Posted By Gregory

Changing the location of the WP Cerber directory


WP Cerber uses its own directory to store quarantined files, diagnostic logs, and temporary files created and deleted by the integrity and malware scanner. By default, this directory is created as a hidden subdirectory within the WordPress uploads directory and is protected by an .htaccess file.

Since WP Cerber 9.5.3 you can change its location to a more secure place by using a PHP constant. To do this, you need to define the PHP constant CERBER_FOLDER_PATH in the wp-config.php file. Avoid using the functions.php file in the active theme folder for defining the constant.

Note: WP Cerber creates its directory as a subdirectory within the given path.

You have three methods to define a new location: an absolute path, a path relative to the WordPress home directory, or a traversal path above the WordPress home directory. Let’s see those methods separately.

Using an absolute path

This method is generally secure if the new location is not accessible from the internet, but it may require updating the defined path after the website has been moved. The path begins with a directory separator, which is typically ‘/’ on most WordPress hosting platforms. Here is an example:

define( 'CERBER_FOLDER_PATH', '/var/www/my-secure-path/' );

Using a traversal path relative to the WordPress home directory

It’s a recommended compromise between security and compatibility if you are going to move the website. The path starts with two dots. Here is an example:

define( 'CERBER_FOLDER_PATH', '../my-secure-path/' );

Using a path relative to the WordPress home directory

Although this is a less secure method, it keeps working at any new location if you move the website, because the directory resides within the WordPress directory. The path does not begin with a directory separator or two dots. Here is an example:

define( 'CERBER_FOLDER_PATH', 'my-secure-path/' );

Once you’ve defined the path, it will be shown on the Diagnostic tab in the WP Cerber Constants section.

The values of WP Cerber constants

How to move an existing WP Cerber directory

When you define the constant, an existing WP Cerber directory and its contents are not moved automatically. If you need to move the directory and keep its contents intact, follow these steps in the given order:

  1. Locate the existing WP Cerber directory. By default, it resides in the WordPress uploads folder. The name of the WP Cerber folder is displayed on the Diagnostic tab. The folder name always begins with “wp-cerber-” followed by a random string, e.g., wp-cerber-6P8QNB3U7TAWH1ZGS.
  2. Copy the entire WP Cerber directory to the new location by using a file manager in your hosting control panel or an SFTP client.
  3. Define the constant with the path to the new location.
  4. Delete the WP Cerber directory in the old location.

Final notes

It is essential to ensure that there is no direct access to the WP Cerber folder within the new path from the internet; otherwise, defining a new path makes no sense.
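One way to sanity-check a chosen value before relying on it is the shell sketch below. It is an added example, not WP Cerber code. It resolves a CERBER_FOLDER_PATH value against the WordPress home directory and reports whether the result still falls inside the web server's document root. The function names and sample paths are constructed for illustration, and it assumes non-absolute values resolve against the WordPress home directory as described above.

```sh
#!/bin/sh
# Added example (not WP Cerber code). Paths below are constructed samples.
# Assumption: non-absolute values resolve against the WordPress home directory,
# as the article describes. Resolution is lexical, so symlinks are not followed.

# resolve_cerber_path WP_HOME VALUE -> normalized absolute path
resolve_cerber_path() (
    case $2 in
        /*) path=$2 ;;              # absolute path
        *)  path=${1%/}/$2 ;;       # relative or traversal path
    esac
    set -f; IFS=/
    set -- $path                    # split on '/'
    out=
    for part in "$@"; do
        case $part in
            ''|.) ;;                        # skip empty and '.' components
            ..)   out=${out%/*} ;;          # step up one level
            *)    out=$out/$part ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# is_inside ROOT DIR -> exit 0 when DIR is ROOT or lies below it
is_inside() {
    case ${2%/}/ in "${1%/}"/*) return 0 ;; esac
    return 1
}

# audit_cerber_path WP_HOME DOCROOT VALUE -> "<kind> <resolved> <verdict>"
audit_cerber_path() {
    case $3 in
        /*)      kind=absolute ;;
        ..|../*) kind=traversal ;;
        *)       kind=relative ;;
    esac
    resolved=$(resolve_cerber_path "$1" "$3")
    if is_inside "$2" "$resolved"; then verdict=INSIDE-WEBROOT
    else verdict=outside-webroot; fi
    printf '%s %s %s\n' "$kind" "$resolved" "$verdict"
}

# WordPress in the document root: the traversal path leaves the web root.
audit_cerber_path /var/www/html /var/www/html '../my-secure-path/'
# WordPress in a subdirectory: the same value stays inside the web root.
audit_cerber_path /var/www/html/blog /var/www/html '../my-secure-path/'
audit_cerber_path /var/www/html /var/www/html 'my-secure-path/'
```

An INSIDE-WEBROOT verdict means the folder's protection depends on web server rules rather than on its location. Because WP Cerber creates its own wp-cerber- subdirectory inside the given path, the verdict applies to that subdirectory too.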

Make sure the defined path is not within a regularly cleaned temporary folder; otherwise you can lose your quarantined files and diagnostic logs.

Do not use the functions.php file in the active theme folder for defining the constant.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
