Monitoring

Track login activity, verify file integrity, detect malware, and identify plugin and theme vulnerabilities from one dashboard.

Overview

Monitoring is included with every RakuWP plan and gives you a centralized view of your WordPress sites' security health. It combines four components into a single dashboard accessible from the RakuWP panel: login monitoring, file integrity checking, malware scanning, and vulnerability detection.

No extra configuration is required on the WordPress side. Once the RakuWP plugin is active on a site, the panel can pull monitoring data at any time through the REST API.

Dashboard

The monitoring home page lists every site linked to your account. Each row shows the site's favicon, URL, company, last check-in time, WordPress and PHP versions, and a free-text alert note you can use for your own reminders.

A status bar at the top summarizes how many sites are Online, Warning, or Offline:

  • Online: the site checked in within the last 24 hours.
  • Warning: the last check-in was between 24 and 72 hours ago, or the site has never checked in.
  • Offline: the site has not checked in for more than 72 hours, or its license is inactive.

Clicking a site opens its detail page, which is organized into three tabs: Login Monitoring, File Integrity, and Threats & Vulnerabilities.

Login Monitoring

Every login attempt on your WordPress site is recorded automatically. The login log captures the timestamp, username, IP address, user agent, and outcome (success, failed, or locked).

How it works

  1. The RakuWP plugin hooks into WordPress authentication events and stores each attempt in the wp_rakuwp_login_log table.
  2. Records older than 90 days are automatically pruned.
  3. The panel fetches logs on demand via the REST API (paginated, 50 entries per page).

What you see

Each log entry shows:

  • A colored indicator: green for success, amber for failed, red for locked.
  • Date and time of the attempt.
  • The username that was used.
  • The originating IP address. Hovering over the IP reveals a geolocation popover with city, region, country, and ISP.
  • The browser and operating system detected from the user agent string.

Login protection

When the login protection feature is enabled in Security Basics, the plugin also enforces rate limiting:

  • Max attempts: the number of failed logins allowed within the time window (default: 5).
  • Lockout duration: how long an IP is blocked after exceeding the threshold (default: 30 minutes).
  • Attempt window: the period over which failed attempts are counted (default: 15 minutes).

Locked attempts appear in the log with a red indicator and are counted in the tab badge.

File Integrity

File Integrity compares every WordPress core file on your site against the official checksums published by WordPress.org. Modified or missing files could indicate a compromise, a failed update, or manual edits to core files that will be lost on the next update.

How it works

  1. A WordPress cron job (rakuwp_file_integrity_check) runs once per day.
  2. The plugin fetches the SHA-1 checksum list for the installed WordPress version from the WordPress.org API.
  3. It hashes each local core file and compares the result to the expected checksum. Files inside wp-content are excluded.
  4. The results (total files checked, modified files, missing files) are stored locally and can be retrieved by the panel at any time.

What you see

The panel shows a summary line with the number of files checked and the date of the last scan. If all files match, a green checkmark confirms integrity. Otherwise, a table lists each affected file with its status (modified or missing).

On-demand scanning

Click Scan Now to trigger an immediate integrity check without waiting for the daily cron. The results replace the previous scan.

Malware Scanning

The malware scanner inspects PHP files in your themes, plugins, and mu-plugins directories for known malicious patterns. It uses a built-in signature database that covers web shells, backdoors, obfuscated eval() calls, code injection, and other common threats.

How it works

  1. The scan is initiated from the panel via the Threats & Vulnerabilities tab.
  2. The plugin collects all PHP files under wp-content/themes, wp-content/plugins, and wp-content/mu-plugins.
  3. Files are processed in batches of 50 (with a 2 MB size limit per file) to avoid timeouts.
  4. Each file is tested against the signature database using regular-expression matching.
  5. When all batches are complete, the results are stored locally and returned to the panel.

What you see

If no malware is found, a green checkmark confirms a clean scan. Otherwise, a table lists each finding with the file path, signature name, and severity level (critical, high, or medium). Severity is color-coded for quick identification.

Threats & Vulnerabilities

This tab combines malware scan results with a vulnerability check that cross-references every installed plugin and theme against a public vulnerability database.

Vulnerability data source

Vulnerability information is pulled from WPVulnerability.net, a free, open database that requires no API key. A daily cron job on the panel fetches vulnerability records for every plugin and theme slug found across all connected sites. Results are cached for 24 hours per slug, and records older than 90 days are pruned automatically.

How matching works

When you sync a site, the panel retrieves the list of installed plugins and themes (with their version numbers) from the WordPress site. It then checks each slug against the cached vulnerability data. A vulnerability is flagged when the installed version is lower than the version that contains the fix. If no fix has been released, all versions are considered affected.

Severity levels

Severity is derived from the CVSS score of each vulnerability:

  • Critical: CVSS ≥ 9.0
  • High: CVSS ≥ 7.0
  • Medium: CVSS ≥ 4.0
  • Low: CVSS < 4.0

What you see

The vulnerabilities table shows the plugin or theme name, its installed version, a short description of the vulnerability, the severity badge, and the recommended action (update to a specific version, or "No fix available" if no patch exists yet). Click any row to open a detail modal with the CVE ID, publication date, and a link to the full advisory.

Syncing

Click Sync Now to pull fresh data from the site and re-match against the vulnerability cache. The last sync timestamp is displayed above the tables.

Alert Notes

Each site on the monitoring dashboard has a free-text alert field (up to 500 characters). Use it to leave reminders for yourself or your team, such as "Scheduled maintenance March 25" or "Waiting for plugin update." Notes are saved automatically as you type.

Authentication and Security

All communication between the panel and a WordPress site is authenticated using the site's license key, sent in the X-RakuWP-Key header. Panel endpoints are also protected by CSRF tokens. IP addresses used in login logs support multi-header detection for proxy and CDN environments (Cloudflare, X-Forwarded-For, X-Real-IP).

Previous Security Basics Next Media Center