Coming Soon - The Watchman Tower WordPress plugin is currently in development. This documentation is prepared in advance for the upcoming release.

Site Token Overview

Site tokens will be unique identifiers that authenticate your WordPress site with Watchman Tower. Each token will be:
  • Unique: One token per WordPress installation
  • Secure: 64-character cryptographically secure string
  • Revocable: Can be regenerated at any time
  • Scoped: Limited to specific site permissions

Token Format

Tokens will follow this format:
wmt_prod_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6
Structure breakdown:
  • wmt_ - Watchman Tower prefix
  • prod - Environment indicator (prod, staging, dev)
  • a1b2... - 58-character random string

Generating Tokens

Via Dashboard

  1. Navigate to WordPress Integration: Go to Integrations → WordPress in your Watchman Tower dashboard
  2. Add New Site: Click Add Site button
  3. Fill Site Details:
       • Site Name: Friendly identifier (e.g., “Production Blog”)
       • Site URL: Full URL including protocol
       • Environment: Production, Staging, or Development
  4. Generate Token: Click Generate Token - token will be created and displayed
  5. Copy Token: Copy token immediately - it won’t be shown again for security

Token Security

Storage Options

wp-config.php

Recommended method: Store token in wp-config.php above database settings
Benefits:
  • Not in database
  • Not accessible via admin UI
  • Safe from SQL injection
  • Environment-specific

Environment Variable

For advanced setups: Load token from server environment variable
Benefits:
  • Separated from code
  • Easy rotation
  • Deployment-friendly
  • Secure

Database (Encrypted)

Automatic fallback: Plugin auto-encrypts tokens in database using WordPress salts
Benefits:
  • No manual setup
  • Encrypted storage
  • Simple for beginners

Token Rotation

For security, tokens should be rotated regularly.
Via Dashboard:
  1. Go to Integrations → WordPress → Your Site
  2. Click Rotate Token
  3. Copy new token
  4. Update your wp-config.php or environment variable
  5. Old token is immediately revoked
Recommended rotation schedule:
  • Every 90 days for active sites
  • When team members leave
  • After security incidents
  • For compliance requirements

Token Permissions

What tokens can access:
  • Site performance metrics
  • Plugin list (names and versions only)
  • WordPress version information
  • PHP version and settings
  • Active theme name
  • Database size and statistics
What tokens cannot do:
  • Modify WordPress settings
  • Access user data or passwords
  • Read post or page content
  • Execute code on your site
  • Access database directly
  • Make changes to your site
This read-only approach ensures your site’s security while enabling comprehensive monitoring.

Token Lifecycle

Token States

  1. Created: Token is generated in the Watchman Tower dashboard and ready to use
  2. Active: Token is configured in WordPress and successfully sending metrics
  3. Revoked: Token has been revoked via dashboard - plugin will show connection error
  4. Regenerated: New token created, old token immediately revoked - requires updating configuration
Token Expiration: Tokens don’t expire by default, but you can optionally set an expiration date in the dashboard for temporary access or compliance requirements.

Multi-Environment Setup

Best Practice: Separate Tokens

Create and use different tokens for each environment:

  • Production: wmt_prod_… - Live site with real visitors
  • Staging: wmt_staging_… - Testing environment before deployment
  • Development: wmt_dev_… - Local development environment
Why separate tokens?
  • Monitor each environment independently
  • Revoke staging/dev tokens without affecting production
  • Track metrics per environment
  • Better security isolation

Environment Detection

The plugin can automatically detect your environment based on:
  • Domain name (localhost, staging subdomain, production domain)
  • WP_ENV constant in wp-config.php
  • Custom environment detection logic
Configure different tokens per environment in your wp-config.php file using conditional logic.
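
The conditional logic described above, combined with the environment-variable storage option, as an added example (not code from the Watchman Tower plugin or its documentation). Assumptions: WP_ENV holds 'production', 'staging' or 'development', an undefined WP_ENV is treated as production, and the WMT_TOKEN_* environment variable names and the wmt_pick_token() helper are hypothetical.

```php
<?php
// Added example: fragment for wp-config.php, placed above the
// "That's all, stop editing!" comment.
// Assumptions: WMT_TOKEN_* variable names and wmt_pick_token() are hypothetical.

function wmt_pick_token(string $env, callable $read_env): ?string
{
    // Each environment has its own variable and the prefix its token must carry.
    $map = [
        'production'  => ['WMT_TOKEN_PROD',    'wmt_prod_'],
        'staging'     => ['WMT_TOKEN_STAGING', 'wmt_staging_'],
        'development' => ['WMT_TOKEN_DEV',     'wmt_dev_'],
    ];
    if (!isset($map[$env])) {
        return null; // unknown environment: define nothing rather than guess
    }
    [$var, $prefix] = $map[$env];

    $raw = $read_env($var);
    if (!is_string($raw) || $raw === '') {
        return null; // variable not set on this server
    }

    // Remove whitespace picked up when the token was copied.
    $token = trim($raw);

    // Refuse a token issued for a different environment.
    // The log message names the variable only, never the token value.
    if (strncmp($token, $prefix, strlen($prefix)) !== 0) {
        error_log("Watchman Tower: token in $var does not start with $prefix");
        return null;
    }
    return $token;
}

// Assumption: a missing WP_ENV constant means production.
$wmt_env   = defined('WP_ENV') ? WP_ENV : 'production';
$wmt_token = wmt_pick_token($wmt_env, 'getenv');

if ($wmt_token !== null && !defined('WATCHMAN_TOWER_TOKEN')) {
    define('WATCHMAN_TOWER_TOKEN', $wmt_token);
}
unset($wmt_env, $wmt_token); // keep the secret out of global scope
```

If the constant ends up undefined, the prefix check or the missing variable is the cause, which matches the "token not found" and "wrong environment" cases under Troubleshooting.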

Token Transmission Security

HTTPS Requirement

Tokens are only transmitted over HTTPS connections. The plugin will:
  • Refuse to activate without HTTPS
  • Show admin notice if SSL is not configured
  • Prevent token leakage over insecure connections

Authorization Method

Tokens are sent in the Authorization header of API requests to ensure secure transmission and standard authentication practices.

Token Masking

For security, tokens are automatically masked in:
  • WordPress debug logs
  • Admin dashboard displays
  • Error messages
  • System logs
Only the first few and last few characters are visible for identification purposes.
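
A sketch of this kind of masking for your own logging code, as an added example (not the plugin's implementation, whose exact rules are not documented here). Assumptions: the environment prefix plus 4 characters and the last 4 characters stay visible, the function names are hypothetical, and the log lines are constructed samples.

```php
<?php
// Added example; wmt_mask_token() and wmt_scrub_line() are hypothetical names.
// Assumption: keep the environment prefix plus $keep characters at each end.

function wmt_mask_token(string $token, int $keep = 4): string
{
    if (!preg_match('/^(wmt_(?:prod|staging|dev)_)([A-Za-z0-9]+)$/', $token, $m)) {
        return '[masked]'; // not a recognisable token: reveal nothing
    }
    [, $prefix, $secret] = $m;

    // Too short to show both ends without exposing most of the secret.
    if (strlen($secret) <= $keep * 4) {
        return $prefix . str_repeat('*', 8);
    }
    return $prefix . substr($secret, 0, $keep) . '...' . substr($secret, -$keep);
}

// Mask every token-shaped substring in a line before it is written to a log.
function wmt_scrub_line(string $line): string
{
    $out = preg_replace_callback(
        '/wmt_(?:prod|staging|dev)_[A-Za-z0-9]+/',
        static fn(array $m): string => wmt_mask_token($m[0]),
        $line
    );
    // preg_replace_callback() returns null on a regex error: fail closed.
    return $out ?? '[line withheld: scrub failed]';
}

// Constructed sample log lines; the first token is the placeholder from this page.
$sample = [
    'connection failed (401) using token wmt_prod_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6',
    'config loaded, token=wmt_dev_abc123',
    'cron: metrics sent in 212 ms',
];
foreach ($sample as $line) {
    echo wmt_scrub_line($line), PHP_EOL;
}
```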

Revoking Tokens

When to Revoke

Revoke tokens immediately when:
  • Team member with access leaves
  • Token may have been compromised
  • Site is being decommissioned
  • Migrating to new token
  • Security audit requires it

How to Revoke

Via Dashboard:
  1. Go to Integrations → WordPress
  2. Find your site in the list
  3. Click Revoke Token button
  4. Confirm the revocation
  5. Generate new token if you want to reconnect
Effect of Revocation:
  • Token becomes invalid immediately
  • Plugin will show “Connection Failed” status
  • No more metrics will be sent
  • Historical data remains accessible
  • You can generate a new token to reconnect

Troubleshooting

Common Causes:
  • Token was revoked in the dashboard
  • Token was regenerated but not updated in WordPress
  • Wrong token copied (typo or wrong environment)
  • Token string has extra spaces
Solutions:
  1. Verify token in Watchman Tower dashboard
  2. Check token definition in wp-config.php
  3. Generate fresh token and update configuration
  4. Ensure no trailing spaces when copying
Common Causes:
  • Token constant not defined in wp-config.php
  • Environment variable not set on server
  • Configuration file not loaded properly
Solutions:
  1. Check if WATCHMAN_TOWER_TOKEN is defined in wp-config.php
  2. Verify wp-config.php is being loaded
  3. For environment variables, check server configuration
  4. Add token definition above the “That’s all, stop editing!” comment
Common Causes:
  • Firewall blocking outbound HTTPS connections
  • Server can’t reach api.watchmantower.com
  • DNS resolution issues
  • cURL not available in PHP
Solutions:
  1. Test connectivity to api.watchmantower.com from your server
  2. Check firewall rules and whitelist our API domain
  3. Verify DNS is resolving correctly
  4. Confirm PHP cURL extension is installed and enabled
  5. Contact your hosting provider if issue persists

Security Best Practices

Always store tokens in wp-config.php above database settings, not in WordPress admin settings or database. This prevents tokens from being exposed via admin UI or SQL injection.
Create different tokens for production, staging, and development. This allows independent monitoring and secure token rotation without affecting other environments.
Regular token rotation reduces security risks. Also rotate immediately when team members leave or if you suspect compromise.
Add wp-config.php and .env files to .gitignore. Use environment variables or deployment scripts to inject tokens during deployment.
When decommissioning a site or stopping monitoring, revoke the token right away to prevent potential security issues.
Check the “Last used” timestamp in your dashboard. If a token hasn’t been used recently but should be active, investigate why.
Ensure your WordPress site runs on HTTPS. The plugin requires SSL/TLS to protect token transmission.
Only share tokens with team members who need access. Store them securely in password managers, not in plain text files or emails.
