Last updated on September 14th, 2022 at 11:01 pm
Many WordPress websites are run without any auditing in place. Here's how to audit WordPress activity on your site and make sure you have a WordPress activity log when you need it.
This post contains affiliate links. We may earn a commission if you purchase an item through our links. It costs you nothing and helps us to fund this blog. Please see our Affiliate Disclosure & Notification for details.
Whether you run a single website or you’re an agency managing dozens of websites for many clients, having an audit trail of all the changes happening to your site is incredibly useful. Unfortunately, the WordPress Core doesn’t come with this type of functionality. There is no built-ing WordPress activity log.
So today we’re going to talk about some examples of when you’d need this type of information and how to set up your WordPress installation so that it’s capturing everything you want to see.
Why Do I Need to Audit WordPress Activity Anyway?
If you’re landing on this page, you probably already know the answer to this question – but just in case, I’m going to spell it out for you. There are 3 main reasons why you might need this functionality in your WordPress site.
First and foremost, any cybersecurity professional will tell you that having a log of all activity on a system is paramount to not only discovering malicious activity but also in finding out how it was initiated in the first place.
While the WordPress hacks that generally make the media involve those that wipe out entire sites and make obvious changes to infected websites, there’s a more sinister class of malware that operates in the background. These hard-to-see actors could be stealing CPU cycles to mine bitcoin, harvesting customer information, hijacking ads, or performing other nefarious activities.
Having a strong audit WordPress site strategy in place with accurate time stamping of activities is the best way to know what’s happening on your website, and if you’ve been hacked, it’s really the best way to figure out when things started going awry and even how the infection took hold.
Unless you just now started using WordPress, odds are pretty good that you’ve had problems with your website. With the vast number of themes and plugins, it’s only a short while before something doesn’t work the way you wanted it to.
Issues with WordPress can normally come about with a new plugin update or core update and while many times it’s easy to remember that you updated ‘XYZ’ plugin just before things went haywire, with WordPress 5.5’s auto-update feature (and many plugins already having this built-in for quite some time now) you may not even know an update happened without a good WordPress audit log.
By far, this is one that really goes amiss by lots of administrators. If you have multiple people authoring or editing content on a WordPress website, or you have a client who has the admin role, it’s important to know what changes are being made and who is making them.
Perhaps an admin user installs a new plugin from the WordPress 5.5 block directory without realizing it (which is really easy to do now) and it breaks something on the site. That user may be able to come to you, the support person, knowing that it broke while they were using it, but they don’t even realize they installed a plugin.
Another example that has happened to probably every single WordPress agency out there, is when a client comes to you after breaking their site and insists they made no changes. Not only might you be on the hook to fix it without charging them a cleanup fee, but it’s much harder to fix without a history of the changes that were made.
Having a way to look into the history of changes on a WordPress site via a WordPress activity log gives you the tools you need to overcome these challenges.
Tools for Auditing WordPress
Just like security happens in layers, so does auditing. The general rule of thumb is you want to audit everything and you want to save those logs for at least 1 year if you have the space to do so.
Ideally, WordPress audit logs should be copied to an offsite storage location with very limited access. Malicious actors sometimes try to modify log files to hide their tracks, so offloading your logs to another system is incredibly useful for cybersecurity purposes as it helps to ensure the integrity of the log data.
WordPress Activity Logs
For most issues, the first (and easiest) location to find information would be a WordPress-specific logging system that tells you in plain easy-to-read language what users are doing on the site. Unfortunately, WordPress doesn’t really come with any built-in system to accomplish this, but there are a couple of ways you can get a log of events on your system via plugins.
My go-to plugin to audit WordPress activity is a free plugin called WP Activity Log. This free plugin allows you to keep track of WordPress-specific changes to your site and tells you which user made which change and when. Theme and plugin installs, as well as activations/deactivations, are all tracked along with a myriad of other actions that can be taken. It also scans files and lets you know which files have been modified.
For security, the plugin allows you to install it yourself and ‘hide’ it from all other users so that only you can view the logs. If you’re an agency, it integrates perfectly with the MainWP Dashboard so you can view the activity logs of all your child sites in one place.
Like other free plugins, WP Activity Log also comes with a premium version that provides additional features such as the ability to see who’s currently logged into your site, and email & SMS notifications of critical changes in real-time.
If you can’t find what you’re looking for in the WP Activity Log (it won’t record FTP or SSH events or direct calls to your database from outside WordPress), then you’ll need to dig into your server or application logs to audit WordPress activity.
Depending on your hosting, you may not have much control over your server logs. Shared hosting and reseller hosting, which are the most common hosting plans used by websites, are limited when it comes to how you can configure server logs.
If you do happen to have control of your server logs, you definitely want to make sure you capture everything and offload it to a storage location that has room to store 1 years’ worth of log files. In Linux-based hosting environments, Apache log locations differ depending on what flavor of Linux you have to be running. In Windows-based hosting environments, IIS logs are easily configured to be stored wherever you may want them and it’s best to check the location by looking at the log file settings in your IIS configuration.
For offloading logs to a safe place, your available tools also depend largely on your hosting environment. You can set up CRON tasks to FTP the logs to another location and some backup plugins for WordPress like UpdraftPlus allow you to backup files outside your WordPress installation to offsite storage.
PHP and MySQL logs can also provide good forensic information especially if you’re trying to track down errors to debug an issue. They can be helpful if you’re doing a deep dive into a compromised site, but reading them might take a professional.
PHP Error logging is normally turned off by default because it can severely affect the loading of your website. But there are ways to configure them. Similarly, the configuration for MySQL logs can be tricky but worth the effort. Both of these can help in your quest to audit WordPress site activity.
In this post, we talked about why you should log as much activity as possible on your WordPress site and the tools you can utilize to audit WordPress activity by your users.
You may never need to dig into your WordPress audit log files, but it’s better to have them and not need them than to find out you need them and don’t have them.