Title: Visitor Sentinel
Author: byot
Published: <strong>July 15, 2026</strong>
Last modified: July 15, 2026

---

Search plugins

![](https://ps.w.org/visitor-sentinel/assets/banner-772x250.png?rev=3608814)

![](https://ps.w.org/visitor-sentinel/assets/icon-256x256.png?rev=3608814)

# Visitor Sentinel

 By [byot](https://profiles.wordpress.org/byot/)

[Download](https://downloads.wordpress.org/plugin/visitor-sentinel.1.8.2.zip)

 * [Details](https://wordpress.org/plugins/visitor-sentinel/#description)
 * [Reviews](https://wordpress.org/plugins/visitor-sentinel/#reviews)
 *  [Installation](https://wordpress.org/plugins/visitor-sentinel/#installation)
 * [Development](https://wordpress.org/plugins/visitor-sentinel/#developers)

 [Support](https://wordpress.org/support/plugin/visitor-sentinel/)

## Description

Visitor Sentinel is a security and traffic analysis plugin for WordPress. It combines
real-time attack detection with an active deception layer, so an attacker is not
just noticed — they are lured into giving themselves away.

**Detection**

 * Records site visits (IP, page visited, user-agent, device/browser, account type).
 * Analyzes every request in real time using multiple heuristics: unusual request
   rate, user-agent associated with scanning/attack tools, requests to sensitive
   resources (wp-config.php, .env, .git, etc.), repeated failed logins, credential-
   stuffing patterns, XML-RPC abuse, invisible honeypot fields on login/comment 
   forms, submission-timing checks, and scanning of non-existent pages (404).
 * Calculates a risk score per IP address and automatically applies a temporary 
   block once the score exceeds the configured threshold — sheer browsing volume
   alone never triggers a block, only genuine attack/bot/spam signals do.
 * If a temporarily blocked IP continues suspicious activity or is blocked repeatedly,
   it is automatically switched to a permanent block.

**Deception layer (honeypots & honeytokens)**

 * A decoy backup file (honeyfile) at a random, unlinked URL — any access to it 
   is conclusive proof of directory scanning.
 * A decoy admin username that was never a real account — any login attempt against
   it is an instant, certain block.
 * A decoy REST endpoint that hands out a fake API key — using that key anywhere
   is what triggers the block, not merely finding it.
 * A hidden spam-trap email address planted only where scrapers read markup — if
   it ever comes back in a submitted form, that visitor harvested this exact site.
 * Every one of these bypasses the normal scoring threshold entirely: interacting
   with any of them is treated as certain malicious intent, not a “maybe.”

**Management & visibility**

 * Optional email alerts whenever an IP is blocked or escalated, and one-click CSV
   export of the blocked IPs list.
 * A complete control panel: a live dashboard, an auto-refreshing visitor log, a
   list of blocked IPs with details about the block reason, and options to unblock,
   extend, or change the block type (temporary/permanent).
 * Displays, to logged-in users and optionally guests, a discreet badge showing 
   how many people are on the site right now, updating live in the browser without
   a page reload.
 * Fully responsive admin panel, usable on desktop, tablet, and phone.

All text is translation-ready. The plugin loads no external resources (CDN) and 
does not enable any third-party tracking. The only optional external call is described
in the FAQ below, and it is off by default.

### External services

This plugin connects to one third-party service, and only for a single, optional,
off-by-default feature:

**IP-to-country lookup (ip-api.com)** — used only if you explicitly enable “Show
country flags next to IPs” in Settings. When enabled, and only then, each new IP
address seen by the plugin is sent to ip-api.com so it can look up which country
it belongs to. Nothing else about the visitor (no page content, no personal data,
no credentials) is sent. Results are cached locally for 30 days so the same IP is
never looked up twice. If you never enable this setting, the plugin makes no external
requests at all.

Service provided by ip-api.com: [Terms of Service](https://ip-api.com/docs/legal)
and [Privacy Policy](https://ip-api.com/docs/legal).

## Installation

 1. Upload the `visitor-sentinel` folder to the `/wp-content/plugins/` directory, or
    install directly from the Plugins screen.
 2. Activate the plugin from the WordPress “Plugins” menu.
 3. Go to the “Visitor Sentinel” menu in the admin panel to configure the detection
    thresholds and the deception layer.

## FAQ

### Does the plugin accidentally block real visitors?

Thresholds default to conservative values so that regular visitors are not affected.
A ban applies to the IP address itself with no exceptions — including for logged-
in administrators — so be careful with manual blocks and consider adding your own
trusted IPs to the whitelist in Settings beforehand. If you ever lock yourself out
by mistake, remove the ban directly from your site’s database (the `wp_visise_bans`
table) or via your host’s file manager. You can manually unblock any IP from the“
Blocked IPs” panel.

### What are the honeyfile, honeytoken username, and honeytoken API key?

They are fake bait, generated automatically per site and never linked or displayed
to real visitors: a decoy backup file at a random URL, a decoy admin username, and
a decoy API key handed out by a fake internal endpoint. Because no genuine visitor
has any reason to ever touch them, any interaction is treated as certain evidence
of an attacker, and results in an immediate block. You can see the exact generated
values, and turn the whole layer off, in Settings.

### Does this plugin send any data outside my site?

By default, no. The only optional exception is the country-flag feature: when you
explicitly enable it in Settings, each new IP address is sent to the free, third-
party service ip-api.com to determine its country. Results are cached locally for
30 days so the same IP is never looked up twice. This feature is off by default 
and the plugin makes no external requests unless you turn it on.

### My site uses Cloudflare or another proxy, what should I do?

Enable the “Site behind a proxy/CDN” option in Settings so the plugin can correctly
identify the visitor’s real IP address.

### Is the visitor counter visible to everyone?

By default, yes — it shows the live “online now” count to guests as well as logged-
in members. You can turn off “Show to guests too” in Settings to restrict it to 
logged-in users only, and choose which role can see it there.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Visitor Sentinel” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ byot ](https://profiles.wordpress.org/byot/)

[Translate “Visitor Sentinel” into your language.](https://translate.wordpress.org/projects/wp-plugins/visitor-sentinel)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/visitor-sentinel/),
check out the [SVN repository](https://plugins.svn.wordpress.org/visitor-sentinel/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/visitor-sentinel/)
by [RSS](https://plugins.trac.wordpress.org/log/visitor-sentinel/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.8.2

 * A banned IP is now blocked everywhere on the site with zero exceptions, including
   for logged-in administrators. Previously, a logged-in admin’s own IP was silently
   exempt from bans, which could look like the block “wasn’t working.” If you ban
   your own IP by mistake, add it to the whitelist in Settings beforehand, or remove
   it directly from the database if you get locked out.

#### 1.8.1

 * The Blocked IPs list now only shows currently active bans — an expired temporary
   ban disappears from the list on its own instead of lingering there until the 
   daily cleanup runs.

#### 1.8.0

 * Lifting a permanent block now requires a signed declaration (reason + digital
   signature) before the IP’s ban and activity history are wiped. Every declaration
   is kept forever in a new “History” screen, with a printable/PDF-exportable record
   of each one.
 * Fixed a detection loophole where two soft, 404-related signals alone (e.g. “not_found”
   and “not_found_flood”) could satisfy the “multiple signal types” requirement 
   and trigger a block without any genuine attack evidence.

#### 1.7.5

 * Fixed misaligned “View details” / “Unblock” buttons on the Blocked IPs table.

#### 1.7.4

 * Fixed the block page so it always reliably covers the full screen and stays scrollable
   from the top, regardless of the site’s own markup.
 * Manually created bans no longer auto-escalate to a permanent block just from 
   repeated visits (e.g. while the site owner is testing it) — that safeguard now
   only applies to bans the automatic detection created. A manual ban only becomes
   permanent if you explicitly choose to.

#### 1.7.3

 * Fixed: a newly banned IP could still see the site by simply refreshing, if a 
   full-page caching plugin (LiteSpeed Cache, WP Rocket, W3 Total Cache, WP Super
   Cache, WP Fastest Cache) served an old cached page without WordPress running.
   A ban now automatically purges the site’s full-page cache so it takes effect 
   immediately.

#### 1.7.2

 * Fixed the blocked-visitor page: the icon and title could fail to display depending
   on the site’s markup, because the layout relied on fixed positioning. It now 
   uses normal page flow, so it always displays fully and correctly.

#### 1.7.1

 * Detection now recognizes more HTTP client libraries commonly embedded in custom
   desktop programs, mobile apps, and API-testing tools (Axios, Postman, Insomnia,
   WinHTTP, CFNetwork, Alamofire, and others) rather than an actual browser.
 * Added a soft signal for requests missing a standard Accept header, typical of
   scripts/apps making raw requests instead of real browsing.

#### 1.7.0

 * Added DDoS-style traffic-flood detection: an extremely fast burst of requests(
   well beyond human browsing speed) is now recognized as high-confidence attack
   evidence on its own.
 * Expanded detection to cover common web-shell/malware filenames and typical phishing-
   kit paths, plus more phishing-style phrasing in spam comment detection.
 * Fixed an over-aggressive rule that could temporarily block a genuine visitor 
   for simply hitting more than 10 broken/missing pages in 5 minutes — the threshold
   is now much higher and this signal alone can no longer trigger a block.
 * Redesigned the “you are blocked” page shown to blocked visitors: modern, professional
   look, with the precise technical reason shown in a clear log format.

#### 1.6.2

 * Country flags are now shown as clean text badges instead of emoji flags, which
   often failed to render as actual flag images on Windows.
 * The Blocked IPs detail view now shows a full origin & network profile for the
   IP (city, region, country, ISP, organization, ASN, and VPN/proxy or hosting detection)
   when country flags are enabled in Settings.

#### 1.6.1

 * Fixed: Settings could not be saved, and Blocked IPs actions (unblock, extend,
   manual block, CSV export) failed with a WordPress error page, due to a leftover
   internal naming mismatch introduced in 1.6.0.

#### 1.6.0

 * Added a full deception layer: honeyfile (decoy backup file), honeytoken admin
   username, honeytoken REST API key, and a hidden spam-trap email address. Any 
   interaction with any of them results in an immediate block.
 * Redesigned the admin panel with clearly separated cards per settings section 
   and a consistent icon set.

#### 1.5.0

 * Added optional email alerts: get notified whenever an IP is automatically blocked
   or escalated to a permanent block.
 * Added CSV export of the Blocked IPs list.
 * The Visitors list now keeps one live, up-to-date entry per visitor instead of
   accumulating repeated rows.
 * Added a Platform column (device and browser), detected locally from the user-
   agent.

#### 1.4.0

 * Much deeper automatic detection: invisible honeypot fields on the login and comment
   forms catch bots that blindly fill every field.
 * Submission-timing check: login/comment submissions faster than a human can type
   are flagged.
 * Dedicated brute-force detection on the login form, independent of the general
   rate limit.
 * Credential-stuffing detection: many different usernames tried from the same IP
   in a short window.
 * XML-RPC abuse detection (pingback reflection, multicall brute-force).
 * Greatly expanded list of known attack/scanner path patterns.

#### 1.2.0

 * The Visitors list now auto-refreshes live, so new visits and the page each visitor
   is currently on appear automatically.
 * Added an optional country flag next to each IP, off by default (see FAQ).

#### 1.1.0

 * Added a real-time “online now” indicator (auto-refreshing, no page reload) on
   both the front-end badge and the admin dashboard.
 * Made the admin panel fully responsive for phones and tablets.
 * Smarter detection: browsing volume alone can no longer trigger a block; a real
   attack/bot/spam signal is now required.
 * Added a detailed block page showing the visitor the specific reason and detected
   activity.
 * Added smart dashboard statistics: visit trend, top pages, referrers, threat types,
   device breakdown.

#### 1.0.0

 * Initial release.

## Meta

 *  Version **1.8.2**
 *  Last updated **7 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.8 or higher **
 *  Tested up to **7.0.1**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [ban ip](https://wordpress.org/plugins/tags/ban-ip/)[bot protection](https://wordpress.org/plugins/tags/bot-protection/)
   [firewall](https://wordpress.org/plugins/tags/firewall/)[honeypot](https://wordpress.org/plugins/tags/honeypot/)
   [security](https://wordpress.org/plugins/tags/security/)
 *  [Advanced View](https://wordpress.org/plugins/visitor-sentinel/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/visitor-sentinel/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/visitor-sentinel/reviews/)

## Contributors

 *   [ byot ](https://profiles.wordpress.org/byot/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/visitor-sentinel/)