WP Security Audit Log Review: A WordPress Security & Tracking Plugin
WP Security Audit Log is a free WordPress plugin that keeps track of everything that’s happening in your WordPress admin area. It maintains a history of actions taken by all users, and will notify you about suspicious behavior. Not only is this a fantastic security tool to have in place, but you can keep tabs on your clients, as well.
WP Security Audit Log was developed by Robert Abela, founder of WP White Security, a European-based company that also provides WordPress security services & consultation.
Over 100 (and counting) different actions are tracked, including support for the popular bbPress plugin, as well as WordPress multisite networks. WP Security Audit Log also has several premium add-ons that give you even more insight & control over what’s happening behind the scenes of your WordPress site. These add-ons include email notifications, search & filtering, enhanced reports & the use of an external DB to store audit logs.
Let’s take a look at the features of the free plugin, and then I’ll dive into the power of the add-ons.
Getting Started with WP Security Audit Log
When you first activate WP Security Audit Log, you’ll notice a new menu item in the left-hand navigation called Audit Log. It should appear just below your Dashboard. There are 6 sub-pages to be explored, but I’ll mainly focus on the first 3. Use the links below to jump straight to that section.
- Audit Log Viewer – This is where all of your user activity is stored, each row representing a user action
- Enable/Disable Alerts – This is where you can choose which actions you want to track. Turn on/off alerts about certain user activity. This determines what gets added to your audit log viewer.
- Settings – This page contains general plugin settings. I recommend you start here before setting up your alerts.
- Add Functionality – Links to the add-ons that I’ll discuss below
- Help – Links to documentation, support forums & a security blog by the plugin author.
- About – General information about the plugin & the types of user activity it tracks
Let’s dig deeper into how to best set up your security audit log, which alerts you should care about, and how to read the audit log viewer screen.
Setting Up For Success
Let’s talk about what each setting does, and help you decide what’s best for your site.
Security Alerts Pruning determines how you want to remove alerts from your audit log. Alerts are stored in your database, so it’s a good idea to clean them up regularly. I recommend either deleting alerts older than 3-4 months, or keeping up to 2,000 or so alerts. This will give you the alerts you need while also keeping your database optimized.
Alerts Dashboard Widget, if enabled, will add a widget to your WordPress dashboard showing the latest 5 security alerts. Completely optional.
Reverse Proxy / Firewall Options are for advanced users who are running WordPress behind a firewall or proxy server.
Can View Alerts allows you to add specific Users and Roles (admin, editor, contributor, etc.) who can see the security audit log.
Can Manage Plugin allows you to control who has access to the plugin’s settings.
Refresh Audit Log Viewer gives you the option to refresh the log manually. For most sites, leave this set to “Automatic.”
Alerts Time Format / Alerts Timestamp allows you to choose between 12- and 24-hour time formats, as well as choosing local vs. UTC time.
Audit Log Columns Selection lets you customize what information you see on the audit log viewer screen. Perhaps you don’t care to see the “Alert Code,” so you would hide it here. NOTE: Even if you disable them here, they will still be collected in the database.
Hide Plugin in Plugins Page will do just that. This might be helpful if you have a client logging into the site and you don’t want them to see you’re using an audit log plugin.
Disable Alerts for WordPress Background Activity will hide alerts for things like the automatic deletion of auto-drafts and spam comments older than 30 days.
The Exclude Objects tab gives you the power to exclude users, roles, custom fields and IP addresses from monitoring. You might be tempted to exclude your username, or all “administrator” users, but be careful. Some attackers could gain access to your site and pretend to be one of your admin users. You would then miss out on all the malicious activity that the attacker is performing.
If you have a private IP address that only you (or a few people you trust) are using, then you could exclude all actions at this IP address from being tracked.
Disable/Enable Security Alerts
This page lets you choose which user activities you want to track. There are over 100 activities to choose from, broken down into the following categories for easier navigation. All alerts are enabled by default.
Monitor User Activity
The User Profiles and Other User Activity tabs allow you to track things like:
- Successful & failed login attempts
- Uploading or deleting a media file
- Edits to a theme or plugin using the built-in editor
- New user creation
- Email address & password changes
Monitor System Activity
The System Activity tab allows you to track general WordPress settings & automated activity performed by the WordPress core:
- Updates to WordPress core
- New user registration options
- Permalink changes
- Changes to the WordPress admin email
Monitor Page & Posts Activity
The Blog Posts, Pages and Custom Posts tabs allow you to track activity on your WordPress content:
- When posts/pages/custom post types are created, modified or deleted
- Any changes in author, permalink, status, categories or tags
- Any change to the page parent, page template or a page’s custom field
Monitor Multisite Activity
The Multisite tab adds alerts for:
- Users being added or removed from a site
- Any changes to Super Admin privileges
- Adding, archiving or deactivating new sites
- Theme changes on a network site
Monitor bbPress Activity
The bbPress tab adds over 20 alerts for:
- Forums being added, modified or deleted
- Users being added or removed from forums
- Changes to the status, type or URL of a forum
- Changes to the status, type or URL of a forum topic
Monitor Other Activity
The Plugins & Themes, Widgets and Menus tabs allow you to track:
- Installation, activation, deactivation & uninstallation of themes and plugins
- Adding, modifying or deleting a widget, or changing a widget’s position (moving it to another sidebar area)
- Adding, modifying or deleting a menu item
- Any change in a menu’s order or settings
Monitor WordPress Database Activity
The Database tab allows you to monitor some important actions happening on your WordPress database. Some of these are crucial for ensuring optimal WordPress security. Many attackers will try to edit your database directly so that your WordPress admin area doesn’t look any different. Some of these alerts could provide valuable insight into a potential security breach.
- Any time a theme or plugin adds or deletes a table, or modifies a table’s structure
- Any time an unknown source adds, deletes or modifies anything in the database
Check out the external database add-on below.
Security Audit Log Viewer
Once you’ve adjusted your settings & customized which alerts you want to track, you shouldn’t need to go back to those settings. The rest of your time will be spent on the Audit Log Viewer page. This is where all your alerts will appear.
There are 6 main pieces of information for each alert:
- Code – A proprietary 4-digit code used for tracking the different types of alerts and advanced triggering for notifications
- Type – A color-coded icon that explains the severity of the alert
  - Notice: least severe
  - Warning: medium severity
  - Critical: most severe
- Date & Time – When the action took place
- Username (and role) – The user who initiated the action, along with their assigned role
  - This would come in handy if you wanted to keep tabs on a client website, or if you run a multi-author blog. You can see who is creating & updating which pages/posts, if they’ve updated their password, etc.
- Source IP Address – The IP address of the network on which the action was initiated
  - This could be useful in detecting suspicious activity. If the IP address for an action taken by Amy is different than all of Amy’s previously listed IP addresses, someone else might be logging into her account.
- Message – This provides a description of the user activity, including any plugin or theme names, post or page IDs, usernames, etc. Reading the message is the best way to determine suspicious activity.
Most of these columns are sortable, which allows you to view all alerts from the same IP address in a row, or all alerts from the same user. If you need more control over your alerts, consider the search/filtering add-on.
You can optionally choose to show a widget on your Dashboard that contains the last 5 alerts from your audit log. Easily turn it on or off in your settings, or show/hide it using Screen Options at the top of the page.
Premium Add-Ons for WP Security Audit Log
The free version of WP Security Audit Log will be enough for some people. For those who want more control over user activity, consider one of these add-ons. You can purchase any of them individually, but you’ll receive a huge discount if you buy the entire bundle.
Don’t want to log in to your WordPress admin area just to check your audit log? No problem. The email notifications add-on will send the alerts straight to your inbox. Every alert that is tracked in the viewer can also be sent to your email.
The add-on comes with a handful of built-in notifications that the author thought would be used frequently. You can turn them on with one click, or set up your own custom alerts using a combination of various triggers. There are no restrictions on what you monitor, and no limit on how many email notifications you set up.
Search / Filtering
The search & filtering add-on is great for those with a lot of user activity. It would take forever to scroll through thousands of alerts. This add-on provides a text-based search option to find specific alerts. You could search for specific theme or plugin names, specific posts/pages, etc.
You can combine a search with additional filtering rules. For example, you could search for all alerts about the “Jetpack” plugin that occurred between 1/1/2016 and 4/21/2016. You can filter by:
- type of alert
- IP address
With the reports add-on, you can:
- generate reports in HTML and CSV format
- have reports sent via email (multiple emails supported)
- schedule reports to run weekly or monthly
- create on-demand reports at any time
You might want to keep tabs on a particular user. You can have that user’s activity sent to you via email every month. You could also have a weekly report sent to you about all the changes that occurred on a certain post or page on your website. Reports are completely customizable, and the CSV format allows you to import user activity into other programs.
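The Source IP Address check described earlier (an action by a user from an address that appears nowhere in that user's history) can be run over a CSV report outside WordPress. This is an added example, not part of the original review or the plugin's code; the column names, alert codes and rows are constructed for illustration, and a real export may use different headers.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample report. Headers and 4-digit codes are placeholders,
# not the plugin's real CSV layout or alert codes.
SAMPLE_CSV = """\
code,type,date,username,source_ip,message
9001,Notice,2016-04-01 09:02:11,amy,203.0.113.10,User logged in
9002,Notice,2016-04-01 09:05:40,amy,203.0.113.10,Modified post ID 42
9001,Notice,2016-04-02 08:58:03,amy,203.0.113.10,User logged in
9001,Notice,2016-04-02 10:00:00,bob,192.0.2.5,User logged in
9002,Notice,2016-04-02 10:04:00,bob,192.0.2.5,Modified page ID 7
9002,Notice,2016-04-03 11:00:00,bob,192.0.2.5,Modified page ID 7
9001,Notice,2016-04-09 03:14:15,amy,198.51.100.77,User logged in
9003,Critical,2016-04-09 03:15:02,amy,198.51.100.77,Changed password
9004,Warning,2016-04-09 03:16:40,amy,198.51.100.77,Installed a plugin
9001,Notice,2016-04-10 10:00:00,bob,192.0.2.5,User logged in
"""


def unfamiliar_ip_activity(csv_text, min_history=3):
    """Group alerts that come from an IP outside a user's baseline.

    Each user's first `min_history` alerts define their normal IPs. After
    that, an unseen IP is never auto-trusted, so every later alert from it
    is collected for review rather than only the first one.
    """
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: datetime.strptime(r["date"], DATE_FMT))
    known = defaultdict(set)     # user -> IPs accepted as normal
    history = defaultdict(int)   # user -> alerts processed so far
    suspect = defaultdict(list)  # (user, ip) -> alerts from unfamiliar IP
    for row in rows:
        user, ip = row["username"], row["source_ip"]
        if history[user] < min_history:
            known[user].add(ip)  # still learning this user's baseline
        elif ip not in known[user]:
            suspect[(user, ip)].append(row)
        history[user] += 1
    return dict(suspect)


if __name__ == "__main__":
    for (user, ip), alerts in unfamiliar_ip_activity(SAMPLE_CSV).items():
        print(f"{user} from {ip}: {[a['message'] for a in alerts]}")
```

Reviewing the grouped messages for each flagged pair matters more than the flag itself: a login from a new address is routine for travelling users, while a password change or plugin install right after it is not.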
With this add-on, you can select a custom database to store your alerts in, keeping your WordPress database as small as possible. Right now, only MySQL database servers are supported, but they plan to add support for more servers in the future.
One of the other neat aspects of this add-on is that you can migrate your alerts from one database to another. So if you started storing alerts in your WordPress database, you can migrate them to a separate database at any time. Likewise, you can move them back into your WordPress database.
Just enter your database credentials on the settings page, click “Save,” and you’re good to go.
Security Add-On (New)
This is a brand new add-on that will be released soon. It provides the ability for you to see all the active sessions on your WordPress site. Everyone who is currently logged in will show up. You’ll see details about the user’s session, such as:
- when they last logged in
- when their login will expire, and they’ll have to log in again
- their IP address
- the last action they took
- the ability to terminate their session with the click of a button
If an attacker gained access to your site through an old user account, you could quickly terminate their session, and you could do the same for anyone else who shouldn’t be logged in. If you run a large, multi-author blog, or a site with many editors/contributors, this could definitely come in handy.
Free support is provided via the WordPress.org support forums, as well as via email. The plugin author has been very active in the forums, and all reported issues have been resolved. I’ve had the opportunity to personally interact with Robert, the developer behind the plugin, and he’s been great to work with.
While support is provided for users of the free plugin, priority is given to premium users who pay for add-ons & support.
WP Security Audit Log is a quality plugin, built by a WordPress security professional. For anyone looking to track user activity in WordPress, or a little extra security peace-of-mind, I can definitely recommend this one.