What are severity levels in the WordPress activity log?

WP Security Audit Log keeps a record of every change that happens on your website in a WordPress activity log.

For every change the plugin records it creates an event in the activity log. Every event type has a severity level and a unique ID. This post highlights the different severity levels that are used in the activity log and explains what each is.

What are the activity log severity levels?

If you own or manage a WordPress website, you do not need to know every time a user logs in. However, you should know about critical changes, for example when a user installs a new plugin or changes the role of another user.

Different changes and user actions can have a different impact on the security, performance and functionality of the website. We therefore use severity levels in the activity log to help you understand which events are important and which are less so. Below is a list of all the WordPress activity log severity levels:

Severity level    Icon
Critical          Critical severity icon
High              High severity icon
Medium            Medium severity icon
Low               Low severity icon
Informational     Informational severity icon

The severity levels explained

Critical severity events in the activity logs

Events with critical severity can have a direct impact on the website’s security, performance and functionality. Therefore you should check all these events to confirm they are legitimate when reviewing the activity logs. Below are a few examples of events with critical severity:

  • a new user is created on the website (ID: 4001) or multisite network (ID: 4012),
  • a user is granted super admin access on a multisite network (ID: 4008),
  • a user changes the role of another user (ID: 4002),
  • a user installs a new plugin on the website or network (ID: 5000),
  • someone adds a new source code file to the WordPress installation (ID: 6029),
  • a user changes important website or network settings, such as the default role for new users (ID: 6002).

For more details on every individual event refer to the complete list of activity log events and IDs.

High severity events in the activity logs

Events with high severity can also have an impact on the security, performance and functionality of the website or of user accounts. The impact is a little less than that of critical severity events, and these events happen more often. You should still double-check all high severity events and confirm they are legitimate changes. Below are a few examples of high severity events:

  • users change their password (ID: 4003) or change another user’s password (ID: 4004),
  • a user deletes another user (ID: 4007),
  • a user activates an installed plugin or theme (IDs: 5001 and 5006),
  • an unknown component creates tables in the database (ID: 5016),
  • the source code of a file on the website has changed (ID: 6028),
  • a user changes the WordPress website permalinks (ID: 6005).

 

For more details on every individual event refer to the complete list of activity log events and IDs.

Medium severity events in the activity logs

Events with medium severity are mostly user changes or actions that happen on a daily basis. These types of events do not have a direct impact on the website’s security, performance or functionality.

However, should you notice something suspicious on the website, need to troubleshoot a technical issue, or want to find out who did what on the website, you should check these events. They are the ones most likely to lead you to the answer. Below are a few examples of events with medium severity:

  • failed user logins (ID: 1002) or blocked sessions due to multiple sessions (ID: 1004),
  • a user moves a post to trash (ID: 2012) or permanently deletes it (ID: 2008),
  • a user creates a new category (ID: 2023) or deletes one (ID: 2024),
  • a user changes the email address (ID: 4005) or other profile properties,
  • a user changes non-critical WordPress settings, such as enabling the setting for comments to be manually approved (ID: 6014).

For more details on every individual event refer to the complete list of activity log events and IDs.

Low severity events in the activity logs

Events with low severity are mostly day-to-day user changes or actions, and automated WordPress changes that happen under the hood. In most cases these events do not have any impact on the website’s security, performance or functionality.

Website owners and administrators use the information from these events to monitor user productivity, improve user accountability, troubleshoot technical issues, generate reports and also to do forensic work. Below are a few examples of low severity alerts:

  • a user logs in to the website (ID: 1000),
  • a user publishes a post (ID: 2001), modifies it (ID: 2002), etc.,
  • a user moves a widget in a section (ID: 2045),
  • a user changes the order of items in a menu (ID: 2085),
  • a user updates an installed plugin (ID: 5004).

For more details on every individual event refer to the complete list of activity log events and IDs.

Informational events in the activity logs

Events with the informational severity level are day-to-day user changes or actions. These events do not have any impact on the website’s security, performance or functionality.

Similar to events with low severity, website owners and administrators need the information in these events to monitor user productivity, improve user accountability, troubleshoot an issue and generate reports. Below are a few examples of informational events:

  • a user creates a post and saves it as draft (ID: 2000),
  • a user changes the author of a post (ID: 2019),
  • a user submits a post for review (ID: 2073),
  • a user adds tags to a post (ID: 2119),
  • a user posts a comment on a post (ID: 2099).

For more details on every individual event refer to the complete list of activity log events and IDs.

Best practice and recommendations

Every business has different requirements for their website. However, some website changes are always critical, especially from a security point of view. Therefore you should know when a new plugin is installed on your WordPress website, or when a user’s role is changed, especially if the user is granted administrative privileges. So when reviewing the WordPress activity logs, always review and confirm events with critical and high severity.

Set up email and SMS notifications for some of the critical and high severity events. Configure the plugin to send a weekly report with all the critical and high severity events from the activity log.

In most cases you won’t need to refer to events with the other severity levels unless you are doing something specific, such as monitoring user productivity, troubleshooting a technical issue, or doing forensic work.
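
The review of critical and high severity events recommended above can also be run over an exported copy of the activity log. The script below is an added example, not code from the plugin: it maps only the example event IDs listed in this article to their severity level and builds a digest of the events to confirm. The CSV column names and the sample rows are assumptions constructed for illustration, not the plugin's export format.

```python
import csv
import io
from collections import defaultdict

# Severity of the example event IDs listed in this article (not the full event list).
SEVERITY_BY_EVENT_ID = {
    **dict.fromkeys((4001, 4012, 4008, 4002, 5000, 6029, 6002), "Critical"),
    **dict.fromkeys((4003, 4004, 4007, 5001, 5006, 5016, 6028, 6005), "High"),
    **dict.fromkeys((1002, 1004, 2012, 2008, 2023, 2024, 4005, 6014), "Medium"),
    **dict.fromkeys((1000, 2001, 2002, 2045, 2085, 5004), "Low"),
    **dict.fromkeys((2000, 2019, 2073, 2119, 2099), "Informational"),
}
REVIEW_LEVELS = ("Critical", "High")

# Constructed sample export; column names are assumptions, not the plugin's format.
SAMPLE_EXPORT = """event_id,timestamp,user,message
1000,2024-05-06T08:01:12,alice,User logged in
2001,2024-05-06T08:15:40,alice,Published a post
4002,2024-05-06T09:02:03,bob,Changed role of user carol
5000,2024-05-07T22:47:55,bob,Installed a plugin
4003,2024-05-08T10:11:00,carol,Changed own password
6028,2024-05-08T23:30:19,system,File content changed
9999,2024-05-09T07:00:00,system,Event not covered by the article
"""

def review_digest(export_text):
    """Group events that need confirmation by severity; collect unmapped IDs."""
    digest = defaultdict(list)
    unmapped = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        event_id = int(row["event_id"])
        severity = SEVERITY_BY_EVENT_ID.get(event_id)
        if severity is None:
            unmapped.add(event_id)  # do not guess a severity for unknown IDs
        elif severity in REVIEW_LEVELS:
            digest[severity].append(row)
    return dict(digest), sorted(unmapped)

if __name__ == "__main__":
    digest, unmapped = review_digest(SAMPLE_EXPORT)
    for level in REVIEW_LEVELS:
        print(f"{level}: {len(digest.get(level, []))} event(s) to confirm")
        for row in digest.get(level, []):
            print(f"  {row['timestamp']}  ID {row['event_id']}  {row['user']}: {row['message']}")
    print("IDs not in the article's examples:", unmapped)
```

IDs that are not in the mapping are reported separately rather than assigned a level, so they can be looked up in the complete list of activity log events and IDs.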