July 18, 2023 by Paul G. | Blog, Features, Shield Pro, Shield Security

Change Reporting for WordPress With Enhanced Activity Logging

Shield Security Pro Logo

Perhaps the hardest part of keeping a WordPress site secure is knowing exactly what is happening on it.

Without any sort of activity logging, a WordPress site is a black box and there are few ways to know what’s happening, or what might have happened.

Without activity logging, the only way to get a sense of what’s happened, is to look at the current state of the site and try to work backwards from there.

We recently wrote about how to perform a WordPress Security Audit and why it’s so important. This inspired us to take a fresh look at how easy Shield Security makes this for our members.

And to be honest, we found gaps and places in much need of improvement.

In this article we’ll talk about some of what we found and outline how we’ve made improvements to Shield in our upcoming release.

Shield Lacked Activity Logging In Certain Areas

When we first built Shield, we recognised that being able to clearly see what has happened on a site is critical to understanding the current state of the site.

But in our review we discovered that there were some areas that we just couldn’t see clearly enough. And there were a number of reasons of that, some of which were:

  • The Activity Log is one of Shield’s oldest features. Tracking for certain events wasn’t added because the WordPress API didn’t allow for it at the time.
  • Setting up reliable logging for events is a large body of work, so decisions are made to balance what to track vs investment required to track it
  • Certain things can never be tracked directly from within WordPress (we’ll get to that later)

With our upcoming release, we’ve done a lot of work to ensure Shield shines a brighter light into these darker areas of WordPress activity.

To illustrate this, the list below outlines the newly added activity logging for many events on WordPress sites:

WordPress Core

  • Site title updated
  • Site tagline updated
  • Site home URL updated
  • Site WP URL updated
  • Site admin email address updated
  • Site option “Anyone can register” updated
  • Site option “Default User Role” updated


  • User promoted to administrator
  • User demoted from administrator
  • User email address updated
  • User password updated
  • User roles updated

Post & Pages

  • New Page/Post created
  • Page/Post content updated
  • Page/Post title updated
  • Page/Post slug updated


  • DB tables added
  • DB tables removed


  • Plugin manually installed (e.g. via FTP)
  • Plugin manually upgraded (e.g. via FTP)
  • Plugin uninstalled
  • Plugin manually uninstalled (e.g. via FTP)
  • Plugin manually downgraded (e.g. via FTP)


  • Theme manually installed (e.g. via FTP)
  • Theme manually upgraded (e.g. via FTP)
  • Theme uninstalled
  • Theme manually uninstalled (e.g. via FTP)
  • Theme manually downgraded (e.g. via FTP)


  • Comment created
  • Comment deleted
  • Comment status updated

NEW: Activity Logging That Captures Changes Made Outside Of WordPress

To-date Shield’s Activity Logging features has relied soley on the native WordPress API to track changes on a site. For any developers, this means hooking into WordPress’ array for action hooks and filters.

If you’re not familiar with this, you can think of it like an “events” system built directly into WordPress, that allow plugins like Shield to integrate.

For example, imagine you activate a plugin. WordPress will perform the task and then fire out an announcment to say “To anyone listening, plugin XYZ has just been activated“.

Developers can “listen” for those events and take any actions it needs to. Shield will write an entry to the Activity Log to say “Plugin XYZ was activated by Jim, at 3:05pm“, for example.

This is the standard approach to WordPress activity logging.

But many things can happen on a WordPress site without loading WordPress itself.

This can cause a problem for activity logging, since if WordPress isn’t running, then WordPress won’t fire an event, and Shield won’t create the activity log for what happened.

So what sort of WordPress-related activity am I referring to here? There are many possibilities, and here are some of them:

  • Activating or Deactivating a plugin directly via the WordPress Database
  • Installing plugins/themes via FTP (or similar, e.g. cPanel File Manager)
  • Deleting plugins/themes via FTP (or simlar)
  • Deleting/creating WordPress database tables using a database manager
  • Updating WordPress database records using a database manager
  • Creating/deleting/updating users directly on the database using a database manager

The most critical of these are the final few which involve directly accessing the WordPress database and making modifications without WordPress itself “knowing” about it.

Sometimes there is legitimate reason to do this, particularly if something has gone wrong and you’re making repairs.

However, there are more nefarious cases where malicious changes can be made. This might happen if a site has been hacked and a backdoor has been added that provides direct access to the site and the database.

Some time ago there was a vulnerability in the Elementor platform that allowed certain users to make changes directly to the database. Since it bypassed the WordPress load, there’s no way you could have known that this had happened unless you were checking all your WordPress settings.

So what does all this mean and how does it help with your WordPress security?

New: Shield’s Change Report Feature

As I mentioned earlier, having a clear view what exactly is happening on a site is crucial to keeping a site secure. The more we can see, the more we know, and the sooner we can take action to correct issues.

To make this easier, we’re introducing Shield’s first major reporting feature: Change Reporting

A WordPress Change Report does 1 job – it displays an easy-to-read report on all changes made to a WordPress site between 2 specific dates. The changes are broken up into “Zones”, namely:

  • WordPress
  • Plugins
  • Themes
  • Users
  • Posts
  • Pages
  • Database
  • Comments

We will add more zones in the future, and even provide support for integrating with popular platforms, such as WooCommerce and Yoast SEO.

How Does The Change Report Differ To The Activity Log?

The purpose of the activity log is to be able to view all the details of activity on the site.

If you want to dig into the activity from a specific IP address, or instances of particular events and see who did what and when, then the activity log is the tool to use.

If you want to see what has “changed” on a site, the Change Report is what you need. It’ll not tell you when a user logged-in, but it’ll tell you that they changed their password, updated their email address, or were promoted to administrator.

How Can You Get Access To Shield’s Change Report Feature?

The Change Report feature and all the new activity logging features will be available with ShieldPRO 18.2, due for release in a couple of weeks.

Questions or Suggestions?

As always, we encourage our members to offer feedback and new and changing features. We’d love to hear what you think and whether you feel you’d find all these additions useful.

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials
@gctracer's Gravatar @gctracer

Great Security Plug-in!

Simple Firewall has everything needed to keep any WordPress site safe from hackers. It is easy to use and has lots of great features. I wouldn’t want to run my websites without it!

@tburkart's Gravatar @tburkart

Works Really Well, No Plugin Conflicts Either

This firewall is really, really effective. But unlike some other ones, it is able to be turned off when i lock myself out. The interface does not have an overwhelming number of options, which i like. simple, clear instructions make it a must-use plugin for everyone. MOST IMPORTANTLY, however, is…

@widenous's Gravatar @widenous


good plug in.

@marcosabcarvalho's Gravatar @marcosabcarvalho

Solved the problem by brute-force attack on the login page.

I think wordpress has low security and how I’m always monitoring my web address with the plugin wp SLIMStat, I see high risk of invasion, brutal force mainly on the login page. when I was looking for a plugin solution for my problem, I find your wonderful plugin firewall. Thank…

Leave a Comment

Your email address will not be published. Required fields are marked *

Click to access the login or register cheese