Audit Log

The Wordfence Audit Log is a premium feature that records a history of events on your site to assist in monitoring for unauthorized actions or signs of compromise. Events can include everything from user creation and editing to plugin/theme installation and updates. All data captured for relevant events is saved remotely to Wordfence Central to prevent any tampering that may interfere with post-incident analysis and response.

The Wordfence Audit Log is a premium feature that records a history of events on your site to assist in monitoring for unauthorized actions or signs of compromise. Events can include everything from user creation and editing to plugin/theme installation and updates. All data captured for relevant events is saved remotely to Wordfence Central to prevent any tampering that may interfere with post-incident analysis and response.

The “Audit Log” wp-admin page shows a list of recent events, while details of each event are stored off-site on Wordfence Central, similar to the example below:

Wordfence Central's Audit Log

Events are stored on Wordfence Central for 30 days for sites with a Premium license, 60 days for a Care license, and 90 days for a Response license.

 

How to use the Audit Log

By default, the Audit log is set to Preview mode for Free and Premium users. Care and Response users will find the Audit log set automatically to record Significant Events. In the Preview mode, both Free and Premium users will be able to view a summary of certain events on the plugin’s Audit Log page. In order to receive the full benefits of the Audit Log, Premium users will need to enable the Audit log.

Setup only takes a few steps:

  • Connect your site to Wordfence Central, if it has not already been connected. This can be done from the Audit Log page or the Wordfence Dashboard.
  • On the Audit Log page on your site, choose either the “Significant Events” or “All Events” mode
  • Click “Save Changes”

Events should begin recording and will appear on Wordfence Central. Some events such as disabling plugins are sent immediately to Central, while others are queued, and may take a few minutes to be sent.

 

Viewing the Audit Log on Wordfence Central

To view the audit log, you can either click the “View Audit Log” link on the Audit Log page on your site, or log in to Wordfence Central and click the “Audit Log” link for any of your sites, next to the site’s URL.

Audit log events appear like the example above. The first column contains information about the request that triggered the event, such as the request path, IP address, username, and action name. The “Details” button shows any additional parameter names in the request, though some data is redacted for security and privacy reasons.

The “Event” column shows details of the event, such as a user login, changing significant WordPress or Wordfence settings, creating users, modifying a role, updating plugins, deleting a plugin, or uploading an attachment. This section also includes version numbers, user IDs, post IDs, and other data. The “Details” button may show many more details in some cases, including additional plugin information, all capabilities of user roles, and which fields have changed for some types of records.

You can filter events by type or search for events in the upper-right corner of the page. The default time range is 1 hour, but you can choose a longer duration or use a custom date range.

 

Settings

On the Audit Log page on the Wordfence menu, there are a few buttons and settings, along with a list of the most recent events. If your site is connected to Wordfence Central, you should see a “View Audit Log” button near the top-right corner of the page, which leads directly to the detailed logs for your site on Wordfence Central. Otherwise, you should use the “Connect Site” button to connect your site to Wordfence Central in order to set up the audit log.

 

Audit Log logging modes

There are four possible modes:

  • Disabled: Disables the audit log, including the preview of recent events.
  • Preview: Events will not be sent to the log on Wordfence Central. Only a limited list of events will appear in the Recent Event Summary table at the bottom of the page, but details such as IP addresses, users, and post IDs are not saved.
  • Significant Events: This includes events related to users, settings, plugins, updates, logins, and more.
  • All Events: This includes all “significant events”, plus more content-focused events such as editing or deleting posts, adding attachments, or sending email. These event records do not include the content itself, but rather metadata and which user made the change. Similarly, email content and recipients are not stored, but subject lines and the number of recipients and number of attachments are recorded.

The “Significant Events” option is recommended for most sites, since logging all events may record a large number of events on some sites. Content-related events recorded with the “All Events” option can include custom post types from some plugins, including forum plugins, which may log an event for every new forum post and reply.

 

Display Audit Log menu option

This option is enabled by default. If you prefer a shorter Wordfence menu, you can disable it. The audit log settings will still be accessible on a tab on the Wordfence Tools menu.

 

Troubleshooting

  • Audit log events may take a few minutes to be processed and appear on a site’s Audit Log page on Wordfence Central. Audit log events can also be delayed if the wp-cron job “wordfence_batchSendAuditEvents” is not run promptly. If your site has wp-cron disabled, we recommend using a linux cron job to visit wp-cron.php or run cron with WP-CLI periodically, ideally between 1 and 5 minutes.
  • Events with missing data may not be transferred to Central but will display in the Audit log preview within the plugin. This could occur if a REST API event is sent to your site by a plugin or third-party service with missing data, or if a plugin or theme creates records in unusual ways. If you find any plugins/themes/services that cause this, please contact support.
  • Some plugins that add custom roles may not log creation of those roles, if they are not added in a way that they are permanently saved in wp_user_roles in the wp_options table.

 

Privacy and Security

Some users may have concerns about the privacy and security of their site data captured and transmitted through the Audit Log feature. In order for information to be sent off site, two things have to happen: the Audit Log must be enabled with the mode set to either “Significant Events” or “All Events” and the site has to be connected to Wordfence Central. If either of these are not setup as described, no data can be transmitted outside of your local environment.

By default, the Wordfence Audit Log is set to Preview mode for Free and Premium license holders. In Preview mode, data is stored locally only, and contains minimal information including a timestamp and type of event.

For customers with Care or Response licenses, the Audit Log is enabled by default. Sites with Care or Response licenses should already be connected to Wordfence Central as part of the monitoring and support included for these customers, and therefore any privacy and security concerns should have been addressed at the time of the license installation.

We take data privacy and security very seriously and adhere to ISO 27001:2022 standards, ensuring that our processes, systems, and storage solutions meet rigorous international compliance requirements for certification. Our privacy practices are detailed in our Privacy Policy and Notice at Collection which outlines how we manage and protect customer data in line with applicable regulations, including CCPA, GDPR, EU, UK and other high-compliance frameworks. For customers with specific regulatory needs or concerns, we offer configurable options to tailor data handling and storage processes to better meet regional compliance requirements. If a customer has further concerns about their data processing, then we always recommend that they speak to their legal team because each customers situation is unique and we can not offer legal advice.

 

Data Transmitted

Here is a comprehensive list of the data transmitted as part of the audit log for each mode. The majority of details are redacted in transmission for privacy and security. Events triggered may vary depending on other active plugins within a given site.

The following is recorded on every request:

  • Type of Request (CLI or HTTP method)
  • Request (CLI command or HTTP path)
  • IP Making the Request (non-CLI)
  • User Making the Request (if logged in: User ID, Username, List of Roles)
  • Timestamp
  • Request Body (for POST/PATCH/PUT HTTP requests: file names/types/sizes if file uploads present, only action/id/log values if HTTP-encoded or JSON-encoded — others we only record the parameter name without the value for privacy)
Event Mode: Preview Mode: Significant Mode: All Events Additional Data Collected
Content Events
Attachment Created Attachment ID
Attachment Title
Attachment Type
Attachment Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Attachment Deleted Attachment ID
Attachment Title
Attachment Type
Attachment Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Attachment Updated Attachment ID
Attachment Title
Attachment Type
Attachment Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Names of Fields Changed
Page Created Page ID
Page Title
Page Type
Page Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Page Deleted Page ID
Page Title
Page Type
Page Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Page Updated Page ID
Page Title
Page Type
Page Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Names of Fields Changed
Page Moved to Trash Page ID
Page Title
Page Type
Page Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Page Removed from Trash Page ID
Page Title
Page Type
Page Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Post Created Post ID
Post Title
Post Type
Post Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Post Deleted Post ID
Post Title
Post Type
Post Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Post Updated Post ID
Post Title
Post Type
Post Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Names of Fields Changed
Post Moved to Trash Post ID
Post Title
Post Type
Post Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
Post Removed from Trash Post ID
Post Title
Post Type
Post Status (draft, published, etc)
Author (ID, Username, List of Roles)
Creation Date
Last Modified Date
Context (e.g., upgrader)
User Events
User Created User ID
Username
List of Roles
User Deleted User ID
Username
List of Roles
User ID to Reassign Posts
User Updated User ID
Username
List of Roles
Names of Fields Changed
App Password Created User for Password (User ID, Username, List of Roles)
UUID of App Password
App ID
Password Name
Creation Date
Last Used Date
Last IP Used By
App Password Deleted User for Password (User ID, Username, List of Roles)
UUID of App Password
App ID
Password Name
Creation Date
Last Used Date
Last IP Used By
App Password Successfully Used User for Password (User ID, Username, List of Roles)
UUID of App Password
App ID
Password Name
Creation Date
Last Used Date
Last IP Used By
User Logged In User ID
Username
List of Roles
User Logged Out User ID
Username
List of Roles
User Authentication Cookie Set User for Cookie (User ID, Username, List of Roles)
Grace Period
Expiration
HTTP Scheme for Cookie
User Password Reset User ID
Username
List of Roles
Role Added to User User (User ID, Username, List of Roles)
Added Role Name
Role Removed from User User (User ID, Username, List of Roles)
Removed Role Name
Super Admin Granted to User User ID
Username
List of Roles
Super Admin Revoked from User User ID
Username
List of Roles
User’s Capabilities Meta Value Changed User (User ID, Username, List of Roles)
List of Changes
User’s Level Meta Value Changed User (User ID, Username, List of Roles)
List of Changes
User Marked as Ham User ID
Username
List of Roles
User Marked as Spam User ID
Username
List of Roles
Site Events
Site Data Exported Export Settings
Recovery Mode Key Generated No Additional Data
Email Sent Successfully Number of Recipients
Number of Attachments
Email Subject
Email Failed Sending Number of Recipients
Number of Attachments
Email Subject
Error Message
Active Plugin Option Changed List of Changes
Admin Email Option Changed New Value
Anonymous Comments Allowed Option Changed New Value
Comment Moderation Required Option Changed New Value
Default Comment Status Option Changed New Value
Default User Role Option Changed New Value
Home URL Option Changed New Value
Site URL Option Changed New Value
Child Theme Option Changed New Value
Parent Theme Option Changed New Value
User Registration Allowed Option Changed New Value
Role Capabilities Changed List of Changes
Admin Page View Denied No Additional Data
Plugin Installed Plugin Metadata
Plugin Deleted Plugin Metadata
Plugin Activated Plugin Metadata
Plugin Deactivated Plugin Metadata
Theme Installed Theme Metadata
Theme Deleted Theme Metadata
Theme Switched Theme Metadata
Theme Customized Theme Metadata
Automatic Updates Completed List of Updates
WordPress Core Version Updated Before/After Versions
Plugin Updated Plugin Metadata
Theme Updated Theme Metadata
Multisite Events
Multisite Blog Created Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Deleted Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Updated Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
List of Changes
Multisite Blog Activated Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Signup Submitted Blog Domain
Blog Path
Blog Name
Username
Multisite Blog Archived Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Trashed Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Made Public Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Marked Spam Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Unarchived Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Removed from Trash Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Made Private Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite Blog Marked Ham Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
Multisite User Created User (User ID, Username, List of Roles)
Multisite User Deleted User (User ID, Username, List of Roles)
Multisite User Added to Blog Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
User (User ID, Username, List of Roles)
Role Name
Multisite User Removed from Blog Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
User (User ID, Username, List of Roles)
Reassign to User (User ID, Username, List of Roles)
Multisite User Invited Network ID
Network Domain
Network Path
Network Name
Blog ID
Blog Domain
Blog Path
Blog Name
User (User ID, Username, List of Roles)
Role Name
Multisite User Signed Up Username
Multisite Active Plugins Option Changed List of Changes
Wordfence Events
Wordfence WAF Mode Changed Before/After Value
Wordfence WAF Rule Statuses Changed List of Changes
Wordfence WAF Protection Level Changed Before/After Value
Wordfence WAF Allow Entries Created List of Additions
Wordfence WAF Allow Entries Deleted List of Removals
Wordfence WAF Allow Entries Changed List of Changes
Wordfence Blocklist Enabled/Disabled New Value
Allowed IP List Updated List of Changes
Allowed Services List Updated List of Changes
Allowed 404s List Updated List of Changes
Ignored Alerting IPs List Updated List of Changes
Banned URL List Updated List of Changes
Banned Username List Updated List of Changes
Brute Force Protection Enabled/Disabled New Value
General Rate Limiting and Blocking Enabled/Disabled New Value
Never Block Crawlers Option Changed Before/After Value
Lock Out Invalid Usernames Enabled/Disabled New Value
Breached Password Protection Enabled/Disabled New Value
Enforce Strong Passwords Enabled/Disabled New Value
Mask Login Errors Enabled/Disabled New Value
Prevent Using admin Username Enabled/Disabled New Value
Block Author Scan Enabled/Disabled New Value
Block Application Passwords Enabled/Disabled New Value
Block Bad POST Requests Enabled/Disabled New Value
Check Password Strength on Change Enabled/Disabled New Value
Login Failure Threshold Changed Before/After Value
Maximum Forgot Password Requests Threshold Changed Before/After Value
Failure Counting Period Changed Before/After Value
Lockout Duration Changed Before/After Value
Block Duration Changed Before/After Value
Custom Block Page Text Changed Before/After Value
Global Rate Limit Changed Before/After Value
Crawler Rate Limit Changed Before/After Value
Crawler 404 Rate Limit Changed Before/After Value
Human Rate Limit Changed Before/After Value
Human 404 Rate Limit Changed Before/After Value
Scan Options Changed Before/After Value
Scan Schedule Changed Before/After Value
Country Blocking Rule Changed Before/After Value
IP/Pattern Block Rule Created Block Type
Reason
Block Parameters
Block Rule Deleted Block Type
Reason
Block Parameters
Participate in the Wordfence Security Network Enabled/Disabled New Value
Audit Log Mode Changed Before/After Value
Wordfence License Key Changed Before/After Value
IP Resolution Method Changed Before/After Value
Trusted Proxy List Updated List of Changes
Trusted Proxy Preset Changed Before/After Value
2FA Deactivated for User User ID
Username
List of Roles
2FA Activated for User User ID
Username
List of Roles
Require 2FA on XML-RPC Requests Enabled/Disabled New Value
Standalone Wordfence Login Security Allowed IPs Updated List of Changes
Standalone Wordfence Login Security IP Resolution Method Changed Before/After Value
Standalone Wordfence Login Security Trusted Proxies Changed List of Changes
2FA Required Roles List of Changes
2FA Required Grace Period Changed Before/After Value
XML-RPC Enabled/Disabled New Value
Captcha Enabled/Disabled New Value
Captcha Threshold Changed Before/After Value
WooCommerce 2FA Integration Eanbled/Disabled New Value
Captcha Test Mode Enabled/Disabled New Value