FreelanceBo Sentra Control

Do I need a Sentra account?

Yes, the plugin connects to a Sentra central console for centralized monitoring and management. Visit freelancebo.it to set up your console.

Does this plugin slow down my site?

No. Sentra is designed to be lightweight. The firewall runs inline with minimal overhead, and scans are performed in the background without affecting site performance.

Can I use this on multiple sites?

Yes. Sentra is designed for managing security across multiple WordPress sites from a single central console.

What PHP version is required?

PHP 7.4 or higher is required.

Hide FAQ

2.7.1

• Fix: sincronizzazione flag dal server via heartbeat. Quando l’admin attiva Baseline o Quarantena dal portale Sentra, il plugin riceve il flag nel prossimo heartbeat (entro 5 minuti) e si configura di conseguenza.
• Nuovo: pulsante “Esegui ora” nel portale per forzare uno snapshot baseline immediato senza aspettare il cron daily.

2.7.0

• Nuovo: Baseline Collector (opt-in). Genera snapshot sha256 giornaliero di wp-admin, wp-includes, file core root e mu-plugins e li invia al server Sentra. Rileva modifiche ai file core non autorizzate. Attivato da portale per sito (flag baseline_enabled).
• Nuovo: infrastruttura per auto-quarantena (feature flag per sito, spenta di default). Nessun cambio comportamento finche l’admin abilita esplicitamente.
• Server: cron interno ogni 6h ricalcola confidence signature, auto-promuove signature viste su >=3 siti, auto-disabilita signature con >=5 falsi positivi.
• Server: endpoint /api/signatures/{id}/verify-all per forzare rescan cross-site di una signature.

2.6.0

• Nuovo: Heuristic Scanner driven da Threat Intelligence centrale. Rileva webshell in dir annidate, file multimediali con PHP embedded, loader goto-offuscati, wp_options rogue, index.php root riscritto da persister, hash MD5 noti, pattern gzinflate+base64. Seed iniziale basato sull’incident ilariasaddleservice (apr 2026).
• Nuovo: il plugin scarica signature aggiornate dal server Sentra ogni 6h (endpoint /api/signatures/latest). Nessun auto-update richiesto per nuove firme.
• Nuovo: passive-first — nessuna quarantena automatica, solo report. Feedback loop server-side per promote/demote signature in base a veri/falsi positivi cross-site.
• Compatibilita: nessuna modifica al comportamento esistente, solo detector addizionali nel Malware Scanner.

2.5.4

• Fix: whitelist delle action WP standard gestite via wp_loaded (logout, postpass, resetpass, rp, lostpassword, register, confirmaction) quando accompagnate da _wpnonce. WordPress genera URL tipo /qualsiasi-pagina/?action=logout&_wpnonce=… ancorati a qualunque pagina, non solo wp-login.php, e il WAF li valutava come query string sospette.

2.5.3

• Fix: wp-login.php ora sempre whitelistato dal WAF. Risolve il falso positivo “Request blocked by Sentra firewall” durante il logout (il secondo hop ?loggedout=true avviene da utente anonimo e veniva rivalutato dalle regole XSS).
• Brute-force sui form di login resta protetto dal modulo Login Guard.

2.5.2

• Fix: Integrity scanner no longer flags wp-includes/* and wp-admin/* files as modified when they simply reflect the current WordPress core release. Every core-path finding is now verified against the official md5 checksum from api.wordpress.org for the installed WP version; matches are silently merged into the baseline instead of producing false-positive findings.
• Fix: Core checksums are cached for 6 hours to avoid repeated API calls.

2.5.1

• UI: Rewrote the Auto-Patch suggestion cards with dedicated CSS classes (severity-colored left border, CVE chip, CVSS pill, version badges, premium badge). The previous version stripped inline styles without providing class equivalents, leaving raw unstyled blocks.
• UI: Empty state on Auto-Patch when no suggestions exist.
• UI: Patch History table uses severity badges and status pills consistent with the Scans view.

2.5.0

• Hotfix: Severity bar in Scans view was rendering vertically. Restored horizontal flex layout on .sentra-sev-bar; responsive wrap only kicks in below 700px.

2.4.9

• Hotfix: Reverted AJAX proxy to prefix-based allowlist — the granular route list in 2.4.8 rejected legitimate calls with “Path not allowed”.
• Hotfix: Removed prefers-color-scheme dark-mode CSS block that produced white-on-white text on WP admin screens when the OS was set to dark. Admin UI now uses a single consistent light palette.
• Hotfix: .sentra-wrap now forces explicit foreground/background colors so contrast is preserved regardless of OS or admin color scheme.

2.4.8

• Security: Login Guard no longer locks out by username (removed DoS vector allowing attackers to permanently lock known accounts).
• Security: Admin AJAX proxy now uses a granular (method + path) allowlist instead of broad path prefix.
• Security: SSL certificate verification is always enforced — the insecure toggle was removed from the UI. Local dev may still opt out via define(‘SENTRA_INSECURE_SSL’, true) in wp-config.php.
• Security: Core file restore (handle_restore_core) now requires a verified md5 checksum from api.wordpress.org; aborts instead of writing unverified content.
• Security: WAF pcre.backtrack_limit raised from 10k to 1M — complex patterns no longer silently fail to match on medium-sized bodies.
• Security: Backup and quarantine directories are hardened on creation with .htaccess + web.config + index.php.
• Security: Quarantined files now renamed with a .bin suffix to defuse double-extension execution.
• Security: IPv6 support in the IP blocker CIDR matcher; client IP detection centralized in a new Sentra_IP helper class.
• Performance: Integrity scanner caches mtime/size; unchanged files skip SHA-256 rehashing.
• Performance: Scanners now skip node_modules, vendor, .git, upgrade, cache and build directories.
• UI: Full admin redesign with CSS design tokens, dark mode via prefers-color-scheme, accessible focus rings, responsive breakpoints at 960/600px, skeleton loaders, unified page header on every screen, ARIA tab pattern on Scans, toast notifications for Test Connection.
• UI: Settings page rebuilt as grouped cards (Connection, Security options, Test) — no more legacy form-table.
• UI: Removed all inline style attributes from admin views (CSP-friendly).
• Cleanup: Added uninstall.php that removes every sentra_* option, transient and scheduled event on plugin delete.

2.4.7

• Added: PREMIUM badge visible in both Scans and AutoPatch panels of WP admin, matching the dashboard UI.

2.4.6

• Improved: Error message on failed premium plugin updates now includes vendor-specific hint and upgrade_messages for debugging.
• Improved: Premium detection also in error response path.

2.4.5

• Fixed: WAF no longer scans wp-admin/wp-json/admin-ajax/admin-post requests from logged-in editors (edit_posts cap), preventing false-positive lockout when editing pages via Gutenberg, Elementor, WPBakery.
• Fixed: WAF no longer inspects POST body on admin-context URIs where HTML markup is legitimate.
• Security: URI and query string are still inspected for all users including admins.

2.4.4

• Fixed: AutoPatch was incorrectly reporting success for premium plugins (plugin not on wordpress.org) when no update available. Now returns manual_required status with clear message.
• Added: Premium plugin detection via wp.org API check. Premium plugins are flagged in UI.
• Added: Aggressive update check (clears cache, triggers hooks) before concluding no update is available.
• Fixed: Upgrade reporting success but version unchanged is now caught and returns error.

2.4.3

• Improved: AutoPatch Priority label now reflects CVE severity (1:1 mapping critical/high/medium/low) instead of hardcoded Low. Clearer urgency indication for users.

2.4.2

• Improved: AutoPatch labels clarified – “Risk” renamed to “Update Risk” to distinguish from CVE severity badge.

2.4.1

• Fixed: Severity badge showing LOW for critical CVEs due to JavaScript falsy 0 bug in sort comparison. Changed || operator to ?? (nullish coalescing) in view-scans.js so sevOrder index 0 (critical) is correctly compared.

2.4.0

• Security: SSL verification now configurable with default ON (C3)
• Security: Auto-patching from server now disabled by default, requires admin approval (C4)
• Security: Added filter hook for surgical patch approval (C5)
• Security: HMAC nonce anti-replay protection on REST API endpoints (H8)
• Security: Firewall regex rules validated on sync (H10)
• Security: Nginx deny rule file added to backup/quarantine directories (H11)
• Security: Recursive sanitization on source_finding in auto-patch (M11)
• Security: Rate limiting on REST API endpoints (M14)
• Security: Login guard uses wp_hash instead of md5 for transient keys (M15)
• Security: Content length check before reading php://input in firewall (M16)
• Improved: Malware scanner file limit increased from 500 to 2000 (L1)
• Fixed: JSON body double-sanitization in AJAX proxy (L3)
• Security: Trusted proxy IPs validated with FILTER_VALIDATE_IP (L5)

2.3.1

• Fixed heartbeat reliability: server push now triggers heartbeat directly
• Self-healing cron: heartbeat schedule auto-recovers if lost
• WP-Cron trigger script for all active Sentra sites

2.3.0

• NEW: Database spam detection – scans wp_options, wp_posts, wp_postmeta for SEO spam injection
• NEW: Homepage HTML output scanning – detects hidden gambling/casino link injection
• Improved hidden content detection: now catches position:fixed off-screen elements (not just absolute)
• Added gambling/SEO spam link signatures for PHP file scanning
• Detects common spam patterns: amazonslots, merkurslots, lottoland, justcasino, etc.

2.2.5

• Security audit: fixed path traversal in rollback (C1), removed raw_replace fix type (C2)
• Strict path validation with no fallback on realpath failure (M2, H5)
• Checksum verification for restored core files via WordPress.org API (H4)
• Input sanitization: whitelist patch_type, extract only allowed fields from JSON (H1, H2)
• Slug validation on analyze-patches to prevent SSRF (H3)
• Rate limiting on vulnerability analysis (1 per 2 minutes) (M4)
• Nginx protection: index.php in backup/quarantine directories (M1)
• File scan limit: max 500 PHP files, skip files over 2MB (L3)
• Removed sensitive data (plugin list) from patch results (L2)

2.2.4

• Auto-patch now runs its own live scans (vulnerability + malware + integrity) independently
• CVE details shown in patch suggestions with CVSS score, references and fix version
• Aggregated CVEs per plugin for unified patch suggestions
• Fixed patch execution flow: patches now execute immediately from the UI
• Improved error handling for already-updated plugins

2.2.3

• Added Auto-Patch admin page in WordPress plugin
• View patch suggestions, apply patches, and rollback from WP admin

2.2.2

• NEW: Auto-patching system for security vulnerabilities
• Auto-update vulnerable plugins and themes via WordPress native API
• Quarantine detected malware files with automatic backup
• Restore modified WordPress core files from official checksums
• Surgical code patching for abandoned plugins (SQL injection, XSS, CSRF, file inclusion, auth bypass, upload validation)
• Automatic backup before any patch with rollback capability
• PHP syntax validation after surgical patches
• Server-to-plugin push notification for immediate patch execution

2.2.1

• Fixed critical bug: event queue flush never cleared events from database (save_queue reloaded stale data from WP option cache)
• Fixed missing WP-cron schedule: sentra_flush_events could become unscheduled, stopping all event delivery
• Improved load_queue with loaded flag to prevent redundant database reads

2.1.9

• Fixed WAF blocking legitimate REST API calls from admin users (AIOSEO, Gutenberg, etc.)
• Admin users are now whitelisted for wp-json REST API requests

2.1.8

• Scans triggered from the console now execute immediately (push notification)
• Added REST API endpoint for server-to-plugin communication

2.1.7

• Improved malware scanner with 12 new detection signatures
• Added heuristic detection for SEO spam injection, cloaking, and hidden content
• Can now detect obfuscated malware that mimics WordPress function names

2.1.6

• Added setup guide in Settings page with link to Sentra console registration
• Added Italian translations for setup guide

2.1.5

• Added full internationalization (i18n) support
• Added Italian translation (it_IT)
• All user-facing strings are now translatable
• Added languages/ directory with .pot and .mo files

2.1.9

• Fixed WAF blocking legitimate REST API calls from admin users (AIOSEO, Gutenberg, etc.)
• Admin users are now whitelisted for wp-json REST API requests

2.1.8

• Scans triggered from the console now execute immediately (push notification)
• Added REST API endpoint for server-to-plugin communication

2.1.7

• Improved malware scanner with 12 new detection signatures
• Added heuristic detection for SEO spam injection, cloaking, and hidden content
• Can now detect obfuscated malware that mimics WordPress function names

2.1.6

• Added setup guide in Settings page with link to Sentra console registration
• Added Italian translations for setup guide

2.1.5

• Added full internationalization (i18n) support with Italian translation

2.1.4

• Renamed plugin slug, folder and main file to freelancebo-sentra-control per WordPress.org guidelines
• Fixed Text Domain to match plugin slug (freelancebo-sentra-control)
• Extracted all inline scripts to separate JS files using wp_enqueue_script
• Fixed pcre.backtrack_limit handling: save original once, restore once after loop
• Added recursive sanitization for JSON POST body in AJAX proxy
• Sanitized $_SERVER[SERVER_SOFTWARE] with sanitize_text_field
• Added External Services section documenting Sentra console and WordPress.org API usage

2.1.2

• Renamed plugin to “FreelanceBo Sentra Control” per WordPress.org naming guidelines
• Added “External Services” section documenting all third-party service connections
• Documented data transmission to FreelanceBo Sentra Control console and WordPress.org API
• Included links to Terms of Service and Privacy Policy for all external services

2.1.1

• Firewall: fixed logout blocked for authenticated users on wp-login.php
• Firewall: admin users in backend logged as waf_admin_alert instead of blocked
• Integrity scanner: lowered severity to LOW for plugin/theme directory files
• Malware scanner: excluded own plugin directory to prevent false positives
• Fixed residual CSS selectors from previous rename

1.9.3

• Improved login guard module with enhanced brute force detection
• Updated vulnerability scanner with latest CVE database integration
• Renamed plugin to Sentra
• Bug fixes and performance improvements

1.9.0

• Added file integrity monitoring module
• Added IP blocklist management
• Improved WAF rules engine
• Central console integration improvements

1.0.0

• Initial release
• WAF, malware scanner, vulnerability scanner
• Brute force protection
• Central console connectivity