A WordPress activity log is a must-have tool in every website’s security suite. However, determining which plugin is best for incorporating this feature can be tricky, given there are quite a few activity log plugins available.
In order to make an informed decision, there are a few key features to look for when evaluating WordPress activity log plugins. With a bit of research, you can pin down the option that is most suited to your site’s needs.
This post will provide a brief introduction to activity log plugins. It will also discuss why it’s important to evaluate them before installing one on your WordPress website. Then we’ll share five key areas to consider when assessing these tools. Let’s get to it!
An introduction to activity log plugins (and why your choice matters)
In a nutshell, an activity log is a record of everything that happens on your website. This typically includes information about login attempts, post publications, platform updates, and more. Activity logs are useful for security, administration and general troubleshooting purposes. However, activity logging isn’t a native feature in WordPress.
This means that, in order to take advantage of the benefits of activity logs, you’ll need to install a WordPress activity log plugin. There are many choices available in the WordPress plugins repository and elsewhere, including our own WP Security Audit Log.
While every type of website stands to benefit from maintaining an activity log, it’s also true that each site has its own specific needs and goals. Likewise, every plugin that provides this functionality has unique features.
When choosing a WordPress activity log plugin, it’s wise to evaluate each option to determine which one provides the features that can meet your site’s needs. This research may take a little extra time upfront, but should save you valuable hours in the long run.
The last thing you want is to install and invest in a plugin that doesn’t report activities you wish to monitor. You may also find yourself with a tool that doesn’t integrate with the other solutions you use, causing major issues for your workflow.
5 key tips for evaluating WordPress activity log plugins
There’s no doubt that choosing the right WordPress activity log plugin is a big decision. However, you can break the aspects you need to evaluate down into five key categories, as we’ve done below.
1. Consider the plugin’s activity coverage
‘Coverage’ refers to the range and variety of activities that a plugin can keep a log of. You may not think about it when you’re carrying out your regular WordPress maintenance tasks, but a lot happens on a website with multiple users, even on slow days.
When choosing an activity log plugin, it’s important to note which events the tool records, as well as exactly what you want to monitor. For example, some security plugins keep a log of basic user events, such as logins, logouts and plugin changes (e.g. a new plugin is installed).
Other tools focus on changes to post and page content, login attempts, or other specific types of activity. If you have a very small site with just a few users, one of these plugins might be able to fulfill your needs.
However, for larger sites with lots of users, as well as those that deal with sensitive information such as credit card numbers, wider coverage is usually better. With more people logging into your site, there are more opportunities for mistakes and even malicious attacks.
For WP Security Audit Log, we provide a complete list of the activity log events it tracks. This list gives you a good overview of all the changes the plugin can keep a log of (its coverage). However, such a list is only available for WP Security Audit Log. To evaluate the coverage of other plugins, your other option is to install and test them yourself. Performing a variety of tasks and then evaluating the resulting log should give you a good sense of the tool’s coverage.
2. Determine the level of detail you want in your WordPress activity logs
Finding out that a plugin was installed on your website, or that a user’s role was changed, is one thing. Knowing who actually changed the user profile or installed the plugin, where the plugin is installed, and the IP address and location associated with the user who made these changes, is an even more impressive level of cyber security.
The detail your activity log provides can mean the difference between it being a valuable asset in your security and admin strategy or a source of frustration.
To use a less dramatic example, consider an update to a published post. Some WordPress activity log plugins will simply notify you that a post has changed. Others, such as WP Security Audit Log, provide more specific details to let you know what was changed, such as the title, URL, body content, or publication date.
Similarly, some tools will let you know a bit more, for example when new content has been published. However, more detailed logs will record the title and URL of the new post or page. In the latter scenario, it’s easier to tell from a brief glance at the logs whether the activity is likely problematic or benign.
Of course, more detailed activity logging means more notifications and longer reports. However, in WP Security Audit Log you can disable and enable individual activity log events, allowing you to determine the right balance between thoroughness and convenience for your site.
3. Logs of changes on your other installed plugins
One of the most appealing aspects of WordPress is how extendable it is. Chances are you’re using a variety of plugins on your website and you’ll want to keep a log of what is happening on them as well.
Obviously, the support you need to check for will depend on your preferred plugins. However, some popular ones you might want to consider include:
- E-commerce plugins. If you sell anything online, it’s important that the activity log plugin you choose keeps a log of important changes, such as changes to products, prices, and other key elements. WooCommerce is the most popular e-commerce plugin for WordPress, and if you are using it, activity logs for WooCommerce are crucial for the success of your store.
- Search Engine Optimization (SEO) tools. Almost all WordPress websites use plugins such as Yoast SEO to optimize their posts. An activity log plugin that can keep a log of changes to SEO titles, SEO description and also plugin settings changes can help you stay on top of your visibility efforts. WP Security Audit Log has a dedicated sensor just for Yoast SEO.
- WordPress multisite. If you’re running a network of sites, being able to monitor all of them and the network itself from a single log can streamline your maintenance workflow. Therefore, when evaluating the plugins, choose one that has activity logs for WordPress multisite networks.
Testing plugin support by installing plugins together is risky and time-consuming, and can also lead to errors and downtime. Instead, check each plugin’s documentation for lists of supported third-party plugins. User reviews and support forum posts are also prime sources for this information.
4. Account for interoperability to automate large-scale systems
In this context, ‘interoperability’ refers to whether a plugin can be incorporated into a larger system, in order to send the logs to that system. This could be a central syslog server or a central team communications system such as Slack. In plainer terms, this aspect is a lot like integration, but on a deeper level.
With larger organizations and big e-commerce sites, interoperability can get more complex. For instance, you may want to be able to connect your activity log with other security systems you have in place, such as a WordPress intrusion detection system (IDS), or to trigger malware and security scans when there are file changes reported in the WordPress activity logs.
The possibilities are nearly endless, but it depends on the platforms you’re using and the type of site you run. A quick and easy way to determine if your activity log solution can be used for third-party integrations is to check whether it uses event IDs.
By assigning unique identifiers to the different changes on your WordPress site in the logs, the solution can provide the information needed to automate tasks performed by other platforms. Without such unique IDs, it is almost impossible to configure and automatically trigger a process in a third-party system.
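The following added example (not code from WP Security Audit Log or any other plugin) shows how a receiving system can route forwarded log records by event ID rather than by message text. The event IDs, JSON field names, action names and sample records are all constructed for illustration; a real plugin publishes its own event list and log format.

```python
import json

# Constructed event IDs for illustration only; use the plugin's published list.
EVT_LOGIN_FAILED = 9001
EVT_PLUGIN_INSTALLED = 9002
EVT_FILE_CHANGED = 9003

# Routing table: event ID -> action in a downstream system (hypothetical names).
ROUTES = {
    EVT_LOGIN_FAILED: "count_for_lockout",
    EVT_PLUGIN_INSTALLED: "notify_chat",
    EVT_FILE_CHANGED: "trigger_malware_scan",
}

def route(line, failed_logins, threshold=3):
    """Return the action for one forwarded JSON log line, or None to ignore it."""
    try:
        rec = json.loads(line)
        event_id = int(rec["event_id"])
    except (ValueError, KeyError, TypeError):
        return "quarantine_unparsed"  # malformed records are kept, not dropped
    action = ROUTES.get(event_id)
    if action != "count_for_lockout":
        return action  # None for event IDs nothing subscribes to
    # Failed logins are counted per source IP and only alert at the threshold.
    ip = rec.get("client_ip", "unknown")
    failed_logins[ip] = failed_logins.get(ip, 0) + 1
    return "alert_bruteforce" if failed_logins[ip] >= threshold else None

def process(lines):
    """Route a batch of lines and return the actions that fired, in order."""
    failed = {}
    return [a for a in (route(l, failed) for l in lines) if a]

# Constructed sample records. The second one has a translated message, which
# would defeat text matching but still carries the same event ID.
SAMPLE = [
    '{"event_id": 9001, "client_ip": "203.0.113.7", "message": "Login failed"}',
    '{"event_id": 9001, "client_ip": "203.0.113.7", "message": "Anmeldung fehlgeschlagen"}',
    '{"event_id": 9003, "message": "File changed", "file": "wp-config.php"}',
    '{"event_id": 9001, "client_ip": "203.0.113.7", "message": "Login failed"}',
    '{"event_id": 9999, "message": "Something else"}',
    'not json at all',
    '{"event_id": 9002, "user": "editor1", "message": "Plugin installed"}',
]

if __name__ == "__main__":
    print(process(SAMPLE))
```

Because the routing key is the numeric ID, a change to the wording or language of the log message does not break the integration.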
5. Check how configurable the plugin is
Strict compliance regulations in every industry stipulate different requirements for businesses to adhere to, such as how long the logs should be kept, who can access them, where they are stored, what level of detail the logs should have, and many other factors. For example, financial institutions in Europe have very strict requirements. They are required by law to:
- keep up to eight years of log data,
- restrict access to the logs on a need to know basis,
- store the logs in a different database than the website one.
All WordPress activity log plugins have a default configuration. However, you should check that you can actually configure the plugin to meet your business and regulatory requirements. Some aspects of the logs and the plugin you should be able to configure are:
- activity logs data retention policies,
- access rights to the activity logs (who can read the logs),
- privileges to the plugin’s settings (who can configure the plugin’s settings),
- the detail level and coverage of the logs (e.g. ability to disable the logging of specific user changes),
- the database or location where the activity logs are stored.
6. Weigh any additional features your activity log plugin provides
The five points discussed above are important to evaluate, in order to ensure that the activity log plugin you choose will provide the functionality you need it to. However, there are other features to consider as well. Some features in this category that you will most probably need include:
- Instant notification options. Receiving alerts, especially for suspicious activity, is key. Consider each plugin’s notification options, including the medium (email, SMS, or other) and available event triggers.
- Reports. Being able to view digestible reports makes user management, website maintenance and auditing easier.
- Search and filter functionality. You need good tools to quickly find specific activity that you want to track and monitor.
- Regulation compliance. By necessity, activity logs deal with user data. Therefore, compliance with privacy laws such as the General Data Protection Regulation (GDPR) is a must.
- Login and session management. If your log picks up on suspicious activity on your site, you’ll want to be able to take action. Being able to remotely log out users and block simultaneous sessions can help you keep your site safe.
Evaluation of these and any other features as you deem significant depends on your website’s and business’ needs and requirements. Don’t forget to check each plugin’s available add-ons or extensions for additional functionality that might prove useful to you.
Find the best activity logs solution for your WordPress website
Keeping an activity log on your WordPress website is a smart move. However, it’s hard to put this feature to good use if the plugin you’ve chosen isn’t the best fit for your site. When deciding which WordPress activity log plugin to use, remember to assess these six crucial areas:
- Consider the plugin’s activity log coverage.
- Determine the level of detail you want in your WordPress activity log.
- Ensure that your plugin integrates with other key tools.
- Account for interoperability to automate large-scale systems.
- Check how configurable the activity log plugin is.
- Weigh any additional features the activity log plugin provides.