Audit Log
The Wordfence Audit Log is a premium feature that records a history of events on your site to assist in monitoring for unauthorized actions or signs of compromise. Events can include everything from user creation and editing to plugin/theme installation and updates. All data captured for relevant events is saved remotely to Wordfence Central to prevent any tampering that may interfere with post-incident analysis and response.
The Wordfence Audit Log is a premium feature that records a history of events on your site to assist in monitoring for unauthorized actions or signs of compromise. Events can include everything from user creation and editing to plugin/theme installation and updates. All data captured for relevant events is saved remotely to Wordfence Central to prevent any tampering that may interfere with post-incident analysis and response.
The “Audit Log” wp-admin page shows a list of recent events, while details of each event are stored off-site on Wordfence Central, similar to the example below:
Events are stored on Wordfence Central for 30 days for sites with a Premium license, 60 days for a Care license, and 90 days for a Response license.
How to use the Audit Log
By default, the Audit log is set to Preview mode for Free and Premium users. Care and Response users will find the Audit log set automatically to record Significant Events. In the Preview mode, both Free and Premium users will be able to view a summary of certain events on the plugin’s Audit Log page. In order to receive the full benefits of the Audit Log, Premium users will need to enable the Audit log.
Setup only takes a few steps:
- Connect your site to Wordfence Central, if it has not already been connected. This can be done from the Audit Log page or the Wordfence Dashboard.
- On the Audit Log page on your site, choose either the “Significant Events” or “All Events” mode
- Click “Save Changes”
Events should begin recording and will appear on Wordfence Central. Some events such as disabling plugins are sent immediately to Central, while others are queued, and may take a few minutes to be sent.
Viewing the Audit Log on Wordfence Central
To view the audit log, you can either click the “View Audit Log” link on the Audit Log page on your site, or log in to Wordfence Central and click the “Audit Log” link for any of your sites, next to the site’s URL.
Audit log events appear like the example above. The first column contains information about the request that triggered the event, such as the request path, IP address, username, and action name. The “Details” button shows any additional parameter names in the request, though some data is redacted for security and privacy reasons.
The “Event” column shows details of the event, such as a user login, changing significant WordPress or Wordfence settings, creating users, modifying a role, updating plugins, deleting a plugin, or uploading an attachment. This section also includes version numbers, user IDs, post IDs, and other data. The “Details” button may show many more details in some cases, including additional plugin information, all capabilities of user roles, and which fields have changed for some types of records.
You can filter events by type or search for events in the upper-right corner of the page. The default time range is 1 hour, but you can choose a longer duration or use a custom date range.
Settings
On the Audit Log page on the Wordfence menu, there are a few buttons and settings, along with a list of the most recent events. If your site is connected to Wordfence Central, you should see a “View Audit Log” button near the top-right corner of the page, which leads directly to the detailed logs for your site on Wordfence Central. Otherwise, you should use the “Connect Site” button to connect your site to Wordfence Central in order to set up the audit log.
Audit Log logging modes
There are four possible modes:
- Disabled: Disables the audit log, including the preview of recent events.
- Preview: Events will not be sent to the log on Wordfence Central. Only a limited list of events will appear in the Recent Event Summary table at the bottom of the page, but details such as IP addresses, users, and post IDs are not saved.
- Significant Events: This includes events related to users, settings, plugins, updates, logins, and more.
- All Events: This includes all “significant events”, plus more content-focused events such as editing or deleting posts, adding attachments, or sending email. These event records do not include the content itself, but rather metadata and which user made the change. Similarly, email content and recipients are not stored, but subject lines and the number of recipients and number of attachments are recorded.
The “Significant Events” option is recommended for most sites, since logging all events may record a large number of events on some sites. Content-related events recorded with the “All Events” option can include custom post types from some plugins, including forum plugins, which may log an event for every new forum post and reply.
Display Audit Log menu option
This option is enabled by default. If you prefer a shorter Wordfence menu, you can disable it. The audit log settings will still be accessible on a tab on the Wordfence Tools menu.
Troubleshooting
- Audit log events may take a few minutes to be processed and appear on a site’s Audit Log page on Wordfence Central. Audit log events can also be delayed if the wp-cron job “wordfence_batchSendAuditEvents” is not run promptly. If your site has wp-cron disabled, we recommend using a linux cron job to visit wp-cron.php or run cron with WP-CLI periodically, ideally between 1 and 5 minutes.
- Events with missing data may not be transferred to Central but will display in the Audit log preview within the plugin. This could occur if a REST API event is sent to your site by a plugin or third-party service with missing data, or if a plugin or theme creates records in unusual ways. If you find any plugins/themes/services that cause this, please contact support.
- Some plugins that add custom roles may not log creation of those roles, if they are not added in a way that they are permanently saved in wp_user_roles in the wp_options table.
Privacy and Security
Some users may have concerns about the privacy and security of their site data captured and transmitted through the Audit Log feature. In order for information to be sent off site, two things have to happen: the Audit Log must be enabled with the mode set to either “Significant Events” or “All Events” and the site has to be connected to Wordfence Central. If either of these are not setup as described, no data can be transmitted outside of your local environment.
By default, the Wordfence Audit Log is set to Preview mode for Free and Premium license holders. In Preview mode, data is stored locally only, and contains minimal information including a timestamp and type of event.
For customers with Care or Response licenses, the Audit Log is enabled by default. Sites with Care or Response licenses should already be connected to Wordfence Central as part of the monitoring and support included for these customers, and therefore any privacy and security concerns should have been addressed at the time of the license installation.
We take data privacy and security very seriously and adhere to ISO 27001:2022 standards, ensuring that our processes, systems, and storage solutions meet rigorous international compliance requirements for certification. Our privacy practices are detailed in our Privacy Policy and Notice at Collection which outlines how we manage and protect customer data in line with applicable regulations, including CCPA, GDPR, EU, UK and other high-compliance frameworks. For customers with specific regulatory needs or concerns, we offer configurable options to tailor data handling and storage processes to better meet regional compliance requirements. If a customer has further concerns about their data processing, then we always recommend that they speak to their legal team because each customers situation is unique and we can not offer legal advice.
Data Transmitted
Here is a comprehensive list of the data transmitted as part of the audit log for each mode. The majority of details are redacted in transmission for privacy and security. Events triggered may vary depending on other active plugins within a given site.
The following is recorded on every request:
- Type of Request (CLI or HTTP method)
- Request (CLI command or HTTP path)
- IP Making the Request (non-CLI)
- User Making the Request (if logged in: User ID, Username, List of Roles)
- Timestamp
- Request Body (for POST/PATCH/PUT HTTP requests: file names/types/sizes if file uploads present, only action/id/log values if HTTP-encoded or JSON-encoded — others we only record the parameter name without the value for privacy)
Event | Mode: Preview | Mode: Significant | Mode: All Events | Additional Data Collected |
Content Events | ||||
Attachment Created | Attachment ID Attachment Title Attachment Type Attachment Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Attachment Deleted | Attachment ID Attachment Title Attachment Type Attachment Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Attachment Updated | Attachment ID Attachment Title Attachment Type Attachment Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) Names of Fields Changed |
|||
Page Created | Page ID Page Title Page Type Page Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Page Deleted | Page ID Page Title Page Type Page Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Page Updated | Page ID Page Title Page Type Page Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) Names of Fields Changed |
|||
Page Moved to Trash | Page ID Page Title Page Type Page Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Page Removed from Trash | Page ID Page Title Page Type Page Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Post Created | Post ID Post Title Post Type Post Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Post Deleted | Post ID Post Title Post Type Post Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Post Updated | Post ID Post Title Post Type Post Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) Names of Fields Changed |
|||
Post Moved to Trash | Post ID Post Title Post Type Post Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
Post Removed from Trash | Post ID Post Title Post Type Post Status (draft, published, etc) Author (ID, Username, List of Roles) Creation Date Last Modified Date Context (e.g., upgrader) |
|||
User Events | ||||
User Created | User ID Username List of Roles |
|||
User Deleted | User ID Username List of Roles User ID to Reassign Posts |
|||
User Updated | User ID Username List of Roles Names of Fields Changed |
|||
App Password Created | User for Password (User ID, Username, List of Roles) UUID of App Password App ID Password Name Creation Date Last Used Date Last IP Used By |
|||
App Password Deleted | User for Password (User ID, Username, List of Roles) UUID of App Password App ID Password Name Creation Date Last Used Date Last IP Used By |
|||
App Password Successfully Used | User for Password (User ID, Username, List of Roles) UUID of App Password App ID Password Name Creation Date Last Used Date Last IP Used By |
|||
User Logged In | User ID Username List of Roles |
|||
User Logged Out | User ID Username List of Roles |
|||
User Authentication Cookie Set | User for Cookie (User ID, Username, List of Roles) Grace Period Expiration HTTP Scheme for Cookie |
|||
User Password Reset | User ID Username List of Roles |
|||
Role Added to User | User (User ID, Username, List of Roles) Added Role Name |
|||
Role Removed from User | User (User ID, Username, List of Roles) Removed Role Name |
|||
Super Admin Granted to User | User ID Username List of Roles |
|||
Super Admin Revoked from User | User ID Username List of Roles |
|||
User’s Capabilities Meta Value Changed | User (User ID, Username, List of Roles) List of Changes |
|||
User’s Level Meta Value Changed | User (User ID, Username, List of Roles) List of Changes |
|||
User Marked as Ham | User ID Username List of Roles |
|||
User Marked as Spam | User ID Username List of Roles |
|||
Site Events | ||||
Site Data Exported | Export Settings | |||
Recovery Mode Key Generated | No Additional Data | |||
Email Sent Successfully | Number of Recipients Number of Attachments Email Subject |
|||
Email Failed Sending | Number of Recipients Number of Attachments Email Subject Error Message |
|||
Active Plugin Option Changed | List of Changes | |||
Admin Email Option Changed | New Value | |||
Anonymous Comments Allowed Option Changed | New Value | |||
Comment Moderation Required Option Changed | New Value | |||
Default Comment Status Option Changed | New Value | |||
Default User Role Option Changed | New Value | |||
Home URL Option Changed | New Value | |||
Site URL Option Changed | New Value | |||
Child Theme Option Changed | New Value | |||
Parent Theme Option Changed | New Value | |||
User Registration Allowed Option Changed | New Value | |||
Role Capabilities Changed | List of Changes | |||
Admin Page View Denied | No Additional Data | |||
Plugin Installed | Plugin Metadata | |||
Plugin Deleted | Plugin Metadata | |||
Plugin Activated | Plugin Metadata | |||
Plugin Deactivated | Plugin Metadata | |||
Theme Installed | Theme Metadata | |||
Theme Deleted | Theme Metadata | |||
Theme Switched | Theme Metadata | |||
Theme Customized | Theme Metadata | |||
Automatic Updates Completed | List of Updates | |||
WordPress Core Version Updated | Before/After Versions | |||
Plugin Updated | Plugin Metadata | |||
Theme Updated | Theme Metadata | |||
Multisite Events | ||||
Multisite Blog Created | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Deleted | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Updated | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name List of Changes |
|||
Multisite Blog Activated | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Signup Submitted | Blog Domain Blog Path Blog Name Username |
|||
Multisite Blog Archived | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Trashed | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Made Public | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Marked Spam | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Unarchived | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Removed from Trash | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Made Private | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite Blog Marked Ham | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name |
|||
Multisite User Created | User (User ID, Username, List of Roles) | |||
Multisite User Deleted | User (User ID, Username, List of Roles) | |||
Multisite User Added to Blog | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name User (User ID, Username, List of Roles) Role Name |
|||
Multisite User Removed from Blog | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name User (User ID, Username, List of Roles) Reassign to User (User ID, Username, List of Roles) |
|||
Multisite User Invited | Network ID Network Domain Network Path Network Name Blog ID Blog Domain Blog Path Blog Name User (User ID, Username, List of Roles) Role Name |
|||
Multisite User Signed Up | Username | |||
Multisite Active Plugins Option Changed | List of Changes | |||
Wordfence Events | ||||
Wordfence WAF Mode Changed | Before/After Value | |||
Wordfence WAF Rule Statuses Changed | List of Changes | |||
Wordfence WAF Protection Level Changed | Before/After Value | |||
Wordfence WAF Allow Entries Created | List of Additions | |||
Wordfence WAF Allow Entries Deleted | List of Removals | |||
Wordfence WAF Allow Entries Changed | List of Changes | |||
Wordfence Blocklist Enabled/Disabled | New Value | |||
Allowed IP List Updated | List of Changes | |||
Allowed Services List Updated | List of Changes | |||
Allowed 404s List Updated | List of Changes | |||
Ignored Alerting IPs List Updated | List of Changes | |||
Banned URL List Updated | List of Changes | |||
Banned Username List Updated | List of Changes | |||
Brute Force Protection Enabled/Disabled | New Value | |||
General Rate Limiting and Blocking Enabled/Disabled | New Value | |||
Never Block Crawlers Option Changed | Before/After Value | |||
Lock Out Invalid Usernames Enabled/Disabled | New Value | |||
Breached Password Protection Enabled/Disabled | New Value | |||
Enforce Strong Passwords Enabled/Disabled | New Value | |||
Mask Login Errors Enabled/Disabled | New Value | |||
Prevent Using admin Username Enabled/Disabled | New Value | |||
Block Author Scan Enabled/Disabled | New Value | |||
Block Application Passwords Enabled/Disabled | New Value | |||
Block Bad POST Requests Enabled/Disabled | New Value | |||
Check Password Strength on Change Enabled/Disabled | New Value | |||
Login Failure Threshold Changed | Before/After Value | |||
Maximum Forgot Password Requests Threshold Changed | Before/After Value | |||
Failure Counting Period Changed | Before/After Value | |||
Lockout Duration Changed | Before/After Value | |||
Block Duration Changed | Before/After Value | |||
Custom Block Page Text Changed | Before/After Value | |||
Global Rate Limit Changed | Before/After Value | |||
Crawler Rate Limit Changed | Before/After Value | |||
Crawler 404 Rate Limit Changed | Before/After Value | |||
Human Rate Limit Changed | Before/After Value | |||
Human 404 Rate Limit Changed | Before/After Value | |||
Scan Options Changed | Before/After Value | |||
Scan Schedule Changed | Before/After Value | |||
Country Blocking Rule Changed | Before/After Value | |||
IP/Pattern Block Rule Created | Block Type Reason Block Parameters |
|||
Block Rule Deleted | Block Type Reason Block Parameters |
|||
Participate in the Wordfence Security Network Enabled/Disabled | New Value | |||
Audit Log Mode Changed | Before/After Value | |||
Wordfence License Key Changed | Before/After Value | |||
IP Resolution Method Changed | Before/After Value | |||
Trusted Proxy List Updated | List of Changes | |||
Trusted Proxy Preset Changed | Before/After Value | |||
2FA Deactivated for User | User ID Username List of Roles |
|||
2FA Activated for User | User ID Username List of Roles |
|||
Require 2FA on XML-RPC Requests Enabled/Disabled | New Value | |||
Standalone Wordfence Login Security Allowed IPs Updated | List of Changes | |||
Standalone Wordfence Login Security IP Resolution Method Changed | Before/After Value | |||
Standalone Wordfence Login Security Trusted Proxies Changed | List of Changes | |||
2FA Required Roles | List of Changes | |||
2FA Required Grace Period Changed | Before/After Value | |||
XML-RPC Enabled/Disabled | New Value | |||
Captcha Enabled/Disabled | New Value | |||
Captcha Threshold Changed | Before/After Value | |||
WooCommerce 2FA Integration Eanbled/Disabled | New Value | |||
Captcha Test Mode Enabled/Disabled | New Value |