Posted By Gregory

WP Cerber Security 9.7.4


A short note from the team behind WP Cerber: this release is a focused round of stability, security, and admin-experience work.

Key Highlights

  • A deterministic fix for fail2ban log timestamps on servers where the operating system timezone and the timezone WordPress runs under disagree.
  • Hardened sanitization of values written into the fail2ban log file.
  • Visual alignment with your chosen WordPress admin color scheme.
  • Safer rendering of WP Cerber’s own admin notices.
  • Foundational work on a new database abstraction layer and a unified result/error type for future releases.

Security and Access Control Changes

fail2ban timestamps now follow the operating system timezone

Previously, entries in the fail2ban log were timestamped with WordPress’s current_time(), which runs under the UTC default timezone that WordPress sets at runtime rather than the operating system timezone. fail2ban reads the log in the OS timezone, so on servers whose OS timezone is not UTC those timestamps did not line up with what fail2ban expects: authentication failures could appear older than they were, fall outside fail2ban’s findtime window, and never count toward a ban. WP Cerber now resolves the system timezone automatically. If you run a server where automatic detection cannot determine the system timezone, you can set it explicitly with a new constant. Read more on this.

Hardened hostname sanitization for fail2ban log entries

Hostnames written to the fail2ban log on failed login attempts now go through dedicated sanitization. CR, LF, and other log-forging characters are stripped, only hostname-safe characters are allowed through, and the value is truncated to the DNS hostname length limit so each log entry stays on a single, well-formed line.
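The two fail2ban changes are easiest to see side by side. The following is an added example written for this note, not WP Cerber’s own code: it builds syslog-style log lines the old way (UTC stamp, raw reverse-DNS hostname) and the new way (OS-zone stamp, sanitized hostname), then runs a fail2ban-style failregex and findtime check over them. The OS timezone (UTC+3), the stamp layout, the line format, the IP addresses and the regex are all assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed OS timezone of the web server. fail2ban reads a zone-less syslog
# stamp as OS local time, so this is the zone the log line must be written in.
OS_TZ = timezone(timedelta(hours=3))
STAMP_FMT = "%b %d %H:%M:%S"   # syslog-style stamp layout (assumed, not WP Cerber's exact format)
HOSTNAME_MAX_LEN = 253         # DNS hostname length limit


def sanitize_hostname(value: str) -> str:
    """Reduce an attacker-controlled hostname to one well-formed token: drop CR,
    LF and other control characters, keep only hostname-safe characters, and cut
    at the DNS length limit. An empty result becomes '-' so the column is never blank."""
    value = re.sub(r"[\x00-\x1f\x7f]", "", value)
    value = re.sub(r"[^A-Za-z0-9.-]", "", value)
    return value[:HOSTNAME_MAX_LEN] or "-"


def build_entry(event: datetime, ip: str, hostname: str, user: str,
                os_tz: bool = True, sanitize: bool = True) -> str:
    """Render one failed-login line. os_tz=False and sanitize=False reproduce the
    pre-9.7.4 behaviour the release note describes (UTC stamp, unsanitized host)."""
    zone = OS_TZ if os_tz else timezone.utc
    stamp = event.astimezone(zone).strftime(STAMP_FMT)
    host = sanitize_hostname(hostname) if sanitize else hostname
    return f"{stamp} {host} wp-cerber: failed login for {user} from {ip}"


# A fail2ban-style failregex: anchored at the line start and, like most real
# filters, not anchored at the end, so trailing text does not spoil a match.
FAILREGEX = re.compile(
    r"^(?P<stamp>[A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ wp-cerber: "
    r"failed login for \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_stamp_like_fail2ban(stamp: str, year: int) -> datetime:
    """The stamp carries no zone, so fail2ban interprets it in the OS zone."""
    naive = datetime.strptime(f"{year} {stamp}", "%Y " + STAMP_FMT)
    return naive.replace(tzinfo=OS_TZ)


def recent_failures(log_text: str, ip: str, now: datetime, findtime: int = 600) -> int:
    """Count matching lines for `ip` whose stamp lies within the last `findtime`
    seconds; this is the number fail2ban compares against maxretry."""
    hits = 0
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m or m["ip"] != ip:
            continue
        age = (now - parse_stamp_like_fail2ban(m["stamp"], now.year)).total_seconds()
        if 0 <= age <= findtime:
            hits += 1
    return hits


# Constructed sample data: three failures from one attacker, examined five minutes later.
EVENT = datetime(2024, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
NOW = EVENT + timedelta(minutes=5)
ATTACKER = "203.0.113.9"      # documentation range
VICTIM = "198.51.100.7"       # documentation range
# A reverse-DNS name carrying a CRLF payload that smuggles a second, fake log line.
FORGED_HOST = ("evil.example\nMar 04 15:00:00 attacker-host wp-cerber: "
               f"failed login for root from {VICTIM}")


def timezone_demo() -> dict:
    """Same three events, stamped in UTC (old) versus in the OS zone (new)."""
    events = [EVENT + timedelta(seconds=20 * i) for i in range(3)]
    old = "\n".join(build_entry(e, ATTACKER, "client.example", "admin", os_tz=False) for e in events)
    new = "\n".join(build_entry(e, ATTACKER, "client.example", "admin") for e in events)
    return {"old_counted": recent_failures(old, ATTACKER, NOW),
            "new_counted": recent_failures(new, ATTACKER, NOW)}


def forging_demo() -> dict:
    """The forged hostname written raw (old) versus sanitized (new)."""
    events = [EVENT + timedelta(seconds=20 * i) for i in range(3)]
    raw = "\n".join(build_entry(e, ATTACKER, FORGED_HOST, "admin", sanitize=False) for e in events)
    safe = "\n".join(build_entry(e, ATTACKER, FORGED_HOST, "admin") for e in events)
    return {"raw_lines": len(raw.splitlines()), "safe_lines": len(safe.splitlines()),
            "raw_attacker": recent_failures(raw, ATTACKER, NOW),
            "raw_victim": recent_failures(raw, VICTIM, NOW),
            "safe_attacker": recent_failures(safe, ATTACKER, NOW),
            "safe_victim": recent_failures(safe, VICTIM, NOW)}
```

Compare timezone_demo() and forging_demo(): with UTC stamps on a UTC+3 server every failure looks three hours old and none lands inside a 600-second findtime; with the unsanitized hostname the reverse-DNS payload splits each entry into two lines, fail2ban attributes the failures to a bystander address, and the attacker’s own count stays at zero. After sanitization each entry is a single line and the attacker’s address accumulates all three hits.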

Safer rendering of WP Cerber’s admin notices

Admin-side messages emitted by WP Cerber are now passed through a sanitization filter that allows only a specific set of HTML elements and attributes in the rendered output. The allowlist covers all HTML that WP Cerber actually uses in admin notices, ensuring legitimate notices continue to render correctly under the stricter policy.

Admin Experience and UI

Honest, localized feedback when installing or validating a license key

The Tools / License page used to be unhelpfully quiet in several situations: submitting an empty license field produced no feedback at all, submitting a key of incorrect length silently did nothing, and a transient connectivity error during validation could produce two contradictory admin notices at the same time. Each of those cases now produces a single, localized notice that says what happened and what to do next.

Better visual consistency with your WordPress admin color scheme

WP Cerber’s admin interface previously used hardcoded accent colors that did not always match the admin color scheme you had chosen in your WordPress profile. Those values have been replaced with the colors WordPress itself exposes for the active admin color scheme, so WP Cerber’s pages follow whatever scheme you select.

Reliability Improvements

We engineered a new database abstraction layer

WP Cerber now ships with a CRB_Database class that centralizes database connections, query execution, transactions, and safe value quoting, together with a CRB_Query_Builder class that builds and executes safe database queries with built-in validation and safety mechanisms. This gives WP Cerber a safer, more consistent foundation for the database operations that power activity logging, traffic inspection, and access lists.
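What “built-in validation and safety mechanisms” has to mean in a query builder is worth making concrete. The block below is an added example, not CRB_Database or CRB_Query_Builder code: it enforces the two rules such a layer cannot delegate to the driver, because a database driver can bind values but never identifiers. Table and column names are validated against a strict pattern before being quoted, operators come from a fixed set, and every value travels as a bound parameter. The table name, columns, rows and function names are constructed for the example, and SQLite stands in for MySQL.

```python
import re
import sqlite3
from typing import Any, List, Optional, Sequence, Tuple

# Identifiers are never interpolated from user input unchecked: one strict
# pattern, then quoting. Operators come from a closed set.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
OPERATORS = {"=", "!=", "<", "<=", ">", ">=", "LIKE"}


class UnsafeQuery(ValueError):
    """Raised when an identifier, operator or limit fails validation."""


def quote_identifier(name: str) -> str:
    """Table and column names cannot be bound as parameters, so they are
    validated against a strict pattern and then quoted."""
    if not isinstance(name, str) or not IDENTIFIER.match(name):
        raise UnsafeQuery(f"rejected identifier {name!r}")
    return f'"{name}"'


def build_select(table: str, columns: Sequence[str],
                 where: Sequence[Tuple[str, str, Any]] = (),
                 order_by: Optional[str] = None, descending: bool = False,
                 limit: Optional[int] = None) -> Tuple[str, List[Any]]:
    """Assemble SELECT ... FROM ... WHERE ... with every value as a bound parameter.
    Returns the SQL text and the parameter list the driver binds."""
    sql = f"SELECT {', '.join(quote_identifier(c) for c in columns)} FROM {quote_identifier(table)}"
    params: List[Any] = []
    clauses = []
    for column, op, value in where:
        op = op.upper()
        if op not in OPERATORS:
            raise UnsafeQuery(f"rejected operator {op!r}")
        clauses.append(f"{quote_identifier(column)} {op} ?")
        params.append(value)
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    if order_by is not None:
        sql += f" ORDER BY {quote_identifier(order_by)} {'DESC' if descending else 'ASC'}"
    if limit is not None:
        if isinstance(limit, bool) or not isinstance(limit, int) or limit < 0:
            raise UnsafeQuery(f"rejected limit {limit!r}")
        sql += " LIMIT ?"
        params.append(limit)
    return sql, params


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for an activity-log table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crb_log_example (ip TEXT, user_login TEXT, stamp INTEGER)")
    conn.executemany("INSERT INTO crb_log_example VALUES (?, ?, ?)", [
        ("203.0.113.9", "admin", 1709553600),
        ("203.0.113.9", "root", 1709553620),
        ("198.51.100.7", "alice", 1709553700),
    ])
    return conn


def failed_logins_for(conn: sqlite3.Connection, ip: str, since: int) -> List[Tuple[str, int]]:
    """Typical consumer: look up an address's recent entries, newest first.
    The ip value is bound, so a quote inside it is data, not SQL."""
    sql, params = build_select("crb_log_example", ["user_login", "stamp"],
                               where=[("ip", "=", ip), ("stamp", ">=", since)],
                               order_by="stamp", descending=True, limit=10)
    return conn.execute(sql, params).fetchall()


def rejects(build) -> bool:
    """True if building the query raised UnsafeQuery (used by the checks below)."""
    try:
        build()
    except UnsafeQuery:
        return True
    return False
```

The split of responsibility is the point: values such as the IP string, including one that carries a quote and an OR clause, are bound and therefore inert, while a table name with a trailing statement, an operator with a comment marker, or an ORDER BY expression with an embedded direction never reaches the SQL text at all; the builder raises before anything is executed.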

A unified result and error type

A new Revalt class is being introduced as WP Cerber’s internal standard for handling operation results and errors, gradually replacing the legacy WP_Error-based approach. It encapsulates the result of an operation, its errors, optional diagnostic chains for errors that pass through several layers of code, and flexible error logging.

More reliable Traffic Inspector logging

The Traffic Inspector’s request-field processing has been refactored for clarity and stricter handling. JSON request payloads are now validated when decoded, and any decoding errors are captured. Sensitive-field masking has been reworked with better validation and customization to prevent information leaks. Recursive processing for database field preparation uses stricter type handling and normalization, and request fields are consistently escaped before insertion into the database.
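As an illustration of the decode, validate, mask and normalize pipeline described above, here is an added example that is not WP Cerber’s code. It keeps the decoder’s error instead of silently storing nothing, masks sensitive keys by name wherever they appear in the tree, keeps JSON scalars typed, and bounds string length, list length and nesting depth so a hostile payload cannot bloat or crash the stored record. The key list, the limits and the function names are assumptions; what goes to the database is the resulting JSON string, which the caller binds as a query parameter rather than quoting by hand.

```python
import json
from typing import Any, Optional, Tuple

# Hypothetical settings for the example; WP Cerber's own key list and limits are not on the page.
SENSITIVE_KEYS = {"password", "pass", "pwd", "passwd", "secret", "token",
                  "authorization", "api_key", "card_number", "cvv"}
SENSITIVE_FRAGMENTS = ("password", "secret", "token")   # substring match, deliberately conservative
MASK = "***"
MAX_DEPTH = 8        # nesting deeper than this is cut off rather than recursed into
MAX_STRING = 1024    # longest string kept per field
MAX_ITEMS = 100      # longest list kept per field


def decode_request_body(raw: str) -> Tuple[Any, Optional[str]]:
    """Decode a JSON body. On failure the (truncated) raw text is kept under a
    reserved key and the decoder's message is returned instead of being dropped."""
    try:
        return json.loads(raw), None
    except json.JSONDecodeError as exc:
        return {"_undecoded": raw[:MAX_STRING]}, f"json_decode failed: {exc.msg} at offset {exc.pos}"


def is_sensitive(key: str, extra: frozenset = frozenset()) -> bool:
    """Name-based check: exact list, site-specific extras, or a telltale fragment."""
    k = key.lower()
    return k in SENSITIVE_KEYS or k in extra or any(f in k for f in SENSITIVE_FRAGMENTS)


def prepare_fields(value: Any, extra: frozenset = frozenset(), depth: int = 0) -> Any:
    """Recursively normalise a decoded payload for storage: mask sensitive keys
    (whatever the shape of their value), keep JSON scalars typed, coerce
    everything else to bounded strings, and cap depth and list length."""
    if depth > MAX_DEPTH:
        return "[truncated: depth]"
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            key = str(key)[:128]
            out[key] = MASK if is_sensitive(key, extra) else prepare_fields(item, extra, depth + 1)
        return out
    if isinstance(value, (list, tuple)):
        return [prepare_fields(item, extra, depth + 1) for item in value[:MAX_ITEMS]]
    if value is None or isinstance(value, (bool, int, float)):
        return value
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    return str(value)[:MAX_STRING]


def inspect_request(raw_body: str, extra_sensitive=()) -> dict:
    """Produce the record a traffic log would store: the prepared field tree,
    its JSON serialisation (the value to bind as a query parameter), and any
    decode error so a malformed body is visible rather than silently empty."""
    decoded, error = decode_request_body(raw_body)
    prepared = prepare_fields(decoded, frozenset(k.lower() for k in extra_sensitive))
    return {"fields": prepared,
            "fields_json": json.dumps(prepared, ensure_ascii=False, sort_keys=True),
            "decode_error": error}
```

Masking by key name at every level, rather than only at the top level of the form, is what catches a card number nested inside a “card” object or a token posted as a list; the depth cap is what keeps a deliberately deep JSON body from turning the recursive walk into a stack exhaustion.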

Bugfixes

License state is no longer overwritten by an unverified key. When a user entered an invalid or unverifiable new license key on the license page, the existing stored license status could be cleared. In 9.7.4, a candidate license key is stored only after successful validation.

Breaking Changes

Renamed fail2ban setting

The setting previously labeled “Write failed login attempts to the system log file” has been renamed to “Log failed logins in a syslog-style format for automated IP banning tools”. The setting still controls logging of failed login attempts to the dedicated file consumed by tools such as fail2ban; only the label has changed, so if you maintain internal documentation or screenshots for your team, this is the moment to update them.

Wonder what WP Cerber got in the previous version?

Review the release note for WP Cerber Security 9.7.3.

How to update WP Cerber

We recommend enabling automatic updates to ensure you always have the latest security features and performance improvements: how to enable automatic updates in the plugin settings.

How to install WP Cerber

New to WP Cerber? Follow this step-by-step guide to install WP Cerber on your WordPress.

Have any questions?

If you have a question regarding WordPress security or WP Cerber, ask it in the comments below or find answers on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
