
WordPress

Add Centinel Analytica to your WordPress website.

Get your keys first

Go to https://dash.centinelanalytica.com/ and copy your Site Key and Secret Key.


Requirements

  • WordPress 6.3+ and PHP 8.0+
  • Administrator access
  • Ability to upload and activate plugins

Download the plugin ZIP

Download the WordPress plugin ZIP. Keep it as a .zip file; do not unzip it.

Upload and activate the plugin

  1. Go to Plugins → Add New.
  2. Click Upload Plugin.
  3. Select the downloaded centinel-analytica-wordpress.zip.
  4. Click Install Now, then Activate Plugin.

Or install and activate it with WP-CLI:

    wp plugin install /path/to/centinel-analytica-wordpress.zip --activate

Configure the plugin

Go to Settings → Centinel Analytica and fill in:

  • Site Key and Secret Key from your dashboard.

  • Block Page URL where blocked users land (default: /block).

  • Apply protection to the areas you want covered:

    • Front-end pages, WP REST API, Login / wp-admin.
  • Included Paths limits protection to specific paths (one per line, leave empty to protect everything). Supports wildcards: /checkout, /api/*, /wp-login.php.

  • Excluded Paths skips protection on matching paths (one per line, wins over included). Supports wildcards: /api/webhook, /wp-content/uploads/*, *.jpg.

Click Save Changes.

Tip

Start with all three areas enabled. Use included paths to narrow scope, excluded paths to skip webhooks and static assets.

Edit the block page (optional)

The plugin creates a /block page on activation. Edit it under Pages → Access Blocked whenever you want.

Changing the URL

Update Block Page URL in plugin settings to match the new permalink.

Verify

Browse your site and check Centinel Analytica → Analytics for incoming traffic.


Advanced configuration

Script injection

The plugin loads the collector script in <head> with async on every front-end page and wp-login.php. It uses the Site Key from settings automatically. No manual script placement needed.

A whenCentinelReady(cb) helper is injected after the script for theme developers who need to gate actions on collector readiness.

Path rules

When both included and excluded paths are set:

  1. Excluded match → skip (no validator call).
  2. Included paths set but no match → skip.
  3. Everything else → protect.

Excluded always wins over included.
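
The precedence above, modelled as an added Python example (not the plugin's own code) for checking a rule set against the paths you need covered before saving it. It assumes `*` is the only wildcard, that it may span `/`, and that a pattern must match the whole request path; the names compile_rules, decide and audit are hypothetical.

```python
import re


def compile_rules(text):
    """Turn a one-pattern-per-line settings value into compiled regexes."""
    rules = []
    for line in text.splitlines():
        pattern = line.strip()
        if pattern:
            # Assumption: '*' is the only wildcard and may span '/'.
            body = ".*".join(re.escape(part) for part in pattern.split("*"))
            rules.append(re.compile(body))
    return rules


def decide(path, included, excluded):
    """Return 'protect' or 'skip', following the three-step order above."""
    if any(rule.fullmatch(path) for rule in excluded):
        return "skip"      # 1. excluded match: no validator call
    if included and not any(rule.fullmatch(path) for rule in included):
        return "skip"      # 2. included paths set but no match
    return "protect"       # 3. everything else


def audit(must_protect, included_text, excluded_text):
    """List the paths in must_protect that this rule set would skip."""
    included = compile_rules(included_text)
    excluded = compile_rules(excluded_text)
    return [p for p in must_protect if decide(p, included, excluded) == "skip"]


# Constructed sample settings, built from the patterns this page lists.
INCLUDED = "/checkout\n/api/*\n/wp-login.php\n"
EXCLUDED = "/api/webhook\n/wp-content/uploads/*\n*.jpg\n"
# Constructed list of paths an operator expects to be covered.
MUST_PROTECT = ["/wp-login.php", "/checkout", "/api/orders",
                "/api/webhook", "/cart"]

if __name__ == "__main__":
    for path in audit(MUST_PROTECT, INCLUDED, EXCLUDED):
        print("not protected:", path)
```

With these sample settings, /cart is reported because a non-empty Included Paths list turns protection off for everything it does not name.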

Decision handling

| Decision | Front-end | REST API | Login |
|---|---|---|---|
| allow / not_matched | Pass through | Pass through | Proceed |
| block | Redirect to block page | 403 JSON | Login error |
| redirect | Interstitial HTML | HTML in JSON | Login error |

Changelog

v1.6.1

  • Response headers from /validate are now applied to all outgoing responses (block, redirect, and allow). Headers like Content-Type are no longer hardcoded — they come from the validator.
  • Validator API requests now include a User-Agent header identifying the integration name and version.

  • 1.6.0 - Included paths, async script in <head>, script on login page, whenCentinelReady() helper, wildcard base-path fix.
  • 1.5.0 - Excluded paths with wildcard matching, updated validate API integration.
  • 1.4.0 - Response HTML handling for redirect decisions, cookie forwarding.
  • 1.3.0 - Auto-create /block page on activation, restore from trash.
  • 1.2.0 - REST API and login protection.
  • 1.1.0 - Configurable block page URL, protection area checkboxes.
  • 1.0.0 - Initial release.
