • New: Implemented a backup method for sending emails via an SMTP server. If an attempt to send an email through the SMTP server fails, WP Cerber will resort to using the default WordPress mailer.
  • New: Email error reporting has been introduced. If an error occurs while WP Cerber is sending an email, the error details are captured and shown as a warning on the WP Cerber dashboard.
  • Improved: If your website crashes and displays the WordPress message "There has been a critical error on this website", WP Cerber captures and logs fatal PHP errors.
  • Improved: WP Cerber now identifies and shows the name, version and author of a plugin or a theme that produced PHP errors.
  • Improved: All users with prohibited usernames (logins) are marked with the red label "PROHIBITED" on the Users admin page.
  • Improved: The limits on the maximum length of SMTP setting fields have been increased from 28 characters to 64.
  • Fixed: If HTTP redirection is set to handle attempts to access protected areas, and WP Cerber blocks an intruder's IP address, no email alerts are sent even if lockout alerting is enabled.

9.5.5
  • New: WP Cerber now supports establishing outgoing network connections via a proxy server that is configured for WordPress.
  • Improved: File operations and error handling in the WP Cerber scanner have been enhanced. Any unsuccessful file recoveries are displayed in the scan results.
  • Improved: If a file recovery requires creating missing folders, the scanner creates them.
  • Improved: To prevent altering source files, the scanner recovery folders are emptied before starting a scan.
  • Improved: When email notifications for new versions of installed plugins are enabled, you will receive an alert as soon as either WP Cerber or WordPress detects an update.
  • Improved: You can enable automatic updates for WP Cerber in the main plugin settings now.
  • Fixed: If a file is missing, the scanner does not recover it.

9.5.4
  • Improved: The breaking changes introduced in WooCommerce 7.5.1 interfered with the WP Cerber anti-spam engine when enabled, causing issues with AJAX-based functionality in WooCommerce.
  • Fixed: Multiple admin notices appear when a new version of WP Cerber is available but not installed.
  • Fixed: A PHP error message can appear while viewing log entries filtered by an IP address.

9.5.3
  • New: You can define a more secure location of the protected WP Cerber directory by using a PHP constant.
  • Improved: JSON payload of REST API and other requests is decoded and saved to the "Live Traffic" log.
  • Improved: The "Form submissions" filter, located on the Live Traffic tab, filters out conventional form submissions and no longer includes REST API requests.
  • Improved: The activity export file now includes a new column, "By User," which contains the user ID of the user who initiated the row event.
  • Improved: The names of export files are now unified and include the website URL, making it easier to identify which website the file was downloaded from.
  • Improved: Prevent Jetpack’s Asset CDN from destroying the layout and style of WP Cerber admin pages.

9.5
  • New: Get an email notification whenever a new version of a plugin is available.
  • New: An additional option for granting access to users’ data via REST API for selected user roles.
  • New: An additional option for sending activity alerts. Email alerts can be sent to an email address you have on your WordPress account.
  • Improved: WP Cerber now permanently stores users’ last login data (IP address, time, user’s country) for all users. The data can be erased by the website admin.
  • Improved: To prevent having an insecure plugin configuration, WP Cerber validates required HTTP headers before enabling the behind a proxy mode in the WP Cerber settings.
  • Fixed: A specially formatted request can bypass the disabled redirection from /wp-admin/ locations to the custom login page.
  • Fixed: The integrity scanner labels a file as "File is missing" if the folder containing the file is on the "Directories to exclude" list.
  • Fixed: After clicking "Apply" on the "Screen Options" on the Cerber.Hub admin page, a blank page is displayed.

9.4
  • New: In addition to weekly reporting, WP Cerber can be configured to generate and send monthly activity reports once a month.
  • New: Weekly activity reports now can be generated either for the last 7 days or the previous calendar week.
  • New: Redirecting requests to a specified URL instead of generating a 404 page when attempting to access prohibited locations on a website.
  • New: The "Remember Me" checkbox on the WordPress login form can be disabled.
  • Improved: No access to author archives via any possible URLs if "Block access to user pages via their usernames" is enabled.
  • Improved: The default period of weekly reports is the previous calendar week.
  • Fixed: If WordPress is installed in a subfolder and the custom login page is configured, submitting the password reset form doesn’t redirect users to the page with a success message, showing "Not Found" instead.
  • Fixed: If the custom login page is configured, disabling the login language switcher has no effect on the login form and the language switcher is still displayed.
  • Fixed: On some multi-site WordPress installations, WP Cerber can produce warning messages about using the undefined UPLOADBLOGSDIR constant.
  • Fixed: If the access lists contain IPv6 addresses and the Activity log contains entries with IPv6 addresses, viewing those entries causes PHP warnings "undefined property: stdClass::$comments".
  • Fixed: If Pushbullet mobile notifications are enabled and the list of available devices contains inactive (removed) devices, WP Cerber produces PHP notices "Undefined index: nickname" while parsing the list.

9.3.2 9.3 9.2 9.1 9.0 8.9.6 8.9.5 8.9.3 8.9 8.8.6 8.8.5 8.8.3 8.8 8.7 8.6.8 8.6.7 8.6.6 8.6.5 8.6.3 8.6 8.5.9 8.5.8 8.5.6 8.5.5 8.5.3 8.5 8.4 8.3 8.2 8.1 8.0 7.9.7 7.9.3 7.9 7.8.5 7.8 7.7 7.6 7.5 7.2 7.0