Releases
Posted By Nick

WP Cerber Security 9.9


At a Glance

This release is about resilience. We spent the last development cycle making WP Cerber harder to break, harder to bypass, and easier to run on hosting environments that are far from ideal. The headline change is a new self-healing mechanism for plugin settings, backed by a set of security fixes in our Traffic Inspector and compatibility work for legacy database drivers.

Key Highlights

  • A new automatic backup and recovery system for plugin settings that restores a last-known-valid configuration if the stored settings become corrupted.
  • Hardened detection of obfuscated JavaScript in Traffic Inspector, closing coverage gaps attackers could use to slip encoded payloads past inspection.
  • Full compatibility with legacy hosting environments where PHP lacks the modern mysqlnd database driver, including a new advisory notice in the System Readiness widget.
  • Fixes for a fatal error caused by corrupted settings data and a detection regression in the JavaScript inspector.

Automatic Backup and Recovery for Plugin Settings

Plugin settings live in your WordPress database, and databases are not immune to trouble. A crashed server, a botched migration, or a misbehaving plugin can leave a stored configuration unreadable. Until now, the only fallback in that situation was resetting to default settings, which meant losing your carefully tuned security configuration.

If the existing corruption detector finds an unreadable stored value, WP Cerber restores the backup automatically and tells you about it. A successful restoration registers a dismissible warning in the admin area that explains what happened, what action was taken, and what you should review. The notice is resolved once you review and save your settings.

Advisory Notice for Hosts Without the mysqlnd Driver

WP Cerber now detects servers where the PHP mysqli extension is built against the legacy libmysqlclient library instead of the modern mysqlnd driver. When that is the case, a new advisory notice appears in the System Readiness widget. The notice is informational. It confirms that WP Cerber keeps working through a compatible fallback and recommends enabling mysqlnd for full compatibility and better performance. If you are on managed hosting and see this notice, it is a good conversation to have with your hosting provider.

Hardened Detection of Obfuscated JavaScript in Traffic Inspector

Attackers rarely send readable JavaScript in malicious requests. They encode it. Traffic Inspector includes a detector for obfuscated JavaScript in request fields, and this release extends its coverage while preserving its low false-positive model.

The detector now recognizes fully escaped strings that use the \uNNNN and \u{…} Unicode escape formats in addition to the previously supported \xNN hex escapes, including strings that mix these formats. It also detects execution, DOM, network, and system primitives that are decoded from explicit fromCharCode() calls, applying JavaScript ToUint16 semantics when decoding character codes and restricting decoding to validated decimal and hexadecimal literals. Multiple calls, uppercase 0X prefixes, and optional trailing commas are handled correctly.

Just as important is what the detector deliberately ignores. Primitive matching is now token-aware, so ordinary words like “description” and “evaluation” are no longer flagged on the “script” or “eval” substrings. Partial escapes, arbitrary expressions, and bare numeric arrays stay out of scope. For a site owner, the practical outcome is straightforward: encoded attack payloads that previously slipped through are now caught, and legitimate traffic is not punished for looking vaguely suspicious.

WP Cerber Now Runs on Hosts Without mysqlnd

Some hosting environments still ship PHP with mysqli compiled against the legacy libmysqlclient library. On those hosts, the mysqli_result::fetch_all() function simply does not exist. WP Cerber’s database layer now checks for that capability before taking the fast path. When it is unavailable, result sets are fetched row by row through a compatible retrieval method, preserving row order, result shapes, and the existing error-handling contract. Database queries fall back to a slower but fully compatible method instead of causing a fatal error. If your host is stuck on a legacy PHP build, WP Cerber now works correctly out of the box.

Bugfixes

  • Fixed a fatal error caused by corrupted settings data. A corrupted, non-unserializable configuration value in the database caused a fatal TypeError in array_merge() at plugin load time on PHP 8, taking the whole site down. The failure is registered as a persistent critical issue that is resolved automatically once the administrator re-saves the settings.
  • Fixed a detection regression in the JavaScript inspector. A string-trimming quirk in the hex-escape heuristic stripped the leading backslash of the first \xNN escape together with the opening quote, producing an odd-length string that the decoder then skipped. As a result, JavaScript strings made solely of hex escapes went undecoded, and obfuscated primitives such as eval, script, and XMLHttpRequest could go undetected on the default-enabled Traffic Inspector request-field path (activity status 24). Detection of these payloads now works as designed.
  • Fixed an error on hosts without the mysqlnd driver. Fetching database query results called a function that requires mysqlnd and does not exist on hosts running mysqli against libmysqlclient, causing a fatal error. The fix is covered in detail in the Reliability section above.

Summary

For a WordPress administrator, this release means fewer scenarios where things go badly wrong and clearer information when they do. A corrupted database value no longer takes your site down or silently wipes your security configuration. Legacy hosting environments no longer trigger errors. Encoded attack payloads that used to evade Traffic Inspector are now detected, without new false positives on ordinary traffic.

Wonder what WP Cerber got in the previous version?

Review the release note for WP Cerber Security 9.8.3.

How to update WP Cerber

We recommend enabling automatic updates to ensure you always have the latest security features and performance improvements: how to enable automatic updates in the plugin settings.

How to install WP Cerber

New to WP Cerber? Follow this step-by-step guide to install WP Cerber on your WordPress.

Have any questions?

If you have a question regarding WordPress security or WP Cerber, ask it in the comments below or find answers on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments
There are currently no comments.