Traffic Inspector in a nutshell
Traffic Inspector is a specialized request inspection algorithm that acts as an additional protection layer for your WordPress
Traffic Inspector screens all suspicious requests and blocks them before they can harm a website. This security algorithm is enabled by default and in the vast majority of cases requires no configuration. It will be improved based on the knowledge we get during collecting and analyzing hacker attack patterns in our Cerber Lab.
If Traffic Inspector is enabled, the plugin inspects suspicious requests only. Those are included requests with GET parameters, form submissions, requests to PHP scripts. The plugin doesn’t inspect ordinary requests like a normal visitor browser does or search engine crawlers do. That’s why traffic inspection does not slow down website performance or affects your website’s SEO ranking and indexation in a way.
The plugin doesn’t inspect admin dashboard requests as well as WordPress cron and WP CLI requests.
If the plugin detects a malicious or a possible harmful request, the IP will be blocked, the execution of the request will be aborted and the 403 Access Forbidden response will be returned. The event will be logged to the Activity log and if logging is not disabled, to the traffic log.
How to exclude a request from inspection?
Sometimes, especially when you have a customized WordPress environment, you might need to permit access to a particular PHP script without inspection by the plugin.You have to use an exception if the plugin identifies a legitimate request as Probing for vulnerable PHP code only.
Use the Request whitelist setting which is located on the Traffic Inspector Settings admin page. To exclude a particular request from inspection specify a request string without the website domain and query string (GET parameters). In other words, you need to take a part of the URL that starts right after the domain name and ends on a question mark if it’s present.
Take a look at this example. You need to exclude from inspection all requests with legitimate URL like this:
https://wpcerber.com/some-path/some-script.php?do=action. In the Request whitelist setting you need to specify the following string:
Alternatively, you can exclude all requests from a specific IP by adding it to the White Access list.
Live traffic view and logging
Traffic Inspector not only inspects suspicious HTTP requests but also can optionally log them, so you can inspect them manually. It uses a carefully crafted high performance logging engine.
Is it possible that the logging slows down website performance? In rare circumstances it’s possible on a free hosting with slow database if the logging All traffic is enabled, Ignore search engine crawlers is disabled and Saving requests fields is enabled.
The most optimal and recommended logging mode is Smart.
What traffic is logged when Smart logging mode is enabled?
- All logged in (authorized) users requests
- If a particular event has been recognized by the plugin and logged to the Activity log.
- A request with non-default, WordPress GET parameters
- Form submissions (POST requests)
- XML-RPC and REST API requests
- Any request that produces an error HTTP code (400 and higher)
- Search requests
- Direct request to a PHP script that doesn’t exist or loads WP environment programmatically.
The following activity will never be logged in a normal WordPress environment.
- Login failed
- Attempt to log in with non-existent username
- Standard admin dashboard requests including scheduled tasks (/wp-cron.php) and AJAX requests (/wp-admin/admin-ajax.php)
How to disable traffic logging
To completely turn off the logging set Logging mode to Logging disabled.
How to disable Traffic Inspector
To completely turn off the inspection go to the Traffic Inspector Settings page and disable Enable traffic inspection. Note: it’s not recommended, you just turn off an essential protection layer for your WordPress. If you come across some issue with some php script, use the Request whitelist setting as described above.
How to exclude passwords or any other sensitive information from logging
The Cerber Security plugin always masks the password field on the default WordPress login form and the following form fields: ‘pwd’, ‘pass’, ‘password’. If you’ve enabled saving form fields to the log (Save request fields is enabled) and you use a plugin that generates the login page like some membership plugins do, you have to add the name of the password field(s) to the Mask these form fields field on the Traffic Inspector settings page. Before saving to the WordPress DB these fields are filled with asterisks and sensitive data are not saved. That prevents user passwords compromising in case of any data leaking.
How to delete all Traffic Inspector log records
To completely delete all Traffic Inspector log records you need to manually clean up just one table in the WordPress DB. That’s easy. Go to the Tools / Diagnostic admin page. In the Database info section find the following title: Table: cerber_traffic, rows: xxxx. Click the Delete all rows button next to it. Note: this operation cannot be rolled back.
Check out other WordPress security How to-s
Last posts from WordPress security blog
- How to clean up activity and live traffic logs February 16, 2018
- How to protect WordPress against CVE-2018-6389 DoS attacks February 11, 2018
- WP Cerber Security 6.2 February 7, 2018
- Traffic Inspector and logging how to February 5, 2018
- Development version 6.1.3 February 1, 2018