Changed: Renamed the "White IP Access List" and "Black IP Access List" terms to "Allowed IP Access List" and "Blocked IP Access List" across the admin UI for clearer access-control terminology.
Changed: Client IP address detection now converts IPv4-mapped IPv6 addresses to standard IPv4 notation in proxy and IPv6 environments. ACL entries using mapped IPv6 notation no longer match these normalized client IP addresses.
Changed: Client IP address detection no longer falls back to the `HTTP_CLIENT_IP` header when the `X-Forwarded-For` proxy header is empty or does not contain a valid address.
Improved: The integrity scanner now records detailed database error information in the log when diagnostic logging is enabled in the settings.
Fixed: Geolocation data for IPv6 addresses is now cached correctly, so country names appear immediately in the Activity log and Traffic log instead of being re-fetched from the geolocation service on each view, which previously caused extra AJAX requests and a noticeable delay.
Fixed: Eliminated the `ERROR 1062` ("Duplicate entry") messages that the IPv6 geolocation caching bug wrote to the server error log on each IPv6 lookup.
Fixed: If more than one IPv6 range or IPv6 network defined in IP Access Lists, the Traffic and Activity logs could display comments or labels belonging to a different IPv6 Access List entry, for example showing the label "IP whitelisted" for a request that was actually denied. The logs now show details that match the Access List entry involved.
Fixed: Database operations now compatible with WordPress table prefixes starts with a digit, such as `123_`. This resolves a regression introduced by the stricter database operation validation in WP Cerber 9.7.4, where affected sites could fail to run integrity scanner.
New: Timestamps in the fail2ban log now follow the operating system timezone instead of UTC, so fail2ban can correctly evaluate failed login attempts on servers using a non-UTC timezone.
New: Added the constant CERBER_LOG_TIMEZONE to force an explicit timezone identifier for the fail2ban log when automatic detection cannot determine the system timezone.
Improved: Hostnames written to the fail2ban log on failed login attempts are now sanitized to strip log-forging characters, allow only hostname-safe characters, and keep each entry on a single well-formed line.
Improved: WP Cerber's admin interface now uses WordPress's --wp-admin-theme-color custom property instead of hardcoded accent colors, aligning tabs, focus states, and changelog callouts with the selected admin color scheme.
Improved: The Tools / License page now shows localized, non-contradictory notices for empty, malformed, invalid, expired, or temporarily unverifiable license keys.
Improved: Refactored database operations with the new CRB_Database and CRB_Query_Builder classes for more consistent query execution, transactions, safe value quoting, and validation.
Improved: Added the Revalt result/error type as an internal foundation for more consistent operation results, diagnostic chains, and error logging.
Improved: Traffic Inspector now validates decoded JSON request payloads and captures decoding errors for more reliable request logging.
Improved: Sensitive-field masking and request-field preparation now use stricter validation, normalization, and escaping before database insertion.
Improved: Admin notices emitted by WP Cerber are now rendered through crb_purify_message(), which allows only a defined set of HTML elements and attributes.
Changed: The login security setting "Write failed login attempts to the system log file" has been renamed to "Log failed logins in a syslog-style format for automated IP banning tools". Behavior is unchanged.
Improved: Plugin settings that accept REGEX patterns are now validated for syntax errors when an administrator saves settings, helping detect invalid patterns before they cause configuration problems.
Improved: The Readiness widget now detects when required PHP functions are disabled even if a required extension is installed, and they provide more precise diagnostic messages.
Fixed: Translation updates no longer attempt to download non-existent locales, which prevents the misleading error message Updating translations for WP Cerber Security (haz)… Download failed. Not Found.
Fixed: Regular expression patterns in the Traffic Inspector setting "Do not log these locations" now work correctly when they contain forward slashes, so matching requests are excluded from logging as intended.
Fixed: A minor bug that could cause the server error log message preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated.
Fixed: A minor bug that could cause the server error log message Constant CRB_DOING_BG_TASK already defined. Fixed: A minor bug that could cause the server error log message Attempt to read property "ID" on null.
Fixed: A minor bug that could cause the server error log message Call to undefined function curl_init().
Fixed: A minor bug that could cause the server error log message Undefined array key "primary_ip".
Fixed: A minor bug that could cause the server error log message Undefined array key "local_ip".
New: Implemented a "System Readiness" dashboard widget that surfaces configuration and environment issues impacting security and stability, with quick links to relevant settings and documentation.
Improved: Enforced stricter Content-Security-Policy (CSP) measures in the plugin admin area by adding additional security directives.
Improved: Enhanced the detection of obfuscated malicious JavaScript to better identify hidden security threats.
Improved: More efficient analysis of suspicious requests by the firewall, resulting in better performance and fewer false positives.
Improved: Updated HTTP header validation methods used for whitelisting requests in the anti-spam engine and traffic firewall settings. These settings now support entries with an empty value after the colon.
Improved: Refactored database operations to use stricter identifier validation, improving SQL safety and compliance with MySQL standards.
Improved: Implemented batch processing and timestamp formatting for spam comment cleanup to improve performance and prevent resource issues.
Improved: Added exception logging and enhanced error handling to the continuous code quality assurance process.
Improved: File handling operations are now more fault-tolerant with the implementation of explicit permission checks and thread-safe file locks.
Changed: To prevent accidental movement dashboard widgets can now be reorganized using drag-and-drop via their headings only.
Compatibility: Refactored code to address deprecated features and ensure compatibility with PHP 8.5.
Fixed: A minor bug where escaped HTML tags were not properly handled when rendering the settings pages user interface.
Fixed: A minor bug that caused the server error log message: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /wp-cerber/cerber-common.php:4267.
Fixed: A minor bug that caused the server error log message: preg_match(): Passing null to parameter #2 ($subject) of type string is deprecated.
Fixed: A minor bug that caused the server error log message: Undefined array key "REQUEST_METHOD".
Fixed: A minor bug that caused the server error log message: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated.
Fixed: A minor bug that caused the server error log message: Undefined array key "HTTP_HOST".
New: Added detection of AI bots and LLM scrapers (OpenAI, Claude, Meta, Apple, etc.) to easily identify AI-driven traffic in logs and alerts.
Improved: Browser detection now provides better accuracy in the logs, triage, and email notifications.
Improved: Enhanced precision in identifying mobile OS and their versions, including better support for iOS and Android.
Improved: Better detection of service agents (PayPal, Stripe) and automation tools (curl, Python, Wget) for more efficient analysis of background requests.
Improved: Localization and translation logic has been rebuilt for better translation quality in non-English languages.
Improved: Optimized server security by rewriting .htaccess rules to mitigate CVE-2018-6389.
Important: WP Cerber now requires PHP 7.4 or newer to run, with PHP 8.x recommended for optimal performance and security.
Improved: Optimized email alert links and admin navigation, improved handling of admin URLs for Cerber.Hub sites, and refined escaping in rare edge cases.
Bug fix: When a user entered a wrong password in the login form, the message showing how many login attempts remained would disappear.
Bug fix: When the site was restricted to logged-in users only, the custom message above the login form would disappear after a user entered a wrong password.
Important: The behavior of the 'authenticate' hook has been reverted to restore the behavior from versions before WP Cerber 9.6.6. Custom login workflows may be affected.
New: Added RDAP protocol support for retrieving IP address data. This is a modern and efficient replacement for WHOIS.
New: Added a setting to configure an optional message shown when a user’s email address is not allowed for registration.
New: New setting for handling login attempts with prohibited usernames: administrators can choose to silently deny access or also block the IP address.
Improved: Hardened .htaccess rules to prevent file execution in the WordPress uploads folder, even in edge-case scenarios.
Improved: Updated the plugin upgrade process to correctly handle copying and deleting obsolete settings.
Improved: Optimized log table rendering by replacing esc_url() with the faster crb_escape_url().
Improved: Enhanced diagnostic messaging in the "Upload a reference ZIP archive" dialog on the scanner page.
Improved: Hardened code of crb_escape_url() — bulletproof just got tougher.
Fixed bug: Warning: Undefined array key 'title' in cerber-load.php on line 9157.
Fixed bug: Undefined property: stdClass::$plugin in cerber-common.php on line 5853.
Fixed bug: The notification threshold setting was being reset to its default value after upgrading the plugin.
Fixed bug: The integrity scanner could stop scanning if the WP Cerber data folder became write-protected.
Minor: The setting "Non-existing users are strictly prohibited" has been moved from "Main Settings" to the "Global User Policies" tab.
Minor: The "Disable login language switcher" checkbox has been moved from "Main Settings" to the "Global User Policies" tab.
Fixed: A fatal PHP error triggered by a conflict with InfiniteWP.
Fixed: A bug that prevented language translations from loading when the main website's language was set to English.
Fixed: An issue within Cerber.Hub where new client websites were incorrectly added to the main website with extraneous quotation marks in the client website URL and website name.
Improved: Cerber.Hub now renders client websites using the language specified in WP Cerber settings, allowing you to choose any language when managing a client website remotely.
Removed: The deprecated FILTER_SANITIZE_STRING constant, ensuring compatibility with modern PHP versions.
Important: The minimum required PHP version is now 7.3, with PHP 8.x recommended for optimal performance and security.
New: WP Cerber’s admin interface can now be displayed in any language independently of the site's language, with automatic translations available when enabled in settings.
New: The Live Traffic log now highlights 301 and 302 HTTP redirections and separately marks those triggered by WP Cerber for better visibility.
New: All redirections caused by WP Cerber are now always logged in Traffic Inspector when any logging level is enabled, improving security monitoring.
Improved: Database table update code has been optimized to reduce unnecessary SQL queries, improving performance and reducing server load.
Improved: SQL queries for WP Cerber’s admin pages are now cached in WordPress’s persistent object cache, reducing database requests and speeding up page loads.
Improved: Messages related to dates and versions have been refined for better clarity and consistency.
Improved: Duplicate log links in Activity Log pop-ups have been removed for a cleaner user experience.
Improved: WP Cerber cookies now use the SameSite=Strict attribute.
Fixed: A bug that caused repeated translation file update requests has been fixed. WP Cerber now correctly manages translation updates without failed requests.
New: Introduced automatic translation of the plugin interface and messages for non-English websites, powered by AI and delivered via the WP Cerber cloud.
Improved: Enhanced plugin interoperability by allowing third-party plugins to integrate with WordPress and WP Cerber's authentication, enforcing their rules during login attempts.
Improved: Enhanced compatibility with alternative WordPress directory structures, such as those used by Bedrock.
Improved: Refined error messages on WordPress and WooCommerce login/password reset forms for better compatibility with third-party plugins.
Improved: Streamlined error reporting by automatically logging PHP errors and displaying them in a developer-friendly format on the Diagnostic tab.
Fixed: Resolved incorrect Anti-spam settings links displayed in Activity log pop-up windows.
Fixed: Addressed missing translations for tab titles on WP Cerber admin pages for non-English websites.
Fixed: Resolved a fatal PHP error triggered when saving add-on settings.
Fixed: Corrected URL display in Activity and Traffic logs when WordPress is installed in a separate directory.
Fixed: Resolved an issue where CTRL + clicking a link failed to open it in a new window/tab.
Fixed: Repaired broken "View details" links on the WordPress Plugins admin page.
Other: Removed the obsolete "Cerber Security Cloud protocol" setting.