SECURITY MODULE

WordPress Security Monitor Plugin — Real-Time Threat Detection, File Integrity, and Automated Response

Detect brute force attacks, SQL injection attempts, malicious file uploads, and suspicious login activity in real time. Automated responses block threats before they cause damage. A live dashboard gives you full visibility into every security event on your WordPress site.

Monitors | 2 (Login + File System)
Scheduled Crons | 4 (Integrity, Threat Feed, Reports, Cleanup)
Threat Levels | 4 (Low, Medium, High, Critical)
Attack Patterns Scanned | 5 (SQL Injection, XSS, File Inclusion, Code Injection, Path Traversal)
Dashboard Sections | 4 (Events, Threats, Blocked IPs, System Health)
Blocked File Extensions | 40+

The Problem With WordPress Security

WordPress sites face constant automated attacks. Bots probe login pages with common usernames, scripts inject SQL payloads into query strings, and malicious file uploads attempt to plant webshells in your media library. Most site owners only discover a breach after the damage is done — defaced pages, stolen data, or a blacklisted domain.

Third-party security plugins often create their own problems: bloated firewall rules that slow page loads, opaque dashboards that generate noise without actionable information, and premium upsells for basic features like login limiting. You need a security layer that watches everything, responds automatically to real threats, and stays out of your way when nothing is wrong.

LuperIQ Security Monitor provides real-time monitoring across login activity, file system integrity, and incoming request patterns. It uses multi-layer threat analysis that combines IP reputation data, attack signature matching, behavioral analysis, and geolocation intelligence to classify every event on a four-level threat scale. When threats reach high or critical severity, the module responds automatically — blocking IPs, quarantining files, notifying administrators, and even triggering maintenance mode for the most severe attacks.

Everything the Security Monitor Tracks and Protects

Login Monitoring

Every Authentication Event Logged

Tracks failed logins, successful logins, logouts, password reset requests, completed password resets, and new user registrations. Each event records the IP address, user agent, and timestamp. Anomaly detection flags logins from new IPs, changed user agents, and unusual hours for admin and editor accounts.

File System Monitor

Upload Scanning and Integrity Checks

How Login Protection Works

The Login Monitor hooks into WordPress authentication at multiple levels. On every failed login, the module records the username, IP address, and user agent, then increments a per-IP failure counter stored as a WordPress transient. Progressive delays are applied automatically: each failure adds 2 seconds of delay to the next attempt from that IP, capping at 60 seconds. After 25 failed attempts within one hour, the IP is temporarily blocked for 24 hours.
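The failure counter, progressive delay and 24-hour block described above, as an added example that is not the LuperIQ plugin's own code. It uses real WordPress hooks and transients; the 'lq_' key prefix and helper names are assumptions.

```php
<?php
// Added example, not the LuperIQ plugin's own code: a per-IP failure counter
// with the progressive delay and temporary block described above, stored in
// WordPress transients. Hook names are real WordPress hooks; the 'lq_' key
// prefix and the helper names are assumptions.

const LQ_DELAY_STEP  = 2;      // seconds added per failed attempt
const LQ_DELAY_CAP   = 60;     // maximum delay in seconds
const LQ_FAIL_LIMIT  = 25;     // failures allowed within the window
const LQ_FAIL_WINDOW = 3600;   // counter lifetime: one hour
const LQ_BLOCK_TTL   = 86400;  // temporary block length: 24 hours

function lq_client_ip(): string {
    // REMOTE_ADDR only: trusting X-Forwarded-For would let a client pick its own IP.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lq_delay_for(int $failures): int {
    return min(LQ_DELAY_CAP, LQ_DELAY_STEP * $failures);
}

// wp_login_failed fires after WordPress has rejected the credentials.
add_action('wp_login_failed', function (string $username): void {
    $ip       = lq_client_ip();
    $key      = 'lq_fail_' . md5($ip);
    $failures = (int) get_transient($key) + 1;
    // Re-saving restarts the one-hour window; a production counter would keep
    // the original expiry so the window is not extended by each failure.
    set_transient($key, $failures, LQ_FAIL_WINDOW);
    if ($failures >= LQ_FAIL_LIMIT) {
        set_transient('lq_block_' . md5($ip), time(), LQ_BLOCK_TTL);
    }
});

// Priority 30 runs after WordPress's own username/password filter (priority 20),
// which ignores an incoming WP_Error when both fields are filled in; a blocking
// filter therefore has to run after it to have any effect.
add_filter('authenticate', function ($user) {
    $ip = lq_client_ip();
    if (get_transient('lq_block_' . md5($ip))) {
        return new WP_Error('lq_blocked', 'Too many failed login attempts. Try again later.');
    }
    $failures = (int) get_transient('lq_fail_' . md5($ip));
    if ($failures > 0) {
        sleep(lq_delay_for($failures));  // progressive delay before the response is sent
    }
    return $user;
}, 30);
```

The delay ties up a PHP worker for its duration, so on a busy site a web-server-level rate limit should sit in front of it.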

The module also inspects the username field on every authentication attempt. Common attack usernames like admin, administrator, root, test, and demo are flagged when no matching WordPress account exists. SQL injection patterns in the username field — including SELECT, DROP, UNION statements, hex-encoded payloads, and comment syntax — are blocked immediately with a security error before WordPress ever checks credentials.

Successful logins are analyzed for anomalies. For users with edit_posts capability or higher, the module tracks known IP addresses (up to 20 per user) and the last user agent string. A login from a new IP or changed user agent raises the threat level. Logins during unusual hours — between 10 PM and 6 AM server time — are also flagged. Session duration is tracked from login to logout so you can see how long each admin session lasted.

How File Protection Works

Every file uploaded through the WordPress media uploader passes through the File System Monitor before WordPress processes it. The scan runs in three stages. First, the file extension is checked against a blocklist of over 40 dangerous types including PHP variants (php, phtml, php3, php4, php5, php7, phps, phar), executables (exe, bat, cmd, com), and server-side scripts (asp, aspx, jsp, cgi). Second, double extensions like image.php.jpg are detected and blocked. Third, filenames are scanned against patterns matching known webshells (c99, r57, b374k, WSO), obfuscation terms (eval, base64, gzinflate), and hidden file prefixes.

If the file passes name-based checks, its content is scanned for malicious code patterns. The scanner examines text-based files under 2 MB for PHP execution functions (eval, exec, system, passthru, shell_exec, popen, proc_open), encoding functions used for obfuscation (base64_decode, gzinflate, str_rot13), webshell signatures, .htaccess injection rules, and script or iframe injection. Binary file formats like images, video, audio, PDFs, office documents, archives, and fonts are automatically skipped to prevent false positives.
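The three name-based checks and the content scan from the two paragraphs above, as an added example that is not the plugin's own code. It hooks WordPress's real wp_handle_upload_prefilter filter; the lists are abbreviated (the page's blocklist has 40+ entries) and the regexes are illustrative, not the plugin's signatures.

```php
<?php
// Added example, not the LuperIQ plugin's own code: the three name-based
// checks and the content scan described above, run from WordPress's
// wp_handle_upload_prefilter filter. Lists are abbreviated; regexes are illustrative.

const LQ_BLOCKED_EXT = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar',
                        'exe', 'bat', 'cmd', 'com', 'asp', 'aspx', 'jsp', 'cgi'];
const LQ_SKIP_EXT    = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'mp3', 'pdf', 'docx', 'zip', 'woff'];
const LQ_SCAN_MAX    = 2 * 1024 * 1024;  // content scan limit: 2 MB
// Webshell names and obfuscation terms, matched as whole tokens of the base name.
const LQ_NAME_RE     = '/\b(c99|r57|b374k|wso|eval|base64|gzinflate)\b/i';
const LQ_CODE_RE     = '/\b(eval|exec|system|passthru|shell_exec|popen|proc_open'
                     . '|base64_decode|gzinflate|str_rot13)\s*\(|<\?php|<script\b|<iframe\b/i';

// Returns null when the name is acceptable, otherwise the reason for rejection.
function lq_check_filename(string $name): ?string {
    $base  = basename($name);
    $parts = explode('.', strtolower($base));
    if ($base !== '' && $base[0] === '.') {
        return 'hidden file prefix';
    }
    // Every segment after the first is an extension, so image.php.jpg is caught like shell.php.
    foreach (array_slice($parts, 1) as $ext) {
        if (in_array($ext, LQ_BLOCKED_EXT, true)) {
            return (count($parts) > 2 ? 'double extension: ' : 'blocked extension: ') . $ext;
        }
    }
    return preg_match(LQ_NAME_RE, $parts[0]) ? 'webshell or obfuscation term in filename' : null;
}

// Content scan for text-based files only; binary types and large files are skipped.
function lq_check_content(string $path, string $ext): ?string {
    if (in_array($ext, LQ_SKIP_EXT, true) || filesize($path) > LQ_SCAN_MAX) {
        return null;
    }
    return preg_match(LQ_CODE_RE, file_get_contents($path)) ? 'malicious code pattern in content' : null;
}

add_filter('wp_handle_upload_prefilter', function (array $file): array {
    $reason = lq_check_filename($file['name']);
    if ($reason === null) {
        $ext    = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
        $reason = lq_check_content($file['tmp_name'], $ext);
    }
    if ($reason !== null) {
        $file['error'] = 'Upload rejected: ' . $reason;  // WordPress aborts the upload
    }
    return $file;
});
```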

Separately, an hourly cron job performs file integrity checks. It generates SHA-256 hashes of critical WordPress files — wp-config.php, .htaccess, wp-load.php, wp-login.php, wp-settings.php, index.php — and key theme files including functions.php, header.php, footer.php, and index.php. These hashes are compared against a stored baseline. Any added, modified, or removed file triggers a security event. If more than 5 files change at once, the threat level escalates to High.
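The baseline comparison described above, as an added example that is not the plugin's own code. It hashes the files the text lists with SHA-256 and applies the more-than-5-changes escalation; the option name 'lq_integrity_baseline', the cron hook name and the 'medium' level for smaller change sets are assumptions.

```php
<?php
// Added example, not the LuperIQ plugin's own code: SHA-256 baseline comparison
// for the files listed above. The option name, the cron hook name and the
// 'medium' level for change sets of 5 or fewer files are assumptions.

function lq_watched_files(): array {
    $core  = ['wp-config.php', '.htaccess', 'wp-load.php', 'wp-login.php', 'wp-settings.php', 'index.php'];
    $theme = ['functions.php', 'header.php', 'footer.php', 'index.php'];
    $paths = array_map(fn($f) => ABSPATH . $f, $core);  // ABSPATH ends with a slash
    $dir   = trailingslashit(get_stylesheet_directory());
    return array_merge($paths, array_map(fn($f) => $dir . $f, $theme));
}

// path => sha256 for every watched file that currently exists on disk.
function lq_hash_files(array $paths): array {
    $hashes = [];
    foreach ($paths as $p) {
        if (is_file($p)) $hashes[$p] = hash_file('sha256', $p);
    }
    return $hashes;
}

// Compare a fresh snapshot with the baseline and classify each difference.
function lq_integrity_diff(array $baseline, array $current): array {
    $changes = [];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $changes[$path] = 'added';
        } elseif (!hash_equals($baseline[$path], $hash)) {
            $changes[$path] = 'modified';
        }
    }
    foreach (array_diff_key($baseline, $current) as $path => $_) {
        $changes[$path] = 'removed';
    }
    $n = count($changes);
    return ['changes' => $changes, 'level' => $n === 0 ? 'none' : ($n > 5 ? 'high' : 'medium')];
}

// Hourly cron callback: the first run records the baseline, later runs compare.
add_action('lq_integrity_check', function (): void {
    $current  = lq_hash_files(lq_watched_files());
    $baseline = get_option('lq_integrity_baseline');
    if (!is_array($baseline)) {
        update_option('lq_integrity_baseline', $current, false);  // first run: record baseline
    } elseif (($result = lq_integrity_diff($baseline, $current))['level'] !== 'none') {
        do_action('lq_security_event', 'file_integrity', $result);  // hand off to the event log
    }
});
```

After a legitimate core or theme update, delete the option so the next run records a fresh baseline instead of reporting every updated file.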

How Threat Intelligence Works

The Threat Intelligence engine scans every front-end request — excluding admin, cron, and AJAX — for five categories of attack patterns. SQL injection detection catches UNION SELECT constructs, chained statements, comment-based obfuscation, and destructive keywords. XSS detection identifies script tags, javascript: protocols, and inline event handlers. File inclusion detection catches directory traversal sequences, /etc/passwd probes, and PHP stream wrappers. Code injection detection finds template injection syntax, backtick execution, and command chaining. Path traversal detection watches for direct access attempts to wp-config.php, install.php, xmlrpc.php, and the user enumeration endpoint.

Multi-layer threat analysis combines five signals to determine the final threat level for any event. IP reputation checks the address against the cached Central threat feed — known bad IPs receive Critical, bad IP ranges receive High, and Tor exit nodes receive Medium. Geolocation analysis checks IPs against high-risk regional ranges from the feed. Event pattern analysis assigns baseline threat levels by event type. Attack signature matching scans event data for execution functions, SQL manipulation, XSS payloads, and deep path traversal. Behavioral analysis tracks request volume (1000+ per hour triggers Critical) and unique path count (50+ unique paths per hour triggers High) to detect DDoS and scanning activity.
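The front-end request scanner and the two behavioral counters from the two paragraphs above, as an added example that is not the plugin's own code. It hooks WordPress's real init action at priority 1; the regexes are simplified illustrations of each category, not the plugin's signatures, and the 'lq_' transient keys and event hook are assumptions.

```php
<?php
// Added example, not the LuperIQ plugin's own code: front-end request scanning
// at init priority 1 for the five categories above, plus the two behavioral
// counters. Regexes are simplified illustrations; 'lq_' keys are assumptions.

const LQ_REQUEST_PATTERNS = [
    'sql_injection'  => '/union\s+select|;\s*(drop|delete|insert)\b|\/\*.*\*\/|--\s/i',
    'xss'            => '/<script\b|javascript:|\son[a-z]+\s*=/i',
    'file_inclusion' => '/\.\.\/|\/etc\/passwd|\b(php|data|expect):\/\//i',
    'code_injection' => '/\{\{.*\}\}|\$\{.*\}|`[^`]+`|(\|\||&&)\s*\w+/i',
    'path_traversal' => '/\/(wp-config|install|xmlrpc)\.php|[?&]author=\d+/i',
];
const LQ_VOLUME_CRITICAL = 1000;  // requests per hour from one IP
const LQ_PATHS_HIGH      = 50;    // unique paths per hour from one IP

// Returns the first matching category, or null for a clean request.
function lq_match_request(string $uri): ?string {
    $decoded = rawurldecode($uri);  // also check the decoded form
    foreach (LQ_REQUEST_PATTERNS as $category => $regex) {
        if (preg_match($regex, $uri) || preg_match($regex, $decoded)) {
            return $category;
        }
    }
    return null;
}

// Per-IP request volume and unique-path counters, kept for one hour in transients.
function lq_behavior_level(string $ip, string $path): ?string {
    $volume = (int) get_transient('lq_vol_' . md5($ip)) + 1;
    set_transient('lq_vol_' . md5($ip), $volume, HOUR_IN_SECONDS);
    $paths = get_transient('lq_paths_' . md5($ip)) ?: [];
    if (count($paths) < LQ_PATHS_HIGH) {  // stop growing once the threshold is reached
        $paths[$path] = true;
        set_transient('lq_paths_' . md5($ip), $paths, HOUR_IN_SECONDS);
    }
    if ($volume >= LQ_VOLUME_CRITICAL) return 'critical';
    return count($paths) >= LQ_PATHS_HIGH ? 'high' : null;
}

add_action('init', function (): void {
    if (is_admin() || wp_doing_cron() || wp_doing_ajax()) { return; }  // not scanned
    $uri  = $_SERVER['REQUEST_URI'] ?? '/';
    $ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $path = parse_url($uri, PHP_URL_PATH) ?: '/';
    if (($category = lq_match_request($uri)) !== null) {
        do_action('lq_security_event', $category, ['ip' => $ip, 'uri' => $uri]);
    }
    if (($level = lq_behavior_level($ip, $path)) !== null) {
        do_action('lq_security_event', 'behavioral', ['ip' => $ip, 'level' => $level]);
    }
}, 1);
```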

Threat data flows in both directions. The module syncs the LuperIQ Central threat feed every hour to stay current on known malicious IPs and ranges. Every 15 minutes, the module sends anonymized reports — IP address, attack type, and threat level only — back to Central so all LuperIQ installations benefit from shared threat intelligence. The report queue is capped at 500 entries and sent in batches of 100.

How Automated Response Works

The Auto Response system handles detected threats based on their severity level. Low and medium threats are logged for review without taking action. High threats receive graduated responses tailored to the attack type: suspicious requests add the IP to a watchlist with a 6-hour window, and the IP is temporarily blocked after 5 watchlist entries. SQL injection attempts trigger a 1-hour temporary block and an admin email alert. Dangerous file uploads result in a 24-hour temporary block and file quarantine. Repeated failed logins flag the IP for CAPTCHA. File integrity changes notify the administrator.

Critical threats receive the full response chain. The offending IP is permanently blocked. For SQL injection and code injection attacks at critical severity, the module also enables WordPress maintenance mode with a 15-minute auto-expiry timer, triggers an emergency backup via the luperiq_emergency_backup action hook, and sends a detailed alert email to the site administrator with the IP, attack type, and all actions taken. Every automated response is logged to the audit trail with the specific actions performed.

Who This Module Is Built For

Any WordPress site that needs real-time security monitoring beyond what basic firewall plugins provide.

WooCommerce and Membership Sites

  • Monitor login activity across hundreds or thousands of customer accounts with anomaly detection for admin-level users.
  • Block malicious file uploads before they reach your media library — critical for sites that allow user-submitted content.
  • Automated nightly cleanup removes expired WooCommerce sessions and optimizes order metadata tables.

Agency-Managed WordPress Sites

  • Centralized threat intelligence means every site in your portfolio benefits from threats detected on any single site.
  • The live dashboard gives clients a clear view of security activity without requiring technical knowledge.
  • Automated responses handle brute force attacks and injection attempts without manual intervention.

High-Traffic Content Sites

  • Behavioral analysis detects DDoS patterns (1000+ requests per hour) and vulnerability scanning (50+ unique paths per hour) automatically.
  • Request scanning runs at init priority 1 to catch attacks before they reach your application logic.
  • Nightly cleanup prevents security data from growing unbounded — events older than 90 days and alerts older than 30 days are purged automatically.

Related Security Modules

Security Core

Audit logging, IP blocking, and spam registration defense.

Explore the full feature set and integration details.


Frequently Asked Questions

Does this module require other LuperIQ modules?

Yes. Security Monitor depends on the Security Core module, which provides the database repository, IP detection, IP blocking, audit logging, and configuration services that Security Monitor uses. Security Core must be active for Security Monitor to function.

Will the request scanning slow down my site?

The request scanner runs on every front-end page load at init priority 1, but it is lightweight. It checks the request URI and query string against five regex patterns and exits immediately if nothing matches. Admin pages, cron jobs, and AJAX requests are skipped entirely. The overhead is negligible for normal traffic.

How does the module handle false positives on file uploads?

Binary file formats — images, video, audio, PDFs, office documents, archives, and fonts — are automatically excluded from content scanning to prevent false positives. Only text-based files under 2 MB are scanned for malicious code patterns. The extension blocklist targets executable and server-side script types that have no legitimate reason to be uploaded through the WordPress media library.

What happens if a critical threat triggers maintenance mode?

Maintenance mode is enabled with a 15-minute auto-expiry timer. WordPress automatically disables maintenance mode after the timer expires, even if no administrator intervenes. You can also manually remove the .maintenance file from your WordPress root directory at any time to restore the site immediately.

Can I unblock an IP that was automatically blocked?

Yes. The security dashboard sidebar shows top threat IPs with block and unblock buttons. Clicking Unblock removes the IP from the block list immediately. Expired temporary blocks are also cleaned up automatically by the nightly cleanup cron.

How long is security event data retained?

By default, security events are retained for 90 days and alerts for 30 days. These values are configurable through the Security Core configuration. The nightly cleanup cron handles data purging automatically.

Does the module send any data externally?

The module syncs with the LuperIQ Central API for threat intelligence. It downloads threat feed data (bad IPs, bad IP ranges, Tor exit nodes, geo risk data) hourly. It sends anonymized threat reports — IP address, attack type, and threat level only — back to Central every 15 minutes. No site content, user data, or personally identifiable information is transmitted.

Stop Threats Before They Reach Your WordPress Site

Security Monitor gives you real-time login monitoring, file integrity checks, five-pattern request scanning, multi-layer threat intelligence, and automated response — all running continuously with zero manual configuration after activation.
