= 9.5.7 =
New: When [two-factor authentication](https://wpcerber.com/two-factor-authentication-for-wordpress/) is enabled, users can now optionally click a checkbox on the 2FA form to remember their devices for a predefined period of days. Available in the professional version of WP Cerber.
Improved: Enhanced details about generated 2FA PIN codes on the user profile page.
Improved: The tabs labeled "Role-based" and "Global" are now renamed to "Role Policies" and "Global Policies" respectively.
Fixed: The 2FA email address set on the user profile page is ignored when sending 2FA codes.
Fixed: A fatal error occurs when using [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/) and switching to a managed website where automatic updates for WP Cerber were enabled.
= 9.5.6 =
New: WP Cerber now sends 2FA verification codes via SMTP. If an SMTP server is set up in the WP Cerber settings, it will be used to send these codes.
New: Implemented a backup method for sending emails via an SMTP server. If an attempt to send an email through the SMTP server fails, WP Cerber will resort to using the default WordPress mailer.
New: Email error reporting has been introduced. If an error occurs while WP Cerber is sending an email, the error details are captured and shown as a warning on the WP Cerber dashboard.
Improved: If your website crashes and displays the WordPress message "There has been a critical error on this website", WP Cerber captures and logs fatal PHP errors.
Improved: WP Cerber now identifies and shows the name, version and author of a plugin or a theme that produced PHP errors.
Improved: All users with prohibited usernames (logins) are marked with the red label "PROHIBITED" on the Users admin page.
Improved: The limits on the maximum length of SMTP setting fields have been increased from 28 characters to 64.
Fixed: If HTTP redirection is set to handle attempts to access protected areas, and WP Cerber blocks an intruder's IP address, no email alerts are sent even if lockout alerting is enabled.
= 9.5.5 =
New: WP Cerber now supports establishing outgoing network connections via a proxy server that is configured for WordPress.
Improved: File operations and error handling in the WP Cerber scanner have been enhanced. Any unsuccessful file recoveries are displayed in the scan results.
Improved: If a file recovery requires creating missing folders, the scanner creates them.
Improved: To prevent altering source files, the scanner recovery folders are emptied before starting a scan.
Improved: When email notifications for new versions of installed plugins are enabled, you will receive an alert as soon as either WP Cerber or WordPress detects an update.
Improved: You can enable automatic updates for WP Cerber in the main plugin settings now.
Fixed: If a file is missing, the scanner does not recover it.
= 9.5.4 =
Improved: The breaking changes introduced in WooCommerce 7.5.1 interfered with the WP Cerber anti-spam engine when enabled, causing issues with AJAX-based functionality in WooCommerce.
Fixed: Multiple admin notices appear when a new version of WP Cerber is available but not installed.
Fixed: A PHP error message can appear while viewing log entries filtered by an IP address.
= 9.5.3 =
New: You can define a more secure location of the protected WP Cerber directory [by using a PHP constant](https://wpcerber.com/changing-location-wp-cerber-directory/).
Improved: JSON payload of REST API and other requests is decoded and saved to the "Live Traffic" log.
Improved: The "Form submissions" filter, located on the Live Traffic tab, filters out conventional form submissions and no longer includes REST API requests.
Improved: The activity export file now includes a new column, "By User," which contains the user ID of the user who initiated the row event.
Improved: The names of export files are now unified and include the website URL, making it easier to identify which website the file was downloaded from.
Improved: Prevent Jetpack’s Asset CDN from destroying the layout and style of WP Cerber admin pages.
= 9.5 =
New: Get an email notification whenever a new version of a plugin is available.
New: An additional option for [granting access to users’ data via REST API](https://wpcerber.com/restrict-access-to-wordpress-rest-api/) for selected user roles.
New: An additional option for [sending activity alerts](https://wpcerber.com/wordpress-notifications-made-easy/). Email alerts can be sent to an email address you have on your WordPress account.
Improved: WP Cerber now permanently stores users’ last login data (IP address, time, user’s country) for all users. [The data can be erased by website admin](https://wpcerber.com/delete-personal-data/).
Improved: To prevent having insecure plugin configuration, WP Cerber validates required HTTP headers before enabling [the behind a proxy mode](https://wpcerber.com/wordpress-ip-address-detection/) in the WP Cerber settings.
Fixed: A specially formatted request can bypass the disabled redirection from /wp-admin/ locations to the [custom login page](https://wpcerber.com/how-to-rename-wp-login-php/).
Fixed: The [integrity scanner](https://wpcerber.com/wordpress-security-scanner/) labels a file as "File is missing" if the folder containing the file is on the "Directories to exclude" list.
Fixed: After clicking "Apply" on the "Screen Options" on the [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/) admin page, a blank page is displayed.
= 9.4 =
New: In addition to weekly reporting, WP Cerber can be configured to generate and send monthly activity reports once a month.
New: Weekly activity reports now can be generated either for the last 7 days or the previous calendar week.
New: Redirecting requests to a specified URL instead of generating a 404 page when attempting to access prohibited locations on a website.
New: The "Remember Me" checkbox on the WordPress login form can be disabled.
Improved: No access to author archives via any possible URLs if "Block access to user pages via their usernames" is enabled.
Improved: The default period of weekly reports is the previous calendar week.
Fixed: If WordPress is installed in a subfolder and the custom login page is configured, submitting the password reset form doesn’t redirect users to the page with a success message, showing "Not Found" instead.
Fixed: If the custom login page is configured, disabling the login language switcher has no effect on the login form and the language switcher is still displayed.
Fixed: On some multi-site WordPress installations, WP Cerber can produce warning messages about using the undefined UPLOADBLOGSDIR constant.
Fixed: If the access lists contain IPv6 addresses and the Activity log contains entries with IPv6 addresses, viewing those entries causes PHP warnings "undefined property: stdClass::$comments".
Fixed: If Pushbullet mobile notifications are enabled and the list of available devices contains inactive (removed) devices, WP Cerber produces PHP notices "Undefined index: nickname" while parsing the list.
= 9.3.3 =
* Fixed: A bug that prevents loading default values of some WP Cerber settings upon the plugin activation. On some websites the bug can cause plugin configuration inconsistency and suboptimal security.
= 9.3.2 =
* Improved: Every locked-out IP address on the "Lockout" tab has a link to check its suspicious activity in the Activity log.
* Improved: The activity log provides more details on [two-factor authentication (2FA)](https://wpcerber.com/two-factor-authentication-for-wordpress/) events with several new statuses that are logged if an attempt to log in using 2FA was aborted.
* Improved: The activity log provides more details when a user was forcefully logged out (user session has been terminated) due to a restriction.
* Fixed minor vulnerability: If WordPress is installed in a subfolder and [access to WordPress REST API has been blocked on the "Hardening" tab](https://wpcerber.com/restrict-access-to-wordpress-rest-api/), a bad actor can get access to REST API by using a specially formatted request.
* Fixed minor bug: Multiple duplicate notifications are sent via email and [Pushbullet](https://wpcerber.com/wordpress-mobile-and-browser-notifications-pushbullet/) if an IP address is permanently getting blocked due to multiple consecutive malicious requests and the notification limit is set to 0.
= 9.3 =
* Fixed: Unable to remove a blocked IP network class C (with an asterisk) from the list of locked out IP addresses by clicking the "Remove" link on the Lockouts tab.
* Fixed: "Fatal error: Uncaught Error: Cannot use object of type WP_Error as array in … /cerber-common.php on line 4634". The bug occurs if the PHP constant WP_ACCESSIBLE_HOSTS is defined and it does not contain 'downloads.wpcerber.com'.
= 9.2 =
* New: Custom login error message. If showing the default WordPress login error message is disabled, you can optionally specify your own login error message. Available in the professional version.
* New: Custom password reset error message. If showing the default WordPress password reset error message is disabled, you can optionally specify your own password reset error message. Available in the professional version.
* Improved: Implemented Content-Security-Policy HTTP header as an extra layer of protection for the WP Cerber admin pages.
* Fixed: A critical vulnerability.
* Fixed: Fatal error "Call to a member function is_block_editor() on null" that occurs when attempting to load any admin page (starting with /wp-admin/) by an unauthorized request. The bug only occurs if the two following settings are configured as: "Disable dashboard redirection" is enabled and "Display 404 page" is set to "Use 404 template from the active theme".
* Fixed: No country flags are shown in some log rows while viewing WP Cerber logs on the managed website via [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/).
* Fixed: The file viewer doesn't show the content of a file while viewing the results of a scan on the managed website via [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/).
= 9.1 =
* New: A new feature that prevents exposing user’s first name, last name, and ID via an HTTP request with a username (login) in an author_name parameter.
* New: A new user status report while viewing the user activity/requests log.
* Improved: When rendering admin pages, WP Cerber uses the language selected on the user profile.
* Improved: Improved the speed of rendering of the "Users" admin page. Reduced the number of HTTP requests if some columns on the page are hidden.
* Improved: Implemented support for rate limiting when the scanner retrieves checksum data from remote servers.
* Fixed: A bug that allows an attacker to bypass the "Stop user enumeration" feature if it’s enabled.
* Fixed: A bug that produces incorrect messages in the server error log when the WordPress database connection is lost.
* Fixed: A bug with not escaping comments in the IP access lists entries.
= 9.0 =
* New: Different [alerts](https://wpcerber.com/wordpress-notifications-made-easy/) can be sent through different channels. You can select delivering notifications through Pushbullet and email simultaneously, Pushbullet only, or email only. The settings are configured on a per-alert basis in the alert creation form.
* New: Implemented a new "Message format" feature and setting. You can reduce the number of links in WP Cerber’s messages or disable them completely to prevent sending sensitive data.
* New: Implemented separate rate limiting settings for email and [Pushbullet notifications](https://wpcerber.com/wordpress-mobile-and-browser-notifications-pushbullet/).
* New: Lockout notifications and appropriate threshold can be enabled for Pushbullet and emails separately.
* New: Email reports and alerts can be sent via a separate SMTP server configured in the WP Cerber settings.
* New: Implemented masking IP addresses and usernames (logins) in emails and mobile alerts.
* New: Disabling login language switcher. If enabled, removes language switcher on the standard WordPress login page introduced in WordPress 5.9.
* Improved: If WP Cerber is unable to load its saved settings from the website database, it uses hard-coded default values.
* Improved: If you have configured the [list of prohibited usernames](https://wpcerber.com/using-list-of-prohibited-logins-to-catch-stupid-bots/) (logins) and the username of an existing user is among prohibited ones, the user is now shown as BLOCKED on the "Users" admin page, user edit page, Activity tab, and Live Traffic tab.
* Improved: When multiple email addresses are specified for notifications, each email will be sent separately. Multiple recipients in a single email are not used anymore.
* Improved: The subjects of alerts now contain corresponding event labels.
* Improved: The subjects of WP Cerber’s emails have been unified. Each begins with the website name in square brackets plus the "WP Cerber" string.
* Improved: All test alerts and messages manually sent from the WP Cerber admin dashboard now contain *** TEST MESSAGE *** in the subject.
* Improved: Displaying detailed information about PHP generated by phpinfo(). A new link is on the Diagnostic tab in the System Info section.
* Fixed: An issue with multiple "IP blocked" in the log if the reason for a lockout is changing.
* Fixed: An issue with "Site title" containing apostrophes.
= 8.9.6 =
* New: A new [alert creation dialog with a set of new alert settings](https://wpcerber.com/wordpress-notifications-made-easy/) enables you to create alerts with new limits: an expiration time, the maximum number of alerts allowed to send, and optional rate-limiting. The alert conditions can include the URL of a request now.
* New: Deleting of [WordPress application passwords](https://wpcerber.com/wordpress-application-passwords-how-to/) is logged now.
* New: Ability to monitor [anti-spam](https://wpcerber.com/antispam-for-wordpress-contact-forms/), reCAPTCHA, and several other setting-specific events using links on the settings pages.
* Improved: Meaningful and actionable messages on the log screens if no activity has been found in the logs using a given search filter.
* Improved: If a WP Cerber feature requires a newer version of WordPress, such a feature will not be shown in the plugin admin interface anymore.
* Fixed: A fatal PHP error occurs while logging in on a version of WordPress older than 5.5 and a user has more than one active session.
* Fixed: A fatal PHP error occurs while using the reset password form on a version of WordPress older than 5.4.
* Fixed: While opening the Tools admin page, a PHP error might occur on some web servers.
* Fixed: While rendering the Activity tab, depending on the activities logged, the PHP warning can be logged in the server error log.
* Fixed: When managing WP Cerber on a remote website via [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/), the admin page footer incorrectly displays the version of WP Cerber installed on the main website.
* Fixed: If the Site Title of a website contains some special characters like apostrophes, the subject of [email alerts and notifications](https://wpcerber.com/wordpress-notifications-made-easy/) contains such characters in encoded form.
= 8.9.5 =
* New: A new setting for [WP Cerber's anti-spam engine](https://wpcerber.com/antispam-for-wordpress-contact-forms/): "Disable bot detection engine for IP addresses in the White IP Access List".
* New: A new setting for [the reCAPTCHA module](https://wpcerber.com/how-to-setup-recaptcha/): "Disable reCAPTCHA for IP addresses in the White IP Access List".
* Improved: Logging all user session terminations including those that occurred when an admin manually terminates user sessions or [blocks users](https://wpcerber.com/how-to-block-wordpress-user/).
* Improved: If a user session has been terminated by a website admin, the admin’s name is logged and shown in the Activity log.
* Improved: Logging all user password changes including those made on the edit user admin page, and the WooCommerce edit account page.
* Improved: Logging [application passwords](https://wpcerber.com/wordpress-application-passwords-how-to/) changes.
* Improved: New status labels in the Activity log: "reCAPTCHA verified" is shown when a user solves reCAPTCHA successfully.
* Improved: New status labels in the Activity log: "Logged out everywhere" is shown when a user has completely logged out on all devices and from all locations.
* Improved: Failed reCAPTCHA verifications are logged with form submission events they are linked to.
* Improved: A new event is logged: "Password reset request denied". With possible statuses "reCAPTCHA verification failed", "User blocked by administrator", "Username is prohibited".
* Improved: Handling reset of user passwords is improved to support changes in the WordPress core.
* Fixed: A cookie-related bug that causes a fatal software error if a user has been deleted or their password has been changed in the WordPress dashboard by the website administrator while the user is being logged in.
* Fixed: A bug with the WordPress lost password (reset password) form that prevents displaying error messages to a user.
* Fixed: When the [limit on the number of allowed concurrent user sessions](https://wpcerber.com/limiting-concurrent-user-sessions-in-wordpress/) is set to one, an attempt to log in with the user name and incorrect password terminates the existing session of the user.
= 8.9.3 =
* Improved: The scanner: now checksums generated using manually uploaded ZIP archives have priority over the remote ones.
* Improved: You can configure exceptions for WP Cerber's anti-spam by disabling its code on selected WordPress pages.
* Improved: New diagnostic messages were added for better troubleshooting issues with ZIP archives uploaded in the scanner.
* Fixed: A vulnerability that affects WP Cerber's two-factor authentication (2FA) mechanism.
* Fixed: A bug that prevents uploading ZIP archives on the scan results page if the filename contains multiple dots.
* Fixed: The admin message "Error: Sorry, that username is not allowed." is wrongly displayed on the user edit page while updating users with prohibited usernames.
* Fixed: Not detecting malformed REST API requests with a question mark in this format: /wp-json?
= 8.9 =
* Improved: An updated scan statistic and filtering widget. Dynamically displays the most important issues with sorting.
* Improved: The percentage of completion of a scanner step is shown now.
* Improved: Sanitizing of malformed filenames in the scanner reports has been improved to avoid possible issues with the layout of the scan results page if malware creates malformed filenames to hinder their detection.
* Improved: Handling of WordPress locales and versions on websites with multilanguage plugins has been improved.
* Improved: A missing wp-config-sample.php file is not reported as an issue in the results of the scan anymore.
* Improved: Handling REGEX patterns for the setting fields "Restrict email addresses" and "Prohibited usernames". Now they support REGEX quantifiers.
* Improved: You can specify the "User-Agent" string for requests from the main [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/) website by defining the PHP constant CERBER_HUB_UA in the wp-config.php file.
* Improved: Diagnostic logging for network requests to the WP Cerber cloud. To enable logging, define the PHP constant CERBER_CLOUD_DEBUG in the wp-config.php file. Logging covers admin operations on the WP Cerber admin pages only.
* Improved: Text on the forbidden page is translatable now.
* Fixed bug: Some long filenames in the scan results break the layout of the scan results page, making it hard to navigate and use.
* Fixed bug: Unwanted file extensions are not detected if a file is identified as malicious.
* Fixed bug: If a file is missing, the full filename is not shown in the scan results when clicking the "Show full filenames" icon.
* Fixed bug: "PHP Deprecated: Required parameter $function follows optional parameter $pattern in /plugins/wp-cerber/cerber-scanner.php".
* Fixed bug: "PHP Fatal error: Call to undefined function crb_admin_hash_token() in cerber-load.php:1521".
* Fixed bug: "PHP Notice: Undefined property: WP_Error::$ID in cerber-load.php on line 1131".
* Breaking changes on the plugin admin pages: all versions of Internet Explorer browser and Safari browser version 13.0 and older are not supported anymore, meaning some elements might not work as expected.
= 8.8.5 =
* New: Quick user activity analytics (user insights) with filtering links on the Activity and Live Traffic log pages. Select a user to see how it works.
* New: Quick IP address activity and analytics (IP insights) with filtering links on the Activity and Live Traffic log pages. Select an IP address to see how it works.
* Improved: The selected user profile is displayed when filtering log entries by the user login or using the username search on the Activity log page.
* Improved: The IP address details and analytics are displayed when filtering log entries by the IP address or using the IP address search on the Activity log page.
* Improved: Implemented AJAX rendering of the plugin admin pages for faster loading and more convenient navigation through WP Cerber’s admin pages.
* Improved: To load the Users admin page faster, the user table columns generated by WP Cerber are now loaded via AJAX.
* Improved: Highlighting the selected filtering link in the navigation bar on the Activity and Live Traffic log pages.
* Improved: You will not see false DB errors on the Diagnostic page anymore.
* Fixed bug: When scanning, you can come across the software error "Process has been aborted due to server error. Check the browser console for errors." and "Too few arguments" error in the server error log.
= 8.8.3 =
* New: Mimicking the default WordPress user authentication through the wp-login.php to detect slow brute-force attacks.
* New: Prevent guessing valid usernames and user emails by disabling WordPress hints in the login error message when attempting to log in with non-existing usernames and emails.
* New: Prevent guessing valid usernames and user emails by disabling WordPress hints in the password reset error message when attempting to reset passwords for non-existing accounts.
* New: Prevent username discovery via oEmbed and user XML sitemaps.
* New: User and malicious activity are displayed separately in two different areas on WP Cerber’s main dashboard page.
* New: More convenient navigation through the WP Cerber admin pages by having the admin menu at the top.
* New: A new quick link "Login issues" to view all login issues such as failed logins, denied attempts, attempts to reset passwords, and so forth.
* Improved: Reduced the number of false positives when the malware scanner inspects directives with external IP addresses in .htaccess files.
* Improved: Better [Two-factor authentication (2FA)](https://wpcerber.com/two-factor-authentication-for-wordpress/) emails: the wording of the verification email has been updated and can be translated. The email subject includes the site name.
* Improved: The size of the database tables used by the integrity checker and malware scanner has been reduced.
* Improved: Implemented a strictly secure way of utilizing the unserialize() PHP function known for being used to deliver and run malicious code.
* Improved: Implemented a backup way of running WP Cerber maintenance tasks if WordPress scheduled tasks are not configured properly.
* Fixed bug: Two-factor authentication (2FA) PINs are not displayed on the edit user admin pages in the WordPress dashboard.
* Fixed bug: The "API request authorization failed" event was logged as "Login failed".
= 8.8 =
* New: [You get control over the WordPress application passwords and the ability to monitor related events in the log with email and mobile notifications.](https://wpcerber.com/wordpress-application-passwords-how-to/)
* New: A custom comment URL feature improves the efficiency of spam protection of the WordPress comment form. Available in the professional version of WP Cerber.
* Improved: Handling user authentication and authorization by WP Cerber’s access control mechanism has been significantly improved and optimized to allow using external user authentication via third-party solutions and connectors.
* Improved: You can now specify a user message to be displayed if [the configured limit to the number of concurrent user sessions](https://wpcerber.com/limiting-concurrent-user-sessions-in-wordpress/) has been reached and an attempt to log in is denied.
* Improved: Traffic log settings and features: "Log all REST API requests", "Log all XML-RPC requests", "Save response headers", and "Save response cookies".
* Improved: For better compatibility with different web server configurations, [the anti-spam query whitelist](https://wpcerber.com/antispam-exception-for-specific-http-request/) now ignores trailing slashes if a list entry or a requested URI has no GET parameters.
* Improved: Processing of extended and invalid UTF-8 characters in the Traffic Inspector log has been improved.
* Improved: Displaying of invalid UTF-8 characters (invalid byte sequences) in WP Cerber’s logs throughout the admin interface has been improved.
* Improved: WP Cerber's dashboard code is updated and now fully jQuery 3 compatible.
* Fixed: A bug that prevented activating the [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/) main mode on PHP 8.
* Fixed: A fatal PHP error occurs while saving some WP Cerber settings when using [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/) on a remote website with "Standard mode" enabled.
* Fixed: A bug that generated warning messages in the web server error log: Use of undefined constant LOGGED_IN_COOKIE – assumed ‘LOGGED_IN_COOKIE’
* Fixed: A bug that blocked theme preview if the anti-spam engine is enabled for all forms on the website.
= 8.7 =
* New: [Limiting the number of allowed concurrent user sessions.](https://wpcerber.com/limiting-concurrent-user-sessions-in-wordpress/) Depending on settings, WP Cerber will either block new logins or terminate the oldest ones.
* New: Enforcing [two-factor authentication (2FA)](https://wpcerber.com/two-factor-authentication-for-wordpress/) if the number of concurrent user sessions is greater than the specified threshold.
* Improved: [The integrity checker and malware scanner](https://wpcerber.com/wordpress-security-scanner/) now more effectively handle and log I/O errors that might occur during a scan.
* Improved: [The Traffic Inspector firewall](https://wpcerber.com/traffic-inspector-in-a-nutshell/) now processes files uploaded via nested, grouped, and obfuscated form fields in a more effective way.
* Improved: WP Cerber got necessary code improvements, and now it is fully compatible with PHP 8.
* Improved: [The default list of allowed REST API namespaces](https://wpcerber.com/restrict-access-to-wordpress-rest-api/) now includes "wp-site-health".
* Improved: Downloadable files generated by WP Cerber are generated with appropriate HTTP Content-Type headers now.
* Fixed: Misalignment of Cerber’s table footer labels on the "Users" admin page.
* Fixed: If the diagnostic log contains invalid Unicode (UTF-8) codes, it is not displayed on the Diagnostic log tab.
= 8.6.8 =
* New: [A shortcode to display WP Cerber’s cookies. You can display a list of cookies set by WP Cerber on any page.](https://wpcerber.com/browser-cookies-set-by-wp-cerber/)
* New: [Deferred rendering of the custom login page. This new feature can help you if you need to solve plugin compatibility issues.](https://wpcerber.com/user-switching-with-wp-cerber/)
* Improved: The style of the scanner email reports has been improved.
* Fixed: A bug with displaying the status icon of an IP address on the Activity and Live Traffic admin pages.
* Fixed: If the name of a commercial plugin contains a special HTML symbol like ampersand, it cannot be uploaded to verify the integrity of the plugin.
= 8.6.7 =
* New: In the professional version of WP Cerber, you can now permit user registrations for IP addresses in the [White IP Access List only](https://wpcerber.com/using-ip-access-lists-to-protect-wordpress/).
* New: All URLs in the logs are displayed in a shortened form without the website’s domain. There is not much value in seeing known things.
* New: A new label "IP Whitelisted" with green borders has been introduced. It is displayed in a log row on the Live Traffic if the IP address was in the White IP Access List, but the appropriate setting "Use White IP Access List" was not enabled at the moment when the event was logged.
* New: If you now hover the mouse over a red square icon in the Activity or Live Traffic log, you see the reason why the IP address in the row is currently locked out.
* New: If you now hover the mouse over a green or black square Access List icon in the Activity or Live Traffic log, you see the comment you’ve previously specified for that Access List entry.
* Improved: All non-REGEX entries [in the list of prohibited usernames (logins)](https://wpcerber.com/using-list-of-prohibited-logins-to-catch-stupid-bots/) are case-insensitive now. This applies to standard Latin-based (ASCII) WordPress usernames only.
* Improved: The name of a group in the Group column on [Cerber.Hub’s](https://wpcerber.com/manage-multiple-websites/) website list is a link that takes you to the list of websites in the group.
* Improved: The launch time of the daily maintenance tasks is now set to the night-time at 02:20. If you need them to get rescheduled, you can manually delete the "cerber_daily" cron task via a plugin or deactivate/activate WP Cerber.
* Fixed: Configured [REST API restrictions](https://wpcerber.com/restrict-access-to-wordpress-rest-api/) have no effect if WordPress is not installed in the root folder of a website (there is a path in the site URL). Affected versions: 8.6.1 and newer.
* Fixed: A bug in the logging subsystem: depending on server configuration, submitted form fields are not saved into the DB (if it is enabled in the logging settings).
* Fixed: A bug with Cerber’s admin CSS styles that were added in the previous version and hid the top pagination links on the "All posts" and "All posts" admin pages.
= 8.6.6 =
* New: On the user sessions page, you can now search sessions by a user name, email, and the IP address from which a user has logged in.
* New: You can specify locations (URL Paths) to exclude requests from logging. They can be either exact matches or regular expressions (REGEX).
* New: You can exclude requests from logging based on the value of the User-Agent (UA) header.
* New: A new, minimal logging mode. When it is set, only HTTP requests related to known activities are logged.
* Improved: The layout of the Live Traffic log has been improved: now all events that are logged during a particular request are shown as an event list sorted in reverse order.
* Improved: The user sessions page has been optimized for performance and compatibility and now works blazingly fast.
* Improved: If your website is behind a proxy, IP addresses of user sessions now are detected more precisely.
* Improved: When you configure the request whitelist in the Traffic Inspector settings, you can now specify rules with or without trailing slash.
* Improved: A new version of [Cloudflare add-on for WP Cerber](https://wpcerber.com/cloudflare-add-on-wp-cerber/) is available: the performance of the add-on has been optimized.
= 8.6.5 =
* New: File system analytics. It's generated based on the results of the last full integrity scan.
* New: Logging user deletions. The user’s display name and roles are temporarily stored until all log entries related to the user are deleted.
* New: Faster export with a new date format for CSV log export.
* New: Ability to disable adding the website administrator's IP address to the White IP Access List upon WP Cerber activation.
* Improved: Handling the creation of new users by WooCommerce and membership plugins.
* Improved: Handling user registrations with prohibited emails.
* Improved: Handling of Cerber’s secure cookies on websites with SSL encryption enabled.
* Improved: The performance of the integrity checker and malware scanner on huge websites with a large number of files.
* Fixed: Loading the default plugin settings has no effect. Now it’s fixed and moved from the admin sidebar to the Tools admin page.
= 8.6.3 =
* New: Ability to load IP access list's entries in the CSV format (bulk load).
* Update: A new malware scanner setting allows you to permit the scanner to change permissions of folders and files when required.
* Fixed: The access list IPv4 wildcard *.*.*.* doesn't work (has no effect).
* Fixed: If the anti-spam query whitelist contains more than one entry, they do not work as expected.
* Fixed: Several settings fields are not properly escaped.
= 8.6 =
* New: [An integration with the Cloudflare firewall. It’s implemented as a special WP Cerber add-on.](https://wpcerber.com/cloudflare-add-on-wp-cerber/)
* Update: The malware scanner has got improvements to the monitoring of new and modified files feature.
* Update: Additional search fields for the Activity log. They enable you to find a specific request by its Request ID (RID) and/or to search for a string in the request URL.
* Update: The minimum supported PHP version is 5.6.
= 8.5.9 =
* New: On the Live Traffic log, you can now search and filter out requests with software errors if they occurred.
* Update: The code of WP Cerber has been updated and tested to fully support and be compatible with PHP 7.4.
* Update: The layout of the list of managed websites on the [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/) main page has been improved to display the list more accurately on narrow and mobile screens.
* Update: If a managed website has the professional version of WP Cerber, it has a PRO sign in the "WP Cerber" column. The license expiration date is shown when you hover the mouse over the sign.
* Fixed: A bug with displaying long file names in the Security Scanner Quarantine that makes it impossible to delete or restore quarantined files manually.
* Fixed: A bug that requires installing a valid license key on a [Cerber.Hub](https://wpcerber.com/manage-multiple-websites/) main website to permit configuring settings on managed websites remotely, which is not intended behavior.
= 8.5.8 =
* New: Personal data export and erase features, which can be used through the WordPress personal data export and erase tool. These features help your organization comply with data privacy laws such as GDPR in Europe or CCPA in California.
* Update: The performance of the algorithm that handles exporting rows from the Activity log and the Live Traffic log to a CSV file has been improved, enabling the export of larger datasets.
* Update: When you block a user you can add an optional admin note now
* Fixed: If a user is blocked, it’s not possible to update the user message
* Fixed: Depending on the logging settings the "Details" links on the Live Traffic log are not displayed in some rows
= 8.5.6 =
* New: Ability to separately set the number of days of keeping log records in the database for authenticated (logged in) website users and non-authenticated (not logged in) visitors.
* New: Now you can completely turn off the Citadel mode feature in the Main Settings
* Update: When you upload a ZIP archive on the integrity scanner page it processes nested ZIP archives now and writes errors to the diagnostic log if it's enabled
* Update: The appearance of the Activity log has got small visual improvements
* Update: If the number of days to keep log records is not set or set to zero, the plugin uses the default setting instead. Previously, you could set it to zero and keep log records indefinitely.
* Fixed: The blacklisting buttons on the Activity tab do not work showing "Incorrect IP address or IP range".
* Fixed: PHP Notice: Trying to get property "ID" of non-object in cerber-load.php on line 1131
= 8.5.5 =
* New: IP Access Lists now support IPv6 networks, ranges, and wildcards. Add as many IPv6 entries to the access lists as you need. We've developed an extraordinarily fast ACL engine to process them.
* Update: The algorithm of handling consecutive IP address lockouts has been improved: the reason for an existing lockout is updated and its duration is recalculated in real-time now.
* Update: Traffic inspection algorithms were optimized to reduce false positives and make algorithms more human-friendly.
* Update: Improved compatibility with WooCommerce: the password reset and login forms are not blocked anymore if a user’s IP gets locked out due to using a non-existing username by mistake, using a prohibited username, or if a user has exceeded the number of allowed login attempts.
* Update: Improved compatibility with WordPress scheduled cron tasks if a website runs on a server with PHP-FPM (FastCGI Process Manager)
* Update: Very long URLs on the Live Traffic page are now displayed in full when you click the "Details" link in a row.
* Update: [Cerber.Hub's](https://wpcerber.com/manage-multiple-websites/) main website: the server column on the managed websites list page now contains a link to quickly filter out websites on the same server.
* Update: [Cerber.Hub's](https://wpcerber.com/manage-multiple-websites/) main website: now it remembers the filtered list of the managed websites while you’re switching between them.
* Fixed: If the Custom login URL is enabled on a subfolder WordPress installation, the user redirection after logout generates the HTTP 404 error page.
* Fixed: Very long HTTP referrers and request URLs are displayed in a truncated form on the Live Traffic page due to CSS bug.
* Fixed: If the Data Shield security feature is active, the password reset page on WordPress 5.3 doesn’t work properly showing "Your password reset link appears to be invalid. Please request a new link below."
= 8.5.3 =
* New: The malware scanner and integrity checker window has got a new filter that enables you to filter out and navigate to specific issues quickly.
* New in Cerber.Hub: new columns and filters have been added to the list of managed websites. The new columns display server IP addresses, hostnames, and countries where servers are located.
* Fixed: depending on the number of items in the access lists, the IP address 0.0.0.0 can be erroneously marked as whitelisted or blacklisted.
* Fixed in Cerber.Hub: if a WordPress plugin is installed on several managed websites and the plugin needs to be updated on some of them, the plugin is shown as needing an update on all of them.
= 8.5 =
* New: Data Shield module for advanced protection of user data and vital settings in the website database. Available in the PRO version.
* Improvement: Compatibility with WooCommerce significantly improved.
* Update: Strict filtering for the Custom login URL setting.
* Update: Chinese (Taiwan) translation has been added. Thanks to Sid Lo.
* Fixed: Custom login URL doesn't work after updating WordPress to 5.2.3.
* Fixed: User Policies tabs are not switchable if a user role was declared with a hyphen instead of the underscore.
* Fixed: A PHP warning while adding a network to the Black IP Access List from the Activity tab.
* Fixed: An anti-spam false positive: some WordPress DB updates can't be completed.
= 8.4 =
* New: More flexible role-based GEO access policies.
* New: A session manager for logged-in users.
* Update: Access to users’ data via WordPress REST API is always granted for administrator accounts now.
* Improvement: The custom login page feature has been updated to eliminate possible conflicts with themes and other plugins.
* Improvement: Improved compatibility with operating systems that don’t natively support the PHP GLOB_BRACE constant.
= 8.3 =
* New: Two-Factor Authentication.
* New: Block registrations with unwanted (banned) email domains.
* New: Block access to the WordPress Dashboard on a per-role basis.
* New: Redirect after login/logout on a per-role basis.
* Update: The Users tab has been renamed to Global and now is under the new User Policies admin menu.
* Fixed: Switching to the English language in Cerber’s admin interface has no effect.
* Fixed: Multiple notifications about a new version of the plugin in the WordPress dashboard.
= 8.2 =
* New: Automatic recovery of infected files. When the malware scanner detects changes in the core WordPress files and plugins, it automatically recovers them.
* New: A set of quick navigation buttons on the Activity page. They allow you to filter out log records quickly.
* New: A unique Session ID (SID) is displayed on the Forbidden 403 Page now.
* New: The advanced search on the Live Traffic page has got a set of new fields.
* New: To make a website comply with GDPR, a cookie prefix can be set.
* Update: The lockout notification settings are moved to the Notifications tab.
* Update: The list of files to be scanned in Quick mode now also includes files with these extensions: phtm, phtml, phps, php2, php3, php4, php5, php6, php7.
= 8.1 =
* New: On a main Cerber.Hub website you can get a list of active plugins and available plugin updates on a managed website.
* New: Notifications about newer versions of Cerber and WordPress available to install on a managed website.
* New: On a main Cerber.Hub website, you can select what language to use when a managed website admin page is being displayed.
* Improvement: Long URLs on the Live Traffic page now are shortened and displayed more neatly.
* Improvement: The plugin uninstallation process has been improved and now cleans up the database completely.
* Improvement: Multiple translations have been updated. Thanks to Maxime, Jos Knippen, Fredrik Näslund, Francesco.
* Fixed: The "Add to the Black List" button on the Activity log page doesn't work.
* Fixed: When the "All suspicious activity" button is clicked on the Dashboard admin page, the "Subscribe" link on the Activity page doesn't work correctly.
* Fixed: When you open an email report, the link to the list of deleted files during a malware scan doesn't work as expected.
= 8.0 =
* New: [Manage multiple WP Cerber instances from one dashboard](https://wpcerber.com/manage-multiple-websites/).
* New: A new bulk action to block multiple WordPress users at a time.
* Improvement: The performance of the export feature has been improved significantly.
* Improvement: Multiple code optimizations improve overall plugin performance.
= 7.9.7 =
* New: [Authorized users only mode](https://wpcerber.com/only-logged-in-wordpress-users/).
* New: [An ability to block a user account](https://wpcerber.com/how-to-block-wordpress-user/).
* New: [Role-based access to WordPress REST API](https://wpcerber.com/restrict-access-to-wordpress-rest-api/).
* Update: Added ability to search and filter a user on the Activity page.
* Update: A new, separate setting for preventing user enumeration and user data leaks via WordPress REST API.
* Update: A new Changelog section on the Tools page.
* Update: Improved handling scheduled maintenance tasks on a multi-site WordPress installation.
* Fixed: Several HTML markup errors on plugin admin pages.
= 7.9.3 =
* New: New settings for the Traffic Inspector firewall allow you to fine-tune its behavior. You can enable less or more restrictive firewall rules.
* Update: Troubleshooting of possible issues with scheduled maintenance tasks has been improved.
* Update: To make troubleshooting easier the plugin logs not only a lockout event but also logs and displays the reason for the lockout.
* Update: Compatibility with ManageWP and Gravity Forms has been improved.
* Update: The layout of the Activity and Live Traffic pages has been improved.
* Bug fixed: The malware scanner wrongly prevents PHP files with a few specific names in one particular location from being deleted after a manual scan or during the automatic malware removal.
* Bug fixed: The number of email notifications might be incorrectly limited to one email per hour.
= 7.9 =
* New: The plugin monitors suspicious requests that cause 4xx and 5xx HTTP errors and blocks IP addresses that aggressively generate such requests.
* New: A set of WordPress navigation menu links. Login, logout, and register menu items can be automatically generated and shown in any WordPress menu or a widget.
* New: Software error logging. A handy feature that logs PHP errors and shows them on Live Traffic page.
* New: A new export feature for Traffic Inspector. It allows exporting all log entries or a filtered set from the log of HTTP requests.
* Update: Multiple improvements to Traffic Inspector firewall algorithms. In short, the detection of obfuscated malicious SQL queries and injections has been improved.
* Update: Improved handling of malformed requests to wp-cron.php.
* Fix: The number of email notifications per hour can exceed the configured limit.
= 7.8.5 =
* New: A new set of heuristics algorithms for detecting obfuscated malicious JavaScript code.
* New: A new file filter on the Quarantine page lets you filter out quarantined files by the date of the scan.
* New: The performance of the malware scanner has been improved. Now the scanner deletes all files in the website session and temporary folders permanently before the scan.
* Update: If the plugin is unable to detect the remote IP address, it uses 0.0.0.0 as an IP.
* Update: The anti-spam engine will never block the localhost IP.
* Update: Performance improvements for database queries related to the process of user authentication.
* Update: Improved handling of the plugin settings in a buggy or misconfigured hosting environment that could cause the plugin to reset settings to their default values.
* Update: Translations have been updated. Thanks to Francesco, Jos Knippen, Fredrik Näslund, Slobodan Ljubic and MARCELHAP.
* Fix: Fixed an issue with saving settings on the Hardening tab: "Unable to get access to the file…"
= 7.8 =
* New: An ignore list for the malware scanner.
* New: Disabling execution of PHP scripts in the WordPress media folder helps to prevent offenders from exploiting security flaws.
* New: Disabling PHP error displaying as a setting is useful for misconfigured servers.
* New: English for the plugin admin interface. Enable it if you prefer to have the untranslated, original admin interface.
* New: Diagnostic logging for the malware scanner. Specify a particular location of the log file by using the CERBER_DIAG_DIR constant.
* Update: The performance of malware scanning on a slow web server with thousands of issues and tens of thousands of files has been improved.
* Update: PHP 5.3 is not supported anymore. The plugin can be activated and run only on PHP 5.4 or higher.
* Fix: If a malicious file is detected on a slow shared hosting, the file can be shown twice in the results of the scan.
* Fix: A possible issue with the short PHP syntax on old PHP versions in /wp-content/plugins/wp-cerber/common.php on line 1970
= 7.7 =
* New: [Automatic cleanup of malware and suspicious files](https://wpcerber.com/automatic-malware-removal-wordpress/). This powerful feature is available in the PRO version and automatically deletes trojans, viruses, backdoors, and other malware. Cerber Security Professional scans the website on an hourly basis and removes malware immediately.
* Update: Algorithms of the malware scanner have been improved to detect obfuscated malware code more precisely for all types of files.
* Update: Email reports for [scheduled malware scans](https://wpcerber.com/automated-recurring-malware-scans/) have been extended with useful performance numbers and a list of automatically deleted malicious files if you’ve enabled automatic malware removal and some files have been deleted.
* Fix: A possible issue with uploading large JSON and CSV files. When Traffic Inspector scans uploaded files for malware payload, some JSON and CSV files might be erroneously identified as containing a malicious payload.
* Fix: A possible Divi theme forms incompatibility. If you use the Divi theme (by Elegant Themes), you can come across a problem with submitting some forms.
= 7.6 =
* New: The quarantine has got a separate admin page in the WordPress dashboard which allows viewing deleted files, restoring or deleting them.
* New: Now the malware scanner and integrity checker support multisite WordPress installations.
* Bug fixed: Once an IP address has been locked out after reaching the limit on the number of login attempts, the "We’re sorry, you are not allowed to proceed" forbidden page is displayed instead of the normal user message "You have exceeded the number of allowed login attempts".
* Bug fixed: PHP Notice: Only variables should be passed by reference in cerber-load.php on line 5377
* Update: Miscellaneous code improvements for traffic inspector
= 7.5 =
* New: Firewall algorithms have been improved and now inspect the contents of all files that someone attempts to upload to a website.
* New: The traffic logger can save headers, cookies and the $_SERVER variable for every HTTP request.
* New: The scanner now scans installed plugins for known vulnerabilities. If you have enabled scheduled automatic scans, you will be notified in an email report.
* Update: A set of new malware signatures and patterns has been added to detect malware submitted through a contact form as well as any HTTP request fields.
* Update: Now the plugin inspects user sign ups (user registrations) on multisite WordPress installations and BuddyPress.
* Update: The search for user activity, as well as enabling activity notifications, is improved.
= 7.2 =
* New: Monitoring new and changed files.
* New: Detecting malicious redirections and directives in .htaccess files.
* New: Automated hourly and daily scheduled scans with flexible email reports.
* Update: Added protection against logging wrong timestamps on some incorrectly configured servers.
* Bug fixed: Unexpected warning messages in the WordPress dashboard.
* Bug fixed: Some file status links on the scanner results page may not work.
= 7.0 =
* Cerber Security Scanner: system integrity checker, malware detector and malware removal tool.
* New: a new setting for Traffic Inspector: Use White IP Access List.
* Update: the redirection from /wp-admin/ to the login page is not blocked for a user that has been logged in once before.
* Bug fixed: the limit on the number of new user registrations is calculated in a way that allows one additional registration within a given period of time.
= 6.7.5 =
* A new button View Activity has been added to the user edit page in the WordPress dashboard.
* Miscellaneous code optimizations: the performance of database routines and SQL queries is improved.
* A new Swedish translation has been added. Thanks to Fredrik Näslund.
* Bug fixed: The wildcard *.*.*.* entry (all IPv4 addresses) in the Black IP Access List doesn't work as intended.
= 6.7 =
* New: Regular expressions are now available for the Traffic Inspector Request whitelist and Antispam Query whitelist.
* Update: Antispam engine algorithms have been updated to improve AJAX requests handling and reduce false positives.
* Update: Improved compatibility with WooCommerce, Formidable Forms, Gravity Forms and AJAX file upload.
* Update: Any symbols other than letters, numbers, dashes and underscores are not permitted in Custom login URL anymore.
* Bug fixed: The Safe antispam mode doesn’t work correctly on some website configurations. That may lead to false positives and erroneous spam form submission detection.
= 6.5 =
* New: A new, advanced initialization mode which reinforces overall security performance.
* New: Traffic Inspector's algorithms detect and deny any attempt to upload executable files or an .htaccess file via any POST request.
* New: A new setting to disable email notifications about new versions of the plugin.
* New: Search in the traffic log has been improved. Searching in the User-Agent string and filtering by the HTTP method (GET/POST) are available.
* Update: Performance of the logging subsystem is improved.
* Update: In the Smart mode if a user is not logged in, all requests to the admin dashboard are logged.
* Bug fixed: If a user tries to log in with an email address and an incorrect password, the "Invalid username" message is shown.
* Bug fixed: On a multisite installation with websites in subdirectories a user activation link doesn't work.
= 6.2 =
* New: Protection against DoS attacks that exploit a recently discovered vulnerability (CVE-2018-6389).
* New: The Traffic Inspector algorithm detects malformed and double extensions like .php.jpg more precisely.
* New: The Access Lists now accept IPv6 addresses in any form and handle them in a shortened form. All existing IPs will be converted.
* Bug fixed: If the WP REST API is blocked, a request with a specially malformed URL can bypass protection. Thanks to Tomasz Wasiak.
* Bug fixed: An IPv4 range in the Access Lists might not work as expected, depending on server/site settings.
= 6.1 =
* New: Traffic Inspector has got a Request White List setting.
* New: An Activity filter for the Advanced search form on the Traffic Inspector page.
* Bug fixed: Two reCAPTCHA widgets on login/registration forms.
* Bug fixed: A legitimate IP address can be locked out by Traffic Inspector on a Windows hosting (server).
= 6.0 =
* New: Traffic Inspector. It’s a specialized request inspection algorithm that inspects all suspicious incoming HTTP requests and blocks them before they can harm a website.
* New: Traffic Inspector optionally logs all or just suspicious and malicious requests so you can inspect them.
* New: Added ability to clean up Cerber’s DB tables.
* New: If the web server has some issues and those issues can affect plugin functionality, they are shown on the Diagnostic page.
* Added protection to prevent scheduled tasks from being executed multiple times an hour.
* JavaScript antispam code is improved to eliminate excessive fields in GET requests.
* To eliminate possible warning messages, the inet_pton() function has been replaced with filter_var().
= 5.9 =
* New: You can add comments for new entries in the access lists
* Improved compatibility with exotic hosting environments: now the plugin handles URLs with the MultiViews server option enabled.
* Improved compatibility with caching plugins
* Bug fixed: The plugin logs a logout event if the actual logout doesn't happen
= 5.8.6 =
* New: Regular expressions (REGEX) in the list of prohibited usernames.
* New: Enable/disable weekly reports, a new setting to specify email addresses for weekly reports.
* Improved compatibility with non-standard authentication processes, WooCommerce and exotic/outdated hosting environments.
* Bug fixed: Some interface elements of WordPress Customizer might not work.
= 5.8 =
* New: Now the plugin will send a brief security report (activity for past seven days) to specified email addresses.
* Plugin admin interface pages: compatibility with screen readers has been improved.
* REST API: the deprecated rest_enabled filter is used for WordPress older than 4.7.
* Bug fixed: After updating the plugin to the 5.7 version some disabled checkboxes (and corresponding disabled settings) are set to their default, enabled states.
* Bug fixed: An IP address in the white access list may be locked out as a suspicious IP.
= 5.7 =
* New: Limit access to WordPress REST API for logged in users only.
* New: For new users, the plugin records the date of registration, the IP address, and the user who added the new user.
* New: Sorting users on the Users admin page by date of registration.
* New: User registration monitoring and activity logging functions have been improved.
* Translations have been updated, thanks to Jos Knippen, Wojciech Górski and Francesco.
* Bug fixed: Stop user enumeration via REST API doesn’t work on a multisite WordPress installation.
= 5.5 =
* New: White list for the WordPress anti-spam engine.
* New: White list for REST API requests.
* New: Disable access to user data via REST API and stop REST API user enumeration.
= 5.2 =
* Bug fixed: The hidden custom login URL may be discovered by using a specially formatted URL.
* Bug fixed: Customized CSS styles don’t work on the Custom login page.
= 5.1 =
* New: Anti-spam and anti-bot for contact and other forms. Cerber antispam and bot detection engine now protects all forms on a website. It’s compatible with virtually any form. Tested with Caldera Forms, Gravity Forms, Contact Form 7, Ninja Forms, Formidable Forms, Fast Secure Contact Form, Contact Form by WPForms.
* New: Portuguese of Portugal translation has been added, thanks to Helderk.
* Bug fixed: A user with admin account is unable to approve comments with pending status in the WordPress Dashboard.
= 5.0 =
* New: A new antispam and bot detection engine that protects comment and user registration forms from bot attacks. After several attempts, the bot's IP will be locked out.
* New: You can tell Cerber either to mark detected spam comments as spam or deny them completely.
* New: Cerber can automatically move spam comments older than the specified amount of days to trash.
* New: Added the cerber_404_template filter for specifying an alternative to the default 404 page not found template.
* New: Added code to avoid possible conflict between Custom login URL and REST API.
* New: Italian translation has been added, thanks to Francesco Venuti.
* Bug fixed: WordPress database error: Table '...cerber_lab_net' doesn't exist.
= 4.9 =
* New: Additional details will be logged and displayed on the Activity page: the URL of a request and the decision the plugin engine made.
* New: Added a nice panel with performance indicators showing key events and plugin performance in the last 24 hours.
* New: To improve reliability, self check-up code has been added.
* New: Polish translation has been added, thanks to Wojciech Górski.
* New: On a multisite WP installation, scheduled tasks will be executed once per hour for the entire network: there will be no excess SQL queries when the plugin executes hourly cron tasks.
* Bug fixed: The language for visible reCAPTCHA isn't set according to the site language setting. It's always English.
= 4.8.2 =
* New: Starting with this version all database tables will be created with a default database engine. It should be InnoDB.
* New: To improve compatibility with some plugins the email notification function has been updated and now uses the comma-separated list of email addresses instead of an array.
* Bug fixed: An IP address from a range might not be allowed to log in if you have overlapping IP ranges in both IP Access Lists.
* Bug fixed: The reason for blocking an IP address is not shown in notification emails if "Always block entire subnet Class C of intruders IP" is selected in the settings.
= 4.8 =
* New: You can enable/disable applying limit login rules to IP addresses in the White IP Access List.
* New: Block malicious IP addresses after a specified number of failed attempts to solve visible or invisible reCAPTCHA.
* New: Track password reset requests with username entered.
= 4.7.7 =
* New: invisible reCAPTCHA (classic, visible also available).
* New: reCAPTCHA for comment forms. Works well as an anti-spam tool.
* Fixed bug: "Add network to the Black List" and "Add IP to the Black List" buttons on the Activity tab don't work in the Safari web browser.
= 4.5 =
* New: Instant mobile and browser notifications with Pushbullet.
* New: Ability to choose a 404 page template.
* New: Events on the Activity tab are displayed with user roles and avatars.
* Update: PHP function file_get_contents() has been replaced with cURL to improve compatibility with restrictive hosting environments.
* Fixed bug: Password reset link that is generated by the WooCommerce reset password form can be corrupted if reCAPTCHA is enabled for the form.
* Fixed bug: The plugin doesn’t block IPv6 addresses from the Black IP Access List (versions affected: 4.0 – 4.3).
= 4.3 =
* New: Use powerful subscriptions to get email notifications according to filters for events you have set.
* New: Search and/or filter activity by IP address, username (login), specific event and a user. You may use any combination of them.
* New: Now you can export activity from your WordPress website to a CSV file. You may export all activities or just a set of filtered out activities.
* Update: Now you can specify multiple email boxes for notifications.
* Update: The Spanish translation has been updated, thanks to [leemon](https://profiles.wordpress.org/leemon/).
= 4.1 =
* New: Date format field allows you to specify a desirable format for displaying dates and time.
* Updated code for the registration_errors filter to handle errors the right way.
* The French translation has been updated.
* Fixed issue: Loading settings from a file with reCAPTCHA key and secret on a different website overwrites the existing reCAPTCHA key and secret with values from the file.
* Fixed bug: The plugin tries to validate reCAPTCHA on the WooCommerce login form if the validation is enabled for the default WordPress login form only.
= 4.0 =
* New: reCAPTCHA for WooCommerce forms. [How to set up reCAPTCHA](https://wpcerber.com/how-to-setup-recaptcha/).
* New: [IP Access Lists](https://wpcerber.com/using-ip-access-lists-to-protect-wordpress/) now support IP networks in three forms: IPv4 ranges, IPv4 CIDR notation, and IPv4 subnets (A, B, C).
* New: Cerber can automatically detect an IP network of an intruder and suggest blocking the entire network right from the Activity screen.
* New: Norwegian translation added, thanks to [Eirik Vorland](https://www.facebook.com/KjellDaSensei).
* Update: WP REST API is controlled by Access Lists. While REST API is blocked for the rest of the world, IP addresses from the White Access List can use WP REST API.
* Update: The WP Cerber admin menu is moved from Settings to the main admin menu.
* Update: To make Cerber more compatible with other plugins, the order of the init hook on the Custom login page (Custom login URL) has been changed.
* Update: Several languages and translations have been updated.
* Update: A large amount of code has been rewritten to improve performance and stability.
* Fixed bug: If a hacker or a bot uses a login from the list of prohibited usernames or a non-existent username, Citadel mode cannot be automatically activated.
* Fixed bug: reCAPTCHA for an ordinary WordPress login form is incompatible with a WooCommerce login form.
* Fixed issue: In some cases the plugin logs the first digits of an IP address as the ID of an existing user.
= 3.0 =
* New: [reCAPTCHA to protect WordPress forms from spam registrations. Also available for lost password and login forms.](https://wpcerber.com/how-to-setup-recaptcha/)
* New: Registration, XML-RPC, and WP REST API are controlled by IP Access Lists now. If a particular IP address is locked out or blacklisted, registration is impossible.
* New: The action "Get WHOIS info" and the trigger "IP locked out" to create automation scenarios with the [jetFlow.io automation plugin](http://jetflow.io).
* New: Notification emails will contain the reason for a lockout.
* New: The activity DB table will be optimized after removing old records daily.
* Update: The Username column on the Activity tab now shows the real value that was submitted with the WordPress login form.
* Update: Text domain is updated to 'wp-cerber'.
* Fixed issue: If a user enters a correct email address and a wrong password to log in, the IP address is locked immediately.
= 2.9 =
* New: Checking for a prohibited username (login). You can specify list of logins manually on the new settings page (Users).
* New: Rate limiting for notification letters. Set it on the main settings page.
* New: If new user registration disabled, automatic redirection from wp-register.php to the login page is blocked (404 error). Remote IP will be locked out.
* New: You can set user session expiration timeout.
* New: Define the constant CERBER_IP_KEY if you want the plugin to use it as a key to get the IP address from the $_SERVER variable.
* Update: Improved WP-CLI compatibility.
* Update: All dates are displayed in a localized format with the date_i18n function.
* Fixed bugs: incorrect admin URL in notification letters for multisite with multiple domains configuration, lack of error message on the login form if IP is blocked, CSRF vulnerability on the import settings page.
* Removed calls to the deprecated function get_currentuserinfo().
= 2.7.2 =
* Fixed bug for non-English WordPress configurations: the plugin is unable to block an IP in some server environments. If you have configured a language other than English, you have to install this release.
= 2.7.1 =
* Fixed two small bugs: 1) an IP subnet cannot be removed from the Access Lists and 2) getting the IP address behind a reverse proxy doesn't work properly.
= 2.7 =
* New: Now you can view extra WHOIS information for IP addresses in the activity log including country, network info, abuse contact, etc.
* New: Added ability to disable WP REST API, see [Hardening WordPress](https://wpcerber.com/hardening-wordpress/)
* New: Added ability to add IP address to the Black List from the Activity tab. Nail it!
* New: Added Spanish translation, thanks to Ismael.
* New: Added ability to set the number of displayed rows (lines) on the Activity and Lockout tabs. Click Screen Options at the top right.
* Fixed minor security issue: Actions to remove IP on the Access Lists tab were not protected against CSRF attacks. Thanks to Gerard.
* Update: Small changes on the dashboard widget.
* Update: Actions taken by the plugin (the plugin makes a decision) are now marked with a dark vertical bar on the right side of the labels (Activity tab).
= 2.0.1.6 =
* New: Added a Reason column on the Lockouts screen which displays the cause of blocking a particular IP.
* New: Added Hardening WP with options: disable XML-RPC completely, disable user enumeration, disable feeds (RSS, Atom, RSD).
* New: Added Custom email address for notifications.
* New: Added Dutch and Czech translations.
* New: Added Quick info about IP on Activity tab.
* Update: Removed option 'Allow whitelist in Citadel mode'. Now this whitelist is enabled by default all the time.
* Update: For notifications on the multisite installation the admin email address from the Network Settings will be used.
* Fixed Bug: Disable wp-login.php doesn't work for subfolder installation.
* Fixed Bug: Custom login URL doesn't work without trailing slash.
* Fixed Bug: Any request to wp-signup.php reveals the hidden Custom login URL.
= 1.8 =
* New! added Hostname column for the Activity and Lockouts tabs.
* New! added ability to write failed login attempts to the specified file or to the syslog file. Use it to protect the site with fail2ban.
* Added Ukrainian translation (Український переклад).
= 1.7 =
* Added ability to remove old records from the user activity log. The log will be cleaned up automatically. Check out the new "Keep records for" field on the settings page.
* Added pagination for the Activity and Lockouts tabs.
* Added German (Deutsch) translation, thanks to mario.
* Added ability to reset settings to the recommended defaults at any time.
= 1.6 =
* New: beautiful widget for the dashboard to keep an eye on things. Get quick analytics with trends over 24 hours and the ability to manually deactivate Citadel mode.
* French translation added, thanks to hardesfred.
* Hardening WordPress. Removed automatic redirection from /login/ to the login page, from /admin/ and /dashboard/ to the dashboard.
* Fixed issue with lost password link in the multisite mode.
* Now compatible with User Switching plugin.
* Added ability to manually deactivate Citadel mode, once it automatically switches on.
= 1.5 =
* New feature: importing and exporting settings and access lists from/to the file.
* Limited notifications in the dashboard.
= 1.4 =
* Added Multisite mode support for limiting login attempts.
* Added Number of comments column on the Users screen in dashboard.
* Updated notification settings.
* Updated languages files.
= 1.3 =
* Fixed issue with hanging up during redirect to /wp-admin/ under some circumstances.
* Fixed minor issue with limit login attempts for non-admin users.
* Added Date of registration column on the Users screen in dashboard.
* Some UI improvements on access-list screen.
* Performance optimization & code refactoring.
= 1.2 =
* Added localization & internationalization files. You can use Loco Translate plugin to make your own translation.
* Added Russian translation.
* Added headers for failed attempts to use such headers with [fail2ban](http://www.fail2ban.org).
= 1.1 =
* Added the ability to filter the Activity List by IP, username or a particular event. You can see what happened and when with a particular IP or username: when the IP reached the limit of login attempts and when it was blocked.
* Added protection against adding to the Black IP Access List a subnet that the current user's session IP belongs to.
* Added option to work with site/server behind reverse proxy.
* Updated installation instructions.
= 1.0 =
* Initial version