Centinel Analytica
WordPress

Add Centinel Analytica to your WordPress website.

Get your keys first

Go to https://dash.centinelanalytica.com/ and copy your Site Key and Secret Key.


Requirements

  • WordPress 5.6+ (tested up to 6.7) and PHP 8.0+
  • Administrator access
  • Ability to upload and activate plugins
  • Server rewrite access if you enable uploads protection on nginx or IIS

Download the plugin ZIP

Download the WordPress plugin ZIP. Keep it as a .zip file; do not unzip it.

Upload and activate the plugin

  1. Go to Plugins → Add New.
  2. Click Upload Plugin.
  3. Select the downloaded centinel-analytica-wordpress.zip.
  4. Click Install Now, then Activate Plugin.

Alternatively, install and activate the plugin with WP-CLI:

    wp plugin install /path/to/centinel-analytica-wordpress.zip --activate

Configure the plugin

Go to Settings → Centinel Analytica and fill in:

  • Site Key and Secret Key from your dashboard.

  • Block Page URL where blocked users land (default: /block).

  • Apply protection to the areas you want covered:

    • Front-end pages, WP REST API, Login / wp-admin, and optional Uploads directory.
  • Uploads directory protection routes /wp-content/uploads/* requests through the validator. Enable it only for gated downloads, premium PDFs, or media that needs bot protection.

  • Included Paths limits protection to specific paths (one per line, leave empty to protect everything). Supports wildcards: /checkout, /api/*, /wp-login.php.

  • Excluded Paths skips protection on matching paths (one per line, wins over included). Supports wildcards: /api/webhook, /wp-content/uploads/*, *.jpg.

Click Save Changes.

Tip

Start with front-end, REST API, and login protection enabled. Add uploads protection only for folders that need static-file gating.

Enable uploads protection (optional)

Turn on Uploads directory if you want Centinel to validate files under /wp-content/uploads/*.

On Apache or LiteSpeed, the plugin attempts to write the required .htaccess rewrite automatically when you save settings. If WordPress shows a warning, copy the .htaccess block from the settings panel into your site root .htaccess file.

On nginx, copy the nginx snippet from the settings panel into your server block, then reload nginx. The rewrite sends uploads requests to WordPress with ca_uploads_file so the plugin can validate and serve the file.

On IIS, copy the IIS rewrite rule from the settings panel into <system.webServer><rewrite><rules> in web.config, then reload the site.

Uploads protection adds request overhead

Every protected upload request boots WordPress and calls the validator. Use included paths to narrow protection to sensitive folders like /wp-content/uploads/private/*, and excluded paths to skip public images or thumbnails.

Edit the block page (optional)

The plugin creates a /block page on activation. Edit it under Pages → Access Blocked whenever you want.

Changing the URL

Update Block Page URL in plugin settings to match the new permalink.

Verify

Browse your site and check Centinel Analytica → Analytics for incoming traffic.


Advanced configuration

Script injection

The plugin loads the collector script in <head> with async on every front-end page and on wp-login.php. It uses the Site Key from settings automatically, so no manual script placement is needed.

A whenCentinelReady(cb) helper is injected after the script for theme developers who need to gate actions on collector readiness.

Path rules

When both included and excluded paths are set:

  1. Excluded match → skip (no validator call).
  2. Included paths set but no match → skip.
  3. Everything else → protect.

Excluded always wins over included.
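
To dry-run a rule set before saving it, the three steps above can be modelled in a few lines. This is an added example, not the plugin's own code: it assumes `*` matches any run of characters, that a pattern must match the whole URL path, and it uses constructed sample settings.

```python
import re

# Constructed sample settings, one pattern per line as in the plugin's text areas.
INCLUDED = ["/checkout", "/api/*", "/wp-login.php", "/wp-content/uploads/private/*"]
EXCLUDED = ["/api/webhook", "*.jpg"]
SAMPLE_PATHS = [
    "/checkout", "/api/orders", "/api/webhook", "/blog/hello-world",
    "/wp-content/uploads/private/report.pdf",
    "/wp-content/uploads/private/cover.jpg",
]

def _matches(path, patterns):
    # Assumption: '*' matches any run of characters, the rest is literal,
    # and a pattern must match the whole URL path (case-sensitive).
    for pattern in (p.strip() for p in patterns):
        if not pattern:
            continue
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, path):
            return True
    return False

def decide(path, included, excluded):
    """Apply the three documented steps; returns 'skip' or 'protect'."""
    if _matches(path, excluded):
        return "skip"                      # 1. excluded match
    has_included = any(p.strip() for p in included)
    if has_included and not _matches(path, included):
        return "skip"                      # 2. included set, no match
    return "protect"                       # 3. everything else

def shadowed(paths, included, excluded):
    """Paths an included rule covers but an excluded rule switches off."""
    return [p for p in paths
            if _matches(p, included) and _matches(p, excluded)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{decide(p, INCLUDED, EXCLUDED):8} {p}")
    print("shadowed:", shadowed(SAMPLE_PATHS, INCLUDED, EXCLUDED))
```

The `shadowed` list is the part worth reviewing: a broad exclusion such as `*.jpg` also removes protection from files inside a folder that an included rule was meant to cover.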

Uploads protection

The uploads toggle protects files under /wp-content/uploads/* by routing static-file requests through WordPress before the file is served. Included and excluded paths apply to the public uploads URL, so /wp-content/uploads/private/* can be protected while /wp-content/uploads/cache/* stays public.

The plugin serves allowed files with Last-Modified, ETag, and Range support so browsers can cache, resume, and stream PDFs, video, and audio. It rejects path traversal, null bytes, and script-like file extensions before validation.
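
The kind of pre-validation checks described above can be sketched as follows. This is an added illustration, not the plugin's PHP code: the extension deny-list, the `resolve_upload` name, the symlink containment check, and the assumption that the web server has already URL-decoded the path are all assumptions of the example.

```python
import os
import tempfile

# Assumption: illustrative deny-list; the plugin's actual list is not on this page.
SCRIPT_EXTS = {"php", "phtml", "phar", "cgi", "pl", "py", "sh", "asp", "aspx", "jsp"}

def resolve_upload(basedir, requested):
    """Return the real path of a servable file under basedir, or None to reject."""
    if "\x00" in requested:
        return None                                   # null byte
    segments = requested.replace("\\", "/").lstrip("/").split("/")
    if any(s in ("", ".", "..") for s in segments):
        return None                                   # path traversal
    # Check every dotted suffix so "shell.php.jpg" is rejected as well.
    if SCRIPT_EXTS & set(segments[-1].lower().split(".")[1:]):
        return None                                   # script-like extension
    base = os.path.realpath(basedir)
    full = os.path.realpath(os.path.join(base, *segments))
    if os.path.commonpath([base, full]) != base:
        return None                                   # symlink leaves basedir
    return full if os.path.isfile(full) else None

def demo():
    """Run constructed requests against a throwaway uploads tree."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.makedirs(os.path.join(base, "private"))
        open(os.path.join(base, "private", "report.pdf"), "w").close()
        open(os.path.join(root, "wp-config.php"), "w").close()  # outside uploads
        requests = [
            "private/report.pdf",
            "../wp-config.php",
            "private/../../wp-config.php",
            "private/report.pdf\x00.php",
            "private/shell.php",
            "private/shell.PHP.jpg",
        ]
        return {r: resolve_upload(base, r) is not None for r in requests}

if __name__ == "__main__":
    for request, served in demo().items():
        print("serve " if served else "reject", repr(request))
```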

If your WordPress install stores uploads outside the default location, developers can override the resolved base directory with the centinel_uploads_basedir filter.

Decision handling

Decision             | Front-end              | REST API     | Login       | Uploads
allow / not_matched  | Pass through           | Pass through | Proceed     | Serve file
block                | Redirect to block page | 403 JSON     | Login error | Block HTML or 403
redirect             | Interstitial HTML      | HTML in JSON | Login error | Challenge HTML

Changelog

v1.7.0

  • Added opt-in uploads-directory protection for /wp-content/uploads/*, with automatic Apache / LiteSpeed .htaccess rewrites and manual nginx / IIS snippets.
  • Allowed static files now support conditional GET (Last-Modified, ETag) and Range requests so PDFs, audio, and video continue to cache and stream correctly.
  • Hardened uploads path resolution, validator-supplied headers, and cookie handling; added i18n coverage and fixed multisite child-site uploads path resolution.

v1.6.1

  • Response headers from /validate are now applied to all outgoing responses (block, redirect, and allow). Headers like Content-Type are no longer hardcoded — they come from the validator.
  • Validator API requests now include a User-Agent header identifying the integration name and version.

Earlier releases

  • 1.6.0 - Included paths, async script in <head>, script on login page, whenCentinelReady() helper, wildcard base-path fix.
  • 1.5.0 - Excluded paths with wildcard matching, updated validate API integration.
  • 1.4.0 - Response HTML handling for redirect decisions, cookie forwarding.
  • 1.3.0 - Auto-create /block page on activation, restore from trash.
  • 1.2.0 - REST API and login protection.
  • 1.1.0 - Configurable block page URL, protection area checkboxes.
  • 1.0.0 - Initial release.
