Visitor Sentinel

Description

Visitor Sentinel is a security and traffic analysis plugin for WordPress. It combines real-time attack detection with an active deception layer, so an attacker is not just noticed — they are lured into giving themselves away.

Detection

  • Records site visits (IP, page visited, user-agent, device/browser, account type).
  • Analyzes every request in real time using multiple heuristics: unusual request rate, user-agent associated with scanning/attack tools, requests to sensitive resources (wp-config.php, .env, .git, etc.), repeated failed logins, credential-stuffing patterns, XML-RPC abuse, invisible honeypot fields on login/comment forms, submission-timing checks, and scanning of non-existent pages (404).
  • Calculates a risk score per IP address and automatically applies a temporary block once the score exceeds the configured threshold — sheer browsing volume alone never triggers a block, only genuine attack/bot/spam signals do.
  • If a temporarily blocked IP continues suspicious activity or is blocked repeatedly, it is automatically switched to a permanent block.

Deception layer (honeypots & honeytokens)

  • A decoy backup file (honeyfile) at a random, unlinked URL — any access to it is conclusive proof of directory scanning.
  • A decoy admin username that was never a real account — any login attempt against it is an instant, certain block.
  • A decoy REST endpoint that hands out a fake API key — using that key anywhere is what triggers the block, not merely finding it.
  • A hidden spam-trap email address planted only where scrapers read markup — if it ever comes back in a submitted form, that visitor harvested this exact site.
  • Every one of these bypasses the normal scoring threshold entirely: interacting with any of them is treated as certain malicious intent, not a “maybe.”

Management & visibility

  • Optional email alerts whenever an IP is blocked or escalated, and one-click CSV export of the blocked IPs list.
  • A complete control panel: a live dashboard, an auto-refreshing visitor log, a list of blocked IPs with details about the block reason, and options to unblock, extend, or change the block type (temporary/permanent).
  • Displays, to logged-in users and optionally guests, a discreet badge showing how many people are on the site right now, updating live in the browser without a page reload.
  • Fully responsive admin panel, usable on desktop, tablet, and phone.

All text is translation-ready. The plugin loads no external resources (CDN) and does not enable any third-party tracking. The only optional external call is described in the FAQ below, and it is off by default.

External services

This plugin connects to one third-party service, and only for a single, optional, off-by-default feature:

IP-to-country lookup (ip-api.com) — used only if you explicitly enable “Show country flags next to IPs” in Settings. When enabled, and only then, each new IP address seen by the plugin is sent to ip-api.com so it can look up which country it belongs to. Nothing else about the visitor (no page content, no personal data, no credentials) is sent. Results are cached locally for 30 days so the same IP is never looked up twice. If you never enable this setting, the plugin makes no external requests at all.

Service provided by ip-api.com: Terms of Service and Privacy Policy.

Installation

  1. Upload the visitor-sentinel folder to the /wp-content/plugins/ directory, or install directly from the Plugins screen.
  2. Activate the plugin from the WordPress “Plugins” menu.
  3. Go to the “Visitor Sentinel” menu in the admin panel to configure the detection thresholds and the deception layer.

FAQ

Does the plugin accidentally block real visitors?

Thresholds default to conservative values so that regular visitors are not affected. Logged-in administrators are never blocked. You can add trusted IP addresses to the whitelist in Settings at any time, and manually unblock any IP from the “Blocked IPs” panel.

What are the honeyfile, honeytoken username, and honeytoken API key?

They are fake bait, generated automatically per site and never linked or displayed to real visitors: a decoy backup file at a random URL, a decoy admin username, and a decoy API key handed out by a fake internal endpoint. Because no genuine visitor has any reason to ever touch them, any interaction is treated as certain evidence of an attacker, and results in an immediate block. You can see the exact generated values, and turn the whole layer off, in Settings.

Does this plugin send any data outside my site?

By default, no. The only optional exception is the country-flag feature: when you explicitly enable it in Settings, each new IP address is sent to the free, third-party service ip-api.com to determine its country. Results are cached locally for 30 days so the same IP is never looked up twice. This feature is off by default and the plugin makes no external requests unless you turn it on.

My site uses Cloudflare or another proxy, what should I do?

Enable the “Site behind a proxy/CDN” option in Settings so the plugin can correctly identify the visitor’s real IP address.

Is the visitor counter visible to everyone?

By default, yes — it shows the live “online now” count to guests as well as logged-in members. You can turn off “Show to guests too” in Settings to restrict it to logged-in users only, and choose which role can see it there.

Reviews

There are no reviews for this plugin.

Contributors & Developers

“Visitor Sentinel” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Visitor Sentinel” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

1.8.1

  • The Blocked IPs list now only shows currently active bans — an expired temporary ban disappears from the list on its own instead of lingering there until the daily cleanup runs.

1.8.0

  • Lifting a permanent block now requires a signed declaration (reason + digital signature) before the IP’s ban and activity history are wiped. Every declaration is kept forever in a new “History” screen, with a printable/PDF-exportable record of each one.
  • Fixed a detection loophole where two soft, 404-related signals alone (e.g. “not_found” and “not_found_flood”) could satisfy the “multiple signal types” requirement and trigger a block without any genuine attack evidence.

1.7.5

  • Fixed misaligned “View details” / “Unblock” buttons on the Blocked IPs table.

1.7.4

  • Fixed the block page so it always reliably covers the full screen and stays scrollable from the top, regardless of the site’s own markup.
  • Manually created bans no longer auto-escalate to a permanent block just from repeated visits (e.g. while the site owner is testing it) — that safeguard now only applies to bans the automatic detection created. A manual ban only becomes permanent if you explicitly choose to.

1.7.3

  • Fixed: a newly banned IP could still see the site by simply refreshing, if a full-page caching plugin (LiteSpeed Cache, WP Rocket, W3 Total Cache, WP Super Cache, WP Fastest Cache) served an old cached page without WordPress running. A ban now automatically purges the site’s full-page cache so it takes effect immediately.

1.7.2

  • Fixed the blocked-visitor page: the icon and title could fail to display depending on the site’s markup, because the layout relied on fixed positioning. It now uses normal page flow, so it always displays fully and correctly.

1.7.1

  • Detection now recognizes more HTTP client libraries commonly embedded in custom desktop programs, mobile apps, and API-testing tools (Axios, Postman, Insomnia, WinHTTP, CFNetwork, Alamofire, and others) rather than an actual browser.
  • Added a soft signal for requests missing a standard Accept header, typical of scripts/apps making raw requests instead of real browsing.

1.7.0

  • Added DDoS-style traffic-flood detection: an extremely fast burst of requests (well beyond human browsing speed) is now recognized as high-confidence attack evidence on its own.
  • Expanded detection to cover common web-shell/malware filenames and typical phishing-kit paths, plus more phishing-style phrasing in spam comment detection.
  • Fixed an over-aggressive rule that could temporarily block a genuine visitor for simply hitting more than 10 broken/missing pages in 5 minutes — the threshold is now much higher and this signal alone can no longer trigger a block.
  • Redesigned the “you are blocked” page shown to blocked visitors: modern, professional look, with the precise technical reason shown in a clear log format.

1.6.2

  • Country flags are now shown as clean text badges instead of emoji flags, which often failed to render as actual flag images on Windows.
  • The Blocked IPs detail view now shows a full origin & network profile for the IP (city, region, country, ISP, organization, ASN, and VPN/proxy or hosting detection) when country flags are enabled in Settings.

1.6.1

  • Fixed: Settings could not be saved, and Blocked IPs actions (unblock, extend, manual block, CSV export) failed with a WordPress error page, due to a leftover internal naming mismatch introduced in 1.6.0.

1.6.0

  • Added a full deception layer: honeyfile (decoy backup file), honeytoken admin username, honeytoken REST API key, and a hidden spam-trap email address. Any interaction with any of them results in an immediate block.
  • Redesigned the admin panel with clearly separated cards per settings section and a consistent icon set.

1.5.0

  • Added optional email alerts: get notified whenever an IP is automatically blocked or escalated to a permanent block.
  • Added CSV export of the Blocked IPs list.
  • The Visitors list now keeps one live, up-to-date entry per visitor instead of accumulating repeated rows.
  • Added a Platform column (device and browser), detected locally from the user-agent.

1.4.0

  • Much deeper automatic detection: invisible honeypot fields on the login and comment forms catch bots that blindly fill every field.
  • Submission-timing check: login/comment submissions faster than a human can type are flagged.
  • Dedicated brute-force detection on the login form, independent of the general rate limit.
  • Credential-stuffing detection: many different usernames tried from the same IP in a short window.
  • XML-RPC abuse detection (pingback reflection, multicall brute-force).
  • Greatly expanded list of known attack/scanner path patterns.

1.2.0

  • The Visitors list now auto-refreshes live, so new visits and the page each visitor is currently on appear automatically.
  • Added an optional country flag next to each IP, off by default (see FAQ).

1.1.0

  • Added a real-time “online now” indicator (auto-refreshing, no page reload) on both the front-end badge and the admin dashboard.
  • Made the admin panel fully responsive for phones and tablets.
  • Smarter detection: browsing volume alone can no longer trigger a block; a real attack/bot/spam signal is now required.
  • Added a detailed block page showing the visitor the specific reason and detected activity.
  • Added smart dashboard statistics: visit trend, top pages, referrers, threat types, device breakdown.

1.0.0

  • Initial release.