Documentation
"Knowledge is the foundation of vigilance."
Everything you need to deploy, configure, and master Sentinel's surveillance capabilities.
First Steps
Essential actions to take after installing Sentinel to maximize your security monitoring effectiveness.
Review Activity Log
Check Sentinel → Activity Log to see real-time monitoring data. This gives you immediate visibility into all user activities on your site.
Tailor Your Monitoring
Visit Sentinel → Event Registry to customize which events to track. This is where you can enable or disable specific monitoring features based on your security needs.
Optimize Performance
Adjust log retention and cleanup settings in Sentinel → Settings → Log Management. Set appropriate retention periods based on your compliance requirements.
Set Up User Permissions
Configure which user roles can access Sentinel features in Sentinel → Settings → Privacy & Security Tab → Access Control & Security. Restrict access to administrators and trusted editors only.
Enable Privacy Features
Configure GDPR compliance features in Sentinel → Settings → Privacy & Security Tab. Enable IP anonymization and data export capabilities.
Pro Tips for New Users
Start Small
Begin with default settings and gradually customize based on your specific security needs. This prevents overwhelming yourself with too many alerts initially.
Regular Reviews
Use the daily and weekly digests to stay on top of your security and monitoring needs, and tailor them to your requirements.
Backup Strategy
Consider exporting your logs regularly for long-term storage and compliance purposes, especially for sites with high security requirements.
Installation
Get Sentinel up and running on your WordPress site in minutes with our comprehensive security monitoring solution.
System Requirements
Before installing Sentinel, ensure your WordPress site meets these requirements:
- WordPress: Version 5.0 or higher
- PHP: Version 7.4 or higher
- MySQL: Version 5.6 or higher
- Memory: Minimum 64MB PHP memory limit
Note
Sentinel is designed to work with all modern WordPress themes and plugins. It uses WordPress best practices and doesn’t conflict with other security plugins.
Method 1: WordPress Repository (Coming Soon)
Navigate to Plugins → Add New → Search for 'Sentinel' → Install & Activate
Method 2: Manual Installation
Download and install the plugin manually for immediate access.
- Download the plugin ZIP file from our download page
- Go to Plugins → Add New → Upload Plugin
- Choose the downloaded file and click Install Now
- Activate the plugin after installation
Success!
After activation, Sentinel will automatically create its database tables and begin monitoring your site immediately with default settings.
Post-Installation Checklist
After installing Sentinel, complete these essential steps:
Verify Installation
Check that "Sentinel" appears in your WordPress admin sidebar
Review Default Settings
Visit Sentinel → Settings to review and customize default configurations
Test Monitoring
Perform some actions on your site to verify events are being logged
Quick Setup
Configure Sentinel in under 5 minutes with these essential steps to start monitoring your WordPress site immediately.
1. Access the Dashboard
After activation, navigate to Sentinel in your WordPress admin sidebar. You’ll see a comprehensive dashboard with real-time activity monitoring.
Big Brother is Watching You
Tip: Sentinel starts monitoring immediately after activation with sensible defaults. No additional configuration required to begin tracking essential security events.
2. Review Event Settings
Visit Sentinel → Event Registry to customize which events to track. This is where you can enable or disable specific monitoring features based on your security needs.
• User logins/logouts
• Content creation/editing
• Plugin/theme changes
• Failed login attempts
• Admin actions
• File modifications
• Database changes
• Security events
3. Configure Alerts
Set up email notifications for critical security events. Go to Sentinel → Settings → Notifications Tab → Compliance & Monitoring to have Sentinel send you an email when a critical security event occurs.
Who Controls The Signals, Controls The System
4. Test the System
Perform some test actions on your site to verify that Sentinel is properly logging events:
- Log out and log back in
- Create or edit a post
- Change a setting in your admin panel
- Check the activity log to see these events recorded
Purchase Process
Getting Sentinel+ is quick and easy:
Visit the Purchase Page
Click the purchase button below to start your subscription.
Complete Payment
Secure payment processing via Stripe. You’ll receive a confirmation email with your license key.
Activate Your License
Follow the activation steps below to unlock premium features on your WordPress site.
License Activation
Activate your Sentinel+ license to unlock premium features:
1. Navigate to Sentinel Settings in WordPress Admin (WordPress Admin → Sentinel → Settings).
2. Enter your license key in the License Key field (format: SEN-XXXX-XXXX-XXXX-XXXX).
3. Click "Activate License".
4. Verify that the activation status shows "Active".
Lost your license key?
Use our License Recovery System to get it sent to your email instantly.
Verification
Confirm your Sentinel+ activation is working correctly:
- License status shows "Active" in Sentinel Settings
- Custom Events section appears in Sentinel admin
- Premium features are accessible and functional
- No activation errors in WordPress admin notices
Troubleshooting
Common issues and solutions for Sentinel+ activation:
License Key Not Working
Issue: License key is rejected or shows as invalid.
Verify the key format (SEN-XXXX-XXXX-XXXX-XXXX) and ensure there are no extra spaces or characters. If you still have issues, use our License Recovery System.
Features Not Appearing
Issue: Premium features don't show up after activation.
Clear any caching plugins, refresh the WordPress admin page, and check that your license status shows “Active”.
Domain Locking Issues
Issue: License is locked to wrong domain or can't activate on new site.
Contact support to unlock your domain or reset activations if you’ve moved your site.
Still having issues?
Contact our support team through the contact page for personalized assistance with your Sentinel+ activation.
Setup & Configuration
Learn how to set up and configure third-party plugin integrations in Sentinel. This section covers the complete setup process, configuration options, and troubleshooting common issues.
Initial Setup
Setting up third-party plugin integrations is a straightforward process that requires minimal configuration:
Access Event Registry
Navigate to Sentinel → Event Registry in your WordPress admin dashboard.
Locate Plugin Integrations
Scroll down to the “3rd Party Plugin Integrations” section. Sentinel will automatically detect active plugins and show available setup templates.
Setup Plugin Events
Click the “Setup [Plugin Name] Events” button for each plugin you want to monitor. This creates and enables all relevant events automatically.
Verify Setup
Check the “Plugin-Specific Event Controls” section to see your newly created events. You can enable/disable individual events as needed.
Authentication Tracking (Sentinel+)
Since v1.1.0 · Sentinel+
The Authentication Counter System is the real-time tracking engine that powers Sentinel+’s advanced security features. It monitors every authentication attempt across your site, maintains per-IP counters, and provides the data that triggers incident detection and automated security responses.
Sentinel+ Feature
Authentication tracking and counter-based threat detection are exclusive to Sentinel+ users. This system provides the foundation for brute force detection, username enumeration protection, XML-RPC flood detection, and the automated action engine.
How Authentication Tracking Works
Every time someone attempts to log in through WordPress login, REST API, XML-RPC, or WooCommerce, Sentinel captures the attempt and updates real-time counters. These counters track patterns that indicate security threats, enabling proactive protection before damage occurs.
Authentication Attempt Lifecycle
Attempt Captured
Sentinel intercepts the authentication attempt and extracts context: IP address, username (if provided), source (wp-login, xmlrpc, rest-api, woocommerce), and result (success or fail).
IP Status Checked
Sentinel checks if the IP is allowlisted, currently trusted (admin recently logged in), or temporarily blocked. Allowlisted and trusted IPs bypass counter tracking.
Counters Updated
Real-time counters are incremented for the IP address, tracking failed attempts, distinct usernames attempted, XML-RPC requests, and source-specific activity.
Snapshot Generated
A counter snapshot is created containing current counts, timestamps, and tracking window information. This snapshot is evaluated against your security thresholds.
Incident Evaluation
If thresholds are exceeded, an incident is created and the action engine is triggered (observe, throttle, or block) based on your security response mode.
Event Logged
The authentication attempt is logged as an `auth_success` or `auth_fail` event in your activity logs, including the counter snapshot data for analysis.
What Gets Tracked
Failed Login Attempts
Tracks the total number of failed authentication attempts per IP address. Used for brute force detection when the count exceeds your configured threshold (default: 5 failures).
Distinct Usernames
Counts unique usernames attempted per IP address. Detects username enumeration attacks when an IP tries many different usernames (default threshold: 10 distinct usernames).
XML-RPC Requests
Monitors XML-RPC endpoint activity per IP. Protects against XML-RPC flood attacks and abuse (default threshold: 20 requests).
Source Tracking
Tracks which authentication source was used: wp-login, xmlrpc, rest-api, or woocommerce. Helps identify attack vectors and patterns.
Time Windows
Maintains tracking windows for each counter type. Counters automatically expire after 15 minutes of inactivity, preventing stale data from triggering false positives.
Per-IP Isolation
Each IP address has completely separate counters. Activity from one IP never affects counters for another IP, ensuring accurate threat detection.
Counter Snapshots
After each authentication attempt, Sentinel generates a counter snapshot containing the current state of all counters for that IP address. This snapshot is what gets evaluated against your security thresholds to determine if an incident should be created.
| Snapshot Field | Description | Used For |
|---|---|---|
| fails | Total failed login attempts | Brute force detection threshold |
| distinct_usernames | Number of unique usernames attempted | Username enumeration detection threshold |
| xmlrpc_count | Total XML-RPC requests | XML-RPC flood detection threshold |
| last_ts | Timestamp of most recent attempt | Tracking window calculation |
| window_start | When tracking window began | Time-based threshold evaluation |
| source | Authentication source (wp-login, xmlrpc, etc.) | Source-specific incident metadata |
Snapshot Evaluation
Snapshots are evaluated immediately after each failed authentication attempt. If any threshold is exceeded, an incident is created and the action engine is triggered. Successful logins do not trigger incident evaluation, but they are still logged for audit purposes.
IP Allowlist & Trusted IPs
Sentinel provides two mechanisms to exclude legitimate IP addresses from counter tracking: IP allowlist and trusted IP system. Both prevent false positives while maintaining security monitoring.
IP Allowlist
Permanently exclude specific IP addresses or CIDR ranges from all counter tracking and security actions. Configured in Sentinel → Settings → Security Controls. Supports individual IPs (192.168.1.100) or CIDR notation (192.168.1.0/24) for entire networks. Allowlisted IPs bypass all security checks and never trigger incidents.
Trusted IP System
Automatically trusts IP addresses when administrators successfully log in. Trusted IPs are excluded from counter tracking for a configurable duration (default: 24 hours). This prevents legitimate admin activity from triggering security incidents while maintaining protection for other users. Trust duration is configurable in security settings.
When an IP is allowlisted or trusted, authentication attempts from that IP are still logged as `auth_success` or `auth_fail` events for audit purposes, but counters are not incremented and no incidents are created. This ensures you maintain a complete audit trail while avoiding false positives.
Counter Storage & Cleanup
Counters are stored in WordPress transients and object cache (if available) with a 15-minute TTL (Time To Live). This ephemeral storage ensures counters automatically expire, preventing stale data from accumulating and triggering false positives.
How Counter Expiration Works
Counter Created
When the first authentication attempt occurs from an IP, counters are initialized with a 15-minute expiration timer.
Activity Updates Timer
Each subsequent authentication attempt from the same IP resets the 15-minute timer, keeping active counters alive.
Automatic Expiration
If no authentication attempts occur from an IP for 15 minutes, all counters for that IP automatically expire and are removed from memory.
Fresh Start
The next authentication attempt from that IP creates new counters, starting from zero. This prevents old activity from affecting current threat detection.
Why 15 Minutes?
The 15-minute window balances security responsiveness with false positive prevention. It’s long enough to detect sustained attacks (which typically last minutes, not hours) but short enough to prevent legitimate users who forgot their password from being permanently flagged. This window applies to all counter types: failed attempts, username enumeration, and XML-RPC requests.
Integration with Incident
The Authentication Counter System is the data source for Sentinel+’s incident detection. When counter snapshots exceed your configured thresholds, incidents are automatically created and the action engine is triggered.
Authentication Counter Thresholds
| Counter Type | Threshold Setting | Incident Type Created | Action Engine Triggered |
|---|---|---|---|
| Failed Attempts | Bruteforce Threshold (default: 5) | security.bruteforce | Yes, if threshold exceeded |
| Distinct Usernames | Enumeration Threshold (default: 10) | security.enumeration | Yes, if threshold exceeded |
| XML-RPC Requests | XML-RPC Threshold (default: 20) | security.xmlrpc_flood | Yes, if threshold exceeded |
Counter snapshots are included in incident metadata, allowing you to see exactly what triggered each incident. This data is also logged in authentication events (`auth_success` and `auth_fail`) for complete audit trails and troubleshooting.
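The lifecycle, expiry and threshold rules described above, modelled as an added example (this is not Sentinel's code, and every function name in it is hypothetical). It assumes that "exceeded" means strictly greater than the threshold, that usernames are counted on failed attempts only, and that the allowlist holds IPv4 entries; the sample traffic is constructed.

```php
<?php
// Added illustration, not Sentinel's source: an in-memory model of the
// documented per-IP counters. Every function name here is hypothetical.

const COUNTER_TTL = 900; // 15 minutes of inactivity, as documented

// Documented default thresholds and the incident type each one creates.
const THRESHOLDS = [
    'fails'              => [5,  'security.bruteforce'],
    'distinct_usernames' => [10, 'security.enumeration'],
    'xmlrpc_count'       => [20, 'security.xmlrpc_flood'],
];

// IPv4 match against single addresses or CIDR ranges (assumption: IPv4 only).
function ip_matches(string $ip, array $entries): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach ($entries as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $netLong = ip2long($net);
        if ($netLong === false || !ctype_digit($bits) || (int) $bits > 32) {
            continue; // skip malformed entries rather than match too widely
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

// Counts one attempt and returns the snapshot plus any incident types raised.
function record_attempt(array &$store, array $allowlist, array $a, int $now): array
{
    $ip = $a['ip'];
    if (ip_matches($ip, $allowlist)) {
        return ['snapshot' => null, 'incidents' => []]; // logged, never counted
    }
    if (isset($store[$ip]) && $now - $store[$ip]['last_ts'] >= COUNTER_TTL) {
        unset($store[$ip]); // expired: the next attempt starts from zero
    }
    $c = $store[$ip] ?? ['fails' => 0, 'names' => [], 'xmlrpc_count' => 0, 'window_start' => $now];
    $failed = $a['result'] === 'fail';
    $c['fails'] += $failed ? 1 : 0;
    if ($failed && $a['username'] !== '') {
        $c['names'][strtolower($a['username'])] = true; // set of distinct names
    }
    $c['xmlrpc_count'] += $a['source'] === 'xmlrpc' ? 1 : 0;
    $c['last_ts'] = $now; // any attempt restarts the 15-minute timer
    $store[$ip] = $c;

    $snapshot = [
        'fails' => $c['fails'], 'distinct_usernames' => count($c['names']),
        'xmlrpc_count' => $c['xmlrpc_count'], 'last_ts' => $now,
        'window_start' => $c['window_start'], 'source' => $a['source'],
    ];
    $incidents = [];
    foreach (THRESHOLDS as $field => [$limit, $type]) {
        // Only failed attempts are evaluated; "exceeded" is modelled as ">".
        if ($failed && $snapshot[$field] > $limit) {
            $incidents[] = $type;
        }
    }
    return ['snapshot' => $snapshot, 'incidents' => $incidents];
}

function attempt(string $ip, string $user, string $result, string $source): array
{
    return ['ip' => $ip, 'username' => $user, 'result' => $result, 'source' => $source];
}

// Constructed sample traffic using documentation-range addresses.
$store = [];
$allow = ['192.168.1.0/24'];
$t0    = 1700000000;

// Six quick failures: the sixth exceeds the default brute force threshold.
for ($i = 1; $i <= 6; $i++) {
    $r = record_attempt($store, $allow, attempt('203.0.113.7', 'admin', 'fail', 'wp-login'), $t0 + 10 * $i);
    printf("203.0.113.7 fail #%d incidents=[%s]\n", $i, implode(',', $r['incidents']));
}

// Four failures, then one a day later: the old counters expired long ago.
for ($i = 1; $i <= 4; $i++) {
    record_attempt($store, $allow, attempt('198.51.100.9', 'editor', 'fail', 'wp-login'), $t0 + 30 * $i);
}
$r = record_attempt($store, $allow, attempt('198.51.100.9', 'editor', 'fail', 'wp-login'), $t0 + 86400);
printf("198.51.100.9 next day fails=%d\n", $r['snapshot']['fails']);

// Allowlisted address: still logged by Sentinel, but no snapshot or incident.
$r = record_attempt($store, $allow, attempt('192.168.1.100', 'admin', 'fail', 'xmlrpc'), $t0);
printf("192.168.1.100 counted=%s\n", $r['snapshot'] === null ? 'no' : 'yes');
```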
Understanding Counter Behavior
Why aren't incidents being created?
Issue: I've configured thresholds but incidents aren't appearing even when I see failed login attempts in the logs.
Check if the IP is allowlisted or trusted. Allowlisted and trusted IPs bypass counter tracking entirely. Also verify that you’re looking at failed attempts (`auth_fail` events) – successful logins don’t trigger incident evaluation. Ensure your thresholds are set correctly and that the IP hasn’t been temporarily blocked (which stops counter updates).
Counters seem to reset unexpectedly
Issue: I see an IP with 4 failed attempts, but the next day it shows 0 attempts again.
This is expected behavior. Counters automatically expire after 15 minutes of inactivity. If an IP stops attempting logins for 15+ minutes, all counters reset to zero. This prevents stale data from triggering false positives. The 15-minute window is designed to catch sustained attacks while allowing legitimate users who forgot passwords to try again later without being flagged.
Action engine not triggering
Issue: Incidents are being created but the action engine (throttle/block) isn't taking action.
Verify your Security Response Mode is set to “Throttle Threats” or “Block Threats” (not “Observe Only”). Check that the incident was created from a failed authentication attempt (successful logins don’t trigger actions). Ensure the IP isn’t allowlisted or trusted, as these bypass all security actions. Review your action engine settings in Security Controls to confirm throttle delay and block duration are configured.
Developer Functions
For developers building custom integrations, Sentinel provides helper functions to interact with the authentication counter system:
```php
/**
 * Capture and process an authentication attempt
 *
 * @param array $ctx Context array with:
 *   - 'ip' (required): IP address
 *   - 'username' (optional): Username attempted
 *   - 'result' (required): 'success' or 'fail'
 *   - 'source' (required): 'wp-login', 'xmlrpc', 'rest-api', or 'woocommerce'
 *   - 'ua' (optional): User agent string
 *   - 'url' (optional): Request URL
 */
sentinel_auth_capture_attempt($ctx);

/**
 * Get current counter snapshot for an IP (without incrementing)
 *
 * @param string $ip IP address
 * @return array|null Counter snapshot or null if no data
 *
 * Returns:
 *   - 'fails': Failed attempt count
 *   - 'distinct_usernames': Unique username count
 *   - 'xmlrpc_count': XML-RPC request count
 *   - 'last_ts': Last attempt timestamp
 *   - 'window_start': Window start timestamp
 */
$snapshot = sentinel_auth_increment_counters($ip, $username, $source, $is_fail);

// Check if IP is allowlisted
$is_allowlisted = sentinel_is_ip_allowlisted($ip);

// Check if IP is currently trusted
$is_trusted = sentinel_is_ip_trusted($ip);

// Mark IP as trusted (e.g., after admin login)
sentinel_mark_ip_trusted($ip, $duration = 86400); // 24 hours default
```
Premium Functions Only
All authentication counter functions require Sentinel+ (premium license). Without a valid premium license, these functions return empty results or do nothing. Always check `sentinel_is_premium()` before using them in custom code.
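One way to report attempts from a custom login endpoint with the functions documented above (an added example, not code from the Sentinel project). The `myapp/v1` route, the `myapp_*` functions and the `myapp_secret_hash` user meta key are hypothetical, and the endpoint is assumed to verify credentials itself rather than through WordPress's own login path, which Sentinel already captures.

```php
<?php
/**
 * Added example, not part of Sentinel: report attempts from a custom login
 * endpoint to the authentication counter system.
 * Hypothetical names: myapp/v1, myapp_*(), the myapp_secret_hash meta key.
 */

// Verify an app-specific secret stored as a WordPress password hash.
function myapp_check_credentials(string $username, string $secret): bool
{
    $user = get_user_by('login', $username);
    $hash = $user ? (string) get_user_meta($user->ID, 'myapp_secret_hash', true) : '';
    return $hash !== '' && wp_check_password($secret, $hash);
}

// Forward one attempt to Sentinel+ using the documented context keys.
function myapp_report_attempt(string $ip, string $username, bool $ok): void
{
    // The counter functions are premium-only, so guard every call.
    if (!function_exists('sentinel_is_premium') || !sentinel_is_premium()) {
        return;
    }
    sentinel_auth_capture_attempt([
        'ip'       => $ip,
        'username' => $username,
        'result'   => $ok ? 'success' : 'fail',
        'source'   => 'rest-api', // one of the four documented sources
        'ua'       => isset($_SERVER['HTTP_USER_AGENT'])
            ? sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'])) : '',
        'url'      => isset($_SERVER['REQUEST_URI'])
            ? esc_url_raw(wp_unslash($_SERVER['REQUEST_URI'])) : '',
    ]);
}

add_action('rest_api_init', function () {
    register_rest_route('myapp/v1', '/login', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // public login endpoint
        'callback'            => function (WP_REST_Request $request) {
            // Use the socket peer address. Per-IP counters only mean something
            // if the client cannot choose the address, so forwarded-for
            // headers are ignored unless a trusted proxy sets them.
            $ip = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
            if ($ip === false) {
                return new WP_Error('myapp_bad_request', 'Invalid client address.', ['status' => 400]);
            }
            $username = sanitize_user((string) $request->get_param('username'));
            $secret   = (string) $request->get_param('secret');

            $ok = myapp_check_credentials($username, $secret);
            myapp_report_attempt($ip, $username, $ok);

            if (!$ok) {
                // Same response for an unknown user and a wrong secret, so the
                // endpoint does not reveal which usernames exist.
                return new WP_Error('myapp_login_failed', 'Invalid credentials.', ['status' => 401]);
            }
            return rest_ensure_response(['authenticated' => true]);
        },
    ]);
});
```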
Email Notifications & Digest Reports
Sentinel’s comprehensive email notification system keeps you informed about your site’s activity through real-time alerts and scheduled digest reports. Configure exactly what you want to be notified about, when you want to receive updates, and how detailed those updates should be.
Enabling Email Notifications
Setting Up Email Notifications
Navigate to Settings
Go to Sentinel → Settings and click the Alerts & Notifications tab.
Enable Email Notifications
Check the “Enable Email Notifications” checkbox at the top of the email notification section.
Set Notification Email Address
Enter the email address where you want to receive notifications in the “Notification Email” field. This defaults to your WordPress admin email address.
Configure Notification Types
Select which types of notifications you want to receive using the toggle controls for Real-time Alerts, Daily Digests, Weekly Digests, Categories, and Priorities.
Save Settings
Click “Save Changes” to activate your email notification preferences. Digest reports will be scheduled automatically based on your selections.
Real-time Alerts
Real-time alerts are sent immediately when specific events occur on your site. These are perfect for critical issues that require immediate attention, allowing you to respond quickly to security threats, errors, or high-priority events.
Critical Events Only
Receive immediate email alerts for events with critical priority level. These are the most urgent issues requiring immediate attention, such as fatal errors or severe security incidents.
Security Events
Get instant notifications for all security-related events, including failed logins, blocked IPs, security incidents, and authentication failures. Essential for monitoring potential attacks.
Error Events
Receive immediate alerts for all error events, including PHP errors, database errors, and plugin/theme errors. Helps you catch and resolve issues before they impact users.
High Priority Events
Get notified about high-priority events that may not be critical but still require attention, such as memory warnings, performance issues, or suspicious activity patterns.
Real-time Alert Behavior
Real-time alerts are sent immediately when an event occurs, using WordPress’s `wp_mail()` function. Each alert includes the event details, timestamp, user information (if applicable), and a direct link to view the full event in your Sentinel dashboard. Alerts are sent individually, so you may receive multiple emails if multiple qualifying events occur in quick succession.
Daily Digest Reports
Daily digest reports provide a comprehensive summary of your site’s activity from the past 24 hours. These reports are sent once per day at 9:00 AM (your server’s local time) and combine all enabled daily digest sections into a single, beautifully formatted email.
Event Summary
A comprehensive overview of all activity from the past 24 hours, including total events logged, active users, events broken down by category (authentication, content, system, error, security, user), events by priority level (critical, high, medium, low), and the top 5 most frequent event types. Perfect for getting a complete picture of your site's daily activity at a glance.
Error Report
A focused report on all errors that occurred in the past 24 hours, including high and critical priority events, PHP errors, database errors, and failed operations. Each error includes the event type, timestamp, and error message (if available). Essential for identifying and resolving issues quickly.
User Activity
A detailed breakdown of user-related activity, including total user events, the top 10 most active users (with activity counts), and recent user events (logins, profile updates, content changes). Helps you understand user behavior patterns and identify unusual activity.
Digest Report Sections
| Digest Section | Data Included | Best For |
|---|---|---|
| Event Summary | Total events, active users, category breakdown, priority breakdown, top events | General site monitoring and activity overview |
| Error Report | All errors, error types, timestamps, error messages | Troubleshooting and issue resolution |
| User Activity | User events, top active users, recent user actions | User behavior analysis and security monitoring |
Combined Daily Email
When you enable multiple daily digest sections (Event Summary, Error Report, User Activity), Sentinel combines them into a single email with all sections included. This reduces email clutter while providing comprehensive coverage. The email is sent once per day at 9:00 AM, regardless of how many sections you have enabled.
Weekly Digest Reports
Weekly digest reports provide a comprehensive analysis of your site’s health, performance, and security over the past 7 days. These reports are sent every Monday at 9:00 AM and combine all enabled weekly digest sections into a single detailed email with trends, metrics, and actionable insights.
System Health Report
A comprehensive health assessment including total events for the week, active users, calculated system uptime percentage (based on cron health and database connectivity), and detailed health metrics: critical events count, high priority events count, medium priority events count, active plugins count, current theme name, and database error count. Provides a complete picture of your site's overall health and stability.
Performance Metrics
Detailed performance analysis including average response time (in milliseconds), peak memory usage for the week, average database queries per request, performance events count, timeout events count, and total performance samples collected. Helps identify performance bottlenecks and optimization opportunities.
Security Summary
A security-focused report covering total security events for the week, failed login attempts count, and a list of recent security incidents with types and dates. Essential for understanding your site's security posture and identifying potential threats or attack patterns.
| Digest Section | Key Metrics | Use Case |
|---|---|---|
| System Health Report | Uptime percentage, critical/high events, database errors | Monitoring overall site stability and identifying recurring issues |
| Performance Metrics | Response time, memory usage, DB queries, timeouts | Performance optimization and resource planning |
| Security Summary | Security events, failed logins, incidents | Security monitoring and threat detection |
Combined Weekly Email
Like daily digests, weekly digest sections are combined into a single email when multiple sections are enabled. The email is sent every Monday at 9:00 AM and includes all enabled sections (System Health, Performance Metrics, Security Summary) in one comprehensive report. This provides a complete weekly overview without email overload.
Granular Notification Controls
In addition to digest reports and real-time alerts, Sentinel provides granular controls to filter notifications by event category and priority level. These controls apply to real-time alerts, allowing you to fine-tune exactly which events trigger immediate email notifications.
Category Filters
Enable notifications for specific event categories: Authentication (logins, logouts, registrations), Content (posts, pages, comments), System (plugins, themes, core updates), Error (all error types), Security (security incidents, blocked IPs), and User (user-related activity). Mix and match categories to create custom notification profiles.
Priority Filters
Control notifications by event priority: Critical (always enabled for real-time alerts), High (important but not critical), Medium (moderate importance), and Low (informational events). Critical priority events always trigger real-time alerts when email notifications are enabled, regardless of other settings.
Notification Logic
Real-time alerts are sent when an event matches ANY enabled filter. For example, if you enable “Security Events” in real-time alerts AND “Error” category filter, you’ll receive emails for both security events and error events. The filters are combined with OR logic, not AND logic. This ensures you don’t miss important events that might match multiple criteria.
Digest Report Schedule
Digest reports are automatically scheduled using WordPress cron when you enable email notifications and select digest sections. The scheduling is handled automatically—you don’t need to configure cron jobs manually.
| Digest Type | Schedule | Time | Automatic |
|---|---|---|---|
| Daily Digest | Once per day | 9:00 AM (server time) | Yes, when any daily section is enabled |
| Weekly Digest | Every Monday | 9:00 AM (server time) | Yes, when any weekly section is enabled |
How Scheduling Works
Enable Digest Sections
When you enable any daily or weekly digest section and save settings, Sentinel automatically checks if cron jobs need to be scheduled.
Automatic Scheduling
If daily digests are enabled, Sentinel schedules the `sentinel_daily_digest` cron job for 9:00 AM tomorrow (then daily thereafter). If weekly digests are enabled, Sentinel schedules the `sentinel_weekly_digest` cron job for 9:00 AM next Monday (then weekly thereafter).
Automatic Cleanup
If you disable all daily digest sections, Sentinel automatically unschedules the daily digest cron job. Similarly, disabling all weekly sections unschedules the weekly digest cron job. This prevents unnecessary cron execution.
WordPress Cron Requirements
Digest reports require WordPress cron to be functioning properly. If your site uses a real cron job (instead of pseudo-cron), ensure it’s configured to run at least once per hour. If cron is disabled or not working, digest reports will not be sent. You can verify cron is working by checking if other scheduled WordPress tasks (like plugin updates) are executing on time.
Email Format & Content
All Sentinel emails are sent as HTML emails with plain text fallbacks for email clients that don’t support HTML. Emails include professional formatting, color-coded priority badges, tables for data presentation, and direct links to your Sentinel dashboard for detailed analysis.
HTML Formatting
Beautiful HTML emails with responsive design, color-coded sections, priority badges, and professional styling. Emails are optimized for both desktop and mobile email clients.
Plain Text Fallback
Every email includes a plain text version for email clients that don't support HTML or for users who prefer text-only emails. All important information is included in both formats.
Dashboard Links
Every email includes direct links to your Sentinel dashboard where you can view full event details, filter logs, and perform detailed analysis. Links use your site's admin URL.
Branded Headers
All emails include the Sentinel logo and branding in the header, making them easily identifiable in your inbox and maintaining a professional appearance.
Notification Email Address
The notification email address is where all Sentinel emails are sent. This can be different from your WordPress admin email, allowing you to route notifications to a dedicated monitoring inbox or team email address.
Configuring Notification Email
Find Email Setting
Navigate to Sentinel → Settings → Alerts & Notifications tab and locate the “Notification Email” field.
Enter Email Address
Enter the email address where you want to receive all Sentinel notifications. This can be a single address or a distribution list email address.
Verify Email Format
Sentinel validates the email address format when you save. Ensure the email address is correctly formatted (e.g., admin@example.com).
Default Behavior
If no notification email is specified, Sentinel uses your WordPress admin email address (from Settings → General → Administration Email Address) as the default recipient.
Multiple Recipients
To send notifications to multiple recipients, use a distribution list or group email address configured in your email system. Sentinel sends to a single email address per notification. For team notifications, consider setting up an email alias or forwarding rule in your email provider.
Troubleshooting Email Notifications
Not receiving digest emails
Issue: I've enabled daily or weekly digests but I'm not receiving the emails, even though I can see events in the dashboard.
First, verify WordPress cron is working by checking if other scheduled tasks (like plugin updates) run on time. Check your spam/junk folder—Sentinel emails may be filtered. Verify your notification email address is correct and can receive emails. Enable WordPress debug logging (WP_DEBUG_LOG) and check for email-related errors. Ensure at least one digest section is enabled (Event Summary, Error Report, etc.). Check that “Enable Email Notifications” is checked at the top of the email settings section.
Real-time alerts not sending
Issue: I've enabled real-time alerts for critical events but I'm not receiving emails when critical events occur.
Verify “Enable Email Notifications” is checked. Confirm that at least one real-time alert option is enabled (Critical Events, Security Events, Error Events, or High Priority). Check that the event actually has the priority/category you’re filtering for—view the event in Activity Logs to confirm its category and priority. Test your site’s email functionality using WordPress’s built-in test email feature. Check WordPress debug logs for email sending errors. Ensure your hosting provider allows PHP mail() function or configure SMTP if required.
Receiving too many emails
Issue: I'm getting overwhelmed with email notifications and want to reduce the frequency or scope.
Disable real-time alerts and rely only on daily/weekly digests for less frequent updates. Narrow your category filters to only the most important categories (e.g., Security and Error only). Adjust priority filters to exclude low and medium priority events. Disable digest sections you don’t need—for example, if you only care about errors, disable Event Summary and User Activity. Consider using only weekly digests instead of daily for less frequent updates.
Digest emails arriving at wrong time
Issue: My digest emails are arriving at unexpected times, not at 9:00 AM as expected.
Digest emails are scheduled based on your server’s timezone, not your local timezone. Check your WordPress timezone setting (Settings → General → Timezone). Verify your server’s system time is correct. If using a real cron job, ensure it’s configured to match your WordPress timezone. The 9:00 AM time is relative to your server’s configured timezone. WordPress cron may have slight delays depending on site traffic—emails are sent when cron executes, which may be slightly after the scheduled time during low-traffic periods.
Email Notification Best Practices
Start with real-time alerts for critical events only
Begin with minimal notifications to avoid email overload, then gradually expand based on your actual needs and site activity patterns.
Enable daily digests for regular monitoring
Use daily digests to get comprehensive activity summaries without the constant interruption of real-time alerts. Perfect for staying informed without email fatigue.
Use weekly digests for comprehensive analysis
Weekly digests provide trend identification, performance metrics, and long-term health insights that help you understand patterns over time.
Configure category filters to focus on important events
Narrow your notification scope to the event categories that matter most to your site—typically Security and Error categories for most users.
Set up a dedicated monitoring email address
Use a separate email address (or distribution list) for Sentinel notifications to keep monitoring separate from your personal inbox and enable team access.
Test email delivery after configuration
Verify that notifications are working correctly by triggering a test event or waiting for the next scheduled digest. Check spam folders if emails don't arrive.
Review digest reports weekly to identify patterns
Regularly analyze your digest reports to spot trends, optimize notification settings, and adjust filters based on what you actually need to monitor.
Adjust notification frequency based on site activity
High-traffic sites may benefit from digests only (no real-time alerts), while low-traffic sites can safely use real-time alerts for immediate awareness.
IP Allowlist Management
Since v1.1.0 (Sentinel+)
Sentinel+ provides two levels of IP trust management: a permanent IP Allowlist for consistently trusted addresses, and an automatic Temporary Trust System for administrators. Understanding these systems helps you balance security protection with operational convenience while minimizing false positives from legitimate traffic.
Sentinel+ Feature
IP Allowlist management and automatic admin trust are exclusive to Sentinel+. These features work in conjunction with the Authentication Tracking system to prevent false positives while maintaining robust security monitoring.
What is IP Allowlisting?
IP allowlisting provides a way to permanently exempt specific IP addresses or IP ranges from Sentinel’s authentication security controls. When an IP is allowlisted, it completely bypasses brute force detection, username enumeration monitoring, and XML-RPC flood protection. Activity from allowlisted IPs is still logged in the activity logs, but no security incidents are created and no protective actions (throttling or blocking) are applied.
Security Controls Bypassed by Allowlisting
Brute Force Detection
No incidents created for failed login attempts, regardless of count. Failed logins are still logged but don't trigger security responses.
Username Enumeration
Multiple username attempts don't trigger enumeration detection. Useful for automated systems or API integrations that need to test credentials.
XML-RPC Flood Protection
XML-RPC requests are not counted toward flood thresholds. Enables legitimate XML-RPC integrations without triggering protection.
Incident Creation
No security incidents are created for any authentication activity. The Incidents page will not show events from allowlisted IPs.
Throttling & Blocking
No throttle delays or temporary blocks are applied regardless of response mode settings. Traffic flows without artificial delays.
Activity Logging
Still Active - All authentication events are still logged normally in the Activity Logs. Only security enforcement is bypassed.
Security Consideration
Allowlisted IPs have complete exemption from security controls. Only allowlist IP addresses you trust absolutely, such as your office network, administrator home IPs, or known API integration services. Compromised allowlisted IPs can attack your site without detection or protection.
Permanent Allowlist vs. Temporary Trust
Sentinel+ offers two distinct trust mechanisms to accommodate different use cases:
Permanent IP Allowlist (Manual)
Manually configured in Settings → Security Controls. Remains in effect until explicitly removed. Best for static office IPs, known integration services, and infrastructure that never changes.
Temporary Admin Trust (Automatic)
Automatically granted when an administrator successfully logs in. Expires after 1-24 hours (configurable). Best for dynamic admin IPs, remote workers, and reducing false positives.
Scope (Global)
Permanent: Affects all users at that IP address. Temporary: Only affects the specific administrator who logged in, but applies to their entire IP address.
Management (Settings)
Permanent: Edit directly in settings textarea. Temporary: Enable/disable "Admin Trust Mode" and configure trust duration. No manual IP entry required.
Adding IPs to the Permanent Allowlist
Navigate to Security Settings
Go to Sentinel → Settings in your WordPress admin. Click the Security Controls tab to access authentication protection settings.
Locate IP Allowlist Field
Scroll down to the IP Allowlist section under Security Controls. You’ll see a large textarea field for entering IP addresses.
Enter IP Addresses
Add IP addresses one per line. You can enter exact IPs (e.g., 192.168.1.100) or CIDR ranges (e.g., 10.0.0.0/24 for an entire subnet). Leave blank to disable allowlisting.
Save Changes
Click Save Changes at the bottom of the page. The allowlist takes effect immediately for all future authentication attempts from those IPs.
Supported IP Address Formats
# Individual IP addresses (one per line)
192.168.1.100
203.0.113.45
198.51.100.78
# CIDR notation for IP ranges
10.0.0.0/24 # Entire 10.0.0.x subnet (256 IPs)
172.16.0.0/16 # Entire 172.16.x.x range (65,536 IPs)
192.168.1.0/28 # 192.168.1.0 - 192.168.1.15 (16 IPs)
# Mixed formats (all valid)
198.51.100.50
198.51.100.51
198.51.100.0/27 # Plus 32 IPs in this range
# Leave blank to disable allowlisting entirely
Understanding CIDR Notation
CIDR (Classless Inter-Domain Routing) notation allows you to specify IP ranges efficiently. The number after the slash (/) indicates how many bits are fixed. Common ranges: /32 = single IP, /24 = 256 IPs (C-class), /16 = 65,536 IPs (B-class), /8 = 16,777,216 IPs (A-class). Use online CIDR calculators to verify your ranges before adding them.
Automatic Admin Trust System
The Admin Trust Mode feature automatically grants temporary trust to IP addresses when administrators successfully log in. This prevents administrators from triggering security incidents while testing, managing users, or performing routine maintenance tasks that might otherwise appear suspicious to the authentication tracking system.
How Admin Trust Works
1. Admin Logs In
When a user with Administrator role successfully logs into WordPress, Sentinel+ detects this authentication event.
2. IP Marked as Trusted
The admin's IP address is automatically marked as "trusted" and stored in WordPress transients (fast cache) for the configured duration.
3. Detection Bypassed
For the trust duration (1-24 hours), that IP bypasses authentication security controls just like a permanent allowlist entry.
4. Trust Expires
After the configured time period, trust expires automatically. The IP is subject to normal security monitoring again until the admin logs in again.
Configuring Admin Trust Settings
Open Security Settings
Navigate to Sentinel → Settings → Security Controls tab in your WordPress admin dashboard.
Enable Admin Trust Mode
Find the Admin Trust Mode section. Check the box labeled “Temporarily bypass detection for admin IPs after successful login” to enable the feature.
Configure Trust Duration
Select how long admin IPs remain trusted from the dropdown: 1 hour, 2 hours, 6 hours, 12 hours, or 24 hours. Default is 24 hours for maximum convenience. Shorter durations provide tighter security.
Save and Test
Click Save Changes. Log out and log back in as an administrator. Your IP should now be trusted, and you won’t trigger security incidents during testing or management tasks.
When to Use Permanent vs. Temporary Trust
Choose the appropriate trust mechanism based on your specific needs:
Permanent Allowlist For (Static IPs)
- Office/company network static IPs
- Server infrastructure monitoring services
- API integration services with dedicated IPs
- VPN exit points with fixed addresses
- Load balancers and proxy servers
Temporary Trust For (Dynamic IPs)
- Administrator home connections (dynamic ISP IPs)
- Remote workers without static IPs
- Mobile administrators (cellular/WiFi switching)
- Testing and development environments
- Reducing false positive incidents
Avoid Allowlisting (Never)
- Shared hosting provider IP ranges
- Public WiFi or coffee shop networks
- VPN services used by multiple people
- Proxy services with rotating IPs
- "Just in case" speculative entries
Best Practice (Recommended)
Start with Temporary Admin Trust enabled (24hr duration). Only add IPs to permanent allowlist if they are truly static and under your control. Review allowlist quarterly and remove stale entries.
Viewing Current Allowlist & Trust Status
To see which IPs are currently on your permanent allowlist, navigate to Sentinel → Settings → Security Controls and scroll to the IP Allowlist field. All listed IPs are actively bypassing security controls. Currently, there is no UI to view temporarily trusted admin IPs, as these are stored in transient cache and expire automatically. Check the Activity Logs to see which admins have logged in recently from which IPs to infer current trust status.
Removing IPs from the Allowlist
Open Allowlist Settings
Go to Sentinel → Settings → Security Controls and locate the IP Allowlist textarea field.
Delete IP Addresses
Simply delete the line(s) containing the IP addresses you want to remove from the allowlist. You can also clear the entire field to remove all allowlisted IPs at once.
Save Changes
Click Save Changes. Removed IPs are immediately subject to normal security monitoring. If they trigger suspicious behavior, incidents will be created as usual.
After Removing IPs
When you remove an IP from the allowlist, any existing open incidents from that IP remain open. Removing from the allowlist only affects future activity—it does not retroactively create incidents for past activity that was previously bypassed. Monitor the Incidents page for 24-48 hours after removal to see if the IP triggers new security events.
Security Best Practices
Verify IP ownership before allowlisting
Use whois lookups and network scanning tools to confirm the IP belongs to your organization or trusted service before adding it.
Use CIDR notation for IP ranges carefully
Allowlisting too broad a range (/16 or /8) can inadvertently trust thousands or millions of IPs. Be as specific as possible.
Document why each IP is allowlisted
Keep external notes (or inline comments in the field) explaining what each IP/range is for and who requested it.
Review allowlist quarterly
Set a calendar reminder to audit your allowlist every 3 months. Remove IPs that are no longer relevant (employee left, service migrated, etc.).
Enable Admin Trust Mode by default
Start with automatic admin trust enabled (24hr duration) to reduce false positives. Only use permanent allowlist for truly static infrastructure.
Monitor Activity Logs for allowlisted IPs
Even though incidents aren't created, check Activity Logs periodically for unusual patterns from allowlisted IPs (e.g., excessive failed logins).
Troubleshooting
Allowlisted IP still triggers incidents
Issue: An IP you added to the allowlist continues to generate security incidents and appears on the Incidents page.
Verify the IP address is entered correctly with no typos or extra spaces. Check that you saved the settings after adding the IP. If using CIDR notation, confirm the range includes the problematic IP using an online CIDR calculator. Clear your browser cache and check Sentinel → Settings → Security Controls to confirm the IP appears in the allowlist field. If the incident was created before you allowlisted the IP, it will remain open—only new activity is bypassed.
Admin Trust Mode not working
Issue: Administrators still trigger brute force incidents despite Admin Trust Mode being enabled.
Confirm Admin Trust Mode checkbox is checked in Sentinel → Settings → Security Controls. Verify the admin successfully logged in recently (trust is only granted on successful login, not failed attempts). Check if the admin’s IP changed between login and the incident (dynamic IPs from ISPs can change). If using object caching (Redis, Memcached), verify the cache is working—trust status is stored in transients which rely on cache. Test by logging in as admin, then immediately performing an action that would normally trigger an incident (e.g., 3 failed logins).
CIDR range not matching expected IPs
Issue: A CIDR range you entered doesn't seem to cover the IPs you expected, or covers too many IPs.
Use an online CIDR calculator (search “CIDR calculator”) to verify your notation. Common mistakes: /32 is a single IP (not a range), /24 covers 256 IPs (.0 to .255), /16 covers 65,536 IPs. Remember that CIDR ranges start from the network address—192.168.1.50/24 will actually match 192.168.1.0-255, not 50-255. To match a smaller range of specific IPs, list them individually rather than using CIDR notation.
Can't remove IP from allowlist
Issue: Deleted an IP from the allowlist field but it still seems to be bypassing security controls.
Ensure you clicked Save Changes after deleting the IP. Check if the IP has temporary admin trust active (separate from permanent allowlist). Clear any server-side caching (if using WP Rocket, W3 Total Cache, etc.) as cached settings might persist. Verify you’re editing the correct settings—allowlist is in Security Controls tab, not General Settings. If the IP is part of a CIDR range that’s still in the allowlist, it will remain trusted even if you removed its individual entry.
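The CIDR checks from the troubleshooting items above (host bits in an entry, overly broad ranges, an IP still covered by a remaining range) can be run offline before saving the field. This is an added example, not Sentinel's own code; the sample allowlist is constructed, and treating `#` as a comment marker and flagging /16 or wider are assumptions taken from the format sample and the best-practice notes on this page.

```python
import ipaddress

# Constructed sample of the IP Allowlist field (documentation-range addresses).
SAMPLE_ALLOWLIST = """\
# office and integrations
203.0.113.45
192.168.1.50/24   # written as a host address plus prefix
10.0.0.0/8
198.51.100.0/27
not-an-ip
"""

BROAD_PREFIX = 16  # assumption: flag IPv4 ranges of /16 or wider


def parse_allowlist(text):
    """Parse one entry per line; return (entries, findings)."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        value = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not value:
            continue
        try:
            iface = ipaddress.ip_interface(value)
        except ValueError:
            findings.append((lineno, value, "not a valid IP or CIDR range"))
            continue
        net = iface.network  # network with host bits masked off
        entries.append({"line": lineno, "text": value, "network": net})
        if iface.ip != net.network_address:
            findings.append((lineno, value, f"host bits set, effective range {net}"))
        if net.version == 4 and net.prefixlen <= BROAD_PREFIX:
            findings.append((lineno, value, f"broad range, {net.num_addresses} addresses"))
    return entries, findings


def covering_entries(entries, ip):
    """Return the text of every entry whose range contains the given IP."""
    addr = ipaddress.ip_address(ip)
    return [e["text"] for e in entries if addr in e["network"]]


def total_trusted(entries):
    """Count distinct trusted addresses, merging overlapping ranges first."""
    total = 0
    for version in (4, 6):
        nets = [e["network"] for e in entries if e["network"].version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total


if __name__ == "__main__":
    entries, findings = parse_allowlist(SAMPLE_ALLOWLIST)
    for lineno, value, message in findings:
        print(f"line {lineno}: {value}: {message}")
    print("addresses trusted in total:", total_trusted(entries))
    # An IP whose individual line was deleted may still be covered by a range.
    for ip in ("192.168.1.200", "198.51.100.32"):
        print(ip, "covered by", covering_entries(entries, ip) or "nothing")
```

An empty result from `covering_entries` means no remaining line trusts that IP on the permanent allowlist; temporary admin trust is tracked separately and is not visible in the field.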
General Settings
Configure Sentinel’s core functionality and behavior to match your security monitoring requirements.
Basic Configuration
Access general settings via Sentinel → Settings → Log Management Tab → Log Management & Retention. These settings control the fundamental behavior of the monitoring system.
| Setting | Description | Default | Recommended |
|---|---|---|---|
| Auto-Cleanup | When enabled, old logs will be automatically moved to archive or deleted based on the settings below. | Enabled | Enabled |
| Age Limit | Archive logs older than this many days. (Minimum: 1 day, Maximum: 10 years) | 90 days | 90 days |
| Entry Limit | Archive logs when total entries exceed this number. (Minimum: 100, Maximum: 1,000,000) | 10,000 | 10,000 |
| Cleanup Schedule | How often to check for logs that need cleanup. | Daily | Daily |
| Archive Retention | How long to keep archived logs before permanent deletion. | 1 year | 1 year |
| Database Optimization | Optimize database tables to maintain performance and reduce storage space. | Enabled | Enabled |
| Optimization Schedule | How often to run database optimization. | Weekly | Weekly |
Advanced Configuration Options
Fine-tune Sentinel’s behavior with these advanced settings. These options provide more granular control over the monitoring system’s behavior and performance.
| Setting | Description | Default | Recommended |
|---|---|---|---|
| Data Anonymization | Automatically anonymize IP addresses and user data for privacy compliance. | Disabled | Based on privacy policy |
| IP Address Logging | Enable to track IP addresses in activity logs for security monitoring. | Enabled | Based on privacy policy |
| Role-Based Log Access | When enabled, editors will only see user, content, and authentication events. Admins see all events. | Disabled | Moderation Policy Based |
| Audit Log Access | When enabled, Sentinel will log whenever a user views the logs or dashboard, including who, when, and from where. | Disabled | Based on privacy policy |
| Right to be Forgotten | Enable GDPR Article 17 compliance - users can request deletion of their personal data from logs. | Disabled | Based on privacy policy |
| Data Portability | Enable GDPR Article 20 compliance - users can export their personal data in machine-readable format. | Disabled | Based on privacy policy |
| Batch Processing | Process logs in batches to reduce server load. Larger batches are more efficient but use more memory. | 1000 entries | 500 - 2,000 |
| Right to be Forgotten | Enable shortcode functionality allowing users to request data deletion. Provides GDPR compliance through [sentinel_data_deletion_request] shortcode. | Disabled | Based on privacy policy |
Performance Considerations
Optimize Sentinel’s performance based on your site’s traffic and requirements:
High-Traffic Sites
Consider reducing log retention to 30 days and enabling automatic cleanup to prevent database bloat.
Low-Traffic Sites
You can safely extend log retention to 180 days or more for comprehensive audit trails.
Event Registry
Configure which events Sentinel should track and monitor to create a comprehensive security audit trail. The Event Registry is organized into distinct sections for different types of monitoring capabilities.
Event Registry Structure
The Event Registry is organized into three main sections to help you manage different types of monitoring:
3rd Party Plugin Integrations
Available to all users. Monitor popular WordPress plugins like WooCommerce, Contact Form 7, and Gravity Forms with pre-configured event templates and one-click setup.
System Events Registry
Available to all users. View and control all registered WordPress core events, plugin events, and system activities with detailed filtering and management options.
Custom Events Management
Sentinel+ feature. Create and manage custom events for business-specific monitoring needs, third-party integrations, and specialized tracking requirements.
Available Event Types
Sentinel tracks and logs a wide range of events, from PHP errors to WordPress core events. Below are some of the events Sentinel tracks. This is not a comprehensive list, as most events are self-explanatory.
Authentication Events (Core Security)
- user_login: User logged in successfully
- user_logout: User logged out
- failed_login: Failed login attempt
- password_reset: Password reset requested
User Management (Account Changes)
- user_registered: New user registration
- user_deleted: User account deleted
- role_changed: User role modified
- profile_updated: User profile modified
Content Management (Site Content)
- post_published: Post published
- post_updated: Post modified
- post_deleted: Post removed
- comment_approved: Comment approved
- media_uploaded: File uploaded
System & Security (Core Changes)
- plugin_activated: Plugin enabled
- theme_switched: Theme switched
- core_upgraded: WordPress core upgraded
- option_updated: WordPress option or setting changed
- php_fatal_error: PHP error occurred
Complete Event List
The Event Registry in your WordPress admin (Sentinel → Event Registry) contains the full list of all available events with detailed descriptions, severity levels, and usage statistics. You can enable/disable individual events and customize their monitoring behavior there.
Event Configuration Options
Each event type in the Event Registry includes these configuration options:
Status Toggle
Enable or disable monitoring for each event type individually
Severity Levels
Set priority as Low, Medium, High, or Critical based on security importance
Usage Tracking
Monitor how often each event occurs and when it was last triggered
Detailed Information
View comprehensive details about each event including descriptions and metadata
Performance Options
While Sentinel is designed to be extremely lightweight with minimal impact on your site, proper optimization ensures it stays that way regardless of your site’s traffic volume or activity level.
Performance First
Sentinel typically adds less than 50ms to page load times and uses minimal server resources. However, optimizing these settings for your specific environment ensures optimal performance as your site grows.
Batch Logging Configuration
Control how Sentinel processes and stores log entries to balance performance with real-time visibility.
| Setting | Description | Recommended Values | Performance Impact |
|---|---|---|---|
| Enable Batch Logging | Queue logs and write them in batches instead of immediately | Enabled for high-traffic sites | Significantly reduces database writes |
| Batch Size | Number of logs to process in each batch | 50-100 for most sites, 200+ for high-traffic | Higher = better performance, more memory usage |
| Batch Frequency | How often to process batched logs (in seconds) | 60s standard, 30s for real-time needs | Lower = more frequent processing |
Trade-off
Batch logging improves performance but introduces a slight delay in log visibility. Choose based on whether you need real-time monitoring or can accept 30-60 second delays.
Rate Limiting & Spam Prevention
| Setting | Purpose | Recommended Values | Use Case |
|---|---|---|---|
| Per-Minute Limit | Maximum events logged per minute | 100-200 for normal sites | Prevents log flooding during attacks |
| Per-Hour Limit | Maximum events logged per hour | 1000-5000 based on site activity | Long-term protection against sustained attacks |
| Rate Limiting Behavior | How to handle events when limits are exceeded | Graceful Degradation (recommended) | Maintains visibility while reducing load |
Rate Limiting Behaviors Explained
Graceful Degradation (Recommended)
Samples every 10th event when over limit to maintain visibility while reducing load
Hard Blocking (Aggressive)
Completely stops logging until the next time window (most resource-efficient)
Priority Only (Selective)
Only logs critical and error events, blocks warning/info events
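To compare what stays in the log under each behavior, the following added example (a model written for this page, not Sentinel's implementation) replays one constructed burst through all three. It assumes fixed one-minute windows, a per-minute limit of 100, and that "every 10th event" counts only events past the limit; the event keys and severity labels in the burst are constructed.

```python
from collections import Counter

LIMIT_PER_MINUTE = 100                   # low end of the 100-200 range in the table
PRIORITY_LEVELS = {"critical", "error"}  # what "Priority Only" keeps, per the page


def build_burst():
    """Constructed input: 500 warnings in 50 seconds, one critical event
    in the middle of the burst, and one info event in the next minute."""
    events = [(i // 10, "warning", "failed_login") for i in range(500)]
    events.insert(250, (25, "critical", "php_fatal_error"))
    events.append((60, "info", "user_login"))
    return events


def simulate(events, behavior, limit=LIMIT_PER_MINUTE):
    """Return the events that would be written under the given behavior.

    events   -- iterable of (second, severity, event_key), in time order
    behavior -- "graceful", "hard" or "priority"
    """
    if behavior not in ("graceful", "hard", "priority"):
        raise ValueError(f"unknown behavior: {behavior}")
    kept = []
    window, count, over = None, 0, 0
    for event in events:
        second, severity, _ = event
        minute = second // 60
        if minute != window:           # new window: counters start again
            window, count, over = minute, 0, 0
        count += 1
        if count <= limit:             # under the limit everything is logged
            kept.append(event)
            continue
        over += 1
        if behavior == "graceful" and over % 10 == 0:
            kept.append(event)         # sample every 10th event past the limit
        elif behavior == "priority" and severity in PRIORITY_LEVELS:
            kept.append(event)         # only critical/error past the limit
        # "hard": nothing more is logged until the next window
    return kept


def retained(events, behavior):
    """Summarize kept events as {severity: count}."""
    return dict(Counter(severity for _, severity, _ in simulate(events, behavior)))


if __name__ == "__main__":
    burst = build_burst()
    for behavior in ("graceful", "hard", "priority"):
        print(f"{behavior:9s}", retained(burst, behavior))
```

Under these assumptions only Priority Only retains the critical event that arrives after the limit is reached, which is worth weighing against the extra volume Graceful Degradation keeps for visibility.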
Smart Memory Monitoring
Prevent memory-related crashes and optimize resource usage with intelligent memory management.
| Feature | Description | Default Setting | Recommended For |
|---|---|---|---|
| Memory Monitoring | Tracks memory usage patterns and provides optimization recommendations | Enabled | All sites, especially shared hosting |
| Memory Threshold | Percentage of PHP memory limit before logging is paused | 80% | Adjust based on site's memory usage patterns |
| Smart Recommendations | Analyzes usage patterns and suggests optimizations | Enabled | Sites wanting automated optimization guidance |
| Memory Leak Detection | Sentinel+ feature. Advanced algorithm detects potential memory leaks by analyzing usage patterns across multiple requests with confidence scoring and smart filtering to reduce false positives. | Disabled (Premium) | Sites experiencing unexplained memory growth or performance degradation |
Performance Optimization by Site Type
Recommended configurations for different types of WordPress sites:
Small Personal/Blog Sites
Settings: Batch logging disabled, standard rate limits (100/min, 1000/hour), memory threshold 80%
Reasoning: Low traffic allows real-time logging without performance impact
Business/Medium Traffic Sites
Settings: Batch logging enabled (50 logs/60s), moderate rate limits (200/min, 3000/hour), memory threshold 75%
Reasoning: Balance between real-time visibility and performance optimization
High-Traffic/E-commerce Sites
Settings: Batch logging enabled (100+ logs/30s), high rate limits (500/min, 10000/hour), memory threshold 70%
Reasoning: Maximum performance with comprehensive monitoring for critical business operations
Shared Hosting
Settings: Conservative batch logging (25 logs/120s), lower rate limits, memory threshold 85%
Reasoning: Resource constraints require careful optimization to avoid hosting limits
Monitoring Performance Impact
Use Sentinel’s built-in performance monitoring to ensure optimal operation:
Usage Statistics
Monitor per-minute and per-hour event rates to optimize rate limiting settings
Memory Analysis
Track memory usage patterns and receive automated optimization recommendations
Smart Recommendations
Receive personalized suggestions based on your site's actual usage patterns
Pro Tip
Start with conservative settings and gradually optimize based on your site’s actual performance metrics. The Settings page shows real-time usage statistics to help you make informed adjustments.
Memory Leak Detection (Sentinel+)
Since v1.1.0 (Sentinel+)
Overview
Advanced memory leak detection uses sophisticated algorithms to identify potential memory leaks before they cause serious performance issues or crashes.
Sentinel+ Feature
Memory leak detection is available only to premium users to reduce false positive noise for free users.
How It Works
Pattern Analysis
Monitors memory usage across multiple requests, tracking increases and consistency patterns to identify potential leaks.
Confidence Scoring
Uses advanced algorithms to calculate confidence scores (0-100%) based on consistency, magnitude, and frequency of memory increases.
Smart Filtering
Only alerts when confidence exceeds 70% to minimize false positives from normal memory fluctuations.
Cooldown Protection
Implements 6-hour cooldown periods to prevent alert spam while ensuring critical issues are still reported.
Alert Types
| Confidence Level | Alert Type | Description | Recommended Action |
|---|---|---|---|
| 90%+ | Critical | Very high confidence this is a real memory leak | Immediate investigation required |
| 70-89% | Warning | Potential memory leak detected | Monitor and investigate within 24 hours |
| <70% | No Alert | Insufficient confidence for leak detection | Continue monitoring |
Recommendations Provided
When a memory leak is detected, Sentinel provides context-specific recommendations:
- Urgent Actions: Identify recently changed code, enable debug logging, check for infinite loops
- Investigation Steps: Review activated plugins, check data processing operations
- Optimization Tips: Review image processing, implement pagination, optimize caching strategies
Understanding Memory Leak Reports
When Sentinel detects a potential memory leak, it creates a detailed event log entry that includes comprehensive diagnostic information. These reports help you understand not just that a leak exists, but why it was detected and what actions you should take.
Where to Find Memory Leak Reports
Activity Logs Page
Navigate to Sentinel → Activity Logs and filter by event key memory_leak_warning to see all detected leaks.
WordPress Dashboard Widget
The Sentinel Memory Insights widget on your WordPress Dashboard provides real-time memory statistics and recent leak detections.
Admin Notices
Critical memory leaks trigger admin notices at the top of your WordPress admin pages with immediate recommendations.
Memory Leak Report Details
Each memory leak report contains detailed information to help you diagnose and resolve the issue:
Confidence Score
A percentage (0-100%) indicating how certain Sentinel is that this is a real memory leak. Scores above 90% require immediate attention.
Average Memory Increase
The average amount of memory consumed per request, helping you understand the scale of the leak.
Sample Size
Number of requests analyzed to detect the pattern. More samples mean higher confidence.
Detection Method
The algorithm used (typically "trend_analysis") that identified the leak pattern.
Severity Level
Critical, Warning, or Info classification based on confidence and memory impact.
Actionable Recommendations
Context-specific steps tailored to your leak's characteristics and confidence level.
Memory Monitoring Checkpoints
Sentinel tracks memory usage at critical points throughout each WordPress request lifecycle. This checkpoint-based monitoring allows precise identification of when and where memory consumption occurs.
Memory Lifecycle Table
| Stage | When It Happens | What It Measures |
|---|---|---|
| Request Start | Beginning of page load | Baseline memory usage before WordPress initialization |
| WP Loaded | After WordPress core is loaded | Memory consumed during WordPress initialization |
| Plugins Loaded | After all plugins are activated | Memory impact of active plugins |
| Theme Loaded | During theme initialization | Memory consumed by theme functions and assets |
| Scripts Enqueued | When JavaScript/CSS files are loaded | Memory used by enqueued assets |
| Template Redirect | Before page template renders | Memory usage before content generation |
| Shutdown | End of request | Final memory usage, peak consumption, and leak detection |
Memory Hog Identification
Sentinel automatically identifies operations that consume more than 1MB of memory between checkpoints. These “memory hogs” are flagged in leak reports and help pinpoint the exact source of excessive memory usage. Common culprits include large image processing, bulk database queries, and unoptimized data exports.
Memory Insights Dashboard Widget
Sentinel includes a Memory Insights widget on your WordPress Dashboard that provides real-time memory monitoring and leak detection summaries. This widget appears automatically for administrators and updates dynamically.
Current Memory Usage
Displays current memory consumption as both absolute value and percentage of PHP memory limit.
Peak Memory Tracking
Shows the highest memory usage during the current request, helping identify memory spikes.
Memory Limit Display
Shows your PHP memory limit setting so you can see how close you are to the limit.
Performance Insights
AJAX-powered recommendations based on recent memory usage patterns and detected issues.
Top Memory Hogs
Lists the operations consuming the most memory, helping you identify optimization opportunities.
Quick Refresh
Manual refresh button to update insights without reloading the entire dashboard page.
The widget analyzes your last 20 requests to provide trend-based recommendations. If more than 30% of recent requests exceed your memory threshold, Sentinel will suggest adjusting your threshold settings to reduce alert noise while still catching critical spikes.
Automatic Memory Optimization
When memory usage reaches critical levels (exceeding your configured threshold), Sentinel automatically attempts optimization to prevent crashes and maintain site stability.
Automatic Optimization Actions
Remove Expired Transients
Automatically deletes expired WordPress transients that are consuming memory unnecessarily.
Clear Object Cache
If object caching is enabled, Sentinel flushes the cache to free memory immediately.
Set Memory Limit Flag
Sets an internal flag to help other plugins and themes optimize their memory usage.
Log Optimization Event
Records the optimization attempt in your activity logs for review and analysis.
Optimization Limitations
Automatic optimization can only do so much. If memory usage consistently reaches critical levels, you should increase your PHP memory limit or investigate the root cause of excessive memory consumption. Automatic optimization is a temporary measure, not a permanent solution.
Configuring Memory Thresholds
You can configure when Sentinel considers memory usage to be problematic. The memory threshold setting determines the percentage of your PHP memory limit that triggers warnings and automatic optimization.
Setting Your Memory Threshold
Navigate to Settings
Go to Sentinel → Settings and click the Performance tab.
Find Memory Settings
Locate the Memory Monitoring section in the Performance options.
Adjust Threshold
Set the Memory usage threshold slider to your desired percentage (default: 80%). Lower values trigger alerts sooner, while higher values reduce alert frequency.
Enable Leak Detection
Check Enable memory leak detection to activate automated leak detection (Sentinel+ only).
Save Settings
Click Save Changes to apply your new threshold settings.
Memory Threshold Settings
| Threshold Setting | When Alerts Trigger | Best For |
|---|---|---|
| 60 – 70% | Early warning before problems occur | Sites with limited memory or shared hosting |
| 75 – 80% | Balanced monitoring (default) | Most WordPress sites and typical hosting |
| 85 – 90% | Only critical issues trigger alerts | High-memory environments or sites with predictable usage |
| 90%+ | Extreme situations only | Dedicated servers with abundant resources |
Threshold Best Practices
Start with the default 80% threshold and monitor your alerts for 1-2 weeks. If you receive too many alerts, increase the threshold by 5-10%. If you experience memory-related crashes before alerts trigger, decrease the threshold. The Memory Insights widget will suggest threshold adjustments if more than 30% of requests exceed your current setting.
Interpreting Confidence Scores
Sentinel’s confidence scoring algorithm evaluates multiple factors to determine how likely it is that a detected pattern represents a real memory leak versus normal memory fluctuations.
| Confidence Factor | Weight | How It's Calculated |
|---|---|---|
| Consistency Ratio | 40% | Percentage of requests showing consistent memory increases (higher = more confident) |
| Positive Increase Ratio | 60% | Percentage of requests with memory increases over 1MB (more increases = higher confidence) |
| Size Bonus | Up to +30% | Additional confidence for very large memory increases (>10MB = +20%, >20MB = +30%) |
The final confidence score combines these factors. A score of 70% means Sentinel is 70% confident this is a real leak. Scores above 90% indicate very high confidence and require immediate investigation. Scores below 70% are filtered out to prevent false positive alerts.
Privacy Settings
Sentinel provides comprehensive privacy and data protection features to help you comply with GDPR, CCPA, and other data protection regulations while maintaining effective security monitoring.
Legal Disclaimer
These tools help facilitate compliance with data protection regulations, but you are responsible for ensuring your implementation meets all applicable legal requirements in your jurisdiction. Consider consulting with legal professionals for compliance verification.
IP Anonymization
Sentinel’s intelligent anonymization system masks personally identifiable data in security logs while preserving analytical value for security monitoring and traffic analysis.
How IP Anonymization Works
When triggered (either automatically through deletion requests or manually via admin tools), Sentinel processes IP addresses using a sophisticated masking system:
| Address Type | Original Format | Anonymized Format | Preserved Information |
|---|---|---|---|
| IPv4 | 192.168.55.200 | 192.168.xxx.xxx | Network/subnet identification |
| IPv6 | 2001:db8::1234:5678 | 2001:db8::xxxx:xxxx | Network prefix for geolocation |
| Masked | 10.0.xxx.xxx | 10.0.xxx.xxx | No changes (prevents double-masking) |
Smart Processing
Sentinel automatically detects already-anonymized IP addresses to prevent double-processing and maintain data integrity.
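The masking rules in the table above, written out as an added example (not Sentinel's own code). The `invalid` placeholder and the handling of IPv4-mapped IPv6 addresses are assumptions made for this sketch, and the log rows are constructed.

```python
import ipaddress
import re

# Shapes produced by the masking step, used to recognise already-masked values.
MASKED_V4 = re.compile(r"^\d{1,3}\.\d{1,3}\.xxx\.xxx$")
MASKED_V6 = re.compile(r"^[0-9A-Fa-f:]*:xxxx:xxxx$")
INVALID = "invalid"  # placeholder chosen for this example (assumption)


def anonymize_ip(value):
    """Return the address with its host part masked, in the table's format."""
    value = value.strip()
    if MASKED_V4.match(value) or MASKED_V6.match(value):
        return value  # already masked: leave untouched (no double-masking)
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return INVALID  # never keep an unparseable value unmasked
    if ip.version == 6 and ip.ipv4_mapped is not None:
        # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack host (assumption:
        # mask it as IPv4 so the same client always maps to the same value).
        ip = ip.ipv4_mapped
    if ip.version == 4:
        first, second, _, _ = str(ip).split(".")
        return f"{first}.{second}.xxx.xxx"
    # IPv6: force the last two groups to ffff so they can never be swallowed by
    # the "::" zero compression, then swap them for the mask.
    forced = ipaddress.IPv6Address(int(ip) | 0xFFFFFFFF)
    return str(forced)[: -len("ffff:ffff")] + "xxxx:xxxx"


def anonymize_rows(rows):
    """Mask the 'ip' field of each log row; return (new_rows, rows_changed)."""
    changed = 0
    out = []
    for row in rows:
        masked = anonymize_ip(row["ip"])
        changed += masked != row["ip"]
        out.append({**row, "ip": masked})
    return out, changed


# Constructed sample rows (documentation and private address ranges only).
SAMPLE_ROWS = [
    {"event": "user_login", "ip": "192.168.55.200"},
    {"event": "failed_login_attempt", "ip": "2001:db8::1234:5678"},
    {"event": "user_login", "ip": "10.0.xxx.xxx"},           # already masked
    {"event": "user_login", "ip": "::ffff:192.168.55.200"},  # IPv4-mapped
]

if __name__ == "__main__":
    rows, changed = anonymize_rows(SAMPLE_ROWS)
    for row in rows:
        print(row)
    print("rows changed:", changed)
```

Because the first two IPv4 octets survive, every host in the same /16 collapses to one value, so masked logs still support per-network analysis but can no longer separate individual clients.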
Anonymization Benefits
Privacy Protection
Removes personally identifiable information while maintaining security monitoring capabilities
Analytics Preservation
Keeps network-level data intact for traffic analysis and security pattern detection
Compliance Ready
Meets GDPR Article 4 requirements for data anonymization and pseudonymization
Security Controls
Sentinel+ provides advanced security controls that enable intelligent threat detection, automated response actions, and sophisticated IP management. These features transform Sentinel from a monitoring tool into an active security protection system.
Sentinel+ Feature
Advanced security controls require a premium license. Includes intelligent threat detection, automated response actions, IP allowlist management, and incident handling.
Security Response Mode
Configure how Sentinel+ responds to detected security threats using the intuitive 3-way toggle control. This setting determines the system’s behavior when thresholds are exceeded.
| Response Mode | Behavior | Use Case | Recommendation |
|---|---|---|---|
| Observe Only | Log security incidents without taking automated action | Testing and baseline establishment | Start here for new installations |
| Throttle Threats | Add configurable delays to suspicious login attempts | Slowing down attacks while preserving access | Good balance of security and usability |
| Block Threats | Temporarily block IP addresses that exceed thresholds | Maximum protection for high-risk environments | Recommended for production sites |
Best Practice
Start with “Observe Only” mode for 1-2 weeks to establish baseline behavior and avoid blocking legitimate users. Monitor the incident log to tune thresholds before enabling active protection.
Detection Thresholds
Configure sensitivity levels for different types of security threats. These settings determine when Sentinel+ considers an activity suspicious enough to trigger an incident.
Brute Force Detection
Monitors repeated login failures from the same IP address within a specified time window.
| Setting | Default | Range | Description |
|---|---|---|---|
| Failed Attempts | 5 | 3 - 20 | Number of failed login attempts before triggering incident |
User Enumeration Detection
Detects attempts to discover valid usernames through login form probing or author page scanning.
| Setting | Default | Range | Description |
|---|---|---|---|
| Enumeration Attempts | 10 | 5 - 50 | Number of username discovery attempts before incident |
| Detection Window | 10 minutes | 5 - 60 minutes | Time period for counting enumeration attempts |
XML-RPC Protection
Monitors XML-RPC endpoint for abuse including brute force attacks and DDoS attempts.
| Setting | Default | Range | Description |
|---|---|---|---|
| Request Limit | 20 | 10 - 100 | Maximum XML-RPC requests before incident |
| Time Period | 5 minutes | 5 - 60 minutes | Window for counting XML-RPC requests |
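How the three thresholds above behave on a stream of authentication events, as an added example (not Sentinel's code). It is a per-IP sliding-window counter run over constructed events. Assumptions: the brute-force window of 10 minutes (the table gives none), an incident opening when the count reaches the threshold, and the event tuple layout.

```python
from collections import defaultdict, deque

# Thresholds and windows from the tables above; windows are in seconds.
RULES = {
    "brute_force": {"threshold": 5, "window": 600},    # window is an assumption
    "enumeration": {"threshold": 10, "window": 600},   # distinct usernames
    "xmlrpc_flood": {"threshold": 20, "window": 300},
}
# Which rules each event kind feeds (event kinds are names made up for this example).
KIND_TO_RULES = {
    "login_failed": ("brute_force", "enumeration"),
    "xmlrpc": ("xmlrpc_flood",),
}


def detect_incidents(events, rules=RULES):
    """events: iterable of (ts_seconds, ip, kind, username).

    Returns {(ip, rule): ts of the event that first reached the threshold}.
    """
    windows = defaultdict(deque)  # (ip, rule) -> deque of (ts, username)
    incidents = {}
    for ts, ip, kind, username in sorted(events, key=lambda e: e[0]):
        for rule in KIND_TO_RULES.get(kind, ()):
            cfg = rules[rule]
            window = windows[(ip, rule)]
            window.append((ts, username))
            # Drop events that have aged out of the detection window.
            while window and window[0][0] <= ts - cfg["window"]:
                window.popleft()
            if rule == "enumeration":
                score = len({name for _, name in window})  # distinct usernames
            else:
                score = len(window)                         # raw request count
            if score >= cfg["threshold"]:
                incidents.setdefault((ip, rule), ts)        # one incident per IP and type
    return incidents


def build_sample_events():
    """Constructed traffic using documentation address ranges (RFC 5737)."""
    events = []
    # Five quick failures against one account: brute force.
    events += [(t, "203.0.113.10", "login_failed", "admin") for t in range(0, 150, 30)]
    # Ten different usernames in nine minutes: enumeration (and brute force on the way).
    events += [(i * 60, "198.51.100.7", "login_failed", f"user{i}") for i in range(10)]
    # A user mistyping a password six times across 75 minutes: stays below every threshold.
    events += [(t, "192.0.2.44", "login_failed", "editor") for t in range(0, 5400, 900)]
    # Twenty XML-RPC calls in about three minutes: flood.
    events += [(t, "203.0.113.99", "xmlrpc", None) for t in range(0, 200, 10)]
    # Twenty-five XML-RPC calls spread over 48 minutes: normal client.
    events += [(t, "192.0.2.80", "xmlrpc", None) for t in range(0, 3000, 120)]
    return events


if __name__ == "__main__":
    for (ip, rule), ts in sorted(detect_incidents(build_sample_events()).items()):
        print(f"{ip:15} {rule:13} first triggered at t={ts}s")
```

The slow clients show why the window matters as much as the count: 192.0.2.44 fails six times in total yet never has more than one failure inside any 10-minute window.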
IP Allowlist Management
Configure IP addresses and ranges that should bypass all authentication limits and security checks. This is essential for preventing lockouts of legitimate users and systems.
Allowlist Configuration
Enter IP addresses or CIDR ranges in the allowlist textarea, one per line. Supports both individual IPs and network ranges:
# Office network
192.168.1.0/24
# VPN server
203.0.113.5
# CDN ranges
198.51.100.0/24
203.0.113.0/24
# Localhost variants
127.0.0.1
::1
CIDR Notation Examples
| CIDR Range | Covers | Common Use |
|---|---|---|
| 192.168.1.0/24 | 192.168.1.1 - 192.168.1.254 | Office network |
| 10.0.0.0/8 | 10.0.0.1 - 10.255.255.254 | Large private network |
| 172.16.0.0/16 | 172.16.0.1 - 172.16.255.254 | Corporate VPN |
| 203.0.113.5 | 203.0.113.5 only | Single server IP |
Security Note
Be cautious when allowlisting broad IP ranges. Overly permissive allowlists can compromise security. Regularly review and audit your allowlist entries.
Response Settings
Configure how Sentinel+ responds when security incidents are detected based on the selected response mode.
Throttle Response
When “Throttle Threats” mode is active, add configurable delays to suspicious requests:
| Setting | Default | Range | Purpose |
|---|---|---|---|
| Throttle Delay | 3 seconds | 1-10 seconds | Delay added to suspicious login attempts |
Block Response
When “Block Threats” mode is active, temporarily block IP addresses that exceed thresholds:
| Setting | Default | Options | Recommendation |
|---|---|---|---|
| Block Duration | 1 hour | 5 minutes - 24 hours | Start with shorter durations, increase as needed |
Admin Trust Mode
Reduce false positives by temporarily bypassing security checks for admin users after successful authentication.
| Setting | Default | Options | Description |
|---|---|---|---|
| Trust Admin IPs | Disabled | Enabled / Disabled | Bypass detection for admin IPs after successful login |
| Trust Duration | 24 hours | 1 - 24 hours | How long to trust admin IPs after authentication |
Use Case
Admin Trust Mode is particularly useful for administrators who frequently trigger detection thresholds through legitimate administrative activities.
Incident Management
Configure automatic incident resolution and notification rate limiting to prevent alert fatigue while maintaining security awareness.
| Setting | Default | Options | Purpose |
|---|---|---|---|
| Auto-resolve Incidents | 6 hours | 30 minutes - 24 hours | Automatically resolve incidents after specified time |
| Notification Cooldown | 30 minutes | 5 minutes - 1 hour | Minimum time between duplicate incident notifications |
Viewing & Managing Security Incidents
When Sentinel+ detects security threats through the authentication counter system, it creates formal incident records that require investigation and resolution. The Incidents page provides a centralized interface for viewing, analyzing, and managing all detected security events in real-time.
Sentinel+ Exclusive
The Incidents system is exclusive to Sentinel+. Free users can view authentication events in activity logs, but only Sentinel+ creates structured incident records with confidence scoring, automatic resolution, and centralized management.
Accessing the Incidents Page
Navigate to the Incidents management interface through the WordPress admin sidebar.
Navigate to Sentinel → Incidents in WordPress admin
The Incidents page displays all detected security threats with filtering, sorting, and bulk actions.
View the Incidents Dashboard Widget
A summary widget on the main WordPress dashboard shows recent incident statistics for quick monitoring.
Incident Types
Sentinel+ detects three primary types of security incidents, each indicating different attack patterns and requiring specific responses.
| Incident Type | Detection Trigger | Default Threshold | What It Means |
|---|---|---|---|
| Brute Force Attack | Failed login attempts from single IP | 5 attempts | Attacker attempting to guess passwords through repeated login failures |
| Username Enumeration | Distinct usernames attempted from single IP | 10 usernames | Attacker probing for valid usernames to target in future attacks |
| XML-RPC Flood | XML-RPC requests from single IP | 20 requests | Automated attack targeting XML-RPC endpoint for brute force or DDoS |
Understanding Incident Records
Each incident record contains comprehensive forensic data to help you assess threat severity and take appropriate action.
IP Address
The source IP address where the attack originated. Can be used for blocking, allowlisting, or external threat intelligence lookups.
Incident Type
The specific attack pattern detected (brute force, enumeration, or XML-RPC flood).
Confidence Level
Threat certainty rating (Low, Medium, High) that escalates as the incident repeats. Higher confidence indicates stronger evidence of malicious intent.
First Seen / Last Seen
Timestamps showing when the incident was first detected and most recently updated. Long-running incidents indicate persistent attacks.
Event Count
Number of times this IP triggered the same incident type. Higher counts indicate sustained attack attempts.
Status
Current incident state: Open (active threat) or Resolved (threat addressed or auto-expired).
Source
Authentication entry point used in the attack (wp-login, REST API, XML-RPC, WooCommerce, etc.).
Confidence Level Escalation
Sentinel+ automatically increases incident confidence as attacks persist, helping you prioritize the most dangerous threats.
Low Confidence
Initial detection. May be legitimate user errors or isolated probes. Monitor but don't panic.
Medium Confidence
Repeated violations. Clear pattern of suspicious activity. Investigate and consider throttling.
High Confidence
Sustained attack confirmed. Strong evidence of malicious intent. Block immediately.
Incident Resolution
Incidents can be resolved manually or automatically based on your configuration preferences.
Automatic Resolution
By default, Sentinel+ automatically resolves incidents after 6 hours of inactivity. This prevents the Incidents page from becoming cluttered with old threats while keeping active attacks visible.
1. Navigate to Sentinel → Settings
2. Go to Security Controls tab
3. Find "Incident Management" section
4. Set "Incident Auto-Resolve Duration" (default: 6 hours)
5. Save changes
Manual Resolution
Resolve incidents manually when you’ve investigated the threat and determined it no longer requires monitoring or has been permanently blocked.
Open the Incidents page (Sentinel → Incidents)
View the list of all open and resolved incidents with full details.
Click "Resolve" next to an incident
Marks the incident as resolved and removes it from the active incidents list.
Use bulk actions to resolve multiple incidents
Select multiple incidents and choose “Resolve Selected” to process threats in batches.
Important
Resolving an incident does NOT block the IP address. It only marks the incident record as handled. If you want to prevent future attacks from this IP, add it to the blocklist manually or enable Block Threats mode in Security Response settings.
Investigating Incidents
When an incident is detected, follow this investigation workflow to assess threat severity and take appropriate action.
Check the IP address reputation
Use external threat intelligence services (AbuseIPDB, IPVoid) to determine if this IP has a history of malicious activity.
Review the authentication source
Determine if attacks are coming through wp-login, XML-RPC, REST API, or WooCommerce to identify vulnerable entry points.
Examine attempted usernames
Check if the attacker is targeting actual user accounts or common default names like "admin" or "test".
Check confidence level and event count
High confidence and high event counts indicate persistent, sophisticated attacks requiring immediate action.
Verify legitimate user isn't locked out
Ensure the incident isn't caused by a real user with forgotten passwords, especially if using common usernames.
Take action based on findings
Block the IP, adjust thresholds, enable throttling, or resolve the incident if determined to be benign.
Dashboard Widget
Sentinel+ adds a real-time incidents widget to the main WordPress dashboard, providing at-a-glance security monitoring without leaving your admin home.
Open Incidents Count
Number of active security threats requiring attention.
24-Hour Incident Summary
New incidents detected in the last day with breakdown by type.
Quick Actions
Direct links to view all incidents, adjust security settings, or review activity logs.
Best Practices
Follow these guidelines for effective incident management and security monitoring.
Review incidents daily
Check the Incidents page or dashboard widget daily to catch persistent attacks early and adjust security settings proactively.
Prioritize high-confidence incidents
Focus investigation efforts on High confidence incidents first, as these represent confirmed threats requiring immediate action.
Don't over-block
Not every Low confidence incident requires blocking. Investigate first to avoid blocking legitimate users experiencing password issues.
Tune your thresholds
If receiving too many false positives, increase detection thresholds. If attacks slip through, decrease them.
Enable email notifications
Configure incident email alerts to receive immediate notification of security threats without checking the dashboard constantly.
Troubleshooting
Common issues and solutions for incident management.
No incidents are being created
Issue: Failed login attempts are appearing in activity logs, but no incidents are being generated in the Incidents page.
Verify Sentinel+ is active and your license is valid. Check that Security Response Mode is not disabled; incidents are only created when authentication counter thresholds are enabled. Review your brute force threshold, enumeration threshold, and XML-RPC threshold settings to ensure they’re configured appropriately. If thresholds are set too high (e.g., brute force = 100), real attacks may not trigger incident creation. Default values are: brute force (5), enumeration (10), XML-RPC (20).
Incidents auto-resolve too quickly
Issue: Incidents are automatically resolving before I have time to investigate them, making it difficult to track ongoing attacks.
Navigate to Sentinel → Settings → Security Controls → Incident Management and increase the Incident Auto-Resolve Duration setting. The default is 6 hours, but you can extend it to 12, 24, or 48 hours based on your investigation workflow. For high-traffic sites with dedicated security teams, 6 hours is usually sufficient. For smaller teams, 24 hours provides better coverage.
Dashboard widget not appearing
Issue: The Sentinel Incidents widget is not visible on my WordPress dashboard, even though I have Sentinel+ activated.
Check Screen Options at the top-right of the dashboard and ensure the Sentinel Incidents widget is enabled. Verify your user role has manage_options capability—only administrators can see security widgets by default. If using custom roles, ensure the role includes Sentinel dashboard widget permissions. Clear your browser cache and WordPress object cache if the widget was recently added.
Troubleshooting Security Controls
Common issues and solutions for security control configuration and operation.
Why are legitimate users getting blocked?
Common causes:
- Detection thresholds set too low for normal usage patterns
- Admin or power users not included in IP allowlist
- Shared IP addresses from office or corporate networks
- VPN or proxy services triggering multiple user detection
Solutions:
- Add office/VPN IP ranges to allowlist using CIDR notation (e.g., 192.168.1.0/24)
- Enable Admin Trust Mode for administrative users
- Increase detection thresholds gradually while monitoring incidents
- Start with “Observe Only” mode for 1-2 weeks to establish usage baselines
Why isn't my IP allowlist working?
Common causes:
- Incorrect CIDR notation formatting
- Leading or trailing whitespace in IP entries
- Mixing IPv4 and IPv6 formats incorrectly
- Using ranges that don’t include your actual IP address
Solutions:
- Validate CIDR notation using online calculators before adding
- Use one IP address or range per line with no extra spaces
- Test with single IP addresses first before using broad ranges
- Check the incident log to see if your IP is being flagged incorrectly
- Check that your public IP hasn’t changed (dynamic IPs)
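An offline check for the causes listed above and for the allowlist format described under Allowlist Configuration, as an added example (not part of Sentinel). It parses the textarea contents, reports malformed or over-broad entries, and tells you which entry, if any, covers a given address. The "broad" cut-offs (wider than /16 for IPv4, wider than /48 for IPv6) are review thresholds chosen for this sketch, and the sample allowlist is constructed.

```python
import ipaddress

# Review thresholds chosen for this example (assumption, not a Sentinel setting).
BROAD_PREFIX = {4: 16, 6: 48}


def parse_allowlist(text):
    """Return (networks, findings); findings are (line_no, kind, detail) tuples."""
    networks, findings = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        if raw != entry:
            findings.append((line_no, "whitespace", repr(raw)))
        try:
            # strict=True rejects host bits set in a range, e.g. 192.168.1.5/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append((line_no, "invalid", f"{entry}: {exc}"))
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would exempt every client from every check.
            findings.append((line_no, "matches-everything", entry))
            continue
        if net.prefixlen < BROAD_PREFIX[net.version]:
            findings.append((line_no, "broad", f"{entry} covers {net.num_addresses} addresses"))
        networks.append(net)
    return networks, findings


def matching_entry(networks, address):
    """Return the first allowlist network containing address, or None."""
    ip = ipaddress.ip_address(address.strip())
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


# Constructed allowlist: entries from the page's sample plus typical mistakes.
SAMPLE_ALLOWLIST = "\n".join([
    "# Office network",      # line 1
    "192.168.1.0/24",        # line 2
    "# VPN server",          # line 3
    "203.0.113.5",           # line 4
    "  198.51.100.0/24 ",    # line 5: stray whitespace
    "192.168.1.5/24",        # line 6: host bits set
    "10.0.0.0/8",            # line 7: very broad
    "0.0.0.0/0",             # line 8: matches everything
    "203.0.113.300",         # line 9: not an address
    "::1",                   # line 10
])

if __name__ == "__main__":
    nets, findings = parse_allowlist(SAMPLE_ALLOWLIST)
    for line_no, kind, detail in findings:
        print(f"line {line_no}: {kind}: {detail}")
    for probe in ("192.168.1.77", "203.0.113.6"):
        print(probe, "->", matching_entry(nets, probe))
```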
I'm getting too many false positive incidents. How do I reduce them?
Common causes:
- Detection thresholds too sensitive for your site’s normal traffic
- Normal user behavior patterns not accounted for
- Automated systems, bots, or monitoring tools included in detection
- Mobile users or shared connections triggering multi-user scenarios
Solutions:
- Increase thresholds gradually while monitoring incident patterns
- Add known service IPs (monitoring, CDN, backup services) to allowlist
- Use longer detection windows for better accuracy (10-15 minutes instead of 5)
- Enable notification cooldown to reduce alert frequency
- Review incident logs to identify patterns before adjusting settings
Security controls aren't activating - incidents logged but no action taken?
Common causes:
- Security Response Mode still set to “Observe Only”
- All or most traffic being allowlisted unintentionally
- Detection thresholds set too high to ever trigger
- Premium license not active for advanced security features
Solutions:
- Verify response mode is set to “Throttle Threats” or “Block Threats”
- Review allowlist entries for overly broad ranges (avoid 0.0.0.0/0)
- Lower thresholds temporarily to verify system operation
- Check incident log for “action taken” vs “observed only” entries
- Confirm Sentinel+ license is active and validated
How can I test if security controls are working?
Safe testing methods:
- Check the Activity Log for allowlist bypass confirmations
- Check the Incident Log for recent security events and actions taken
- Temporarily lower thresholds and monitor for expected incidents
- Review activity logs for throttling delays or blocked requests
Testing tips:
- Start testing in “Observe Only” mode to see detection without blocking
- Use a different device or network for controlled testing
- Monitor debug logs for security control activation messages
- Test during low-traffic periods to minimize impact on real users
Data Deletion Request
Since v1.1.0
Implement GDPR “Right to be Forgotten” functionality using the [sentinel_data_deletion_request] shortcode.
Overview
The data deletion request feature allows users to request the removal of their personal data from Sentinel’s logs and databases, helping you comply with GDPR Article 17 (Right to Erasure).
GDPR Compliance
This feature helps satisfy the “Right to be Forgotten” requirement under GDPR, allowing users to request deletion of their personal data.
Implementation
Add the shortcode to any page where users can request data deletion:
// Add to your privacy policy page or dedicated deletion request page
[sentinel_data_deletion_request]
What Gets Deleted
When a user requests data deletion, Sentinel will remove the following data:
User Activity Logs
Account Events
user_login
Login/logout attempts
profile_updated
Profile changes
post_created
Content creation and edits
comment_posted
Comment activities
Personal Information
PII Data
ip_address
IP addresses (if not anonymized)
user_agent
User agent strings
session_data
Session data
custom_metadata
Custom user metadata
Administrative Data
System Records
deletion_request
Deletion request records
audit_trail
Audit trail entries
notification_prefs
Notification preferences
user_settings
User-specific settings
Important
Data deletion is permanent and cannot be undone. Consider implementing a confirmation step and backup procedures.
Best Practices
Follow these guidelines when implementing data deletion requests:
Clear Communication
Explain what data will be deleted and the implications of the deletion request
Verification Process
Implement proper user verification to prevent unauthorized deletion requests
Confirmation Step
Require explicit confirmation before proceeding with data deletion
Audit Trail
Maintain records of deletion requests for compliance and security purposes
Legal Compliance
Ensure your implementation meets all applicable data protection regulations in your jurisdiction. Consider consulting with legal professionals for compliance verification.
File Monitoring
Monitor critical WordPress files for unauthorized changes with Sentinel’s file integrity monitoring system. Detect potential security breaches by tracking modifications to important system files.
Available in Sentinel Basic:
Core file monitoring with scheduling, exclusions, and alert thresholds. Sentinel+ adds custom files, theme/plugin monitoring, and real-time detection.
Overview
File monitoring tracks changes to critical WordPress files using MD5 hash verification. When files are modified, Sentinel logs the event with detailed information about the change.
Hash-based Detection
Smart File Exclusions
Flexible Scheduling
Alert Thresholds
Custom File Paths (Sentinel+)
Theme File Monitoring (Sentinel+)
Plugin File Monitoring (Sentinel+)
Real-time Monitoring (Sentinel+)
How File Monitoring Works
Sentinel’s file monitoring system works through a simple but effective process:
Initial Hash Creation
When file monitoring is enabled, Sentinel creates MD5 hashes of monitored files and stores them as baseline values.
Daily Verification
Every day, Sentinel recalculates the hashes of monitored files and compares them against the stored baseline values.
Change Detection
When a hash mismatch is detected, Sentinel logs the change event with file details and size changes.
Baseline Update
After logging the change, Sentinel updates the stored hash with the new file state for future comparisons.
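The four steps above as a small stand-alone monitor, added here as an example (not Sentinel's implementation). It uses SHA-256 where the page says Sentinel uses MD5, applies the default exclusion patterns from the settings table, and works on constructed files in a temporary directory. Function names and the event layout are assumptions.

```python
import fnmatch
import hashlib
import os
import tempfile

DEFAULT_EXCLUDES = ("*.log", "*.tmp", "*.cache")  # defaults from the settings table


def file_state(path, algo="sha256"):
    """Hash a file in chunks and return its digest and size."""
    digest, size = hashlib.new(algo), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"hash": digest.hexdigest(), "size": size}


def is_excluded(path, patterns=DEFAULT_EXCLUDES):
    return any(fnmatch.fnmatch(os.path.basename(path), p) for p in patterns)


def build_baseline(paths):
    """Step 1: store a baseline hash for every monitored, non-excluded file."""
    return {p: file_state(p) for p in paths if os.path.isfile(p) and not is_excluded(p)}


def verify(baseline):
    """Steps 2-4: re-hash, report mismatches, then accept the new state as baseline."""
    events = []
    for path, old in list(baseline.items()):
        if not os.path.isfile(path):
            events.append({"path": path, "change": "missing"})
            continue
        new = file_state(path)
        if new["hash"] != old["hash"]:
            delta = new["size"] - old["size"]
            summary = f"{delta:+d} bytes" if delta else "same size - content changed"
            events.append({"path": path, "change": "modified", "summary": summary})
            baseline[path] = new  # baseline update: this change is reported only once
    return events


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Run baseline plus three checks over constructed files; return the results."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "wp-config.php")
        hta = os.path.join(root, ".htaccess")
        log = os.path.join(root, "debug.log")
        _write(cfg, b"define('DB_NAME', 'site');\n")
        _write(hta, b"Options -Indexes\n")
        _write(log, b"")
        baseline = build_baseline([cfg, hta, log])
        tracked = sorted(os.path.basename(p) for p in baseline)
        first = verify(baseline)                      # nothing changed yet
        _write(cfg, b"define('DB_NAME', 'site');\n// added line\n")
        _write(hta, b"Options +Indexes\n")            # same length, different content
        _write(log, b"noise\n")                       # excluded, never reported
        second = [(os.path.basename(e["path"]), e["summary"]) for e in verify(baseline)]
        third = verify(baseline)                      # baseline already updated
        return tracked, first, second, third


if __name__ == "__main__":
    print(demo())
```

The third check returns nothing: once the baseline is updated, the logged event is the only remaining record of the modification, so the activity log has to be reviewed and retained.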
Setup & Configuration
Configure file monitoring through the Sentinel settings page:
1. Navigate to Sentinel → Settings
2. Go to 'Privacy & Security' tab
3. Enable 'File Monitoring'
4. Configure monitoring frequency
5. Set up custom files (Sentinel+)
6. Save settings
| Setting | Description | Default | Sentinel+ Feature |
|---|---|---|---|
| Critical File Monitoring | Monitor wp-config.php and .htaccess for changes | Disabled | No |
| Monitor Custom File Paths | Monitor additional files beyond core WordPress files | Disabled | Yes |
| Monitor Active Theme Files | Monitor functions.php and style.css of active theme | Disabled | Yes |
| Monitor Critical Plugin Files | Monitor important plugin files for changes | Disabled | Yes |
| Real-time File Monitoring | Immediate detection of file changes (resource intensive) | Disabled | Yes |
| Monitoring Frequency | How often to check files (hourly, twice daily, daily, weekly) | Daily | No |
| Exclude Log Files | Prevent monitoring of debug.log, error.log, etc. (prevents recursion) | Enabled | No |
| Custom Exclusion Patterns | File patterns to exclude (*.log, *.tmp, *.cache) | *.log, *.tmp, *.cache | No |
| Alert Threshold | Minimum file size change in bytes to trigger alerts | 10 bytes | No |
Monitored Files
Sentinel monitors different types of files based on your configuration:
Core WordPress Files (Free)
2 Files
wp-config.php
WordPress configuration file
.htaccess
Server configuration file
Sentinel+ Features
Monitor custom file paths, active theme files (functions.php, style.css), critical plugin files, and enable real-time monitoring for immediate change detection.
Custom File Path Examples
# Theme files
wp-content/themes/your-theme/functions.php
wp-content/themes/your-theme/style.css
# Plugin files
wp-content/plugins/important-plugin/plugin.php
# Server configs
/etc/apache2/sites-available/your-site.conf
/var/www/html/.htaccess
# Custom files
wp-content/uploads/critical-config.json
Understanding Alerts
When file changes are detected, Sentinel logs detailed information about the modification:
📋 Alert Information Includes
Each file monitoring alert provides comprehensive details to help you assess the significance and legitimacy of file changes:
- File Identity: Complete file name and full system path
- Change Summary: Detailed description (additions, deletions, modifications)
- Size Impact: Exact bytes added or removed from the file
- Timestamps: Previous and current modification times for comparison
- File Classification: Automatic categorization (core, theme, plugin, custom)
- Priority Assessment: Risk level based on file importance and location
💡 Pro Tip: Use the alert threshold setting to reduce noise from minor changes while keeping important modifications visible.
Event Details
| Event Type | Files Monitored | Priority | Description |
|---|---|---|---|
| file_modified | All monitored files | Critical | File monitoring system detected unauthorized changes to critical files |
Change Summary Examples
wp-config.php was modified (+156 bytes) - WordPress configuration file had moderate additions
.htaccess was modified (-23 bytes) - Server configuration file had minor deletions
custom-config.php was modified (same size - content changed) - Critical system file was modified (same size - content changed)
Best Practices
Follow these recommendations for effective file monitoring:
Enable Log File Exclusions
Always keep “Exclude Log Files” enabled to prevent recursive monitoring loops. This prevents debug.log from triggering continuous alerts.
Set Appropriate Alert Thresholds
Use the default 10-byte threshold to reduce noise from tiny file changes. Increase for high-traffic sites that frequently update files.
Choose the Right Monitoring Frequency
Daily monitoring is sufficient for most sites. Use hourly for critical production sites, weekly for development environments.
Use Custom Exclusions Wisely
Exclude cache files, temporary files, and frequently changing logs using patterns like *.cache, *.tmp, backup-*.zip.
Monitor Important Files Only
Focus on critical system files (wp-config.php, .htaccess). Use Sentinel+ for theme/plugin monitoring on development sites.
Use Real-time Monitoring Carefully
Real-time monitoring is resource intensive. Only enable it for critical files that rarely change and require immediate detection.
Troubleshooting
Common issues and solutions for file monitoring:
File monitoring not working
Issue: This issue typically occurs when file monitoring has been disabled in your Sentinel settings, or when the files you're trying to monitor don't exist or aren't readable by WordPress. It can also happen if your custom file paths are invalid or point to directories outside the allowed monitoring scope.
Check Sentinel settings in Privacy & Security tab, verify file paths exist and are readable by WordPress.
Too many false positives
Issue: You're receiving excessive alerts because your monitoring is detecting every tiny file change. This commonly happens when the alert threshold is set too low, when log files are being monitored (which creates a recursion loop), or when cache and temporary files trigger unnecessary alerts.
Debug log recursion (continuous alerts)
Issue: Sentinel is creating an endless loop of alerts where monitoring the debug.log file causes new log entries, which trigger more alerts. This happens when "Exclude Log Files" is disabled, debug.log is included in your custom monitoring paths, or your exclusion patterns aren't configured correctly.
Enable “Exclude Log Files” setting, remove debug.log from custom paths, add .log to exclusion patterns.
Theme/Plugin monitoring not working (Sentinel+)
Issue: The advanced theme and plugin file monitoring feature isn't detecting changes to your theme or plugin files. This occurs when the feature is disabled in settings, when theme or plugin files don't exist at the expected locations, or when your Sentinel+ license isn't active.
Verify Sentinel+ license is active, enable theme/plugin monitoring in settings, check that theme files exist.
Custom file paths not working
Issue: Sentinel isn't monitoring the custom file paths you've specified. This happens when paths are formatted incorrectly, when WordPress security restrictions prevent access, or when the files are located outside directories that Sentinel is allowed to monitor.
Use relative paths from WordPress root or absolute paths within allowed directories. Check debug logs for validation errors.
Debug Information
Enable WordPress debug logging to see detailed file monitoring information. Check your debug.log for entries starting with “[Sentinel] File Monitor:”.
Enhanced Diff Viewer (Sentinel+)
Sentinel+ includes an advanced diff viewer that shows exactly what changed in your files – similar to GitHub’s diff view. This premium feature goes beyond basic hash detection to provide detailed line-by-line comparisons.
Sentinel+ Feature
The enhanced diff viewer requires a premium license. Free users still receive file change notifications with hash verification, but only premium users can see the detailed changes.
How It Works
When a file is modified, Sentinel+ automatically:
- Creates baseline: Stores the original file content when first detected
- Generates diff: Compares current content with stored baseline
- Stores history: Maintains up to 10 recent changes per file
- Shows changes: Displays unified diff format with syntax highlighting
Using the Diff Viewer
The diff viewer appears in both the dashboard activity feed and the full logs view:
Locate File Change
Look for “File Modified” events in your activity logs. Premium users will see both “View Details” and “View Changes” buttons.
Open Diff Viewer
Click the “View Changes” button (code icon) to open the diff viewer. The viewer loads dynamically without refreshing the page.
Review Changes
The diff viewer shows:
- + Green lines: Added content
- – Red lines: Removed content
- Gray lines: Unchanged context
- Blue headers: File information and line numbers
Best Practices
- Regular Reviews: Check file changes weekly, especially on production sites
- Investigate Unknowns: Any unexpected changes should be investigated immediately
- Document Changes: Keep notes about legitimate changes for future reference
- Monitor Critical Files: Pay special attention to wp-config.php, .htaccess, and theme files
- Backup Before Changes: Use the diff viewer to verify changes before accepting them
Hooks & Filters
Sentinel provides several action hooks that allow developers to extend and integrate with its monitoring system. These hooks fire at key moments in the event lifecycle, enabling you to build custom integrations, notifications, and automation workflows.
Available Hooks
Sentinel currently provides 3 main action hooks for developers to extend functionality. These hooks allow you to respond to events being logged, security incidents, and event registrations.
Available Action Hooks
These are the actual hooks provided by Sentinel that you can use to extend functionality.
// Triggered after any event is successfully logged
// Parameters: $event_key (string), $event_data (array), $user_id (int)
add_action('sentinel_event_logged', 'my_event_handler', 10, 3);
function my_event_handler($event_key, $event_data, $user_id) {
    // Send critical security events to Slack
    $critical_events = ['failed_login_attempt', 'user_role_changed', 'plugin_activated'];
    if (in_array($event_key, $critical_events)) {
        $user = get_user_by('ID', $user_id);
        $username = $user ? $user->display_name : 'System';
        wp_remote_post('https://hooks.slack.com/your-webhook-url', [
            'body' => json_encode([
                'text' => sprintf('🚨 Security Event: %s by %s', $event_key, $username),
                'attachments' => [
                    [
                        'color' => 'danger',
                        'fields' => [
                            ['title' => 'Event', 'value' => $event_key, 'short' => true],
                            ['title' => 'User', 'value' => $username, 'short' => true],
                            ['title' => 'Data', 'value' => json_encode($event_data, JSON_PRETTY_PRINT)]
                        ]
                    ]
                ]
            ])
        ]);
    }
    // Log high-priority events to external monitoring service
    $priority_events = ['maintenance_mode_enabled', 'security_incident_opened', 'core_file_modified'];
    if (in_array($event_key, $priority_events)) {
        wp_remote_post('https://monitoring-service.com/api/events', [
            'headers' => [
                'Content-Type' => 'application/json',
                'Authorization' => 'Bearer ' . get_option('monitoring_api_key')
            ],
            'body' => json_encode([
                'source' => 'WordPress-Sentinel',
                'site' => get_site_url(),
                'event_type' => $event_key,
                'user_id' => $user_id,
                'data' => $event_data,
                'timestamp' => current_time('mysql')
            ])
        ]);
    }
}
// Triggered when a new event type is registered with Sentinel
// Parameters: $event_key (string), $config (array)
add_action('sentinel_event_registered', 'handle_new_event_registration', 10, 2);
function handle_new_event_registration($event_key, $config) {
    // Log when new custom events are registered
    error_log(sprintf(
        'New Sentinel event registered: %s (Category: %s, Priority: %s)',
        $event_key,
        $config['category'] ?? 'unknown',
        $config['priority'] ?? 'medium'
    ));
    // Automatically enable high-priority security events
    if (isset($config['category']) && $config['category'] === 'security') {
        if (isset($config['priority']) && in_array($config['priority'], ['high', 'critical'])) {
            // Ensure this security event is not disabled
            $disabled_events = get_option('sentinel_disabled_events', []);
            if (in_array($event_key, $disabled_events)) {
                $disabled_events = array_diff($disabled_events, [$event_key]);
                update_option('sentinel_disabled_events', $disabled_events);
            }
        }
    }
    // Notify administrators about new business-critical events
    if (isset($config['category']) && $config['category'] === 'business') {
        $admin_email = get_option('admin_email');
        wp_mail(
            $admin_email,
            'New Business Event Registered in Sentinel',
            sprintf(
                // Double quotes so that \n becomes a real line break
                "A new business event has been registered: %s\n\nDescription: %s\n\nThis event is now being monitored.",
                $event_key,
                $config['description'] ?? 'No description provided'
            )
        );
    }
}
// Triggered when a security incident notification is sent
// Parameters: $notification_data (array) containing incident details
add_action('sentinel_security_incident_notification', 'handle_security_incidents', 10, 1);
function handle_security_incidents($notification_data) {
    $incident_id = $notification_data['incident_id'] ?? 'unknown';
    $event = $notification_data['event'] ?? [];
    // Send immediate SMS alert for critical security incidents
    if (isset($event['priority']) && $event['priority'] === 'critical') {
        // Using a service like Twilio
        wp_remote_post('https://api.twilio.com/2010-04-01/Accounts/YOUR_ACCOUNT_SID/Messages.json', [
            'headers' => [
                'Authorization' => 'Basic ' . base64_encode('YOUR_ACCOUNT_SID:YOUR_AUTH_TOKEN')
            ],
            'body' => [
                'From' => '+1234567890',
                'To' => '+1987654321',
                'Body' => sprintf(
                    'CRITICAL SECURITY ALERT: Incident #%s detected on %s. Event: %s',
                    $incident_id,
                    get_site_url(),
                    $event['event_key'] ?? 'Unknown'
                )
            ]
        ]);
    }
    // Log to external security information and event management (SIEM) system
    wp_remote_post('https://your-siem-system.com/api/incidents', [
        'headers' => [
            'Content-Type' => 'application/json',
            'X-API-Key' => get_option('siem_api_key')
        ],
        'body' => json_encode([
            'source' => 'WordPress-Sentinel',
            'incident_id' => $incident_id,
            'site' => get_site_url(),
            'severity' => $event['priority'] ?? 'medium',
            'event_details' => $event,
            'timestamp' => current_time('c')
        ])
    ]);
    // Create ticket in support system for high-priority incidents
    if (in_array($event['priority'] ?? 'medium', ['high', 'critical'])) {
        wp_remote_post('https://support-system.com/api/tickets', [
            'headers' => [
                'Authorization' => 'Bearer ' . get_option('support_api_token'),
                'Content-Type' => 'application/json'
            ],
            'body' => json_encode([
                'title' => sprintf('Security Incident #%s - %s', $incident_id, $event['event_key'] ?? 'Unknown'),
                'description' => sprintf(
                    // Double quotes so that \n becomes a real line break
                    "Security incident detected by Sentinel monitoring system.\n\nIncident ID: %s\nSite: %s\nEvent: %s\nPriority: %s\n\nDetails: %s",
                    $incident_id,
                    get_site_url(),
                    $event['event_key'] ?? 'Unknown',
                    $event['priority'] ?? 'medium',
                    json_encode($event, JSON_PRETTY_PRINT)
                ),
                'priority' => $event['priority'] ?? 'medium',
                'category' => 'security'
            ])
        ]);
    }
}
Filter Hooks
Currently, Sentinel does not provide any filter hooks for modifying data or behavior. All extension points are provided through action hooks shown above.
Future Development
Filter hooks for data modification and behavior customization may be added in future versions based on developer feedback and requirements.
Functions
Useful functions for working with Sentinel programmatically.
Core Functions
Essential functions for integrating with Sentinel.
// Log an event
sentinel_log_event($event_type, $message, $user_id = null, $metadata = []);
// Get recent events
$events = sentinel_get_recent_events($limit = 10);
// Check if event type is enabled
$enabled = sentinel_is_event_enabled($event_type);
Classes
Object-oriented approach to working with Sentinel.
Main Classes
Core classes for advanced integration.
// Initialize logger
$logger = new Sentinel_Logger();
// Log an event
$logger->log($event_type, $message, $user_id, $metadata);
// Get events with filters
$events = $logger->get_events([
    'user_id' => 1,
    'event_type' => 'login',
    'date_from' => '2024-01-01'
]);
REST API
Access Sentinel data programmatically via REST API endpoints. The API provides read-only access to activity logs, statistics, and event configuration data for external integrations and monitoring tools.
Setup Required
REST API access must be enabled in Sentinel → Settings → Log Management → API Access before endpoints become available.
API Configuration
Enable and configure REST API access through the WordPress admin interface.
Enable API Access
Navigate to Sentinel → Settings → Log Management and check “Enable REST API access”
Test API Access
Verify endpoints are available at /wp-json/sentinel-plugin/v1/
No Authentication Required
Current implementation allows public access when API is enabled. In production environments, consider implementing additional authentication layers for security.
API Key Authentication
Generating API Keys
Navigate to Settings
Go to Sentinel → Settings in your WordPress admin.
Find API Key Section
Locate the “API Key” section below the License Key field
Generate Key
Click “Generate Key” to create a new API key, or “Regenerate” to replace an existing one
Authentication Methods
Include your API key in requests using either method:
HTTP header:
curl -H 'X-Sentinel-API-Key: YOUR_API_KEY_HERE' 'https://yoursite.com/wp-json/sentinel-plugin/v1/logs'
URL parameter:
https://yoursite.com/wp-json/sentinel-plugin/v1/logs?api_key=YOUR_API_KEY_HERE
Security Note
HTTP headers are more secure than URL parameters, which may be logged by web servers.
JavaScript Example
fetch('https://yoursite.com/wp-json/sentinel-plugin/v1/logs', {
    headers: {
        'X-Sentinel-API-Key': 'YOUR_API_KEY_HERE'
    }
})
    .then(response => response.json())
    .then(data => console.log('Logs:', data.logs));
Base URL & Namespace
All API endpoints use the following base structure
https://yoursite.com/wp-json/sentinel-plugin/v1/
API Namespace: sentinel-plugin/v1
Response Format: JSON
Available Endpoints
The following REST API endpoints are currently available:
| Endpoint | Method | Description |
|---|---|---|
| /logs | GET | Retrieve activity logs with filtering and pagination |
| /stats | GET | Get activity statistics and summary data |
| /events/types | GET | List all registered event types and configurations |
GET /logs
Retrieve activity logs with optional filtering and pagination support.
curl -X GET 'https://yoursite.com/wp-json/sentinel-plugin/v1/logs'
Query Parameters:
- limit (integer) – Number of logs to return. Default: 50, Max: 1000
- offset (integer) – Number of logs to skip. Default: 0
- event_key (string) – Filter by specific event type
- priority (string) – Filter by priority level (low, medium, high, critical)
- user_id (integer) – Filter by specific user ID
curl -X GET 'https://yoursite.com/wp-json/sentinel-plugin/v1/logs?event_key=user_login&limit=25&priority=high'
{
    "logs": [
        {
            "id": 123,
            "event_key": "user_login",
            "category": "authentication",
            "priority": "medium",
            "user_id": 1,
            "ip_address": "192.168.1.100",
            "url": "/wp-admin/",
            "data": {
                "username": "admin",
                "success": true
            },
            "created_at": "2024-01-15 10:30:45",
            "user": {
                "username": "admin",
                "display_name": "Administrator"
            }
        }
    ],
    "pagination": {
        "total": 1250,
        "limit": 50,
        "offset": 0,
        "pages": 25
    }
}
GET /stats
Retrieve summary statistics and activity breakdowns.
curl -X GET 'https://yoursite.com/wp-json/sentinel-plugin/v1/stats'
{
    "summary": {
        "total_logs": 5420,
        "today_logs": 127,
        "active_users_today": 8
    },
    "categories": [
        {
            "name": "authentication",
            "count": 1245
        },
        {
            "name": "content",
            "count": 892
        }
    ],
    "priorities": [
        {
            "name": "medium",
            "count": 3210
        },
        {
            "name": "low",
            "count": 1890
        }
    ]
}
GET /events/types
List all registered event types with their configuration details.
curl -X GET 'https://yoursite.com/wp-json/sentinel-plugin/v1/events/types'
{
    "event_types": [
        {
            "key": "user_login",
            "label": "User Login",
            "category": "authentication",
            "priority": "medium",
            "description": "User successfully logs into the system"
        },
        {
            "key": "woo_new_order",
            "label": "WooCommerce New Order",
            "category": "ecommerce",
            "priority": "high",
            "description": "New order placed by customer"
        }
    ],
    "total": 24
}
Error Responses
Standard HTTP error responses and error codes.
| HTTP Code | Error Code | Description |
|---|---|---|
| 400 | rest_invalid_param | Invalid parameter values (e.g., limit out of range) |
| 403 | rest_forbidden | API access disabled in settings |
| 500 | rest_internal_error | Server error or database issues |
{
    "code": "rest_forbidden",
    "message": "API access is disabled.",
    "data": {
        "status": 403
    }
}
Integration Examples
Real-world examples of integrating with the Sentinel REST API.
// Monitor login failures in real-time
const fetch = require('node-fetch');
async function checkLoginFailures() {
    try {
        const response = await fetch('https://yoursite.com/wp-json/sentinel-plugin/v1/logs?event_key=failed_login&limit=10');
        const data = await response.json();
        if (data.logs.length > 0) {
            console.log(`${data.logs.length} recent login failures detected`);
            data.logs.forEach(log => {
                console.log(`Failed login from ${log.ip_address} at ${log.created_at}`);
            });
        }
    } catch (error) {
        console.error('API request failed:', error);
    }
}
// Check every 5 minutes
setInterval(checkLoginFailures, 5 * 60 * 1000);
<?php
// External monitoring script
function get_site_activity_summary($site_url) {
    $api_url = rtrim($site_url, '/') . '/wp-json/sentinel-plugin/v1/stats';
    $response = wp_remote_get($api_url);
    if (is_wp_error($response)) {
        error_log('Sentinel API error: ' . $response->get_error_message());
        return false;
    }
    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (isset($data['summary'])) {
        return [
            'total_logs' => $data['summary']['total_logs'],
            'today_activity' => $data['summary']['today_logs'],
            'active_users' => $data['summary']['active_users_today']
        ];
    }
    return false;
}
// Usage
$summary = get_site_activity_summary('https://yoursite.com');
if ($summary) {
    echo 'Today: ' . $summary['today_activity'] . ' activities by ' . $summary['active_users'] . ' users';
}
?>
import requests
class SentinelAPI:
    def __init__(self, base_url):
        self.base_url = base_url.rstrip('/') + '/wp-json/sentinel-plugin/v1'
    def get_logs(self, **filters):
        '''Get activity logs with optional filters'''
        # requests has no default timeout, so set one explicitly
        response = requests.get(f'{self.base_url}/logs', params=filters, timeout=10)
        response.raise_for_status()
        return response.json()
    def get_stats(self):
        '''Get activity statistics'''
        response = requests.get(f'{self.base_url}/stats', timeout=10)
        response.raise_for_status()
        return response.json()
    def get_security_events(self, limit=50):
        '''Get security-related events'''
        return self.get_logs(
            event_key='failed_login,suspicious_activity',
            priority='high,critical',
            limit=limit
        )
# Usage
api = SentinelAPI('https://yoursite.com')
# Get today's failed logins
failed_logins = api.get_logs(event_key='failed_login', limit=10)
# The /logs response keeps its entries under the "logs" key
print(f"Recent failed logins: {len(failed_logins['logs'])}")
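The integrations above only list failed logins. This added example (not part of Sentinel or the original page) turns the `logs` array from GET /logs into a brute-force signal by counting failed logins per source IP in a sliding window. The function names, threshold, window and the presence of `data.username` on failed-login entries are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Both spellings appear on this page (REST examples and the hook example).
FAILED_LOGIN_KEYS = {"failed_login", "failed_login_attempt"}


def find_login_bursts(logs, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed logins inside any
    sliding `window`. `logs` is the "logs" array of a GET /logs response."""
    attempts = defaultdict(list)
    for entry in logs:
        if entry.get("event_key") not in FAILED_LOGIN_KEYS:
            continue
        when = datetime.strptime(entry["created_at"], "%Y-%m-%d %H:%M:%S")
        # Assumption: failed-login entries carry data.username like the
        # user_login sample on this page; tolerate entries without it.
        username = (entry.get("data") or {}).get("username")
        attempts[entry.get("ip_address") or "unknown"].append((when, username))

    findings = {}
    for ip, events in attempts.items():
        events.sort(key=lambda item: item[0])
        start, best = 0, (0, 0, 0)  # (count, first index, last index)
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, first, last = best
        if count >= threshold:
            findings[ip] = {
                "count": count,
                "first_seen": events[first][0],
                "last_seen": events[last][0],
                # One name suggests a single targeted account; many names
                # suggest guessing across accounts.
                "usernames": sorted({u for _, u in events[first:last + 1] if u}),
            }
    return findings


def sample_logs():
    """Constructed entries in the shape of the GET /logs response."""
    def entry(ip, created_at, username, key="failed_login"):
        return {"event_key": key, "ip_address": ip, "created_at": created_at,
                "data": {"username": username, "success": key == "user_login"}}

    burst = [entry("203.0.113.7", f"2024-01-15 10:3{i}:00", "admin")
             for i in range(6)]                      # 6 failures in 5 minutes
    slow = [entry("198.51.100.20", f"2024-01-15 {hour:02d}:00:00", "editor")
            for hour in range(8, 13)]                # 5 failures over 4 hours
    noise = [entry("192.0.2.44", "2024-01-15 10:31:00", "admin",
                   key="user_login")]                # a successful login
    return burst + slow + noise
```

If IP anonymization is enabled in Settings, `ip_address` holds whatever anonymized form Sentinel stores, so read a finding as a group of sources rather than a single host.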
Rate Limiting & Best Practices
Guidelines for responsible API usage and performance optimization.
Current Implementation
No rate limiting is currently implemented. Consider implementing caching and reasonable request intervals in your applications.
Recommended Practices:
- Pagination: Use limit and offset parameters for large datasets
- Filtering: Apply specific filters to reduce response sizes
- Caching: Cache responses locally when appropriate
- Error Handling: Implement proper error handling and retry logic
- Monitoring: Monitor your API usage to avoid overwhelming the server
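The practices above, as an added example rather than Sentinel's own client: it walks `limit`/`offset` pages using `pagination.total`, sends the key in the `X-Sentinel-API-Key` header, retries only the documented 500 error with backoff, and paces itself because the API has no rate limit. All function and class names, the default page size and pause, and the in-memory `fake_site` stand-in are assumptions made for the example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

MAX_LIMIT = 1000  # documented maximum for the `limit` parameter


class SentinelAPIError(Exception):
    """Non-retryable API failure, carrying the documented error code."""

    def __init__(self, status, code, message):
        super().__init__(f"HTTP {status} {code}: {message}")
        self.status, self.code = status, code


def http_transport(site_url, api_key, timeout=10):
    """Build get_page(params) -> (status, body) for a real site. The key goes
    in the X-Sentinel-API-Key header, never in the URL, so it stays out of
    web server access logs."""
    endpoint = site_url.rstrip("/") + "/wp-json/sentinel-plugin/v1/logs"

    def get_page(params):
        request = urllib.request.Request(
            endpoint + "?" + urllib.parse.urlencode(params),
            headers={"X-Sentinel-API-Key": api_key},
        )
        try:
            with urllib.request.urlopen(request, timeout=timeout) as response:
                return response.status, json.load(response)
        except urllib.error.HTTPError as err:
            try:
                return err.code, json.loads(err.read())
            except ValueError:  # error page that is not JSON
                return err.code, {}

    return get_page


def fetch_all_logs(get_page, page_size=200, max_retries=3, pause=1.0,
                   sleep=time.sleep, **filters):
    """Collect every log matching `filters` by walking limit/offset pages."""
    if not 1 <= page_size <= MAX_LIMIT:
        raise ValueError(f"page_size must be between 1 and {MAX_LIMIT}")
    logs, offset = [], 0
    while True:
        params = dict(filters, limit=page_size, offset=offset)
        for attempt in range(max_retries + 1):
            status, body = get_page(params)
            if status == 200:
                break
            # 400 (bad parameter) and 403 (API disabled) will not fix
            # themselves; only a 500 is worth retrying, with backoff.
            if status != 500 or attempt == max_retries:
                raise SentinelAPIError(status, body.get("code", "unknown"),
                                       body.get("message", ""))
            sleep(pause * 2 ** attempt)
        page = body["logs"]
        logs.extend(page)
        offset += len(page)
        if not page or offset >= body["pagination"]["total"]:
            return logs
        sleep(pause)  # the API has no rate limit, so the client paces itself


def fake_site(total, fail_once_at=None, disabled=False):
    """Constructed in-memory stand-in for a site, used to run this offline."""
    calls = []

    def get_page(params):
        calls.append(dict(params))
        if disabled:
            return 403, {"code": "rest_forbidden",
                         "message": "API access is disabled.",
                         "data": {"status": 403}}
        first_hit = [c["offset"] for c in calls].count(params["offset"]) == 1
        if params["offset"] == fail_once_at and first_hit:
            return 500, {"code": "rest_internal_error", "message": "",
                         "data": {"status": 500}}
        stop = min(total, params["offset"] + params["limit"])
        rows = [{"id": i + 1, "event_key": params.get("event_key")}
                for i in range(params["offset"], stop)]
        return 200, {"logs": rows,
                     "pagination": {"total": total, "limit": params["limit"],
                                    "offset": params["offset"]}}

    return get_page, calls
```

Against a real site, pass `http_transport('https://yoursite.com', api_key)` as `get_page`; the fake transport exists only so the pagination and retry behaviour can be checked without a network.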
Common Issues
Solutions to frequently encountered problems.
Troubleshooting FAQs
Common issues and their solutions.
Why are some events not being logged?
Check Sentinel → Event Registry to ensure the event type isn’t disabled. Also make sure your role isn’t excluded in Settings → Privacy & Security. If batch logging is on, a stuck queue (sentinel_log_queue) can delay logging until processed.
I enabled “Error events” alerts but I never get them. Why?
In v1.0.0, the “Error events” real-time toggle checks for priority = error, but no events have this priority. Use the Error category toggle instead until fixed in the next release.
Can I send email alerts to multiple addresses?
Not in v1.0.0. Only the first valid email entered in Settings → Notifications is used. To send to more people, use a group/distribution email address.
Frequently Asked Questions
Common questions and answers about Sentinel to help you get the most out of your security monitoring.
Does Sentinel slow down my website?
No! Sentinel is designed for minimal performance impact. It uses efficient batch logging, asynchronous processing, and includes performance optimization settings to ensure your site runs smoothly. The plugin typically adds less than 50ms to page load times.
Can I export my activity logs?
Yes! Sentinel includes CSV export functionality for compliance reporting and data analysis. You can export logs by date range, event type, or user. Perfect for security audits, compliance requirements, and long-term record keeping.
Is Sentinel GDPR compliant?
Sentinel provides tools (IP anonymization, data export/deletion, role-based access, audit logs) to help you comply with GDPR, but compliance depends on how you configure and use it. We recommend consulting with legal professionals for full compliance.
How much storage space do the logs use?
Log storage depends on your site’s activity level. A typical site with moderate traffic uses approximately 1-5MB per month. Sentinel includes automatic cleanup features to manage storage efficiently, and you can adjust retention periods based on your needs.
Can Sentinel send me email alerts?
Yes. You can configure real-time alerts and daily/weekly digests in Settings → Notifications. In v1.0.0, only one recipient email is supported.
How do I stop logging for certain users or roles?
Use Settings → Privacy & Security to exclude specific user roles from logging. This is useful for developers or staging site admins.
What happens when database logging fails?
Sentinel uses a queue-based retry system to ensure no important events are lost:
- Automatic Queuing: Failed logs are stored in WordPress transients for retry
- Smart Retry: Automatic retry on every admin page load with up to 3 attempts per log
- Manual Retry: “🔄 Retry Failed Logs” button in settings for immediate retry
- No Data Loss: Logs are preserved for 24 hours with automatic cleanup
- Debug Information: Detailed logging shows retry attempts and results
Check the ⚠️ Queued Failed Logs section in Sentinel Settings to see any pending retries.
Can I monitor multiple WordPress sites?
Sentinel is installed per site. To monitor multiple sites, install it on each one. Centralized dashboards could be built using exports or third-party integrations.
Support
Get help when you need it most.
Emergency Issues
If Sentinel is causing site problems, deactivate the plugin immediately via Plugins → Installed Plugins and then contact support with details.
Custom Events
Extend Sentinel’s monitoring capabilities beyond WordPress core events by creating and managing your own custom events for specific business logic, third-party plugins, and ecommerce activities.
Sentinel+ Feature
Custom Events is available in Sentinel+. It allows you to monitor business-specific activities, ecommerce transactions, and third-party plugin interactions beyond WordPress core events.
Overview
Custom Events bridge the gap between WordPress core monitoring and your specific business needs. While 3rd Party Plugin Integrations handle popular plugins like WooCommerce automatically, Custom Events let you create monitoring for unique business logic, specialized workflows, and unsupported plugins.
Note
This is separate from 3rd Party Plugin Integrations. Use Custom Events for business-specific monitoring that isn’t covered by the built-in plugin integrations available to all users.
Creating Custom Events
For unique business requirements or unsupported plugins, create custom events manually through the admin interface.
Access Custom Events
Navigate to Sentinel → Event Registry in your WordPress admin. The Custom Events section appears at the top for Sentinel+ users.
Add New Event
Use the “Add New Custom Event” form to create events with unique keys, descriptive labels, categories, and appropriate priority levels.
Trigger Events
Use sentinel_log_event() in your code to trigger custom events with relevant data and context.
// Log a custom event
sentinel_log_event('newsletter_signup', [
    'email' => $user_email,
    'source' => 'homepage_widget',
    'user_id' => get_current_user_id()
]);
// Log with custom user context
sentinel_log_event('form_abandoned', [
    'form_id' => $form_id,
    'completion_percentage' => 75,
    'time_spent' => 120
], $user_id);
Event Key Requirements
Event keys must be unique, contain only lowercase letters, numbers, and underscores. They cannot be changed after creation, so choose carefully.
Developer Hooks & Filters
Extend custom event functionality with WordPress hooks and filters.
// Hook into when events are logged
add_action('sentinel_event_logged', 'my_custom_event_handler', 10, 3);
function my_custom_event_handler($event_key, $event_data, $user_id) {
    // Custom logic when any event is logged
    if ($event_key === 'user_login') {
        // Do something special for login events
        update_user_meta($user_id, 'last_login_tracked', current_time('mysql'));
    }
}
Parameters:
- $event_key (string) – The event key that was logged
- $event_data (array) – Additional data associated with the event
- $user_id (int) – ID of the user who triggered the event
// Hook into event registration
add_action('sentinel_event_registered', 'my_event_registration_handler', 10, 2);
function my_event_registration_handler($event_key, $config) {
    // React to new events being registered
    // (?? avoids an undefined-index notice when no category is set)
    if (($config['category'] ?? '') === 'security') {
        // Enable special monitoring for security events
        update_option('my_security_monitoring_' . $event_key, true);
    }
}
Parameters:
- $event_key (string) – The event key being registered
- $config (array) – Configuration array for the event
Advanced Functions
Programmatic functions for custom event management and integration.
// Register a basic custom event
sentinel_register_event('newsletter_signup', [
    'category' => 'marketing',
    'priority' => 'medium',
    'description' => 'User signed up for newsletter'
]);
// Register a security event
sentinel_register_event('suspicious_activity', [
    'category' => 'security',
    'priority' => 'high',
    'description' => 'Suspicious user behavior detected',
    'data_fields' => ['ip_address', 'user_agent', 'risk_score']
]);
// Register an ecommerce event
sentinel_register_event('cart_abandoned', [
    'category' => 'ecommerce',
    'priority' => 'low',
    'description' => 'Shopping cart was abandoned',
    'data_fields' => ['cart_value', 'items_count', 'user_id']
]);
Configuration Options:
- category (string) – Event category: authentication, content, system, security, user, admin, general, audit
- priority (string) – Priority level: low, medium, high, critical
- description (string) – Human-readable description
- data_fields (array) – Expected data field names
- enabled (bool) – Whether event is enabled. Default: true
Plugin & Theme Integration
Real-world examples of integrating custom events into your plugins and themes.
// In your plugin's main file
class My_Plugin {
    public function __construct() {
        // Register custom events on plugin activation
        register_activation_hook(__FILE__, [$this, 'setup_sentinel_events']);
        // Hook into your plugin's key actions
        add_action('my_plugin_user_action', [$this, 'log_user_action']);
        add_action('my_plugin_error', [$this, 'log_plugin_error']);
    }
    public function setup_sentinel_events() {
        if (!function_exists('sentinel_register_event')) {
            return; // Sentinel not available
        }
        // Register plugin-specific events
        sentinel_register_event('my_plugin_action', [
            'category' => 'user',
            'priority' => 'medium',
            'description' => 'User performed action in My Plugin'
        ]);
        sentinel_register_event('my_plugin_error', [
            'category' => 'system',
            'priority' => 'high',
            'description' => 'Error occurred in My Plugin'
        ]);
    }
    public function log_user_action($action_data) {
        if (function_exists('sentinel_log_event')) {
            sentinel_log_event('my_plugin_action', $action_data);
        }
    }
    public function log_plugin_error($error) {
        if (function_exists('sentinel_log_event')) {
            sentinel_log_event('my_plugin_error', [
                'error_message' => $error->get_error_message(),
                'error_code' => $error->get_error_code()
            ]);
        }
    }
}
// In your theme's functions.php
function my_theme_init() {
    // Register theme-specific events
    if (function_exists('sentinel_register_event')) {
        sentinel_register_event('theme_customizer_changed', [
            'category' => 'content',
            'priority' => 'low',
            'description' => 'Theme customizer settings modified'
        ]);
    }
}
add_action('init', 'my_theme_init');
// Log theme-specific events
function log_customizer_change($setting, $value) {
    if (function_exists('sentinel_log_event')) {
        sentinel_log_event('theme_customizer_changed', [
            'setting' => $setting,
            'new_value' => $value,
            'changed_by' => get_current_user_id()
        ]);
    }
}
// Hook into WordPress customizer
add_action('customize_save_after', function($customizer) {
    log_customizer_change('theme_options', 'bulk_update');
});
Data Deletion Requests
Alerts & Notifications
Configure email alerts and notifications to stay informed about critical security events on your WordPress site.
Notification Types
Sentinel offers three types of notifications:
- Real-time Alerts: Instant email notifications for critical security events
- Daily Digests: Comprehensive daily summaries of site activity and errors
- Weekly Reports: Detailed analytics including health reports and security trends
Setting Up Real-time Alerts
Configure instant notifications for critical events. Navigate to Sentinel → Settings → Notifications to access these settings.
Required
Alert Types & Triggers
Choose which events trigger immediate notifications:
| Alert Type | Trigger Condition | Examples | Recommended |
|---|---|---|---|
| Critical Events | Fires when priority = critical | Failed admin logins, plugin vulnerabilities, file modifications | ✓ Essential |
| Security Events | Fires when category = security | Brute force attempts, suspicious IP activity, permission changes | ✓ Essential |
| High-priority Events | Fires when priority = high | User role changes, plugin installations, theme modifications | ⚠ Use carefully |
Fine-tuning Options
Additional filters to control when alerts are sent:
- Category Filters: Select specific event categories (Authentication, Content, System, Error, Security)
- Priority Filters: Choose priority levels (High, Medium, Low)
- Per-event Control: Disable individual events in Sentinel → Event Registry (affects both logging and alerts)
Evaluation Order
Sentinel checks real-time toggles first, then category toggles, then priority toggles. If any condition matches, an email is sent immediately.
Email Recipients
Configure who receives alert notifications in Sentinel → Settings → Notifications.
Notification Email
Single Address: Set a specific email address for notifications. Uses sanitize_email() validation and wp_mail() for delivery.
Fallback
If left empty, notifications fall back to the site’s Admin Email address.
Daily Digest Reports
Aggregated reports sent daily at ~9:00 AM site time via WP-Cron:
Event Summary (daily_summary)
- totals: Event totals and active users
- breakdown: Category/priority breakdown
Error Report (daily_error)
- error_count: Total error count
- recent_errors: Recent error details
User Activity (daily_user)
- active_users: Top active users
- recent_events: Most recent user events
Weekly Digest Reports
Comprehensive weekly reports sent on Mondays at ~9:00 AM site time:
Health Report (weekly_health)
- uptime: Uptime estimate
- event_counts: Critical/high/medium counts
Performance Metrics (weekly_performance)
- response_time: Average response time
- memory_peak: Peak memory usage
Security Summary (weekly_security)
- security_totals: Security event totals
- failed_logins: Failed login attempts
WP-Cron Dependency
Both daily and weekly digests rely on WP-Cron. Ensure your host supports WP-Cron or implement alternative cron solutions for reliable delivery.
Recommended Starter Configuration
Production-ready configuration for development and production environments:
| Category | Recommended Settings | Reasoning |
|---|---|---|
| Real-time | Enable Critical and Security | Catches the most important events without noise |
| Daily Digest | Enable Error Report and User Activity | Daily overview of problems and user behavior |
| Weekly Digest | Enable Health and Security | Weekly health check and security trends |
| Optional | Add Performance if needed | Only if you care about timing/memory metrics |
Production Tip
This configuration balances security monitoring with operational efficiency. Adjust based on your site’s traffic patterns, security requirements, and team size.
Export & Import
Transfer your logs and move your chosen configuration between Sentinel installations with ease.
Data Export
Pull activity records into different formats for review, reporting or regulatory compliance. Whether you’re analysing patterns or preparing audits, there’s a format to suit your needs.
Supported Formats
- CSV: Great for spreadsheet programs such as Excel or Google Sheets
- JSON: Ideal when connecting to external systems or APIs
- XML: Provides compatibility with older or legacy applications
User Management
Sentinel lets you decide who can see the logs, download data or change settings. Assign abilities based on the role each user plays:
Role-Based Permissions
Control access to Sentinel features based on user roles:
| Role | View Logs | Export Data | Modify Settings |
|---|---|---|---|
| Administrator | ✓ | ✓ | ✓ |
| Editor | ✓ | ✓ | ✗ |
| Author | ✓ | ✗ | ✗ |
Access Control
This keeps sensitive log data and configuration changes under the control of those who need it, while still allowing other users access to view-only functions.
Yoast SEO Integration
Monitor your SEO optimization activities with comprehensive tracking of meta changes, score improvements, schema updates, and bulk operations. Yoast SEO integration provides detailed insights into your content optimization workflow.
Available in Sentinel Basic:
Yoast SEO integration is included in the basic version of Sentinel. No upgrade required to monitor your SEO activities.
Overview
Yoast SEO Integration provides comprehensive monitoring of your SEO optimization activities. Track meta field updates, SEO score changes, schema markup modifications, and bulk SEO operations with detailed event logging that captures specific field changes, score improvements, and optimization patterns.
SEO Event Tracking
The Yoast SEO integration automatically monitors the following SEO activities:
SEO Event Tracking (4 Events)
- yoast_meta_updated: SEO title, meta description, or focus keyword updated
- yoast_score_changed: SEO or readability score improved or declined
- yoast_schema_updated: Structured data or schema type modified
- yoast_bulk_action: Bulk SEO optimization or bulk edit performed
Smart Detection Features
The Yoast SEO integration includes intelligent detection capabilities:
Field-Specific Tracking
Distinguishes between different SEO fields (title, description, focus keyword) and provides specific context for each change.
Score Change Detection
Monitors both SEO keyword scores and readability scores separately, tracking improvements and declines.
Bulk Operation Intelligence
Automatically detects bulk operations through pattern recognition and WordPress bulk edit integration.
Schema Type Recognition
Identifies specific schema field changes and provides context about structured data modifications.
Setup Instructions
Setting up Yoast SEO monitoring is automatic once both plugins are active:
Install Yoast SEO
Ensure Yoast SEO plugin is installed and activated on your WordPress site.
Enable Integration
Navigate to Sentinel → Event Registry and click “Setup Yoast SEO Events” in the integration templates section.
Customize Events
Configure which SEO events to monitor and set appropriate priority levels for your monitoring needs.
3rd Party Plugin Integrations
Sentinel provides comprehensive monitoring for popular WordPress plugins with automatic detection and one-click setup templates. These integrations are available to all Sentinel users (both Basic and Sentinel+) and require no additional configuration once enabled.
Available in Sentinel Basic
All third-party plugin integrations are included in the basic version of Sentinel. No upgrade required to monitor your plugin activities.
Supported Integrations
Sentinel automatically detects and provides monitoring templates for the following popular WordPress plugins:
WooCommerce
Track orders, payments, inventory changes, and customer interactions with comprehensive ecommerce monitoring.
Contact Form 7
Monitor form submissions, track failures, and analyze user engagement with your contact forms.
WPForms
Track form submissions, payment completions, and user interactions across all your WPForms.
Gravity Forms
Monitor form submissions and payment completions with detailed tracking and analytics.
Key Features
Automatic Plugin Detection
One-Click Setup Templates
Pre-configured Event Templates
Granular Event Control
Detailed Activity Logging
Real-time Monitoring
How It Works
Sentinel’s third-party plugin integrations work seamlessly with your existing plugins:
Automatic Detection
Sentinel automatically detects when supported plugins are active on your WordPress site.
One-Click Setup
Navigate to Sentinel → Event Registry → 3rd Party Plugin Integrations and click the setup button for your detected plugins.
Automatic Monitoring
Events are automatically created and enabled. Sentinel begins logging plugin activities immediately.
Granular Control
Enable or disable specific events, view detailed logs, and customize monitoring to match your needs.
WooCommerce Integration
Monitor your online store with comprehensive ecommerce event tracking. WooCommerce integration is available in both Sentinel Basic and Sentinel+ with automatic detection and one-click setup templates.
Available in Sentinel Basic:
WooCommerce integration is included in the basic version of Sentinel. No upgrade required to monitor your online store activities.
Overview
WooCommerce Integration provides comprehensive monitoring of your online store activities. Track orders, payments, inventory changes, and customer interactions with automated event logging that requires no additional configuration once enabled.
Order Management (4 Events)
- woo_new_order: New order placed by customer
- woo_payment_complete: Payment successfully processed
- woo_order_status_changed: Order status updated
- woo_payment_failed: Payment processing failed
1. Navigate to Sentinel → Event Registry
2. Locate '3rd Party Plugin Integrations' section
3. Click 'Setup WooCommerce Events' button
4. Events are automatically created and enabled
5. Control events directly in Plugin Integrations section
6. Monitor orders in Activity Log
Automatic Integration
Once WooCommerce events are set up, Sentinel automatically logs all order activities, payment transactions, and status changes without requiring any additional configuration.
Contact Form 7 Integration
Monitor your Contact Form 7 submissions with detailed tracking and failure analysis. This integration automatically detects Contact Form 7 and provides comprehensive form monitoring without any additional configuration.
Available in Sentinel Basic:
Contact Form 7 integration is included in the basic version of Sentinel. No upgrade required to monitor your form activities.
Overview
Contact Form 7 Integration provides comprehensive monitoring of your contact form activities. Track successful submissions, identify failed submissions, and analyze user engagement with detailed event logging that captures form metadata and submission details.
Tracked Events
The Contact Form 7 integration automatically monitors the following events:
Form Submission Events (2 Events)
- cf7_form_submitted: Form successfully submitted
- cf7_form_failed: Form submission failed
WPForms Integration
Monitor your WPForms submissions and payments with comprehensive tracking and analytics. This integration supports both WPForms Lite and WPForms Pro, automatically detecting the active version and providing appropriate monitoring.
Available in Sentinel Basic:
WPForms integration is included in the basic version of Sentinel. No upgrade required to monitor your form activities.
Overview
WPForms Integration provides comprehensive monitoring of your WPForms activities. Track form submissions, payment completions, and user interactions with detailed event logging that captures form metadata, field information, and payment details.
Tracked Events
The WPForms integration automatically monitors the following events:
Form Submission Events (2 Events)
- wpf_form_submitted: Form entry successfully saved
- wpf_payment_completed: Payment successfully processed
Gravity Forms Integration
Monitor your Gravity Forms submissions and payments with comprehensive tracking and analytics. This integration automatically detects Gravity Forms and provides detailed form monitoring capabilities.
Available in Sentinel Basic
Gravity Forms integration is included in the basic version of Sentinel. No upgrade required to monitor your form activities.
Overview
Gravity Forms Integration provides comprehensive monitoring of your Gravity Forms activities. Track form submissions, payment completions, and user interactions with detailed event logging that captures form metadata and submission details.
Tracked Events
The Gravity Forms integration automatically monitors the following events:
Form Submission Events (2 Events)
- gf_form_submitted: Form successfully submitted
- gf_payment_complete: Payment successfully processed