[WordPress] 外掛分享: Visitor Sentinel

首頁外掛目錄 › Visitor Sentinel
WordPress 外掛 Visitor Sentinel 的封面圖片
全新外掛
安裝啟用
★★★★★
5/5 分(1 則評價)
剛更新
最後更新
問題解決
WordPress 5.8+ PHP 7.4+ v2.1.1 上架:2026-07-14

內容簡介

Visitor Sentinel 是一款針對 WordPress 的安全與流量分析外掛,結合即時攻擊偵測與主動欺騙層,能有效識別並引誘攻擊者暴露自己,提升網站安全性。

【主要功能】
• 即時流量分析與攻擊偵測
• 自動封鎖可疑 IP 地址
• 主動欺騙技術(蜜罐與蜜標)
• 完整控制面板與即時儀表板
• 可選的電子郵件警報功能
• 支援 CSV 匯出被封鎖 IP 列表

外掛標籤

開發者團隊

⬇ 下載最新版 (v2.1.1) 或搜尋安裝

① 下載 ZIP → 後台「外掛 › 安裝外掛 › 上傳外掛」
② 後台搜尋「Visitor Sentinel」→ 直接安裝(推薦)
📦 歷史版本下載

原文外掛簡介

Visitor Sentinel is a security and traffic analysis plugin for WordPress. It combines real-time attack detection with an active deception layer, so an attacker is not just noticed — they are lured into giving themselves away.
Detection

Records site visits (IP, page visited, user-agent, device/browser, account type).
Analyzes every request in real time using multiple heuristics: unusual request rate, user-agent associated with scanning/attack tools, requests to sensitive resources (wp-config.php, .env, .git, etc.), repeated failed logins, credential-stuffing patterns, XML-RPC abuse, invisible honeypot fields on login/comment forms, submission-timing checks, and scanning of non-existent pages (404).
Calculates a risk score per IP address and permanently blocks it once the score exceeds the configured threshold — sheer browsing volume alone never triggers a block, only genuine attack/bot/spam signals do.
Blocks are permanent by design and apply everywhere on the site (the full-page cache, if any, is purged automatically on every block). Lifting one requires a signed declaration, kept permanently in History.

Deception layer (honeypots & honeytokens)

A decoy backup file (honeyfile) at a random, unlinked URL — any access to it is conclusive proof of directory scanning.
A decoy admin username that was never a real account — any login attempt against it is an instant, certain block.
A decoy REST endpoint that hands out a fake API key — using that key anywhere is what triggers the block, not merely finding it.
A hidden spam-trap email address planted only where scrapers read markup — if it ever comes back in a submitted form, that visitor harvested this exact site.
Every one of these bypasses the normal scoring threshold entirely: interacting with any of them is treated as certain malicious intent, not a “maybe.”

Management & visibility

Optional email alerts whenever an IP is blocked or escalated, and one-click CSV export of the blocked IPs list.
A complete control panel: a live dashboard, an auto-refreshing visitor log, a list of blocked IPs with details about the block reason, and options to unblock, extend, or change the block type (temporary/permanent).
Displays, to logged-in users and optionally guests, a discreet badge showing how many people are on the site right now, updating live in the browser without a page reload.
Fully responsive admin panel, usable on desktop, tablet, and phone.

All text is translation-ready. The plugin loads no external resources (CDN) and does not enable any third-party tracking. The only optional external call is described in the FAQ below, and it is off by default.
External services
This plugin connects to one third-party service, and only for a single, optional, off-by-default feature:
IP-to-country lookup (ip-api.com) — used only if you explicitly enable “Show country flags next to IPs” in Settings. When enabled, and only then, each new IP address seen by the plugin is sent to ip-api.com so it can look up which country it belongs to. Nothing else about the visitor (no page content, no personal data, no credentials) is sent. Results are cached locally for 30 days so the same IP is never looked up twice. If you never enable this setting, the plugin makes no external requests at all.
Service provided by ip-api.com: Terms of Service and Privacy Policy.

延伸相關外掛

文章
Filter
Mastodon