WP Cerber Security Review: A WordPress Plugin to Keep Your Site Safe


A security breach at your WordPress site is a nightmare scenario – all your hard work, gone up in a puff of smoke (or, more likely, a puff of pharmacy SEO link spam or weird redirects).

In today’s WP Cerber Security review, I’m going to take a look at a freemium WordPress security plugin that aims to greatly decrease the chances that such a breach happens to you. This plugin is brought to you by Cerber Tech Inc.

I’ll tell you all about the features WP Cerber Security implements to keep you safe. Then, I’ll take you hands-on at my site and show you how everything works.

WP Cerber Security Review: How it Keeps Your Site Safe

Before I go hands-on and show you how WP Cerber Security works, let me take you through everything it’s doing to keep your site safe.

WP Cerber Security brands itself as “Security, Antispam & Malware Scan”, which is a pretty good summary of how it protects your site.

Let’s start with that first part – security. WP Cerber Security helps you implement a lot of the techniques you see in blog posts about WordPress security:

  • Protect from a variety of common attacks, including code injection, REST API and ordinary user enumerations, and more
  • Implement a web application firewall, called Traffic Inspector
  • Limit login attempts
  • Monitor login attempts
  • Create IP whitelists or blacklists to restrict access
  • Change your login page URL
  • Use two-factor authentication, including options for controlling who has to use two-factor
  • Disable XML-RPC and REST API (optional – your site might actually need the API to function)
  • A special “Citadel mode” that helps protect you from brute force attacks by blocking login functionality

This is not the full list of security features – it implements lots of smaller tweaks as well.

Then, you get a number of antispam features like:

  • Protect all forms on your site, including registration, login, lost password, WooCommerce checkout, etc.
  • Clean up spam comments
  • Add ReCaptcha
  • Create country-based anti-spam rules

Finally, you get the malware scanning. WP Cerber Security…

  • Verifies the integrity of the WordPress core, as well as your plugins and themes
  • Monitors for file changes, including an option to receive email notifications when files are changed
  • Runs automatic malware scans, including removal

Overall, there’s a lot going on there! And all that functionality helps explain why WP Cerber Security is active on over 100,000 sites with a 4.9-star rating on over 350 reviews, according to WordPress.org.

Let’s go hands-on and I’ll show you how it works…

WP Cerber Security Dashboard

The main WP Cerber Security dashboard gives you a high-level look at all the important stuff at your site.

For example, you can see how, after having left the plugin running for a week or so, I had a bunch of malicious requests originating in Russia:

Only the last login from Vietnam is me – so there’s definitely some malicious stuff going on…or at least being attempted.

If you explore those tabs at the top, you can get a deeper look at what’s happening. For example, you can see how I accidentally entered the wrong password, as well as the specific files that the malicious actor from Russia was probing (and which WP Cerber Security blocked):

Beyond letting you see what’s happening at your site, the main dashboard also lets you configure some basic settings for your site.

Main Settings

The Main Settings tab lets you configure how the built-in limit login attempts functionality works. There’s also a nice Aggressive lockout option that lets you be more strict during times when you’re under attack.

If you want, you can also whitelist specific IP addresses (like your own) to avoid the chance of locking yourself out:

Further down, there are also some proactive security measures you can enable:

And you can also set up a custom login page and display a 404 for the original page. While I’ve seen the security merits of this tactic debated, one thing everyone seems to agree on is that this is still a great way to avoid wasting resources on bot traffic:

Then, at the bottom, you can configure Citadel Mode, which is helpful when you’re under attack. When triggered, it makes it so that only IP addresses that you’ve specifically whitelisted can log in for the duration that you set:

Basically, the Main Settings area is giving you a lot of options for locking down your site’s login process.
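
To make the interplay of these login controls concrete, here is an added sketch (not WP Cerber's code) of a per-IP lockout, an allow list that accepts single IPs or subnets, and a Citadel-style window during which only listed IPs may log in. The class name, the thresholds and the trigger for the Citadel window (a count of site-wide failed logins) are assumptions; the plugin's actual trigger is not described here.

```python
import ipaddress
from collections import defaultdict, deque

def _hit(q, now, window):
    """Record a failure at `now` and return how many fall inside the window."""
    q.append(now)
    while q[0] <= now - window:
        q.popleft()
    return len(q)

class LoginGuard:
    # Counts and seconds below are illustrative assumptions, not plugin defaults.
    MAX_FAILS, FAIL_WINDOW, LOCKOUT = 3, 600, 3600
    CITADEL_FAILS, CITADEL_WINDOW, CITADEL_DURATION = 5, 300, 1800

    def __init__(self, allow):
        self.allow = [ipaddress.ip_network(n) for n in allow]  # single IPs or subnets
        self.fails = defaultdict(deque)  # ip -> timestamps of recent failed logins
        self.locked = {}                 # ip -> time the per-IP lockout expires
        self.site_fails = deque()        # recent failures from all non-listed IPs
        self.citadel_until = 0           # end of the site-wide restricted window

    def attempt(self, ip, now, password_ok):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.allow):
            return "allow"               # the allow list wins over every block
        if now < self.citadel_until:
            return "deny-citadel"        # site-wide: only listed IPs may log in
        if now < self.locked.get(ip, 0):
            return "deny-lockout"        # a correct password does not lift a lockout
        if not password_ok:
            if _hit(self.fails[ip], now, self.FAIL_WINDOW) >= self.MAX_FAILS:
                self.locked[ip] = now + self.LOCKOUT
            if _hit(self.site_fails, now, self.CITADEL_WINDOW) >= self.CITADEL_FAILS:
                self.citadel_until = now + self.CITADEL_DURATION
                self.site_fails.clear()
        return "allow"                   # the attempt reaches the password check

# Constructed sample: (timestamp, client IP, password_ok); IPs are documentation ranges.
SAMPLE = [(0, "198.51.100.7", False), (10, "198.51.100.7", False),
          (20, "198.51.100.7", False), (30, "198.51.100.7", True),
          (40, "192.0.2.1", False), (50, "192.0.2.2", False),
          (60, "192.0.2.3", True), (70, "203.0.113.9", True),
          (1900, "192.0.2.3", True), (1900, "198.51.100.7", True)]

def replay(allow, events):
    """Run the events through a fresh guard and return one decision per event."""
    guard = LoginGuard(allow)
    return [guard.attempt(ip, now, ok) for now, ip, ok in events]
```

Replaying the sample with `203.0.113.0/24` on the allow list shows why whitelisting your own address matters: the listed client still gets through during the restricted window, while an unlisted client with the correct password does not.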

Access Lists

If you hop over to the Access Lists tab, you’ll be able to manage both IP whitelists (always allowed) and blacklists (never allowed).

In addition to specific IP addresses, you can also specify ranges or subnets:


Hardening

As the name suggests, the Hardening tab helps you implement some basic security hardening tactics. It’s super simple to use; just make sure you don’t disable something you need.

For example, if you’re using something that relies on the REST API, you might not want to completely disable it. Thankfully, WP Cerber Security also lets you conditionally disable the REST API, which lets you allow it sometimes, but not indiscriminately:


Notifications

Finally, the Notifications tab lets you control the notifications that you receive. You can even set it up to receive push notifications, which is pretty cool if you want to keep a close eye on your site:

Traffic Inspector

The main dashboard gives you a high-level look at what’s happening on your site, but Traffic Inspector takes things even further, letting you look in detail at every single request.

You can also use filters to, say, only look at suspicious activity from visitors who aren’t logged in:

There’s also a settings area where you can:

  • Choose how aggressive you want traffic inspection to be
  • Add a whitelist
  • Choose what and how much to log

Security Rules

The Security Rules area houses a powerful feature that lets you set up geo-specific rules for who can:

  • Log in
  • Register
  • Submit forms
  • Post comments
  • Use XML-RPC
  • Use REST API

For example, you already saw how my test site was experiencing some malicious form submissions from Russia.

If I wanted to, I could set up a rule that blocks all Russian visitors from submitting forms:

While you’ll want to be deliberate about setting up these rules, having this functionality gives you more proactive control over security at your site.

User Policies

The User Policies area helps you set up rules for specific user roles, as well as your site as a whole.

First, you can set up these Role-based rules for:

  • Redirect
  • Session expiration
  • Two-factor authentication use

For two-factor, you can either always enable it, or only do so conditionally, like when someone tries to log in from a new country.

And again, you can do this on a per-role basis. So you could make all your Editors use two-factor, but not Authors:

Beyond the role-specific restrictions, you can also set global limits for things like:

  • Prohibited emails and usernames
  • Max registration limits
  • Session expiration time

Site Integrity Scans

The Site Integrity tab lets you run scans to:

  • Verify the integrity of your files by monitoring for new files and changes
  • Find malware or other malicious code

You can manually run these scans or set them up to automatically run on a schedule. And you also get options to exclude certain content from the scans.

On my test site, WP Cerber Security did seem to mark a lot of legitimate files as “Suspicious code found”, so you will still need to manually sift through the results. For example, I used Bluehost’s staging functionality to create a staging site in a subdirectory, which triggered a lot of warnings in WP Cerber Security:


Antispam

The Antispam tab helps you stop spam in all the forms on your site, including:

  • Comments
  • Registration
  • Other forms

You can add a whitelist and choose what to do with any spam comments:

WP Cerber Security can also help you set up reCAPTCHA if you want. And a nice feature here is that you’re able to choose exactly which forms you’d like to add it to.


Cerber.Hub

If you have multiple sites running WP Cerber Security, the Cerber.Hub tab lets you manage multiple sites from one spot.

You can set your site up as either:

  • Master – it will manage other sites.
  • Slave – it will be managed by another Master site.

You might find this convenient if you’re dealing with a lot of different sites.

WP Cerber Security Pricing

WP Cerber Security has a limited free version at WordPress.org that helps you implement some of the basic security tweaks.

However, for access to the more proactive features – like malware scans, the firewall, integrity checks, and a lot more – you’ll need to go Pro.

For a single site, you can either pay $29 per quarter or $99 per year. You can also purchase a 5-site license for $39 per month or $399 per year.

Final Thoughts on WP Cerber Security

While I didn’t intentionally infect my site with malware to test WP Cerber Security, I think I can draw a few conclusions:

  • The interface is really well done. It’s not flashy, but the design is clean and makes it easy to access important information.
  • It implements a lot of WordPress security best practices, especially when it comes to your login processes and basic hardening.
  • You have lots of options for configuring security policies that make sense for your specific site, with the ability to set up geographic restrictions and role-based login policies.
  • It was able to pick up malicious bot traffic that I had no idea was happening, which is scary by itself.

While the free version at WordPress.org can help you implement basic security hardening, I think you’ll want to go with the Pro version for the most proactive security.

Finally – always remember that, while a good WordPress security plugin like WP Cerber Security is a great first step, a WordPress security plugin alone cannot 100% protect your site.

Colin Newcomer

Colin has been using WordPress for over a decade and is on a quest to test all 60,000+ plugins at WordPress.org. He has been a Writer and Product Review Expert for WP Mayor since 2017, testing well over 150 products and services throughout that time.

7 Responses

  1. I like WP-Cerber and have been using it for years, but today I received a notice from them that said the following:

    “The plugin is temporarily closed on wordpress.org because its code unexpectedly does not meet internal wordpress.org requirements changed this summer. No information regarding the changes has ever been disclosed or published. We faced it when we released WP Cerber 9.1. Over the last few weeks, we have been spending a decent amount of time negotiating the terms of returning the plugin to the wordpress.org repository and making changes to the WP Cerber’s code. The time we could spend on the plugin development. The process is still in progress, the exact date of return is unclear.”

    For the time being, one must go to their website for the plugin:

    Does anyone know what the violations were? The e-mail did not enumerate them.

  2. I think this is the best security plugin, installed on 3 WordPress sites. The article guide is very useful and well described. Thank you.

  3. This plugin broke some things on my site. I do not know if it was because I configured it wrong or because of a compatibility issue with other plugins and the theme. Almost all WordPress security plugins have caused some error for me. Anyone else with this problem?

    1. We should understand that any security solution is a double-edged sword by its nature. You might come across a false positive or a conflict with another plugin. It’s simply unavoidable because a typical website has a whole lot of plugins developed by different developers. Some of those developers have no skills to develop a reliable solution or at least to reduce possible conflicts. We went the extra mile in reducing the possibility of false positives or blocking access to the website content. When properly configured, WP Cerber Security provides proven protection with a number of useful security features.

      Here is what you need to do

      1. Follow the getting started guide:

      2. In case of a software error, check the server error log

      3. In case of a security issue, follow troubleshooting guidance:

      4. Visit the support forum; sometimes your issue is already solved:

      P.S. The professional version of WP Cerber Security includes professional support provided by a team that is ready to help our customers 24/7/365.

  4. I installed Cerber on my 7 websites and it works really well. No issues for 2 years. And the last update with a role-based access module is what I needed more.

  5. I used this plugin. It’s a really awesome security plugin and keeps your website safe from backdoors/malware. It’s a really awesome plugin.
