How to Get Real-Time Slack, Discord
& Telegram Alerts for WordPress Logins
Stop finding out about WordPress security incidents hours after they happen. This guide shows you how to route the right alerts to the right channels so your team knows instantly, every time.
Updated 2026
Practical Setup Guide

Your WordPress admin account gets logged into from an IP address in a country where none of your team is located. It happens at 3 AM. The attacker creates a new administrator account, uploads a file to the server, and is gone before anyone wakes up. You discover the breach the next morning when a user reports the site is behaving strangely. By then, the damage is already done.
This scenario plays out on WordPress sites every day. The fix is not complicated. It is a properly configured real-time alert system that sends a notification to your Slack, Discord, or Telegram the moment a high-risk event occurs. Not an email digest in the morning. Not a dashboard you check when you remember to. An immediate notification on the channel where your team already lives and pays attention.
This guide covers exactly how to set that up using Nexu Activity Log, which supports real-time notifications via Slack, Discord, Telegram, and email with fully configurable alert rules. We go through the logic of what should trigger which kind of alert, the technical setup for each channel, and the common mistakes that turn a good alert system into noise everyone ignores.
By the end of this guide you will have a working multi-channel WordPress alert setup that catches the events that matter, routes them intelligently, and does not create the alert fatigue that causes people to start ignoring everything.
Why email is not a real-time alert channel for WordPress security
Email is how most WordPress plugins send security notifications, and there is a straightforward reason for this: it is the path of least resistance. Every WordPress installation can send emails. No additional configuration, no external service, no API key required. You set up a notification, it goes to your inbox, done.
The problem is that email is not a real-time medium in practice. Most people do not monitor their inbox continuously. Emails sit unread for minutes, hours, sometimes longer. They get buried under other messages. They hit spam filters. They arrive with no sense of urgency because the inbox itself has no urgency. An email saying an unknown admin account was just created on your WordPress site carries the same visual weight in your inbox as a newsletter you forgot to unsubscribe from.
The channels where people actually pay real-time attention in 2026 are the ones where their teams communicate. Slack. Discord. Telegram. Notifications from these platforms on a phone or desktop are checked within minutes, often within seconds. When a WordPress security alert arrives in your team’s Slack channel at 3 AM, the person on call sees it. When it arrives in an email inbox, it waits.
For a brute force attack in progress or a compromised admin session actively making changes to your site, the difference between a 5-minute response and a 5-hour response is the difference between catching the incident while damage is limited and discovering a fully compromised site. Email cannot reliably deliver sub-hour response times. Slack, Discord, and Telegram can.
The WordPress login and security events that need immediate alerts
Before configuring anything, it is worth being precise about which events actually deserve the immediate attention that a Slack or Telegram notification demands. Not every WordPress event is urgent. Building an alert system that notifies you of everything creates noise that trains people to ignore the channel. The goal is surgical precision: the right events, the right channels, no more.
Critical events should route to your real-time channels (Slack, Discord, Telegram). High-priority events can go to a security-focused channel. Operational events belong in digest reports and email summaries rather than immediate notifications.
Inside Nexu Activity Log: the alert system that makes this possible
Most WordPress plugins treat alerts as an afterthought. They offer a checkbox to send an email and call it done. Nexu Activity Log was built with the alert system as a primary feature, not a secondary one. Before walking through the setup steps, it helps to understand what the system is actually capable of.

The alert rules engine in Nexu lets you define exactly which WordPress events trigger which notifications on which channels. A single alert rule can be configured to fire on Slack, Discord, Telegram, and email simultaneously, or you can route different severity levels to different channels. The rule builder exposes the full range of conditions: event type, severity level, specific user or role, IP address range, time of day, and more.
Cooldown periods prevent alert fatigue by ensuring a given rule does not fire more than once within a defined window, even if the triggering condition continues. This is critical for brute force scenarios where a single attack might otherwise generate hundreds of individual notifications before you have had a chance to respond.
The notification messages themselves are rich with context. Each alert includes the user who triggered the event, the IP address, the geolocation data, a timestamp, and a description of exactly what happened. You can act on the alert without logging into WordPress first, because the notification contains the information you need to assess the situation.
Setting up Slack alerts for WordPress logins and security events
Slack is the most common team communication platform and typically the best choice for WordPress security alerts if your team already uses it. Alerts delivered to a dedicated security channel in Slack are visible to everyone on the team with access to that channel, creating shared awareness without requiring anyone to manually forward information.
Create a new channel in your Slack workspace specifically for site security notifications. Naming it something like #wordpress-security or #site-alerts makes the purpose immediately clear to anyone who joins. Invite only the people who need to be in the loop: site administrators, the developer on call, and anyone else whose role requires awareness of security events. A focused channel with the right people is far more effective than routing alerts to a general channel where they get buried.
Go to api.slack.com and navigate to Your Apps. Create a new app, choose the option to configure it from scratch, and select your workspace. Under the Features menu, enable Incoming Webhooks and activate them. Click Add New Webhook to Workspace, select the channel you just created, and allow the access request. Slack will generate a unique webhook URL that looks like https://hooks.slack.com/services/T000/B000/XXXX. Copy this URL and keep it somewhere safe. This is what connects Nexu Activity Log to your channel.
In your WordPress admin, navigate to Nexu Activity Log and open the Settings panel. Find the notification channels section and select Slack. Paste the webhook URL you generated. Use the built-in test button to send a test message and confirm it appears in your Slack channel before saving. If the test message arrives correctly formatted with the Nexu branding and event details, the connection is working.
Go to the Alert Rules section in Nexu Activity Log and create a new rule. Give it a clear name like “Critical Security Events to Slack.” Set the trigger condition to the event type or category you want to monitor — new administrator user creation is the best starting point. Set the notification channel to Slack. Configure a cooldown period appropriate for the event type. Save the rule and then trigger a test event manually to confirm the full chain works end to end: WordPress event captured, rule matched, Slack notification delivered.

Setting up Discord alerts for WordPress security events
Discord is increasingly common in developer and technical teams as a primary communication platform. Its webhook system is straightforward and the notification experience on mobile is excellent, making it a strong choice for real-time WordPress security alerts. If your team already communicates in Discord, routing alerts there keeps everything in one place.
In your Discord server, create a new text channel for site security alerts. Right-click the channel and go to Edit Channel. Navigate to the Integrations tab and click Create Webhook. Give the webhook a meaningful name and optionally set a custom avatar. Click Copy Webhook URL to get the endpoint you need. Discord webhooks follow the format https://discord.com/api/webhooks/CHANNEL_ID/TOKEN. This is the URL you will paste into Nexu Activity Log settings.
In the Nexu Activity Log notification settings, select Discord as a channel and paste the webhook URL. Send a test notification. Discord renders the alert as a formatted embed with a colored sidebar indicating severity, the event description, user information, IP address, and timestamp. High-severity alerts can be configured to use a red sidebar. Normal events use a blue or grey sidebar. The visual formatting makes it immediately clear whether an incoming notification requires urgent attention.
For the highest-severity alerts, configure the notification to include a mention of the relevant Discord role, such as @security-team or @dev-on-call. A mention generates a distinct notification on every team member’s device that holds that role, regardless of whether they have the Discord window open. This is meaningfully different from a regular channel message that only surfaces when someone happens to look at the channel. Use mentions sparingly, only for events that genuinely require immediate human response, to preserve the urgency signal.
Setting up Telegram alerts for WordPress logins and security events
Telegram is the best choice for solo site owners and small teams where the audience for security alerts is one or two people rather than a full team channel. Telegram bot notifications arrive directly in a personal or group chat with immediate mobile push notifications. The setup is slightly more involved than Slack or Discord but delivers extremely reliable notification delivery with no dependency on a third-party workspace.
Open Telegram and search for @BotFather. Start a conversation and send the command /newbot. BotFather will ask you for a display name and a username for your bot. The username must end in “bot” by convention. Once created, BotFather sends you a token in the format 123456789:AABBCCddeeFFggHH. This token is what authenticates your WordPress site to send messages through this bot. Keep it secure and do not share it.
Start a conversation with your newly created bot by searching for its username in Telegram and sending any message. Then visit the URL https://api.telegram.org/botYOUR_TOKEN/getUpdates in a browser, replacing YOUR_TOKEN with the token BotFather gave you. The JSON response will include a chat object containing an id field. This is your chat ID, a number that looks like 123456789. For group alerts, add the bot to a Telegram group and the getUpdates method will return the group’s chat ID, which will be a negative number like -1001234567890.
In the Nexu Activity Log notification settings, select Telegram and enter both your bot token and chat ID. Use the test button to send a test message. If it arrives correctly in your Telegram conversation or group, the connection is confirmed. Telegram notifications from Nexu Activity Log include the full event context: the event type, the username and role of the user who triggered it, the IP address with country code, the timestamp, and a direct link back to the relevant WordPress admin page if applicable.
The multi-channel alert strategy that works in practice
Having all three channels configured does not mean every alert needs to go to all three. The value of a multi-channel setup is the ability to route different events to the most appropriate destination based on their urgency and audience. Here is the framework that works well for most teams.
Route your critical events, the ones listed in red in the table above, to whichever channel generates the most reliable mobile push notification for your team. New admin accounts, privilege escalation, security plugin deactivations, and password changes on admin accounts all go here. These should wake someone up if they arrive at 3 AM. The notification must be loud enough to guarantee a response.
High-priority events that warrant awareness but not necessarily immediate action go to your team channel. Plugin installations by non-primary admins, WordPress core file modifications, and unusual login patterns that do not cross the critical threshold go here. The team can see them, discuss them if needed, and respond during normal working hours unless something escalates.
Everything else goes to a daily or weekly email digest. Successful logins, content updates, plugin updates, and routine administrative actions do not need real-time notification. They belong in a structured report that someone reviews once a day or once a week as part of normal site management. Routing these to real-time channels just dilutes the urgency of the things that actually matter.

What happens after the alert arrives: using the live stream and user profiles for rapid response
Getting the alert quickly is only the first part. What you do in the next five minutes after a critical security notification arrives determines whether the incident is contained or whether it compounds. Here is how the Nexu Activity Log features work together to support a fast response.

When a critical Slack or Telegram alert fires, the first thing to do after logging into WordPress is open the live stream. The live stream shows every event on the site as it occurs, auto-refreshing without requiring a page reload. If the session that triggered the alert is still active and actions are still being taken, you will see them happening in real time. This gives you a clear view of whether the incident is ongoing or whether the attacker has already completed their actions and left.

The second step is to pull up the user activity profile for the account that triggered the alert. This view shows the complete history of everything that specific user has done: every login with timestamps and IP addresses, every action taken, every session. If the account was recently used from a different IP or country, that history is immediately visible. If the behavior of the current session is dramatically different from all previous sessions, that shows up clearly in the pattern.
With the live stream and user profile open simultaneously, you have the information to make a fast decision: is this a compromised account that needs to be suspended immediately, or is there an innocent explanation that a quick message to the user will confirm? That decision, made with accurate real-time data rather than guesswork, is what separates a five-minute incident response from a five-hour one.
Alert fatigue and how to prevent it from killing your monitoring setup
Alert fatigue is the single most common reason good WordPress monitoring setups fail in practice. It starts when too many notifications go to real-time channels for events that are not actually urgent. The team starts seeing the alerts as background noise. Someone turns off notifications from the channel. Someone else stops checking it. Within a few weeks, the monitoring exists but no one is paying attention to it.
Set meaningful cooldown periods for repetitive events
Never put routine successful logins in real-time channels
Use scoped conditions to eliminate false positives
Review and tune your alert rules monthly
Real-time Slack, Discord, and Telegram alerts for WordPress are not a luxury security feature for enterprise sites. For any WordPress site where a security incident during the night could cause real damage, they are the difference between being alerted in time to respond and discovering a problem after the fact. The technical setup is straightforward. The configuration thinking is what makes the difference between a monitoring system that works and one that gets ignored.
Nexu Activity Log gives you the complete infrastructure for this: the event coverage to capture everything that matters, the alert rules engine to route it correctly, the multi-channel delivery to reach your team wherever they are, and the live stream plus user profiles to support fast investigation once an alert fires. Everything covered in this guide is built into a single plugin with a setup time measured in an afternoon.
The next critical login happens on your site whether or not you are watching. Setting up the alerts determines which of those two outcomes you are in.
Discord
Telegram
Know the moment anything critical happens on your WordPress site
Nexu Activity Log connects your WordPress security events directly to Slack, Discord, Telegram, and email with fully configurable alert rules, cooldown periods, and multi-channel routing. Set it up once, and it watches while you sleep.

Caught a breach at 3 AM. saved us.
Woke up to my site already hacked because your "real time" alerts showed up 8 hours late in my email. pretty useless if you ask me.
Finally got the alerts working right no more relying on email. that 3 AM login example in the guide was exactly what we needed to fix.
Finally got our login alerts working right after years of missed breaches. the guide walks you through setting up Slack notifications for actual suspicious logins not just every failed attempt that clogs the channel. My team ignored email alerts before, but now we see and act on the important ones immediately. worth the setup time