Hello,
We are experiencing repeated false-positive IP lockouts after recent WP Cerber updates.
We have been using WP Cerber for many years (around 8), and it has always been a reliable and excellent security solution. Recently, after updating Cerber (not sure which exact version introduced this), we started seeing a serious issue:
regular visitors are being locked out constantly, around 20+ customer lockouts per day, without any malicious behavior.
Our setup:
- WooCommerce
- PixelYourWebsite plugins for tracking (Facebook, etc.)
- No recent structural changes on our side
Cerber now flags the following requests as suspicious:
/wp-json/pys-facebook/v1/event(PixelYourWebsite tracking)/wp-admin/admin-ajax.php(regular frontend AJAX requests)
When a normal visitor triggers a few of these requests, Cerber blocks the IP.
To mitigate this, we added the following to
“Exclude these locations from inspection by the firewall”:
- /wp-json/pys-facebook/v1/event
- /wp-admin/admin-ajax.php
This reduced false positives by about 80%. but of course this is just managing the symptoms of the issue, the core of the issue is that these locations\requests are even seen as suspicious in the first place and are not just allowed without any suspicion.
In Live Traffic we clearly see “Location exception applied” on these requests.
However, even when the exception is applied, those same requests are still:
- counted as “erroneous requests”
- leading to “Too many erroneous requests”
- resulting in IP blocks
We can see all three tags:
- “Location exception applied”
- “Too many erroneous requests
- IP blocked”
on the same requests.
This means that while firewall inspection is bypassed, the requests are still counted against the IP by another protection mechanism.
At the moment, the only workaround seems to be disabling Error shielding mode, which we would strongly prefer not to do. This would be the first time in years we would have to weaken or disable Cerber due to false positives.
Important context:
- PixelYourWebsite has been used for years without any issue.
- admin-ajax.php has obviously always been part of WordPress
- This behavior is new and started only recently
Expected behavior:
Cerber should recognize standard WordPress AJAX and REST activity as legitimate and operate normally, without exclusions, special rules, or disabled protections - as it did for years.
Actual behavior:
Normal WordPress traffic is misclassified as malicious, leading to repeated false-positive IP lockouts.
This appears to be a detection logic regression introduced in recent versions.
Please advise what changed in the detection logic and how this can be corrected so Cerber works normally again without requiring exclusions or disabling security mechanisms.
Thank you