Security Blog

Traffic Inspector in a nutshell

Traffic Inspector is a specialized web application firewall (WAF) that protects WordPress by inspecting incoming HTTP requests.

Traffic Inspector constantly screens all suspicious requests and blocks them before they can harm a website. This security algorithm is enabled by default and in the vast majority of cases requires no configuration. It is improved based on the knowledge we gain from analyzing break-in attempts and hacker attacks in our Cerber Lab.

If Traffic Inspector is enabled, the firewall inspects and filters out only potentially harmful requests. These include form submissions, requests with GET and POST parameters, and requests to PHP scripts. The firewall doesn’t inspect ordinary requests such as those made by a normal visitor’s browser or by search engine crawlers. That’s why traffic inspection does not slow down website performance or affect your website’s SEO ranking and indexation in any way.

If the firewall detects a malicious or possibly harmful request, the IP will be blocked, the processing of the request will be aborted and the 403 Access Forbidden response will be generated. The event will be logged to the Activity log and, if traffic logging is not disabled, the request details will be logged to the traffic log.

How to exclude a request from inspection?

Sometimes, especially when you have a customized WordPress environment, you might need to permit access to a particular PHP script without inspection by the firewall. In this case, if the plugin recognizes and marks a legitimate request as “Probing for vulnerable PHP code”, you have to specify an exception.

Read more: I’m getting “Probing for vulnerable PHP code”.

Alternatively, you can permit all requests from a particular IP address:

  1. Add an IP address you trust to the White IP Access List
  2. Go to the Traffic Inspector Settings page and enable Use White IP Access List

Live traffic view and logging

Traffic Inspector not only inspects suspicious HTTP requests but can also optionally log them, so you can inspect them manually. It uses a carefully crafted high-performance logging engine.

Is it possible that logging slows down website performance? In rare circumstances it is possible, on free hosting with a slow database, if logging All traffic is enabled, Ignore search engine crawlers is disabled and Saving requests fields is enabled.

The optimal and recommended logging mode is Smart.

What traffic is logged when Smart logging mode is enabled?

  1. All requests from logged-in (authorized) users
  2. Requests for which a particular activity has been detected and logged to the Activity log
  3. Requests with non-default, WordPress GET parameters
  4. Form submissions (POST requests)
  5. XML-RPC and REST API requests
  6. Any request that generates an error HTTP code (400 and higher)
  7. Search requests
  8. Requests to a PHP script that doesn’t exist or that loads the WP environment programmatically

Note: the plugin doesn’t log standard admin dashboard requests including scheduled tasks (/wp-cron.php) and AJAX requests (/wp-admin/admin-ajax.php).

How to…

How to disable traffic logging

To completely turn off logging, set Logging mode to Logging disabled.

How to disable Traffic Inspector

To completely turn off the inspection, go to the Traffic Inspector Settings page and disable Enable traffic inspection. Note: this is not recommended, because it turns off an essential protection layer for your WordPress. If you come across an issue with a PHP script, use the Request whitelist setting as described above.

How to exclude passwords or any other sensitive information from logging

The Cerber Security plugin always masks the password field on the default WordPress login form and the following form fields: ‘pwd’, ‘pass’, ‘password’. If you’ve enabled saving form fields to the log (Save request fields is enabled) and you use a plugin that generates its own login page, as some membership plugins do, you have to add the name of the password field(s) to the Mask these form fields field on the Traffic Inspector settings page. Before being saved to the WordPress DB, these fields are filled with asterisks, so the sensitive data is not saved. This prevents user passwords from being compromised in the event of a data leak.
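
The masking step described above, as an added example that is not the plugin's own code: submitted fields are copied and the sensitive ones overwritten before anything reaches the log. The function name mask_request_fields, the custom field member_secret, the sample data and the fixed-length mask are assumptions made for illustration.

```php
<?php
// Added illustration, not WP Cerber's code. Only the names 'pwd', 'pass'
// and 'password' come from the page; everything else is hypothetical.

const DEFAULT_MASKED = ['pwd', 'pass', 'password'];

/**
 * Return a copy of $fields that is safe to log: every value whose key is on
 * the mask list is replaced with asterisks, at any nesting depth.
 */
function mask_request_fields(array $fields, array $extra = []): array
{
    // Compare names case-insensitively so 'Password' is masked too.
    $names = array_map('strtolower', array_merge(DEFAULT_MASKED, $extra));
    $safe = [];
    foreach ($fields as $key => $value) {
        if (in_array(strtolower((string) $key), $names, true)) {
            // Fixed-length mask (assumption): the log does not reveal
            // how long the original password was.
            $safe[$key] = '********';
        } elseif (is_array($value)) {
            // PHP parses profile[Password]=... into nested arrays,
            // so the check has to recurse into them.
            $safe[$key] = mask_request_fields($value, $extra);
        } else {
            $safe[$key] = $value;
        }
    }
    return $safe;
}

// Constructed sample: a membership-plugin login form with a custom field name.
$post = [
    'log'           => 'alice',
    'pwd'           => 'correct horse',
    'member_secret' => 'hunter2',
    'profile'       => ['Password' => 's3cret', 'city' => 'Oslo'],
];

// Only the masked copy is handed to the logger; $post itself is untouched.
echo json_encode(mask_request_fields($post, ['member_secret']), JSON_PRETTY_PRINT), PHP_EOL;
```

Without 'member_secret' in the extra list, that field would be written to the log in clear text, which is why custom password field names have to be added to the mask setting.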

How to delete all Traffic Inspector log records

To completely delete all Traffic Inspector log records you need to manually clean up just one table in the WordPress DB. That’s easy. Go to the Tools / Diagnostic admin page. In the Database info section find the following title: Table: cerber_traffic, rows: xxxx. Click the Delete all rows button next to it. Note: this operation cannot be rolled back.


I'm a team lead at Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, those were amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.
