TL;DR: WordPress powers more than one-third of sites on the internet, but its open framework pushes many security applications into plugins rather than core functionality. WP Cerber Security — a highly rated WordPress plugin — applies a layered, zero-trust model to protect sites against intrusions. It offers a blend of algorithms to deliver real-time threat assessments and sophisticated mitigation and recovery tools. WP Cerber Security’s product road map also includes concierge security services, a spam catcher, and cloud-based neural network analysis.
Gregory Markov was a solopreneur software developer who worked directly with website owners. While he could help them with many of their WordPress issues, one popped up that was out of his purview at the time.
“Five years ago, I got an email from one of my favorite clients. Their website powered by WordPress got hacked,” Gregory said. “They trusted me with their websites since I was a software engineer and had a decent background in web technologies, cybersecurity, and computer networks. So they asked me if I could provide a solution to prevent such incidents from happening again.”
That solution started as a personal project inspired by his clients, and evolved into the WP Cerber Security plugin, a robust tool that defends WordPress sites worldwide. Today, the tool includes mitigations for brute-force and code-injection attacks, and abuses of the REST API. It delivers sitewide anti-spam tools, an integrity checker, and a malware scanner.
“Customers expect that cybersecurity providers will keep up with the growing number of threats and their complexity, so we see demand for mature security solutions,” he said. WordPress powers more than one-third of the web, running applications, including shopping carts, membership sites, and file-sharing communities. That market share makes WordPress a prime target for hackers.
WP Cerber Security offers complex collection-and-analysis algorithms to identify attacks in real time and keep one step ahead.
“To stay ahead in this game, you can’t rely on some blacklists of infected servers or malware patterns that are maintained manually,” Gregory said. “That is why we have been developing our cloud-based cyber threat intelligence platform.”
Customers seem to agree that WP Cerber Security is a standard-bearer in the WordPress security plugin space. It enjoys more than 200,000 installations with 95.5% five-star ratings.
WordPress Requires Vendor Plugins to Offer Core Security Features
According to Gregory, WordPress has very few built-in security measures.
“Most of them restrict the permissions of registered users, and none of them protect WordPress against malicious hacker attacks,” he said. “It’s not a weakness or a design flaw. It’s a philosophy that implies that such features are implemented as WordPress plugins.”
In a white paper, the WordPress team emphasizes user password security and the hardening of APIs within the core application. One WordPress vulnerability scanner suggests that 5% of nearly 22,000 logged vulnerabilities apply to the core application but 87% relate to plugins. Given the WordPress philosophy of being open and extensible by design, it logically falls to plugins to police other plugins. That also assumes administrators remain current on server and application patches.
Before he developed WP Cerber, Gregory assessed existing products on the market.
“I realized that none of them met my minimum requirements for a normal small business solution,” he said. “Some security plugins were so bulky, they brought a website to its knees after activation. Others have so many bugs that the server log was stuffed with error messages. And one of the popular security plugins was developed by a marketing specialist.”
That combination of a diverse security ecosystem and a plugin-policing-plugin logic model led Gregory to develop WP Cerber Security with a layered zero-trust model.
“WP Cerber delivers layered security to customer websites,” he said. “It means all our algorithms work in sync as a whole and analyze multiple metrics of incoming requests to a website. That approach provides more than just a sum of separate features. I believe it is the only way to provide bullet-proof protection for our customers.”
The plugin looks at behavior in context, across several dimensions, instead of applying a static rule set to all data. That dynamic behavior responds more effectively to intrusion attempts, particularly new ones, given that security risks have grown more sophisticated over the last few years.
Website Threats Increase as Malicious Hackers Grow More Sophisticated
Early attempts to hack a WordPress site focused on standard techniques, including brute-force logins, denial-of-service attacks, credential sniffing, and exploiting plugins and themes. Those approaches still work with unpatched servers or poorly designed plugins.
For example, in 2020, the Ultimate Member plugin — installed on more than 200,000 websites — allowed a critical and severe exploit that granted intruders administrator-level access. Similarly, the Page Builder plugin by SiteOrigin, used by a million active websites, featured bugs that facilitated cross-site request forgery and cross-site scripting intrusions.
However, more recent and more sophisticated intrusion attempts follow different pathways and use more advanced, automated probing technologies. Today, it’s more common for organized cybercriminal groups to fire off dozens of simultaneous penetration requests, hoping to find a vulnerability and to exploit it through sheer volume before the security system catches up. More sophisticated threat assessment tools help WordPress administrators stay one step ahead of the next big attack.
“Customers expect that we will use our knowledge, skills, and top-notch technology to protect their websites,” Gregory said. “That’s why we developed our cyber threat intelligence platform. It collects, aggregates, and analyzes hundreds of thousands of cybersecurity incidents around the world in real time. Currently, we have eight servers in Europe, North America, Australia, and Asia.”
Yet real-time threat assessment does little to secure a website unless that site is already secure by default. A simple but often overlooked WordPress design philosophy requires zero-trust architecture, which denies an action unless there’s a reason to assume it’s safe, rather than approving an action unless there’s a reason to assume it’s malicious.
Gregory built that zero-trust architecture into WP Cerber Security.
“The zero-trust approach to website security is what critical applications of WordPress really need,” he said. “Instead of assuming everything that doesn’t directly attack a website is safe and permitted by default, the zero-trust approach enforced by WP Cerber permits only requests allowed by website policies and screens every request as though it originates from an offensive host.”
WP Cerber: Giving Ecommerce Entrepreneurs Peace of Mind
WordPress runs an estimated one-third of all websites, and many of those sites generate significant revenue for entrepreneurs. Although local admins should follow the recommended security guidelines, it’s almost impossible for even disciplined, tech-savvy admins to protect against a poorly coded plugin or a sophisticated attack by a group of malicious hackers. Security plugins dot the market, but under the hood they can be hit-or-miss.
WP Cerber Security’s mix of real-time threat assessment and zero-trust security posturing makes it a valuable tool to protect against unknown unknowns. Gregory plans a series of additions to his company’s portfolio of products that promise more benefits for customers.
“Most small businesses don’t have the resources to effectively respond to cyber threats and maintain installed security software,” he said. “We offer a group of security experts armed with domain expertise and will take care of all aspects of their website security and respond to incidents 24/7/365. With our concierge service, website owners can focus on building their businesses safely.”
WP Cerber Security’s next evolution will leverage neural networks to analyze suspicious network traffic. That technology will power algorithms to recognize malicious traffic and cyberattacks before they take full effect. Few other security plugins for WordPress offer WP Cerber Security’s degree of complexity and simplicity.
“You have to delight your customers with a constantly improving solution,” Gregory said. “I’m a firm believer that any team developing software for small businesses needs to strive for excellence.”