Change Reporting for WordPress With Enhanced Activity Logging

July 18, 2023 by Paul G. | Blog, Features, Shield Pro, Shield Security

Perhaps the hardest part of keeping a WordPress site secure is knowing exactly what is happening on it.

Without any sort of activity logging, a WordPress site is a black box and there are few ways to know what’s happening, or what might have happened.

Without activity logging, the only way to get a sense of what’s happened, is to look at the current state of the site and try to work backwards from there.

We recently wrote about how to perform a WordPress Security Audit and why it’s so important. This inspired us to take a fresh look at how easy Shield Security makes this for our members.

And to be honest, we found gaps and places in much need of improvement.

In this article we’ll talk about some of what we found and outline how we’ve made improvements to Shield in our upcoming release.

Shield Lacked Activity Logging In Certain Areas

When we first built Shield, we recognised that being able to clearly see what has happened on a site is critical to understanding the current state of the site.

But in our review we discovered that there were some areas that we just couldn’t see clearly enough. And there were a number of reasons of that, some of which were:

The Activity Log is one of Shield’s oldest features. Tracking for certain events wasn’t added because the WordPress API didn’t allow for it at the time.
Setting up reliable logging for events is a large body of work, so decisions are made to balance what to track vs investment required to track it
Certain things can never be tracked directly from within WordPress (we’ll get to that later)

With our upcoming release, we’ve done a lot of work to ensure Shield shines a brighter light into these darker areas of WordPress activity.

To illustrate this, the list below outlines the newly added activity logging for many events on WordPress sites:

WordPress Core

Site title updated
Site tagline updated
Site home URL updated
Site WP URL updated
Site admin email address updated
Site option “Anyone can register” updated
Site option “Default User Role” updated

Users

User promoted to administrator
User demoted from administrator
User email address updated
User password updated
User roles updated

Post & Pages

New Page/Post created
Page/Post content updated
Page/Post title updated
Page/Post slug updated

Database

DB tables added
DB tables removed

Plugins

Plugin manually installed (e.g. via FTP)
Plugin manually upgraded (e.g. via FTP)
Plugin uninstalled
Plugin manually uninstalled (e.g. via FTP)
Plugin manually downgraded (e.g. via FTP)

Themes

Theme manually installed (e.g. via FTP)
Theme manually upgraded (e.g. via FTP)
Theme uninstalled
Theme manually uninstalled (e.g. via FTP)
Theme manually downgraded (e.g. via FTP)

Comments

Comment created
Comment deleted
Comment status updated

NEW: Activity Logging That Captures Changes Made Outside Of WordPress

To-date Shield’s Activity Logging features has relied soley on the native WordPress API to track changes on a site. For any developers, this means hooking into WordPress’ array for action hooks and filters.

If you’re not familiar with this, you can think of it like an “events” system built directly into WordPress, that allow plugins like Shield to integrate.

For example, imagine you activate a plugin. WordPress will perform the task and then fire out an announcment to say “To anyone listening, plugin XYZ has just been activated“.

Developers can “listen” for those events and take any actions it needs to. Shield will write an entry to the Activity Log to say “Plugin XYZ was activated by Jim, at 3:05pm“, for example.

This is the standard approach to WordPress activity logging.

But many things can happen on a WordPress site without loading WordPress itself.

This can cause a problem for activity logging, since if WordPress isn’t running, then WordPress won’t fire an event, and Shield won’t create the activity log for what happened.

So what sort of WordPress-related activity am I referring to here? There are many possibilities, and here are some of them:

Activating or Deactivating a plugin directly via the WordPress Database
Installing plugins/themes via FTP (or similar, e.g. cPanel File Manager)
Deleting plugins/themes via FTP (or simlar)
Deleting/creating WordPress database tables using a database manager
Updating WordPress database records using a database manager
Creating/deleting/updating users directly on the database using a database manager

The most critical of these are the final few which involve directly accessing the WordPress database and making modifications without WordPress itself “knowing” about it.

Sometimes there is legitimate reason to do this, particularly if something has gone wrong and you’re making repairs.

However, there are more nefarious cases where malicious changes can be made. This might happen if a site has been hacked and a backdoor has been added that provides direct access to the site and the database.

Some time ago there was a vulnerability in the Elementor platform that allowed certain users to make changes directly to the database. Since it bypassed the WordPress load, there’s no way you could have known that this had happened unless you were checking all your WordPress settings.

So what does all this mean and how does it help with your WordPress security?

New: Shield’s Change Report Feature

As I mentioned earlier, having a clear view what exactly is happening on a site is crucial to keeping a site secure. The more we can see, the more we know, and the sooner we can take action to correct issues.

To make this easier, we’re introducing Shield’s first major reporting feature: Change Reporting

A WordPress Change Report does 1 job – it displays an easy-to-read report on all changes made to a WordPress site between 2 specific dates. The changes are broken up into “Zones”, namely:

WordPress
Plugins
Themes
Users
Posts
Pages
Database
Comments

We will add more zones in the future, and even provide support for integrating with popular platforms, such as WooCommerce and Yoast SEO.

How Does The Change Report Differ To The Activity Log?

The purpose of the activity log is to be able to view all the details of activity on the site.

If you want to dig into the activity from a specific IP address, or instances of particular events and see who did what and when, then the activity log is the tool to use.

If you want to see what has “changed” on a site, the Change Report is what you need. It’ll not tell you when a user logged-in, but it’ll tell you that they changed their password, updated their email address, or were promoted to administrator.

How Can You Get Access To Shield’s Change Report Feature?

The Change Report feature and all the new activity logging features will be available with ShieldPRO 18.2, due for release in a couple of weeks.

Questions or Suggestions?

As always, we encourage our members to offer feedback and new and changing features. We’d love to hear what you think and whether you feel you’d find all these additions useful.

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials

@doctorlj2017

Great Product!

Shield Security has worked great for me so far. I have had no hacks, no intrusions, no spams, and no problems. I love it!

@achr15

Great Security Plugin

Very easy and comprehensive.

@srinivas-gaikwad

Excellent plugin

@dajoel2000

Goog

Very good, I like it

ESSENTIAL WORDPRESS SECURITY NEWS

Get ShieldNOTES, our excellent weekly WordPress security newsletter!