WP Cerber 9.8: clearer boundaries, cleaner signals

This release focuses on a simple question that matters a lot in WordPress security: can WP Cerber trust the signal it is acting on?

We hardened the Cerber.Hub update dialog against XSS through plugin metadata or site names reported by compromised managed websites. If one connected site is already compromised, the main website console now treats that remote metadata more defensively.

IPv4-mapped IPv6 addresses are now normalized to standard IPv4 notation, and WP Cerber no longer falls back to the spoofable HTTP_CLIENT_IP header when X-Forwarded-For is empty or invalid. That makes access decisions more deterministic behind reverse proxies and in IPv6 setups.
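The two rules above, sketched in PHP as an added example (this is not WP Cerber's own code). The function names are hypothetical, and the sketch assumes that the fallback is REMOTE_ADDR and that the last X-Forwarded-For entry is the one appended by your own reverse proxy.

```php
<?php
// Added example: hypothetical helpers, not part of the WP Cerber API.

/** Return the canonical text form of an IP address, or null if it is invalid. */
function example_normalize_ip(string $raw): ?string
{
    $raw = trim($raw);
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $bin = inet_pton($raw);
    if ($bin === false) {
        return null;
    }
    // IPv4-mapped IPv6 (::ffff:a.b.c.d): 80 zero bits, 16 one bits, then the IPv4 address.
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($bin) === 16 && substr($bin, 0, 12) === $mappedPrefix) {
        return inet_ntop(substr($bin, 12)); // plain dotted-quad IPv4
    }
    return inet_ntop($bin); // canonical (compressed) form for everything else
}

/** Resolve the client IP from a $_SERVER-like array. */
function example_client_ip(array $server, bool $behindProxy): ?string
{
    if ($behindProxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Assumption: the nearest trusted proxy appends the last entry.
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $ip = example_normalize_ip(end($hops));
        if ($ip !== null) {
            return $ip;
        }
    }
    // HTTP_CLIENT_IP is never consulted: any client can set it.
    return example_normalize_ip($server['REMOTE_ADDR'] ?? '');
}

// Constructed sample request: invalid X-Forwarded-For, a client-supplied
// Client-IP header, and an IPv4-mapped IPv6 socket address.
$constructed = [
    'REMOTE_ADDR'          => '::ffff:203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => 'not-an-ip',
    'HTTP_CLIENT_IP'       => '198.51.100.99',
];
var_dump(example_client_ip($constructed, true));
```

Normalizing on the binary form rather than with a string match means that both spellings of a mapped address, `::ffff:203.0.113.7` and `::ffff:cb00:7107`, resolve to the same IPv4 access-list key.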

We also renamed the older “White IP Access List” and “Black IP Access List” terms to “Allowed IP Access List” and “Blocked IP Access List” across the admin interface. The behavior has not changed, but the wording now describes the actual access decision more directly.

Several fixes in this release reduce noise and improve triage: IPv6 geolocation data is cached correctly again, Access List labels for IPv6 range matches now correspond to the actual matching entry, and the integrity scanner works again on sites whose database table prefix starts with a digit.

If automatic updates are enabled for WP Cerber on your site, there is nothing you need to do. The update will be installed automatically when WordPress runs its normal plugin update cycle.