Bypass all resource restrictions, passwords, and keys? Read here!
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.9 Nulled
= 9.9 =
New: WP Cerber now automatically maintains a backup copy of the last known valid plugin settings. The backup is refreshed after successful settings updates, settings imports, plugin upgrades, and during daily maintenance.
New: If the stored plugin settings become corrupted, WP Cerber now restores them automatically from the settings backup and shows a dismissible admin notice explaining what happened, what action was taken, and what the administrator should review.
New: The "System Readiness" widget now shows an advisory notice on servers where PHP is built without the modern `mysqlnd` database driver. The notice confirms that WP Cerber keeps working and recommends enabling `mysqlnd` for full compatibility and better performance.
Improved: Traffic Inspector now detects additional high-confidence JavaScript obfuscation patterns, including fully escaped strings that use `\uNNNN` and `\u{...}` escape sequences and dangerous execution, DOM, network, and system code decoded from explicit `fromCharCode()` calls, while preserving its low false-positive detection model.
Compatibility: WP Cerber now runs correctly on legacy hosting environments where PHP is built without the modern `mysqlnd` database driver. On such servers, database query results are retrieved through a slower compatible method instead of triggering a fatal error.
Fixed: A corrupted WP Cerber configuration value stored in the database could cause a fatal `TypeError` in `array_merge()` at plugin load time on PHP 8, taking the whole website down. WP Cerber now detects the unreadable stored value, falls back to the default settings, and reports the failure as a critical issue until the administrator re-saves the settings.
Fixed: A regression in the detection of obfuscated JavaScript by Traffic Inspector. JavaScript strings built entirely of `\xNN` hex escape sequences were not decoded, so obfuscated code such as `eval`, `script`, and `XMLHttpRequest` could go undetected when request fields were inspected.
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.8.3 Nulled
= v9.8.3 =
New: The Activity log and Traffic log CSV exports now report the date range they cover, adding the oldest and newest record timestamps to the export header.
Improved: Activity log and Traffic log CSV exports now stream matching rows in a single unbuffered pass, keeping memory usage flat and avoiding deep-offset scanning, which makes exporting large logs faster and more reliable.
Improved: Activity log and Traffic log exports now send the `X-Accel-Buffering: no` response header so an Nginx proxy in front of PHP-FPM forwards each chunk immediately instead of buffering the whole export, improving time-to-first-byte on large exports.
Improved: Decoding of stored Traffic Inspector request field data is now more robust, consistently treating nullable legacy values, empty values, invalid JSON, and unsupported serialized payloads as an empty array.
Fixed: Corrected memory limit handling during Activity log and Traffic log exports, where a numeric limit such as `512` could be applied as bytes instead of megabytes, preventing WP Cerber from raising the available memory and causing exports to stop earlier than expected.
Fixed: In the Traffic Inspector Log "Advanced Search", combining the "Any software error" option with other filters could return requests with recorded PHP errors that did not match the other criteria; results now match all selected filters.
Fixed: Dashboard links in Activity alert notification emails could carry mismatched query parameters, for example the IP filter receiving an IP-range boundary value, which opened an unrelated filtered view; the links now use the correct values.
Fixed: Activity alerts that match on a search string now resolve the user of the logged event instead of falling back to the current administrator, so user-based alert matching behaves correctly.
Fixed: Prevented an undefined array key notice in `CRB_Activity::is_modified_since()` when the `data_modified` status value was missing, and corrected an operator-precedence error so a missing modification timestamp is correctly treated as modified.
Security: Sanitized user-controlled profile display names (first name, last name, and display name) before they are concatenated into `Name <email>` mail recipient strings, closing an email header injection vector that could add an extra recipient to the two-factor authentication PIN email and to Activity alert notification emails.
Security: Plugin ownership-change messages on the scanner page are now rendered through WP Cerber's UI layer with contextual output escaping instead of raw HTML, removing a potential stored admin XSS vector from externally supplied plugin ownership metadata provided by the WordPress.org plugin repository.
Security: Activity log and Traffic log CSV exports now send the `Cache-Control: no-store` response header to prevent a sensitive security-log export from being cached by the browser or an intermediate proxy.
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.8 Nulled
= 9.8 =
Changed: Renamed the "White IP Access List" and "Black IP Access List" terms to "Allowed IP Access List" and "Blocked IP Access List" across the admin UI for clearer access-control terminology.
Changed: Client IP address detection now converts IPv4-mapped IPv6 addresses to standard IPv4 notation in proxy and IPv6 environments. ACL entries using mapped IPv6 notation no longer match these normalized client IP addresses.
Changed: Client IP address detection no longer falls back to the `HTTP_CLIENT_IP` header when the `X-Forwarded-For` proxy header is empty or does not contain a valid address.
Improved: The integrity scanner now records detailed database error information in the log when diagnostic logging is enabled in the settings.
Fixed: Geolocation data for IPv6 addresses is now cached correctly, so country names appear immediately in the Activity log and Traffic log instead of being re-fetched from the geolocation service on each view, which previously caused extra AJAX requests and a noticeable delay.
Fixed: Eliminated the `ERROR 1062` ("Duplicate entry") messages that the IPv6 geolocation caching bug wrote to the server error log on each IPv6 lookup.
Fixed: If more than one IPv6 range or IPv6 network defined in IP Access Lists, the Traffic and Activity logs could display comments or labels belonging to a different IPv6 Access List entry, for example showing the label "IP whitelisted" for a request that was actually denied. The logs now show details that match the Access List entry involved.
Fixed: Database operations now compatible with WordPress table prefixes starts with a digit, such as `123_`. This resolves a regression introduced by the stricter database operation validation in WP Cerber 9.7.4, where affected sites could fail to run integrity scanner.
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.7.4 Nulled
= 9.7.4 =
New: Timestamps in the fail2ban log now follow the operating system timezone instead of UTC, so fail2ban can correctly evaluate failed login attempts on servers using a non-UTC timezone.
New: Added the constant CERBER_LOG_TIMEZONE to force an explicit timezone identifier for the fail2ban log when automatic detection cannot determine the system timezone.
Improved: Hostnames written to the fail2ban log on failed login attempts are now sanitized to strip log-forging characters, allow only hostname-safe characters, and keep each entry on a single well-formed line.
Improved: WP Cerber's admin interface now uses WordPress's --wp-admin-theme-color custom property instead of hardcoded accent colors, aligning tabs, focus states, and changelog callouts with the selected admin color scheme.
Improved: The Tools / License page now shows localized, non-contradictory notices for empty, malformed, invalid, expired, or temporarily unverifiable license keys.
Improved: Refactored database operations with the new CRB_Database and CRB_Query_Builder classes for more consistent query execution, transactions, safe value quoting, and validation.
Improved: Added the Revalt result/error type as an internal foundation for more consistent operation results, diagnostic chains, and error logging.
Improved: Traffic Inspector now validates decoded JSON request payloads and captures decoding errors for more reliable request logging.
Improved: Sensitive-field masking and request-field preparation now use stricter validation, normalization, and escaping before database insertion.
Improved: Admin notices emitted by WP Cerber are now rendered through crb_purify_message(), which allows only a defined set of HTML elements and attributes.
Changed: The login security setting "Write failed login attempts to the system log file" has been renamed to "Log failed logins in a syslog-style format for automated IP banning tools". Behavior is unchanged.
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.7.3 Nulled
= 9.7.3 =
Improved: Plugin settings that accept REGEX patterns are now validated for syntax errors when an administrator saves settings, helping detect invalid patterns before they cause configuration problems.
Improved: The Readiness widget now detects when required PHP functions are disabled even if a required extension is installed, and they provide more precise diagnostic messages.
Fixed: Translation updates no longer attempt to download non-existent locales, which prevents the misleading error message Updating translations for WP Cerber Security (haz)… Download failed. Not Found.
Fixed: Regular expression patterns in the Traffic Inspector setting "Do not log these locations" now work correctly when they contain forward slashes, so matching requests are excluded from logging as intended.
Fixed: A minor bug that could cause the server error log message preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated.
Fixed: A minor bug that could cause the server error log message Constant CRB_DOING_BG_TASK already defined. Fixed: A minor bug that could cause the server error log message Attempt to read property "ID" on null.
Fixed: A minor bug that could cause the server error log message Call to undefined function curl_init().
Fixed: A minor bug that could cause the server error log message Undefined array key "primary_ip".
Fixed: A minor bug that could cause the server error log message Undefined array key "local_ip".
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.7 Nulled
== Changelog ==
= 9.7 =
New: Implemented a "System Readiness" dashboard widget that surfaces configuration and environment issues impacting security and stability, with quick links to relevant settings and documentation.
Improved: Enforced stricter Content-Security-Policy (CSP) measures in the plugin admin area by adding additional security directives.
Improved: Enhanced the detection of obfuscated malicious JavaScript to better identify hidden security threats.
Improved: More efficient analysis of suspicious requests by the firewall, resulting in better performance and fewer false positives.
Improved: Implemented batch processing and timestamp formatting for spam comment cleanup to improve performance and prevent resource issues.
Improved: Refactored database operations to use stricter identifier validation, improving SQL safety and compliance with MySQL standards.
Improved: Updated HTTP header validation methods used for whitelisting requests in the anti-spam engine and traffic firewall settings. These settings now support entries with an empty value after the colon.
Improved: Added exception logging and enhanced error handling to the continuous code quality assurance process.
Improved: File handling operations are now more fault-tolerant with the implementation of explicit permission checks and thread-safe file locks.
Changed: To prevent accidental movement dashboard widgets can now be reorganized using drag-and-drop via their headings only.
Compatibility: Refactored code to address deprecated features and ensure compatibility with PHP 8.5.
Fixed: A minor bug where escaped HTML tags were not properly handled when rendering the settings pages user interface.
Fixed: A minor bug that caused the server error log message: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated in /wp-cerber/cerber-common.php:4267.
Fixed: A minor bug that caused the server error log message: preg_match(): Passing null to parameter #2 ($subject) of type string is deprecated.
Fixed: A minor bug that caused the server error log message: Undefined array key "REQUEST_METHOD".
Fixed: A minor bug that caused the server error log message: preg_replace(): Passing null to parameter #3 ($subject) of type array|string is deprecated.
Fixed: A minor bug that caused the server error log message: Undefined array key "HTTP_HOST".
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.6.11 Nulled
Full changelogs
![]()
WP Cerber Security 9.6.11
WP Cerber Security 9.6.11 WordPress security plugin, firewall & anti-spam - Defenderwpcerber.com
Decryption key:
WP Cerber Security Pro - WordPress Antispam & Malware Scan v9.6.10 Nulled
= WP Cerber Security 9.6.10
We’ve just released a new version of WP Cerber, and while you won’t see big visual changes, this update is all about the details that prepare WP Cerber for the future. We refined how links are generated in email alerts, made admin navigation smoother, and strengthened URL and data sanitizing in rare edge cases. These are the kinds of [...]
Decryption key:
= 9.6.9 =
Important: The behavior of the 'authenticate' hook has been reverted to restore the behavior from versions before WP Cerber 9.6.6. Custom login workflows may be affected.
New: Added RDAP protocol support for retrieving IP address data. This is a modern and efficient replacement for WHOIS.
New: Added a setting to configure an optional message shown when a user’s email address is not allowed for registration.
New: New setting for handling login attempts with prohibited usernames: administrators can choose to silently deny access or also block the IP address.
Improved: Hardened .htaccess rules to prevent file execution in the WordPress uploads folder, even in edge-case scenarios.
Improved: Updated the plugin upgrade process to correctly handle copying and deleting obsolete settings.
Improved: Optimized log table rendering by replacing esc_url() with the faster crb_escape_url().
Improved: Enhanced diagnostic messaging in the "Upload a reference ZIP archive" dialog on the scanner page.
Improved: Hardened code of crb_escape_url() — bulletproof just got tougher.
Fixed bug: Warning: Undefined array key 'title' in cerber-load.php on line 9157.
Fixed bug: Undefined property: stdClass::$plugin in cerber-common.php on line 5853.
Fixed bug: The notification threshold setting was being reset to its default value after upgrading the plugin.
Fixed bug: The integrity scanner could stop scanning if the WP Cerber data folder became write-protected.
Minor: The setting "Non-existing users are strictly prohibited" has been moved from "Main Settings" to the "Global User Policies" tab.
Minor: The "Disable login language switcher" checkbox has been moved from "Main Settings" to the "Global User Policies" tab.
Decryption key:
Download WP Cerber Security Pro v9.6.7.3 - WordPress Antispam & Malware Scan Nulled Free
WP Cerber Security 9.6.7.3
In our ongoing commitment to providing an ever-evolving security solution for WordPress, this update to WP Cerber addresses several bugs discovered post-launch, ensuring a more reliable and seamless experience.
Fixed: A fatal PHP error triggered by a conflict with InfiniteWP.
Fixed: A bug that prevented language translations from loading when the main website’s language was set to English.
Fixed: An issue within Cerber.Hub where new client websites were incorrectly added to the main website with quotation marks in the client website URL and website name.
Improved: Cerber.Hub now renders client websites using the language specified in WP Cerber settings, allowing you to choose any language when managing a client website remotely.
Removed: The deprecated FILTER_SANITIZE_STRING constant, ensuring compatibility with modern PHP versions.