Simula Security Telemetry for Wordfence
·
Export metrics from Wordfence into a node_exporter textfile collector .prom file and append incidents detected by wordfence to a local log file.
Simula Security Telemetry for Wordfence exports Wordfence security telemetry in two forms:
- Prometheus metrics for the node_exporter textfile collector that can be scraped by Prometheus
- A local incident log containing blocked Wordfence requests that can be shipped with Grafana-Alloy
This plugin is intended for WordPress sites that already use Wordfence and Prometheus-based infrastructure. Instead of exposing a public metrics endpoint from WordPress, the plugin writes local files that node_exporter and log-based tooling can consume.
By default, the plugin runs a fast collector every 15 minutes and a slow collector hourly using WP-Cron. It supports:
- Exporter health and plugin metadata metrics
- Configurable cron interval
- Separate fast and slow collector intervals
- Per-metric-family enable or disable controls
- Blocked event counters and recent activity windows
- Blocked event counts by HTTP status code over the last 24 hours
- Failed login, rate-limited, and brute-force activity windows
- Current lockout counts for IPs and users
- Wordfence two-factor status and protected user counts
- Scan issue counts by severity
- Malware, file change, and vulnerable component findings
- Top blocked attack sources by country and normalized IP range
- Incident log export for newly observed blocked requests
- Incident privacy controls for IPs, URLs, referers, user agents, and internal traffic
- Manual export and incident cursor reset from the admin UI
- Current exporter and incident state visibility in the admin UI
- Optional JSON Lines incident output
- WP-CLI exports for system cron
- Source freshness and WordPress/Wordfence posture metrics
- A ready-to-import Grafana dashboard and sample Prometheus alert rules
Blocked events are currently identified from the Wordfence hits table where:
- action matches blocked:*
- or the HTTP status code is 403 or 503
The plugin includes an admin settings screen under Settings > Security Telemetry, where you can:
- Enable or disable the exporter master switch
- Choose the export cron interval
- Choose the slow collector interval
- Set the .prom output path
- Set a custom metric prefix
- Set a custom site label
- Enable or disable individual metric families
- Enable or disable incident log export
- Set the incident log path
- Choose text or JSON Lines incident output
- Limit the number of incidents appended per run
- Configure incident IP privacy and field-dropping filters
- Add an optional retention note to emitted incident events
- Trigger a manual export
- Reset the incident cursor for backfill
- Review current exporter and incident state