How WPress Zone Works

WPress Zone is a central monitoring dashboard where you manage and track all your WordPress sites from one place. It gives you uptime status, security alerts, plugin and theme update reports, vulnerability scans, failed login tracking, and more — without having to log in to each WordPress site individually.

Why Is a WordPress Plugin Needed?

WPress Zone cannot access your WordPress sites directly — it has no credentials for them and does not need them. Instead, a lightweight companion plugin installed on each WordPress site collects data locally and pushes it to WPress Zone on a regular schedule. This means:

  • WPress Zone never stores your WordPress admin password.
  • Data collection happens on your server, not from the outside.
  • The plugin only sends data outward — WPress Zone cannot remotely execute anything on your site.

The two components work together: the plugin collects and sends data, and the WPress Zone app receives, displays, and alerts on it.

Quick start: Install the plugin on each site → enter the API Key and Secret Key in the plugin settings → the dashboard starts populating within minutes.

Add a Site

Adding a site is a two-step process: first create it in WPress Zone to generate your API keys, then install the companion plugin on WordPress and enter those keys. Once the plugin connects, monitoring starts automatically.

Step 1 — Create the site in WPress Zone

  1. In the WPress Zone app, click Websites in the left sidebar, then click the New Website button in the top-right corner.
  2. Fill in the Site name (required) and the Site URL (required) — use the full URL including https://, e.g. https://example.com.
  3. If you leave Advanced settings unchecked, the following defaults apply:

    Uptime monitoring — enabled, check interval set to 5 minutes (or your plan's minimum).

    SSL monitoring — enabled; alerts when the certificate is expiring or invalid.

    Domain monitoring — enabled; alerts when the domain registration is approaching expiry.

    Alert events — all five events enabled: Site down, Modified files, Permission issues, Suspicious files, and Failed logins.

    Alert delivery — notifications sent to email only (your global email integrations).

    To change any of these, check Advanced settings — see the sections below for details.

Advanced settings

By default, all monitoring and alerts are enabled and notifications go to your global alert integrations. Check Advanced settings on the new site form to customise the following three areas for this specific site.

Monitoring

Controls which infrastructure checks run for this site.

Option | Description
Uptime monitoring | Periodically checks whether the site is reachable. When enabled, a Check interval slider lets you set how often the check runs — from every 60 seconds up to every hour. The minimum interval available depends on your plan; a warning appears if you select a value below your plan limit.
SSL monitoring | Alerts you when the site's SSL certificate is expiring soon or has become invalid.
Domain monitoring | Alerts you when the domain registration is approaching its expiry date.

Alert events

Choose which security and availability events trigger a notification for this site. Each event can be toggled on or off independently.

Event | When it fires
Site down | The site is unreachable during an uptime check.
Modified files | File changes are detected in WordPress core or the uploads directory.
Permission issues | Unexpected file permission changes are found on critical WordPress paths.
Suspicious files | Suspicious files (e.g. PHP files in the uploads folder) are found during a scan.
Failed logins | Repeated failed WordPress login attempts are reported by the plugin.

Alert configuration

Controls how notifications are delivered for this site.

Delivery mode | Description
Email only | Sends alerts to your global email integrations only. This is the default when Advanced settings are not used.
Global alert | Uses all your global alert integrations (Slack, email, Telegram, etc.). Any integration marked as global will receive alerts for this site.
Custom alert | Lets you assign one or more specific integrations to this site only. Select a channel from your saved integrations, optionally add a label, and fill in any channel-specific fields (email address, webhook URL, signing secret, or Telegram bot token and chat ID). You can add multiple integrations.

If you leave Advanced settings unchecked, the defaults are: all three monitoring checks enabled, check interval set to 5 minutes (or your plan's minimum), all five alert events enabled, and delivery via email only (your global email integrations).

  4. Click Add site to save. WPress Zone creates the site record and generates a unique API Key and Secret Key for it.

Getting your API keys

After saving, open the site's detail page and click the API Keys tab. Copy both the API Key and the Secret Key — you will need them in the next step when configuring the WordPress plugin.

Step 2 — Install the plugin on WordPress

Download plugin (wpress-zone.zip)
  1. In your WordPress admin, go to Plugins → Add New → Upload Plugin.
  2. Upload the zip file and click Install Now, then Activate.
  3. Go to Settings → WPress Zone and enter the API Key and Secret Key copied in Step 1. Both keys are sent with every data push (metrics, scans, plugin updates, failed logins, etc.) and must match what WPress Zone has on record. The Secret Key is also used independently to sign and verify SSO login tokens — no other credential is involved in that flow.
  4. Click Save Changes, then click Test Connection to confirm the plugin can reach your WPress Zone app.
Both keys must be saved for monitoring and SSO to work correctly. If either key is missing or incorrect, data pushes will be rejected and SSO login will fail.
The site will show Pending first scan until the plugin sends its first data push. Use the Send Now button in the WordPress plugin settings to trigger an immediate push without waiting for the cron schedule.

Websites List

Click Websites in the sidebar to open this page. Each row shows:

Column | What it shows
Site | Site name and URL.
Last Scan | How long ago the plugin last pushed data. Shows Pending first scan until the plugin connects.
WP Core | Whether a WordPress core update is available. Shows Update in amber if an update is needed, OK in green if up to date.
Plugins | Number of plugins with available updates. Shown in amber when updates are pending, green when all are up to date.
Themes | Number of themes with available updates. Same colour coding as Plugins.
Uptime | Current uptime status — Online in green, Offline in red, or a dash if uptime monitoring is not enabled.
SSL | SSL certificate status. Green if valid, amber if expiring within 30 days, red if expired, dash if not monitored.
Domain | Domain registration expiry. Same colour coding as SSL.
Suspicious Files | Number of suspicious files detected in the last 24 hours. Shows a red count linking to the Issues tab if any are found, green if clean.

WordPress Tab

The WordPress tab on a site's detail page shows the current state of your WordPress installation as reported by the plugin:

Field | Description
WordPress Version | Currently installed WP version, with a flag if an update is available.
PHP Version | PHP version the site is running on.
DB Version | MySQL/MariaDB version.
Last Scan | When the plugin last pushed data to the dashboard.
Active Plugins | Total number of active plugins.
Outdated Plugins | Plugins with available updates, with a link to the full plugin list.
Active Theme | Currently active theme name.
Outdated Themes | Themes with available updates.
Custom Login URL | Whether the default /wp-login.php has been replaced with a custom URL. Shows Yes if a custom URL is active, or No — wp-login.php is exposed if not.

All values are populated automatically by the plugin — no manual input is needed.

Fixing an exposed wp-login.php

/wp-login.php is publicly known and constantly targeted by brute-force bots. Moving it to a custom URL stops most automated attacks that target the default path. The free WPS Hide Login plugin handles this in a few clicks:

  1. In your WordPress admin, go to Plugins → Add New, search for WPS Hide Login, install and activate it.
  2. Go to Settings → General and scroll to the bottom — the plugin adds a Login URL field there.
  3. Enter a custom path (e.g. manage or staff-login) and click Save Changes.
Note down your new login URL before clicking Save Changes. If you lose it, you can temporarily recover access by adding ?whl_page=wp-login.php to your site URL.

On the next data push the warning clears and WPress Zone shows Yes for this field.

Uptime Tab

The Uptime tab shows the real-time availability status of your site along with historical uptime data.

  • Uptime — Up or Down, with the time of the last check.
  • Response time — How long the site took to respond during the last uptime check, shown in milliseconds (e.g. 578 ms).
  • SSL — Certificate expiry date with a warning if it expires within 30 days.
  • Domain — Domain registration expiry with the same warning threshold.
  • Uptime graph — A bar chart showing Up/Down status over the last 1 hour or 24 hours. Each bar represents a time slot — green for up, red for down, grey for no data. Toggle between 1h and 24h views using the buttons on the chart.
  • Response time graph — A line chart showing how long the site took to respond (in ms) for each check over the last 1 hour or 24 hours. The peak response time for the selected range is shown alongside the chart.
  • Uptime history — A log of downtime events including start time, end time, and duration.

Both the Uptime graph and Response time graph support a 1h and 24h view, toggled via the buttons on each chart.

Uptime checks are run by the WPress Zone server on a schedule set by your plan. You can configure the check interval per site when adding or editing a site. Alerts are sent via your configured integrations when the site goes down or recovers.

Suspicious Files Tab

The Suspicious files tab shows the results of malware and heuristic scans run by the plugin. It has two sub-tabs:

  • Current issues — Active suspicious findings still present on the site. Each row shows the issue type (e.g. PHP file in uploads folder, malicious pattern match), the file path or key, and when it was first and last seen.
  • Issue history — A full log of all past findings, including issues that have since been resolved.

The plugin scans for malicious heuristic patterns, PHP files in the uploads folder, modified WordPress core files, and other indicators of compromise. An issue is automatically cleared from Current issues once it is no longer detected on the next scan.
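
An independent spot check for the "PHP file in uploads folder" finding, added here as an example and not the plugin's own scanner: it flags PHP extensions anywhere in a file name and, going beyond the case named above, a PHP open tag in the first bytes of any other file. The extension list, the `scan_uploads` name and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile

# Assumed list of extensions a server may hand to PHP; match it to your own config.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}


def scan_uploads(uploads_dir, sniff_bytes=4096):
    """Return sorted (relative_path, reason) pairs for files that look executable."""
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, uploads_dir)
            # Check every dot-separated part so "name.php.jpg" is caught as well.
            parts = {"." + part for part in name.lower().split(".")[1:]}
            if parts & PHP_EXTENSIONS:
                findings.append((rel, "php extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if b"<?php" in head.lower():
                findings.append((rel, "php open tag in content"))
    return sorted(findings)


def demo():
    """Build a constructed uploads tree in a temp directory and scan it."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "report.pdf": b"%PDF-1.7 constructed",
        "cache.php": b"<?php // constructed\n",
        "banner.php.jpg": b"\xff\xd8\xff\xe0 constructed",
        "logo.png": b"\x89PNG constructed <?php // constructed\n",
    }
    with tempfile.TemporaryDirectory() as root:
        month = os.path.join(root, "2026", "05")
        os.makedirs(month)
        for name, data in samples.items():
            with open(os.path.join(month, name), "wb") as fh:
                fh.write(data)
        return scan_uploads(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:26} {rel}")
```

Point `scan_uploads` at a copy or read-only mount of wp-content/uploads and compare its findings with the Current issues sub-tab.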

Permission Checks

The Permission Checks tab shows the results of file permission audits on critical WordPress paths (e.g. wp-config.php, wp-admin/). Incorrect permissions can expose your site to attacks. The plugin reports current permissions and flags any that deviate from recommended values. It has two sub-tabs:

  • Current — Active permission issues found on the last scan. Each row shows the issue type (File or Directory), the file/directory path, the current permission mode (highlighted in red), the expected permission mode (highlighted in green), the reason it was flagged, and when it was first and last seen. Critical severity issues are additionally marked with a Critical badge. You can search and filter by file path.
  • History — A full log of all permission issues ever detected, including those that have since been resolved.

Modified Files

The Modified Files tab tracks modifications to WordPress core files and the uploads directory. It reports:

  • Modified files — Core files that have changed since the last scan.
  • New files — Files added to core directories since the last scan, whether intentional (e.g. a legitimate deployment) or unintentional (e.g. malware dropping files). Review each entry to confirm whether it is expected.
  • Suspicious files in uploads — PHP files found in the uploads folder, which should never contain executable code.
  • Plugin / theme installations — Newly installed or removed plugins and themes detected via file changes.

Logins

The Logins tab shows a full log of WordPress login activity reported by the plugin — both successful and failed attempts. Each entry includes the username, IP address, login type (successful or failed), and timestamp. Tracking both types gives you a complete picture of who is accessing your site and helps identify suspicious patterns such as brute-force attacks (many failed attempts) or unexpected successful logins.

When the Failed logins alert event is enabled for a site, a notification is sent each time a new failed login is detected from a given username and IP address. Repeated failures from the same username and IP within a 1-hour window are grouped — the attempt count increments silently rather than firing a new alert each time. A fresh alert fires again once the 1-hour window has passed.
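
The grouping rule above and the "unexpected successful login" pattern, modelled as an added example over constructed log entries (not WPress Zone's own code). It assumes the 1-hour window is measured from the failure that opened it; the `triage_logins` name and the `min_failures` threshold of 5 are arbitrary choices for the example.

```python
WINDOW = 3600  # seconds: the 1-hour grouping window described above


def triage_logins(entries, window=WINDOW, min_failures=5):
    """entries: (unix_ts, username, ip, success) tuples, as listed in the Logins tab.

    Returns (alerts, suspicious):
      alerts     - (ts, username, ip) for each failure that opens a new alert
      suspicious - (ts, username, ip, failures) for each success preceded by at
                   least min_failures grouped failures from the same pair
    """
    open_windows = {}  # (username, ip) -> [window_start, attempts]
    alerts, suspicious = [], []
    for ts, user, ip, success in sorted(entries):
        key = (user, ip)
        state = open_windows.get(key)
        if state is not None and ts - state[0] >= window:
            del open_windows[key]  # window has passed: the next failure alerts again
            state = None
        if success:
            if state is not None and state[1] >= min_failures:
                suspicious.append((ts, user, ip, state[1]))
            continue
        if state is None:
            state = open_windows[key] = [ts, 0]
            alerts.append((ts, user, ip))
        state[1] += 1  # grouped silently inside the window
    return alerts, suspicious


def demo():
    t0 = 1_700_000_000  # constructed timestamps and documentation-range IPs
    entries = [(t0 + 20 * i, "admin", "203.0.113.7", False) for i in range(6)]
    entries += [
        (t0 + 130, "admin", "203.0.113.7", True),       # success right after 6 failures
        (t0 + 50, "editor", "198.51.100.23", False),
        (t0 + 60, "admin", "198.51.100.23", False),     # same IP, different username
        (t0 + 4000, "editor", "198.51.100.23", False),  # more than an hour later
        (t0 + 4100, "editor", "198.51.100.23", True),   # one failure, then a normal login
    ]
    return triage_logins(entries)


if __name__ == "__main__":
    alerts, suspicious = demo()
    print(len(alerts), "alerts;", "review:", suspicious)
```

Nine failed attempts in the sample produce four alerts, and the one success worth reviewing is the login that follows six grouped failures.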

Vulnerabilities

The Vulnerabilities tab lists known security vulnerabilities detected in the plugins, themes, and WordPress core version running on the site. Vulnerability data is sourced from the WPScan vulnerability database and updated daily. Each entry shows:

  • Component name and version affected
  • CVE identifier (where available)
  • Severity level
  • Recommended fix (usually: update to a patched version)

Setting Up SSO Login

Single Sign-On (SSO) lets you log in to your WordPress admin directly from the WPress Zone app — no separate WordPress password needed.

Enable SSO on Your WordPress Site

  1. In your WordPress admin, go to Settings → WPress Zone.
  2. Check Allow SSO Login and click Save Changes.

Log In via SSO

Click the WP Admin button — it's on the WordPress tab of the site's detail page, and also in the three-dots dropdown on the Sites list. You'll be taken straight into your WordPress admin without a password.

Each token is single-use and expires immediately after use. If you get an "already been used" error, just click WP Admin again to generate a new one.
Security note: If you remove the Secret Key from the WordPress plugin settings, SSO will stop working for that site. To disable SSO without removing the key, uncheck Allow SSO Login in the plugin settings.

Alert Settings

Alert Settings (found in the left sidebar) is where you connect notification channels to WPress Zone. These are your global (default) alert channels — any site whose alert delivery is set to Email only or Global alert will send notifications through the channels configured here.

If a site has its own Custom alert configuration, Alert Settings is ignored for that site.

Available channels

Channel | What you need to connect it
Email | An email address to send alerts to.
Slack | A Slack incoming webhook URL.
Discord | A Discord webhook URL.
Microsoft Teams | A Teams incoming webhook URL.
Telegram | A Telegram bot token and chat ID.
Webhook | Any HTTPS endpoint URL. Optionally a signing secret to verify payloads.

Connecting a channel

  1. Go to Alert Settings in the sidebar.
  2. Find the channel card you want to connect and click Connect (or Add another if one is already connected).
  3. Fill in the required details for that channel (email address, webhook URL, bot token, etc.) and optionally give the integration a label.
  4. Save. The card will show a Connected badge and list the account.

You can connect multiple accounts per channel — for example, two different email addresses or two Slack workspaces. Each connected account will receive alerts independently.

Channels available to you depend on your plan. Channels not included in your plan show an Upgrade required badge and cannot be connected until you upgrade.

Site-specific alerts

Alert Settings only controls your global channels. If you need a specific site to alert a different person, channel, or integration, you can override this per site. Open the site, go to its Edit page, and under Alert configuration switch the delivery mode to Custom alert — then assign whichever channels should receive alerts for that site only.

Email Alerts

  1. In WPress Zone, go to Alert Settings in the sidebar.
  2. Find the Email card and click Connect.
  3. Enter the email address you want alerts sent to and optionally give it a label.
  4. Save. The Email card will show a Connected badge.
Alerts are sent from the address configured in Admin → Settings → SMTP. Make sure SMTP is configured correctly or emails may land in spam.

Slack Alerts

  1. Go to api.slack.com/apps and create a new app.
  2. Under Incoming Webhooks, activate and add a new webhook for your desired channel.
  3. Copy the Webhook URL (starts with https://hooks.slack.com/services/...).
  4. In WPress Zone, go to Alert Settings, find the Slack card, click Connect, and paste the webhook URL.

Telegram Alerts

  1. Open Telegram and message @BotFather. Use /newbot to create a bot and get your Bot Token.
  2. Start a chat with your new bot (send any message to it).
  3. Find your Chat ID by visiting:
    https://api.telegram.org/bot<YOUR_TOKEN>/getUpdates
  4. In WPress Zone, go to Alert Settings, find the Telegram card, click Connect, and enter the Bot Token and Chat ID.

Discord Alerts

  1. In your Discord server, go to Server Settings → Integrations → Webhooks → New Webhook.
  2. Select the channel, copy the Webhook URL.
  3. In WPress Zone, go to Alert Settings, find the Discord card, click Connect, and paste the webhook URL.

Microsoft Teams Alerts

  1. In your Teams channel, click ⋯ → Workflows.
  2. Search for "Post to a channel when a webhook request is received" and select it.
  3. Follow the setup steps — choose the team and channel, then copy the generated Webhook URL.
  4. In WPress Zone, go to Alert Settings, find the Microsoft Teams card, click Connect, and paste the webhook URL.

Webhook Alerts

The Webhook channel sends a signed JSON POST request to any HTTP endpoint you control — your own server, Zapier, Make, n8n, or any custom API.

Setup

  1. In WPress Zone, go to Alert Settings, find the Webhook card, and click Connect.
  2. Enter a label and paste your endpoint URL.
  3. Optionally enter a Signing Secret — a random string you also configure on your receiver so it can verify requests came from WPress Zone.
  4. Save. The integration can be set as Global (all sites) or Custom (per-site).

Request Format

Every alert fires a POST request with the following JSON body:

{
  "event":     "downtime",
  "site": {
    "name": "Online Store",
    "url":  "https://store.example.com"
  },
  "message":   "Site Online Store is DOWN. Last checked at 2026-05-08 14:30.",
  "timestamp": 1746700800
}

Event Types

event | When it fires
site_down | Site detected as down
site_recovery | Site came back up
ssl_expired | SSL certificate expiring soon or expired
domain_expired | Domain expiring soon or expired
failed_login | Failed WordPress login attempt(s) detected
modified_files | File changes detected on site
suspicious_files | Suspicious files found during scan

Request Headers

Header | Always sent | Description
Content-Type | Yes | application/json
X-Timestamp | Yes | Unix timestamp (seconds) when the request was sent
X-Signature | Only if signing secret is set | sha256=<hex-encoded HMAC-SHA256>

Signature Verification

If you configure a Signing Secret on the webhook integration, WPress Zone will include an X-Signature: sha256=<hex> header on every request. The signature is computed as HMAC-SHA256(signing_secret, raw_request_body). Your endpoint should recompute the same value and compare — if they match, the request genuinely came from WPress Zone. If no signing secret is set, the header is omitted.

Also reject requests where |now − X-Timestamp| > 300 seconds to prevent replay attacks. X-Timestamp is a Unix timestamp in seconds.

Always read the raw body bytes before JSON-parsing. The signature is computed over the exact bytes sent; parsing and re-serializing them can change whitespace, key order, or escaping and break the HMAC comparison.

Receiver Example — PHP

<?php
$secret    = 'your_signing_secret';
$rawBody   = file_get_contents('php://input');
$timestamp = $_SERVER['HTTP_X_TIMESTAMP'] ?? '';
$signature = $_SERVER['HTTP_X_SIGNATURE'] ?? '';

// 1. Reject stale requests
if (abs(time() - (int) $timestamp) > 300) {
    http_response_code(400); exit('Request too old');
}

// 2. Verify signature
$expected = 'sha256=' . hash_hmac('sha256', $rawBody, $secret);
if (! hash_equals($expected, $signature)) {
    http_response_code(401); exit('Invalid signature');
}

// 3. Handle the event (notifyTeam() stands for your own notification function)
$payload = json_decode($rawBody, true);

// "?? null" keeps a body without an "event" key from raising a warning
match ($payload['event'] ?? null) {
    'site_down'        => notifyTeam('DOWN: '  . $payload['site']['url']),
    'site_recovery'    => notifyTeam('UP: '    . $payload['site']['url']),
    'suspicious_files' => notifyTeam('Scan: '  . $payload['message']),
    'failed_login'     => notifyTeam('Login: ' . $payload['message']),
    default            => null,
};

http_response_code(200);

Receiver Example — Node.js (Express)

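const crypto  = require('crypto');
const express = require('express');

const app = express();
// notifyTeam() stands for your own notification function

// Use express.raw() — do NOT parse JSON before verifying
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
    const secret    = 'your_signing_secret';
    const timestamp = parseInt(req.headers['x-timestamp'], 10);
    const signature = Buffer.from(req.headers['x-signature'] || '');

    // express.raw() only yields a Buffer when the Content-Type matched
    if (! Buffer.isBuffer(req.body))
        return res.status(400).send('Expected application/json body');

    // A missing or non-numeric timestamp parses to NaN and must be rejected explicitly
    if (Number.isNaN(timestamp) || Math.abs(Date.now() / 1000 - timestamp) > 300)
        return res.status(400).send('Request too old');

    const expected = Buffer.from('sha256=' + crypto
        .createHmac('sha256', secret).update(req.body).digest('hex'));

    // timingSafeEqual throws on unequal lengths, so compare lengths first
    if (signature.length !== expected.length || ! crypto.timingSafeEqual(expected, signature))
        return res.status(401).send('Invalid signature');

    const payload = JSON.parse(req.body);
    if (payload.event === 'site_down')     notifyTeam('DOWN: '  + payload.site.url);
    if (payload.event === 'site_recovery') notifyTeam('UP: '    + payload.site.url);
    console.log(`Alert [${payload.event}]: ${payload.message}`);
    res.status(200).send('OK');
});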

Receiver Example — Python (Flask)

import hmac, hashlib, time
from flask import Flask, request, abort

app = Flask(__name__)
SECRET = b'your_signing_secret'

def notify_team(text):
    # Replace with your own notification logic
    print(text)

@app.route('/webhook', methods=['POST'])
def webhook():
    timestamp = request.headers.get('X-Timestamp', '')
    signature = request.headers.get('X-Signature', '')
    raw_body  = request.get_data()

    # A missing or non-numeric timestamp is rejected instead of raising a 500
    try:
        sent_at = int(timestamp)
    except ValueError:
        abort(400, 'Invalid timestamp')
    if abs(time.time() - sent_at) > 300:
        abort(400, 'Request too old')

    # Compare as bytes: compare_digest() raises TypeError on non-ASCII str input
    expected = 'sha256=' + hmac.new(SECRET, raw_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        abort(401, 'Invalid signature')

    payload = request.get_json(force=True)
    event = payload.get('event')
    if event == 'site_down':     notify_team('DOWN: '  + payload['site']['url'])
    if event == 'site_recovery': notify_team('UP: '    + payload['site']['url'])
    print(f"Alert [{event}]: {payload['message']}")
    return 'OK', 200
Retries: WPress Zone makes up to 3 attempts (2 retries) with a 1-second delay between each. Return a 2xx response quickly and do any heavy processing asynchronously to avoid triggering retries.
Unsigned requests: The signing secret is optional. If left blank, requests are sent without an X-Signature header. This is suitable for internal endpoints or platforms like Zapier/Make that have their own authentication.
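
A framework-independent version of the checks above, added as an example (not WPress Zone's code): because the HMAC covers only the body, it also checks the `timestamp` field inside the signed body and ignores retries or replays of a body it has already accepted. It assumes the body `timestamp` is set close to send time; `verify`, `sign`, `ReplayCache` and the sample values are constructed for the example.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 300  # seconds, the tolerance given above


class ReplayCache:
    """In-memory record of accepted body digests."""

    def __init__(self):
        self._seen = {}

    def first_time(self, digest, now):
        # Keep entries for 2 * MAX_SKEW: a body stamped up to MAX_SKEW ahead of our
        # clock stays "fresh" for that long after it was first accepted.
        self._seen = {d: t for d, t in self._seen.items() if now - t <= 2 * MAX_SKEW}
        if digest in self._seen:
            return False
        self._seen[digest] = now
        return True


def sign(secret, raw_body):
    """Header value as documented: sha256=<hex HMAC-SHA256(secret, raw body)>."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(secret, raw_body, headers, cache, now=None):
    """Return (http_status, reason, payload_or_None) for one delivery."""
    now = time.time() if now is None else now
    # 1. Header timestamp: cheap early rejection, but not covered by the HMAC.
    try:
        header_ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return 400, "bad X-Timestamp", None
    if abs(now - header_ts) > MAX_SKEW:
        return 400, "stale X-Timestamp", None
    # 2. Signature over the exact bytes received, compared in constant time.
    supplied = headers.get("X-Signature", "")
    if not hmac.compare_digest(sign(secret, raw_body).encode(), supplied.encode()):
        return 401, "invalid signature", None
    # 3. Parse only now. The body "timestamp" is part of the signed bytes.
    try:
        payload = json.loads(raw_body)
        body_ts = int(payload["timestamp"])
    except (ValueError, KeyError, TypeError, OverflowError):
        return 400, "malformed body", None
    if abs(now - body_ts) > MAX_SKEW:
        return 400, "stale signed timestamp", None
    # 4. A retry or replay inside the window carries an identical body.
    if not cache.first_time(hashlib.sha256(raw_body).hexdigest(), now):
        return 200, "duplicate ignored", None
    return 200, "accepted", payload


def demo():
    """Run four constructed deliveries and return the reason for each."""
    secret, now = b"constructed-demo-secret", 1_700_000_000
    body = json.dumps({"event": "site_down", "message": "constructed sample",
                       "site": {"name": "Online Store", "url": "https://store.example.com"},
                       "timestamp": now}).encode()
    good = {"X-Timestamp": str(now), "X-Signature": sign(secret, body)}
    late = {**good, "X-Timestamp": str(now + 3600)}  # old body, refreshed header
    cache = ReplayCache()
    return [
        verify(secret, body, good, cache, now)[1],
        verify(secret, body, good, cache, now + 1)[1],
        verify(secret, body, late, cache, now + 3600)[1],
        verify(secret, body.replace(b"site_down", b"site_recovery"), good, cache, now)[1],
    ]


if __name__ == "__main__":
    print(demo())
```

Duplicates are answered with 200 so the sender stops retrying; in a multi-process deployment the cache needs shared storage.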

Account Settings

Click your name in the top-right corner and select Edit profile from the dropdown.

Update your name or email and click Save Changes. Note that changing your email also changes where alert notifications and invoices are delivered.

To change your password, scroll to the Change Password section — enter your current password, your new one, confirm it, and click Update Password.

Orders & Invoices

Click your name in the top-right corner and select Orders & Invoices. This page lists all your past orders with the date, amount, and status. Each order has a downloadable PDF invoice.

Plans

Go to Plans in the left sidebar to view and purchase a plan. Select a plan and complete checkout — the new plan activates on payment.

If your subscription expires, your account reverts to the free tier — data is kept, nothing is deleted. Reactivate at any time by purchasing a plan.

Tickets

Go to Tickets in the sidebar, fill in a subject and message, optionally attach a file (PNG, JPG, or PDF — max 5 MB), and submit.

Your tickets and their status are listed on the Tickets page. Click any ticket to read the thread and reply.

Status | Meaning
Open | Waiting for a staff reply
Replied | Staff replied — open the ticket to continue the conversation
Closed | Resolved. Send a new reply to re-open it.

Alert Logs

A history of all alerts that have been sent — useful to confirm that a notification was dispatched for a specific site and event.

Find it under Alert Logs in the left sidebar — this shows alert history across all your sites.

Column | Description
Site | The site the alert was triggered for.
Alert type | The event that triggered the alert — e.g. site down, failed login, suspicious files, modified files.
Channel | The integration used to deliver the notification — e.g. email, Slack, Telegram.
Sent at | When the alert was sent.