Introducing WP User Sentry


WP User Sentry is a very simple WordPress Plugin which I built to cover a small gap in most security plugins. It’s now available on and Github.

WP User Sentry, like all good plugins, was born out of my own frustrations; whenever I give a security talk I would inevitably be asked a question that goes:

Plugin x stopped y000s of attacks, how do I stop them?

There are several things to unpack. Yay, plugin x is doing its job; assuming you trust what it says, that’s great. For this post we will skip over “how to stop them” being the wrong question and focus on the first part: why is your plugin telling you?

You do not need to know how many logins failed; watching those stats leads to madness.

Build robust solutions for filtering and blocking bad IPs, ideally at the server level, and go and make a cup of tea. If you can’t do that, then rely on a security plugin and turn off the email telling you what a swell job it’s doing.

The only metric you should care about, when it comes to logins, is the successful ones. I don’t need to know about the 20k failed attempts to log in for admin; I trust my systems to take care of them. I do want to know about the successful login on my account from Italy when I’m on a trip to Peru!

Now, I have had a login alert set up for years, on most of my sites, for when I log in, as most of my sites use Stream, which is a user activity monitor. One of its features is the ability to trigger notifications if certain actions occur, so I have Stream set up to send a notification if I log in.

This works well, but looks ugly and doesn’t give me much information in the email. It also has a really odd bug where it counts two-factor authentication success as a second login, which means a really annoying double email.

So WP User Sentry was born to provide a simple notification system of successful logins.

Out of the box:

  • It will email users when their account is logged into
  • The email is customisable by the site admins
  • You can select which roles should be notified
  • You can set it so that if the user is already logged in (in a different session) on that IP, with that device (based on user agent), then it will not send an email.
  • You can attempt to determine the country the IP is from using a third party, currently is supported.

The result is a simple way to be notified when your account is being accessed. As a secondary feature it also exposes the built-in WordPress Session Manager, to show users where they are logged in, and with what type of devices.
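The role filter and the "already logged in on that IP with that device" check from the list above, sketched as an added example; this is not WP User Sentry's own code. The `demo_` names and the role list are hypothetical, and it assumes WordPress core's login order, where the new session is stored before `wp_login` fires.

```php
<?php
// Added example, not the plugin's code. demo_* names are hypothetical.

const DEMO_NOTIFY_ROLES = array( 'administrator', 'editor' ); // assumed admin setting

/**
 * Decide whether a successful login deserves an email.
 * $sessions is the user's session list as WordPress stores it; each entry
 * carries the 'ip' and 'ua' recorded when that session was created.
 * Assumption: the login being processed is already in the list, so one
 * match is the login itself and a second match means a known device.
 */
function demo_should_notify( array $roles, array $sessions, string $ip, string $ua ): bool {
    if ( ! array_intersect( DEMO_NOTIFY_ROLES, $roles ) ) {
        return false; // role not selected for notifications
    }
    $same_device = 0;
    foreach ( $sessions as $session ) {
        if ( ( $session['ip'] ?? '' ) === $ip && ( $session['ua'] ?? '' ) === $ua ) {
            $same_device++;
        }
    }
    return $same_device < 2;
}

// Wire it up only when loaded inside WordPress.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_login', function ( $user_login, $user ) {
        // REMOTE_ADDR is the proxy's address when the site sits behind one.
        $ip       = $_SERVER['REMOTE_ADDR'] ?? '';
        $ua       = wp_unslash( $_SERVER['HTTP_USER_AGENT'] ?? '' );
        $sessions = WP_Session_Tokens::get_instance( $user->ID )->get_all();

        if ( demo_should_notify( (array) $user->roles, $sessions, $ip, $ua ) ) {
            // The user agent is client-controlled: keep it in the plain-text
            // body only, never in the subject or headers.
            wp_mail(
                $user->user_email,
                'New login to your account',
                sprintf( "User: %s\nIP: %s\nDevice: %s\nTime (UTC): %s",
                    $user_login, $ip, $ua, gmdate( 'Y-m-d H:i:s' ) )
            );
        }
    }, 10, 2 );
}
```

Because the user agent is supplied by the client, this suppression is a noise reducer rather than a security boundary: anyone who already shares your IP and copies your user agent string would not trigger the email.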

WP User Sentry should work alongside other security plugins and has been tested alongside Wordfence, iThemes Security and the Two-Factor plugin.

Future plans

Version 1.1 is already in the works, with a few features people have asked for, including a “test email” button in the admin area, extra options for determining countries and an “is user active” flag in the user management screen.

You can download and install via If you need help then you can find me in the Support Forums or if you find a bug, please do feel free to raise an issue on Github where development takes place.
