Incident Response
Detect security incidents automatically, execute response playbooks, isolate compromised components, notify your team via email or Slack, and generate detailed incident reports for post-mortem analysis.
Overview
The VistoShield Incident Response plugin provides a structured framework for handling security incidents on your WordPress site. Instead of reacting ad-hoc to breaches, the plugin automates detection, response, and documentation so you can contain threats quickly and recover reliably.
Key capabilities include:
- Automatic incident detection from multiple security data sources
- Pre-built and custom response playbooks with automated and manual steps
- Isolation tools to contain threats (disable plugins, enable maintenance mode, block IPs)
- Multi-channel notifications via email and Slack webhooks
- Comprehensive incident reports in HTML and PDF formats
- Recovery workflow with verification steps
- Contact management for incident response team members
Installation & Activation
- Upload the vistoshield-incident-response folder to wp-content/plugins/
- Navigate to Plugins → Installed Plugins in your WordPress admin
- Click Activate next to VistoShield Incident Response
- Go to VistoShield → Incident Response to configure detection rules and notification channels
Incident Detection
The plugin monitors multiple data sources and triggers incidents when configured thresholds are exceeded:
| Source | Detected Events | Default Threshold |
|---|---|---|
| Login Monitor | Brute force attempts, successful logins from new IPs/countries | 10 failed logins in 5 minutes |
| File Integrity | Unauthorized changes to core files, plugin files, or theme files | Any unexpected file modification |
| WAF Events | High-frequency attack patterns, successful exploit attempts | 50 blocked requests from a single IP in 10 minutes |
| Malware Scanner | Known malware signatures, suspicious file patterns | Any detection triggers an incident |
| User Activity | Privilege escalation, new admin accounts, mass content changes | Any unauthorized admin creation |
| Database Monitor | Unexpected option changes, injected content in posts | Modification of critical options (siteurl, admin_email) |
Each source can be individually enabled or disabled, and thresholds can be adjusted from VistoShield → Incident Response → Detection.
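The threshold rules in the table above are sliding-window counts per source IP. The following is an added example (not the plugin's own code, which would be PHP; the logic is language-independent) that implements that detection for the Login Monitor and WAF defaults over constructed sample events. The event tuple layout, the rule names and the IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


# A threshold rule: fire when `count` events of this source/type from one IP
# fall inside a sliding `window`. Values mirror the documented defaults.
@dataclass(frozen=True)
class Rule:
    source: str
    event: str
    count: int
    window: timedelta


RULES = [
    Rule("login", "failed", 10, timedelta(minutes=5)),   # Login Monitor default
    Rule("waf", "blocked", 50, timedelta(minutes=10)),   # WAF Events default
]


@dataclass(frozen=True)
class Incident:
    source: str
    ip: str
    count: int
    first_seen: datetime
    last_seen: datetime


def detect(events, rules=RULES):
    """events: iterable of (timestamp, source, ip, event) tuples.

    One deque of timestamps is kept per (rule, ip). Each new event evicts
    timestamps older than the window, so the deque length is exactly the
    count inside the window. A rule fires once per IP, so a flood does not
    open one incident per extra request."""
    windows = defaultdict(deque)
    fired = set()
    incidents = []
    for ts, source, ip, event in sorted(events):
        for rule in rules:
            if (rule.source, rule.event) != (source, event):
                continue
            key = (rule.source, rule.event, ip)
            q = windows[key]
            q.append(ts)
            while ts - q[0] > rule.window:   # q is never empty: ts itself was just appended
                q.popleft()
            if len(q) >= rule.count and key not in fired:
                fired.add(key)
                incidents.append(Incident(rule.source, ip, len(q), q[0], ts))
    return incidents


# --- Constructed sample events (not real logs) ---
T0 = datetime(2024, 5, 1, 10, 0, 0)


def burst(source, ip, event, count, spacing, start=T0):
    return [(start + i * spacing, source, ip, event) for i in range(count)]


SAMPLE_EVENTS = (
    burst("login", "203.0.113.7", "failed", 10, timedelta(seconds=30))    # 10 in 4.5 min: fires
    + burst("login", "198.51.100.9", "failed", 10, timedelta(minutes=1))  # never 10 inside any 5-min window
    + burst("waf", "203.0.113.7", "blocked", 50, timedelta(seconds=10))   # 50 in ~8 min: fires
    + [(T0 + timedelta(minutes=2), "login", "192.0.2.5", "success")]      # unrelated noise
)

if __name__ == "__main__":
    for inc in detect(SAMPLE_EVENTS):
        print(f"{inc.source}: {inc.ip} {inc.count} events "
              f"{inc.first_seen:%H:%M:%S}-{inc.last_seen:%H:%M:%S}")
```

The second login burst shows why the window matters: ten failures spread one minute apart never put ten inside a five-minute window, so it stays below the default and does not open an incident.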
Playbooks
Playbooks define the sequence of actions to take when a specific type of incident is detected. The plugin ships with several default playbooks:
| Playbook | Trigger | Actions |
|---|---|---|
| Brute Force Response | Login threshold exceeded | Block attacking IPs, force 2FA for targeted accounts, notify admin |
| Malware Detected | Malware scanner finding | Quarantine infected files, enable maintenance mode, notify team |
| Unauthorized Admin | New admin account created | Disable the account, force all admin password resets, notify team |
| File Tampering | Core file integrity failure | Restore files from verified checksums, scan for additional changes, notify team |
| Data Exfiltration | Unusual outbound data patterns | Block suspicious outbound connections, enable full logging, notify team |
To create a custom playbook, go to VistoShield → Incident Response → Playbooks and click Create New. Each playbook consists of ordered steps that can be:
- Automated — Executed immediately without human intervention
- Manual — Requires an operator to confirm before execution
- Conditional — Executed only if a specified condition is met (e.g., severity level, affected component)
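To make the three step types concrete, here is an added example (not the plugin's own code) of a small playbook runner with automated, manual and conditional steps and the dry-run behaviour of the Test Run button described in the FAQ. The containment actions operate on an in-memory site state standing in for the real isolation tools; the choice to make the 2FA step manual and the maintenance-mode step conditional on Critical severity is an assumption for illustration, not the plugin's default.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Incident:
    kind: str
    severity: str            # "low" | "medium" | "high" | "critical"
    attacker_ips: tuple
    targeted_users: tuple


@dataclass(frozen=True)
class Step:
    name: str
    mode: str                # "automated" | "manual" | "conditional"
    action: Callable[[Incident, dict], None]
    condition: Optional[Callable[[Incident], bool]] = None


class Playbook:
    def __init__(self, name, steps):
        self.name, self.steps = name, steps

    def run(self, incident, state, dry_run=False, confirm=None):
        """Run the steps in order and return an audit trail of (step, status).

        automated   -> executed immediately
        manual      -> executed only if confirm(step, incident) returns True;
                       otherwise left "awaiting-confirmation" while later steps proceed
        conditional -> skipped unless condition(incident) holds
        dry_run mirrors Test Run: steps that would execute are logged as
        "dry-run" and `state` is never modified."""
        trail = []
        for step in self.steps:
            if step.mode == "conditional" and not step.condition(incident):
                trail.append((step.name, "skipped"))
                continue
            if step.mode == "manual" and not (confirm and confirm(step, incident)):
                trail.append((step.name, "awaiting-confirmation"))
                continue
            if dry_run:
                trail.append((step.name, "dry-run"))
                continue
            step.action(incident, state)
            trail.append((step.name, "executed"))
        return trail


# Simulated containment actions on an in-memory site state (stand-ins for the
# plugin's isolation tools, constructed for this example).
def block_ips(inc, state): state["blocked_ips"].update(inc.attacker_ips)
def force_2fa(inc, state): state["forced_2fa"].update(inc.targeted_users)
def maintenance_mode(inc, state): state["maintenance_mode"] = True
def notify_admin(inc, state): state["notifications"].append(f"{inc.kind}/{inc.severity}")


def fresh_state():
    return {"blocked_ips": set(), "forced_2fa": set(), "maintenance_mode": False, "notifications": []}


# Brute Force Response actions from the documentation, with step modes chosen for
# illustration (hypothetical): 2FA waits for an operator, lockdown only when critical.
BRUTE_FORCE = Playbook("Brute Force Response", [
    Step("Block attacking IPs", "automated", block_ips),
    Step("Force 2FA for targeted accounts", "manual", force_2fa),
    Step("Enable maintenance mode", "conditional", maintenance_mode,
         condition=lambda inc: inc.severity == "critical"),
    Step("Notify admin", "automated", notify_admin),
])

if __name__ == "__main__":
    inc = Incident("brute_force", "high", ("203.0.113.7",), ("admin",))
    for name, status in BRUTE_FORCE.run(inc, fresh_state(), dry_run=True, confirm=lambda s, i: True):
        print(f"{status:22} {name}")
```

Because every step returns a status into the trail, the same run function produces the "Actions Taken" record an incident report needs, and a dry run leaves the state object untouched, which is what makes it safe to test playbooks on a live site.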
Isolation Tools
When a threat is detected, the following isolation tools can be triggered automatically via playbooks or manually from the incident dashboard:
| Tool | Effect | Reversible |
|---|---|---|
| Disable Plugin | Deactivates a specific plugin immediately | Yes — re-activate from incident dashboard |
| Maintenance Mode | Puts the site into maintenance mode, blocking all frontend access | Yes — disable from incident dashboard or WP-CLI |
| IP Block | Adds attacking IP addresses to the VistoShield firewall blacklist | Yes — remove from firewall settings |
| Force Logout | Terminates all active user sessions | N/A — users must log in again |
| Disable REST API | Blocks all REST API access for unauthenticated users | Yes — re-enable from API Security settings |
| File Quarantine | Moves suspicious files to a quarantine directory with permissions removed | Yes — restore from quarantine manager |
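The File Quarantine row describes moving a file to a quarantine directory, removing its permissions, and keeping it reversible. The following added example (not the plugin's own code) shows one way to implement that: hash the file while it is still readable, move it, strip all permission bits, record a manifest entry, and on restore verify the hash before putting permissions and location back. The manifest layout, the quarantine file naming and the sample file are assumptions constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_file(path, quarantine_dir):
    """Move `path` into quarantine_dir, strip every permission bit, and append a
    manifest entry (JSON lines) recording where it came from. Returns the entry."""
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(src)                    # hash while the file is still readable
    entry = {
        "original_path": str(src.resolve()),
        "quarantine_path": str(qdir / f"{digest[:16]}_{src.name}"),
        "sha256": digest,
        "mode": src.stat().st_mode & 0o777,    # remembered so restore can put it back
        "quarantined_at": datetime.now(timezone.utc).isoformat(),
    }
    shutil.move(entry["original_path"], entry["quarantine_path"])
    os.chmod(entry["quarantine_path"], 0)      # no read/write/execute for anyone
    with open(qdir / "manifest.jsonl", "a") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def restore_file(entry):
    """Reverse quarantine_file: restore permissions, verify the stored hash, move back."""
    qpath = Path(entry["quarantine_path"])
    os.chmod(qpath, entry["mode"])
    if sha256_of(qpath) != entry["sha256"]:
        raise RuntimeError("quarantined file changed since it was isolated")
    shutil.move(str(qpath), entry["original_path"])
    return entry["original_path"]


# Constructed sample content for the walkthrough (not real malware).
SAMPLE_CONTENT = b"<?php /* constructed sample file for the demo */ ?>\n"


def demo():
    """Constructed walkthrough in a throwaway directory: quarantine, inspect, restore."""
    root = Path(tempfile.mkdtemp())
    sample = root / "wp-content" / "uploads" / "suspicious.php"
    sample.parent.mkdir(parents=True)
    sample.write_bytes(SAMPLE_CONTENT)
    entry = quarantine_file(sample, root / "quarantine")
    result = {
        "original_gone": not sample.exists(),
        "quarantine_mode": Path(entry["quarantine_path"]).stat().st_mode & 0o777,
        "hash_matches": entry["sha256"] == hashlib.sha256(SAMPLE_CONTENT).hexdigest(),
    }
    restore_file(entry)
    result["restored_content"] = sample.read_bytes()
    result["quarantine_empty"] = not Path(entry["quarantine_path"]).exists()
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Hashing before the move gives the incident report an IoC for the file even if it is later deleted, and checking that hash on restore catches a quarantined file that was altered while isolated.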
Notifications
Configure notification delivery from VistoShield → Incident Response → Notifications:
| Channel | Configuration |
|---|---|
| Email | One or more email addresses. Supports separate addresses for different severity levels. Uses WordPress wp_mail() with HTML formatting. |
| Slack Webhook | Incoming webhook URL for your Slack workspace. Messages include incident details, severity badge, and direct links to the incident dashboard. |
Each channel has an independent severity threshold. For example, send Slack messages for all incidents but only email for Critical and High severity.
Notification content includes:
- Incident type and severity level
- Timestamp and affected component
- Summary of detected indicators
- Playbook that was triggered (if any)
- Direct link to the incident in the WordPress dashboard
Incident Reports
Generate detailed incident reports from VistoShield → Incident Response → Reports. Each report includes:
- Timeline — Chronological log of all events from detection through resolution
- Indicators of Compromise (IoCs) — IP addresses, file hashes, URLs, and user agents involved
- Actions Taken — Every automated and manual response step with timestamps
- Impact Assessment — Affected users, compromised data, and service disruption duration
- Root Cause Analysis — Entry point, vulnerability exploited, and attack vector
- Recommendations — Suggested follow-up actions to prevent recurrence
Reports can be exported as HTML (for browser viewing and sharing) or PDF (for archival and compliance documentation).
Recovery Steps
After an incident is contained, the recovery workflow guides you through restoring normal operations:
- Verify containment — Confirm that the threat vector is fully blocked
- Restore affected files — Use quarantine manager or backups to restore clean files
- Reset credentials — Force password resets for all affected accounts
- Review access logs — Check for any additional unauthorized access
- Disable maintenance mode — Restore site access once verified clean
- Monitor closely — The plugin enters a heightened monitoring state for 48 hours post-recovery
Each step is tracked on the incident dashboard and must be marked complete before the incident can be closed.
Contact Management
Maintain a list of incident response team members from VistoShield → Incident Response → Contacts. Each contact has:
- Name and role (e.g., Lead Developer, Security Officer, Hosting Provider)
- Email address for incident notifications
- Phone number (displayed in incident reports for escalation)
- Escalation level — Primary, Secondary, or Emergency-only
Contacts at the Primary level receive all incident notifications. Secondary contacts are notified for High and Critical severity incidents. Emergency-only contacts are notified only for Critical severity incidents.
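The per-channel severity thresholds in the Notifications section and the escalation levels in this section are both severity filters applied to the same incident. The following added example (not the plugin's own code) combines them: it decides which channels fire, which contacts are addressed, and builds the Slack webhook body carrying the fields listed under "Notification content includes". The channel thresholds follow the documentation's own example (Slack for everything, email only for High and Critical); the contact list, the incident, the colour scheme and the incident link are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def at_least(severity, floor):
    return SEVERITY_RANK[severity] >= SEVERITY_RANK[floor]


# Per-channel thresholds in the configuration the documentation gives as its example.
CHANNEL_THRESHOLDS = {"slack": "low", "email": "high"}

# Escalation levels as documented: Primary gets everything, Secondary gets
# High and Critical, Emergency-only gets Critical.
ESCALATION_THRESHOLD = {"primary": "low", "secondary": "high", "emergency-only": "critical"}


@dataclass(frozen=True)
class Contact:
    name: str
    role: str
    email: str
    level: str


@dataclass(frozen=True)
class Incident:
    kind: str
    severity: str
    component: str
    indicators: tuple
    playbook: str
    detected_at: datetime
    url: str


def channels_for(severity, thresholds=CHANNEL_THRESHOLDS):
    return [chan for chan, floor in thresholds.items() if at_least(severity, floor)]


def recipients_for(severity, contacts):
    return [c for c in contacts if at_least(severity, ESCALATION_THRESHOLD[c.level])]


def slack_payload(inc):
    """Body for a Slack incoming webhook (classic `attachments` format) carrying
    the fields the documentation lists for a notification."""
    color = {"low": "#439FE0", "medium": "#FFCC00", "high": "#FF8800", "critical": "#D00000"}[inc.severity]
    return {
        "text": f"[{inc.severity.upper()}] {inc.kind} on {inc.component} <{inc.url}|Open incident>",
        "attachments": [{
            "color": color,
            "fields": [
                {"title": "Detected at", "value": inc.detected_at.isoformat(), "short": True},
                {"title": "Playbook", "value": inc.playbook or "none", "short": True},
                {"title": "Indicators", "value": "\n".join(inc.indicators), "short": False},
            ],
        }],
    }


def route(inc, contacts):
    """Decide which channels fire and who is addressed; nothing is sent here."""
    channels = channels_for(inc.severity)
    return {
        "channels": channels,
        "email_to": [c.email for c in recipients_for(inc.severity, contacts)] if "email" in channels else [],
        "slack": slack_payload(inc) if "slack" in channels else None,
    }


# Constructed contact list and incident (not real people, hosts or links).
CONTACTS = [
    Contact("Alice", "Security Officer", "alice@example.com", "primary"),
    Contact("Bob", "Lead Developer", "bob@example.com", "secondary"),
    Contact("Hosting NOC", "Hosting Provider", "noc@hosting.example", "emergency-only"),
]


def sample_incident(severity):
    return Incident("Brute Force", severity, "wp-login.php", ("203.0.113.7", "198.51.100.9"),
                    "Brute Force Response", datetime(2024, 5, 1, 10, 4, 30, tzinfo=timezone.utc),
                    "https://example.com/wp-admin/PLACEHOLDER-incident-link")


if __name__ == "__main__":
    for sev in ("medium", "high", "critical"):
        r = route(sample_incident(sev), CONTACTS)
        print(sev, r["channels"], r["email_to"])
```

Delivery itself is a JSON POST of the payload to the webhook URL (and, on the WordPress side, a wp_mail() call for the email recipients); it is left out so the example runs offline. Keeping routing separate from sending also makes the decision testable without touching a real workspace.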
FAQ
Does the plugin automatically fix security breaches?
The plugin automates containment (blocking attackers, quarantining files, enabling maintenance mode) and provides guided recovery steps. Full remediation typically requires human review to verify the scope of the breach and confirm that all malicious artifacts have been removed.
Can I test playbooks without a real incident?
Yes. Each playbook has a Test Run button that simulates the incident trigger and executes all steps in a dry-run mode. Actions are logged but not actually applied (e.g., plugins are not actually disabled, IPs are not actually blocked).
How long are incident records retained?
By default, incident records and reports are retained for 365 days. You can change this from the Settings tab. Older records are automatically purged during the daily maintenance routine.
Will maintenance mode lock me out of the admin panel?
No. When maintenance mode is activated through the incident response system, logged-in administrators can still access the WordPress admin dashboard. Only frontend (public) access is blocked.