WP User Sentry is a very simple WordPress Plugin which I built to cover a small gap in most security plugins. It’s now available on WordPress.org and Github.
WP User Sentry, like all good plugins, was born out of my own frustrations; whenever I give a security talk I inevitably would be asked a question that goes:
Plugin x stopped y000s of attacks, how do I stop them?
There are several things to decompact. Yay, plugin x is doing its job, assuming you trust what it says, that’s great. For this post we will skip over “how to stop them” being the wrong question and focus on the first part, why is your plugin telling you?
You do not need to know how many logins failed, watching those stats leads to madness.
Build robust solutions for filtering and blocking bad IPs, ideally at the server level, and go and make a cup of tea. If you can’t do that, then rely on a security plugin and turn off the email telling you what a swell job it’s doing.
The only metric, when it comes to logins, you should care about is the successful ones. I don’t need to know about the 20k failed attempts to login for admin; I trust my systems to take care of them. I do want to know about the successful login on my account from Italy when I’m on a trip to Peru!
Now, I have had a login alert setup for years, on most of my sites, for when I log-in, as most of my sites use Stream, which is a user activity monitor. One of its features is the ability to trigger notifications if certain actions occur, so I have Stream setup to send a notification if I log in.
This works well, but looks ugly and doesn’t give me much information in the email, it also has a really odd bug where it counts two-factor authentication success as a second login, which is really annoying double email.
So WP User Sentry was born to provide a simple notification system of successful logins.
Out of the box:
- It will email users when their account is logged into
- The email is customisable by the site admins
- You can select which roles should be notified
- You can set it so if the user is already logged in (in a different session) on that IP, with that device (based on useragent), then it will not send an email.
- You can attempt to determine the country the IP is from using a third party, currently ip-api.com is supported.
The result – in a simple way to be notified when your account is being accessed. As a secondary feature it also exposes the built-in WordPress Session Manager, to show users where they are logged in, and with what type of devices.
WP User Sentry should work alongside other security plugins and has been tested alongside WordFence, iThemes Security and the Two-Factor plugin.
Version 1.1 is already in the works, with a few features people have asked for, including a “test email” button in the admin area, extra options for determining countries and a is user active flag in the user management screen.
You can download and install via WordPress.org. If you need help then you can find me in the Support Forums or if you find a bug, please do feel free to raise an issue on Github where development takes place.