Audit Logging (Pro)

Version: 1.2.1 Pro
Last Updated: November 2025
Difficulty: Intermediate
Time Required: 30 minutes

Overview

Audit Logging provides comprehensive tracking of user activities, security events, and system changes. Essential for compliance, security monitoring, troubleshooting, and forensic analysis.

Why Use Audit Logging?

✓ Security Monitoring

Detect suspicious activities, brute force attempts, and unauthorized access in real time.

✓ Compliance Requirements

Meet HIPAA, SOC 2, PCI-DSS, ISO 27001 audit trail requirements.

✓ User Accountability

Track who did what and when with detailed forensic trails.

✓ Troubleshooting

Diagnose login issues, permission problems, and configuration errors quickly.

Accessing Audit Logs

Navigate to:

WordPress Admin → Settings → Attributes User Access → Audit Log

Understanding Log Entries

Log Entry Anatomy

Each audit log entry contains comprehensive details:

Field        Description                      Example
Timestamp    When the event occurred (UTC)    2025-11-06 14:30:15
User         Who performed the action         john.doe
Event Type   Category of event                Login Attempt
Action       Specific action taken            Successful Login
IP Address   Source IP address                192.0.2.100
User Agent   Browser/device info              Chrome 118.0
Details      Additional context               Role: Administrator
Result       Success/Failure status           Success

Example Log Entries

Successful Login:

Timestamp: 2025-11-06 09:15:23
User: admin
Event Type: Authentication
Action: Login Success
IP Address: 203.0.113.50
User Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/118.0
Details: Role: Administrator, 2FA: Enabled
Result: Success

Failed Login Attempt:

Timestamp: 2025-11-06 14:42:10
User: admin (attempted)
Event Type: Authentication
Action: Login Failed
IP Address: 192.0.2.75
User Agent: Python-requests/2.28
Details: Reason: Invalid password (Attempt 3 of 5)
Result: Failed

Account Locked:

Timestamp: 2025-11-06 14:45:33
User: admin
Event Type: Security
Action: Account Locked
IP Address: 192.0.2.75
User Agent: Python-requests/2.28
Details: Reason: 5 failed login attempts in 10 minutes
Result: Locked

Event Types and Categories

Authentication Events

Login/Logout tracking:

✓ Login Attempt (Success)

✓ Login Attempt (Failed)

✓ Logout

✓ Password Change

✓ Password Reset Request

✓ 2FA Verification Success

✓ 2FA Verification Failed

✓ 2FA Code Sent

✓ Session Expired

✓ Forced Logout

Security Events

Threat detection and prevention:

✓ IP Address Blocked

✓ IP Address Unblocked

✓ Failed Login Threshold Reached

✓ Account Locked

✓ Account Unlocked

✓ Suspicious Activity Detected

✓ Brute Force Attempt Detected

✓ Rate Limit Exceeded

✓ VPN/Proxy Detected

User Management Events

User lifecycle tracking:

✓ User Created

✓ User Deleted

✓ User Role Changed

✓ User Profile Updated

✓ User Activated

✓ User Deactivated

✓ User Email Changed

✓ User Permissions Modified

Administrative Actions

Configuration changes:

✓ Settings Changed

✓ Plugin Activated

✓ Plugin Deactivated

✓ Plugin Settings Modified

✓ License Key Validated

✓ Maintenance Mode Enabled

✓ Broadcast Email Sent

✓ Security Policy Updated

Content Events

Content modification tracking:

✓ Post Published

✓ Post Deleted

✓ Page Modified

✓ Media Uploaded

✓ Media Deleted

✓ Comment Approved

✓ Comment Deleted

Filtering and Searching Logs

Filter by Date Range

Preset ranges:

• Last 24 Hours – Recent activity

• Last 7 Days – Weekly review

• Last 30 Days – Monthly audit

• Last 90 Days – Quarterly compliance

• Custom Date Range – Specific investigation

Custom date range:

From: [2025-11-01] [00:00]

To: [2025-11-06] [23:59]

[Apply Filter]

Filter by Event Type

Select categories:

☑ Authentication Events

☑ Security Events

☐ User Management

☐ Administrative Actions

☐ Content Events

Quick security filters:

• Failed Logins Only

• Account Lockouts

• IP Blocks

• Suspicious Activity

• 2FA Events

Filter by User

Search options:

By username:

User: john.doe

[Search]

By role:

User Role: [Administrator ▼]

Shows all administrator activity

By user ID:

User ID: 42

[Search]

Filter by IP Address

Single IP search:

IP Address: 192.0.2.100

[Search]

IP range search (CIDR):

IP Range: 192.0.2.0/24

Shows all activity from this network

Quick IP filters:

• Show only blocked IPs

• Show only external IPs (non-local)

• Show only VPN/Proxy IPs

• Show my IP only

Filter by Result

Result filters:

Show:

○ All Events

○ Successful Only

○ Failed Only

○ Suspicious Activity Only

Advanced Search

Combine multiple filters:

Date Range: Last 30 days
Event Type: Authentication Events
User: All users
Result: Failed Only
IP: External IPs only

Result: All failed login attempts from external IPs in last 30 days
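The same combined search applied offline to a CSV export, as an added example (not the plugin's own code): the column layout follows the export columns listed on this page, the sample rows and the fixed reference time are constructed, and "external" is taken to mean outside the RFC 1918, loopback and link-local ranges, an assumption since the page does not define it.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample rows in the column layout of the CSV export described on this
# page (Timestamp, User, Event Type, Action, IP Address, Result); not real plugin output.
SAMPLE_CSV = """Timestamp,User,Event Type,Action,IP Address,Result
2025-11-06 09:15:23,admin,Authentication,Login Success,203.0.113.50,Success
2025-11-06 14:42:10,admin,Authentication,Login Failed,192.0.2.75,Failed
2025-11-06 14:42:12,admin,Authentication,Login Failed,192.0.2.75,Failed
2025-11-06 14:45:33,admin,Security,Account Locked,192.0.2.75,Locked
2025-11-05 08:00:00,john.doe,Authentication,Login Failed,10.0.0.5,Failed
2025-09-01 12:00:00,jane,Authentication,Login Failed,198.51.100.9,Failed
"""

# Reference "now" for the 30-day window, fixed so results are reproducible.
REPORT_TIME = datetime(2025, 11, 6, 23, 59, 59)

# "Local" for the external-only filter (assumption): RFC 1918, loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_external(ip):
    """True when the address is outside every local range (v4 and v6 handled)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)

def filter_events(csv_text, now, days=30, event_type="Authentication",
                  result="Failed", external_only=True, cidr=None):
    """Apply the page's combined search (date range, event type, result, IP scope)
    to exported rows; cidr optionally narrows to one network, e.g. '192.0.2.0/24'."""
    cutoff = now - timedelta(days=days)
    network = ipaddress.ip_network(cidr) if cidr else None
    matches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
        if not (cutoff <= ts <= now):
            continue
        if (event_type and row["Event Type"] != event_type) or \
           (result and row["Result"] != result):
            continue
        if external_only and not is_external(row["IP Address"]):
            continue
        if network and ipaddress.ip_address(row["IP Address"]) not in network:
            continue
        matches.append(row)
    return matches
```

With the defaults, `filter_events(SAMPLE_CSV, REPORT_TIME)` returns the two failed admin logins from 192.0.2.75; the 10.0.0.5 failure is dropped as local and the September row falls outside the 30-day window.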

Exporting Audit Logs

Export Formats

Available formats:
  • CSV (Excel compatible)
  • JSON (API integration)
  • PDF (Audit reports)
  • XML (System integration)

CSV Export

Step-by-step:

1. Apply filters

Date Range: Last 90 days

Event Type: All security events

User: All users

2. Select export format

Export → CSV Format

3. Choose columns

☑ Timestamp

☑ User

☑ Event Type

☑ Action

☑ IP Address

☑ Result

☐ User Agent (optional)

☐ Extended Details (optional)

4. Download file

Filename: audit-log-2025-11-06.csv

Download to: [Your Computer]

PDF Audit Report

Generate compliance-ready reports:

1. Configure report

Report Title: Q4 2025 Security Audit

Date Range: 2025-10-01 to 2025-12-31

Include: All security events

Group By: Event Type

2. Customize appearance

☑ Include summary statistics

☑ Include charts/graphs

☑ Include executive summary

☑ Include recommendations

3. Generate PDF

[Generate Report]

Preview → Download

Automated Export

Schedule regular exports:

Frequency: Weekly
Day: Monday 9:00 AM
Format: CSV
Email To: security@company.com
Retention: Keep for 90 days

Compliance and Retention

Retention Policies

Configure log retention:

Compliance Standard   Minimum Retention              Recommended
HIPAA                 6 years                        7 years
SOC 2                 1 year                         2 years
PCI-DSS               1 year (3 months accessible)   2 years
ISO 27001             Varies by policy               2 years
GDPR                  As long as necessary           1-3 years

Retention Configuration

Set retention policy:

Settings → Audit Log → Retention

Retention Period: [365] days (1 year)

Auto-Archive: Enabled

Archive Location: /wp-content/uploads/audit-archives/

Delete After Archive: No (keep archived logs)

[Save Settings]

Archive Management

Automatic archiving:

When: Logs older than 90 days
Action: Compress and archive
Format: Encrypted ZIP file
Storage: Local or cloud (S3, Azure)
Encryption: AES-256

Using Logs for Security Analysis

Detecting Brute Force Attacks

Look for patterns:

Event: Multiple failed login attempts

User: Same username (often “admin”)

IP: Single IP or small range

Timeframe: Short duration (minutes)

User Agent: Often automated tools

Action: Block IP, alert admin

Example brute force log:

14:42:10 – Login Failed – admin – 192.0.2.75 (Attempt 1/5)

14:42:12 – Login Failed – admin – 192.0.2.75 (Attempt 2/5)

14:42:15 – Login Failed – admin – 192.0.2.75 (Attempt 3/5)

14:42:18 – Login Failed – admin – 192.0.2.75 (Attempt 4/5)

14:42:20 – Login Failed – admin – 192.0.2.75 (Attempt 5/5)

14:42:21 – Account Locked – admin – 192.0.2.75

14:42:22 – IP Blocked – 192.0.2.75 (Auto-blocked: Brute force)
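A detector for the pattern above, run over the timeline layout just shown, as an added example (not plugin code): it flags any user/IP pair with five or more failed logins inside a ten-minute window, the thresholds from the lockout rule on this page. The sample lines are constructed, and because the timeline carries no date a single day is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the timeline layout shown above; the two john.doe
# failures are 40 minutes apart and must not trigger an alert.
SAMPLE_LOG = """14:42:10 – Login Failed – admin – 192.0.2.75 (Attempt 1/5)
14:42:12 – Login Failed – admin – 192.0.2.75 (Attempt 2/5)
14:42:15 – Login Failed – admin – 192.0.2.75 (Attempt 3/5)
14:42:18 – Login Failed – admin – 192.0.2.75 (Attempt 4/5)
14:42:20 – Login Failed – admin – 192.0.2.75 (Attempt 5/5)
14:42:21 – Account Locked – admin – 192.0.2.75
14:42:22 – IP Blocked – 192.0.2.75 (Auto-blocked: Brute force)
14:50:01 – Login Failed – john.doe – 198.51.100.9 (Attempt 1/5)
15:30:00 – Login Failed – john.doe – 198.51.100.9 (Attempt 2/5)"""

# time – action – user – ip; accepts an en dash or a hyphen as the separator.
LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}) [–-] (.+?) [–-] (\S+) [–-] (\d{1,3}(?:\.\d{1,3}){3})")

def parse_line(line, day="2025-11-06"):
    """Return (timestamp, action, user, ip), or None for lines in another shape
    (e.g. 'IP Blocked' entries, which carry no username). The day is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{day} {m.group(1)}", "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per (user, ip): emit (user, ip, first_ts, last_ts) once
    `threshold` failures fall inside `window`; the window then resets so one
    burst yields exactly one alert."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Login Failed":
            continue
        ts, _, user, ip = parsed
        q = recent[(user, ip)]
        q.append(ts)
        while ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ip, q[0], ts))
            q.clear()
    return alerts
```

`detect_brute_force(SAMPLE_LOG.splitlines())` yields one alert, for admin from 192.0.2.75 between 14:42:10 and 14:42:20; lines such as the IP Blocked entry are skipped rather than mis-parsed.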

Identifying Compromised Accounts

Warning signs:

✓ Login from unusual location/IP

✓ Login at unusual time (3 AM)

✓ Multiple logins from different locations simultaneously

✓ Sudden change in activity patterns

✓ Access to unusual resources

✓ Failed privilege escalation attempts

Monitoring Administrative Changes

Track critical changes:

Event: Settings Changed

Details: Password policy modified

Changed: Min length: 12 → 8 characters

User: john.doe

Timestamp: 2025-11-06 15:30

Action: Investigate unauthorized policy weakening

Alert Notifications

Real-Time Alerts

Configure email alerts:

Failed login threshold:

Trigger: 5 failed login attempts in 10 minutes
Action: Send email to admin
Email: security@company.com
Include: User, IP, timestamp, user agent

Successful admin login:

Trigger: Administrator role login
Action: Send email notification
Email: admin@company.com
Include: IP address, location, device

IP block:

Trigger: IP address blocked
Action: Send email alert
Email: security@company.com
Include: Reason, IP, associated events

Security policy change:

Trigger: Security settings modified
Action: Send email to senior admin
Email: cto@company.com
Include: What changed, who changed it, when

Best Practices

Review Logs Regularly

Schedule weekly log reviews. Look for patterns, anomalies, and security events.

Export Before Retention Expiry

Export important logs before automatic deletion. Save for compliance audits.

Use Filters Effectively

Start broad, then narrow with filters. Don’t wade through thousands of entries manually.

Correlate with Other Logs

Cross-reference with server logs, firewall logs, and application logs for a complete picture.

Automate Monitoring

Set up automatic alerts for critical events. Don’t rely on manual checks alone.

Troubleshooting

Logs Not Recording

Solutions:
    • Verify audit logging is enabled in settings
    • Check database table exists (wp_attrua_audit_log)
    • Verify sufficient disk space
    • Check file permissions on log directory
    • Review PHP error logs for database errors

Cannot Export Logs

Solutions:
    • Check PHP memory limit (increase to 256M+)
    • Verify write permissions on export directory
    • Try smaller date range
    • Check for browser popup blockers
    • Try different export format

High Disk Usage

Solutions:
    • Reduce retention period
    • Enable automatic archiving
    • Archive and delete old logs manually
    • Filter events to log (reduce verbosity)
    • Store archives on external storage