Pandora FMS WP is a monitoring plugin for WordPress. 100% free and OpenSource. It collect basic information from your WordPress and allow Pandora FMS to retrieve it remotely using a REST API. Some examples are new posts, comments or user logins in last hour. It also monitor if new plugins or themes has been isntalled, if a new user has been created of if a bruteforce login attempt has been made recently. You can expand easily by defining custom SQL queries to monitor other plugins or create your own SQL to collect information and sent it to Pandora FMS.
Dashboard: here, you can view a summary of the items monitored: plugins updated, version of WP and if they need an update, total users, new posts in last 24hr, new replies in 24hr and other checks.
Audit records: You can view a table with user access data: users, IP, if the login has been correct or incorrect and how many times, and the date of the last access. Also can see if new plugins or themes have been installed and the date on which these events occurred.
General Setup: Set general options:
- API Settings
- List of IPs with access to the API.
- Set the time to show new data in the API.
- Delete Logs Time
- Clean fields of filesystem table with status deleted for data older than X days
- Remove the status ¨new¨ on fields of filesystem table for data older than X days
- Custom SQL queries
- API Settings
PandoraFMS-WP requires (optionally) a plugin for REST API, called “JSON REST API”. Only needed if you want to integrate the monitoring/status information of the WP site into a central management console with Pandora FMS. This is an optional feature, you can manage all information from WordPress itself.
If your WordPress version is lower than 4.7, you must have the WP REST API (v2) plugin installed to use the API. (This plugin requires version 4.6 or higher).
- WP Multisite not supported on this version.
- To use the WordPress API REST, you need version 4.6 or higher.
- Upload the plugin files to the
/wp-content/plugins/plugin-namedirectory, or install the plugin directly through the WordPress plugins screen.
- Activate the plugin through the ‘Plugins’ screen in WordPress.
- In the menu, below Settings, you will see ‘PandoraFMS WP’. Use it to configure the plugin.
- If you want a more secure API access to the Pandora FMS WP REST API, set the allowed IPs. Any IP is allowed by default to access Pandora FMS WP Rest API.
- In order to get information remotely from your Pandora FMS server, you need to have running the REST API in your wordpress setup, and for that, you need also the permalinks to be running. To check if your API is running, check the API manually, for example: http://mywordpress.com/wp-json/pandorafms_wp/online
This API request should report 1 if works as intented.
- Install the .PSPZ2 package in your Pandora FMS console to load library checks that use this plugin by using the API REST over HTTP(s). You can also create the modules manually, its just a regular HTTP request on a REST API, but it’s easier if you load the PSPZ2 with predefined modules.
- Create a new Plugin Server module in your Pandora FMS WP module in Pandora FMS, define the URL to access the api rest of this plugin, like http://mywordpress.com/ and choose the predefined module from library: online, new_account, plugin check, etc).
- API Calls available under /wp-json/pandorafms_wp/xxxx :
/online – Check if WordPress is responding using Pandora FMS WP REST API
/site_name – Check WordPress sitename
/version – Return plugin version
/wp_version – Return WordPress core version
/admin – Return FALSE if ‘admin’ account exists (a very bad practice)
/new_account – Return FALSE if new user accounts has been created in last hour
/theme_registered – Return FALSE if new themes has been installed in last hour
/plugin_registered – Return FALSE if new plugins has been installed in last hour
/new_posts – New posts in last hour
/new_comments – New comments in last hour
/plugin_update – Return FALSE if a plugin needs update
/core_update – Return FALSE if wordpress core needs update
/user_login – Return FALSE if a successful login has been detected in last hour
/failed_login – Return FALSE if a unsuccessful login has been detected in last hour
/bruteforce – Return FALSE if a bruteforce attack has been detected in last hour
/custom_sql_1 – Return result of a custom SQL query.
/custom_sql_2 – Return result of a custom SQL query.
- In the /wp-content/plugins/pandorafms-wp/pspz directory you have the .pspz2 file ready to be uploaded to your Pandora FMS console to use this plugin as remote plugin modules. See more information about the process in the module library at https://pandorafms.com/library/wordpress-monitoring-plugin/
以下人員參與了開源軟體〈Pandora FMS WP – Monitoring WordPress from Pandora FMS〉的開發相關工作。參與者
- 2022-02-06 New version, 2.0 removes some filesystem hardening features. Plugin is now much more fast and lighter. API Rest adds new bruteforce detection and custom SQL queries.