Simula Security Telemetry for Wordfence

Simula Security Telemetry for Wordfence exports Wordfence security telemetry in two forms:

• Prometheus metrics for the node_exporter textfile collector that can be scraped by Prometheus
• A local incident log containing blocked Wordfence requests that can be shipped with Grafana-Alloy

This plugin is intended for WordPress sites that already use Wordfence and Prometheus-based infrastructure. Instead of exposing a public metrics endpoint from WordPress, the plugin writes local files that node_exporter and log-based tooling can consume.

By default, the plugin runs a fast collector every 15 minutes and a slow collector hourly using WP-Cron. It supports:

• Exporter health and plugin metadata metrics
• Configurable cron interval
• Separate fast and slow collector intervals
• Per-metric-family enable or disable controls
• Blocked event counters and recent activity windows
• Blocked event counts by HTTP status code over the last 24 hours
• Failed login, rate-limited, and brute-force activity windows
• Current lockout counts for IPs and users
• Wordfence two-factor status and protected user counts
• Scan issue counts by severity
• Malware, file change, and vulnerable component findings
• Top blocked attack sources by country and normalized IP range
• Incident log export for newly observed blocked requests
• Incident privacy controls for IPs, URLs, referers, user agents, and internal traffic
• Manual export and incident cursor reset from the admin UI
• Current exporter and incident state visibility in the admin UI
• Optional JSON Lines incident output
• WP-CLI exports for system cron
• Source freshness and WordPress/Wordfence posture metrics
• A ready-to-import Grafana dashboard and sample Prometheus alert rules

Blocked events are currently identified from the Wordfence hits table where:

• action matches blocked:*
• or the HTTP status code is 403 or 503

The plugin includes an admin settings screen under Settings > Security Telemetry, where you can:

• Enable or disable the exporter master switch
• Choose the export cron interval
• Choose the slow collector interval
• Set the .prom output path
• Set a custom metric prefix
• Set a custom site label
• Enable or disable individual metric families
• Enable or disable incident log export
• Set the incident log path
• Choose text or JSON Lines incident output
• Limit the number of incidents appended per run
• Configure incident IP privacy and field-dropping filters
• Add an optional retention note to emitted incident events
• Trigger a manual export
• Reset the incident cursor for backfill
• Review current exporter and incident state