Whenever I used to work on a website with other administrators, we always ran into the same question. Who did this? or Who updated the plugins without running a backup first? Or just, who updated the About page without talking to the marketing team?
If you ever wondered that, then this post is for you. Even if you work by yourself on your blog, this may be useful when you need to review some of the work you’ve done recently.
I want to showcase a WordPress plugin for you. This plugin helps you find out what has been happening on your blog. It lets you know who ran an update, who published a page and who changed something on your site. This plugin is ideal for any WordPress blog or website that has more than one admin, or multiple authors, but can be beneficial for you even if you’re the only one that works on your blog.
As the new “tech resident expert” at O.C. Writers, I thought it would be useful to have something like this to keep track of changes made to the site since we have several admins.
When you work with enterprise software, activity tracking is an expected feature, but for years, WordPress didn’t have anything like this. Unless you went into the server logs and trudged through thousands of log entries, it was almost impossible to find out who did what at any given time. But WP Security Audit is one of the plugins that allows you to find this information.
WP Security Audit keeps a log of most of the activity on your WordPress blog or website. Let’s take a look.
You’ll find the plugin in the WordPress plugin repository. Install it any way you prefer and activate it like any other plugin.
Once activated, the plugin creates a menu item on your dashboard. This menu is how you access settings and various options for the plugin. You’ll notice some options are only available to the premium version, but this post focuses on the free version only.
At first, you’ll see a blank log because you just installed the plugin, so head over to the settings page to review your options and set some parameters to fit your needs. In the settings page, you’ll find options to set an email address from which the notices will be sent.
You can adjust the permissions to access the plugin and turn it on or off. You can also change some of the display settings, as well as set exclusions based on WordPress roles, specific WordPress users or IP addresses.
The other section that will be interesting is the Enable/Disable Alerts section. Here is where you can select what activity to capture and display in the logs.
I turned off the 404 alerts because we keep track of them elsewhere and I don’t want to clutter the log with these. My primary focus for this plugin is to keep track of administrative changes.
The alerts are broken down by section, and each alert gets classified into a notice, a warning or a critical event. You’ll need to decide if you want to turn any of these off; they are all turned on by default.
Some of the alerts may be too “nosey” or unnecessary, like when a user views a page, but many of the other ones are critical if you’re trying to figure out why something changed or how to revert a change that is causing unintended consequences. The primary alerts that come to mind are updating plugins or WordPress; adding, removing, or modifying pages and posts; changing permalink structure, installing or removing plugins and modifying widgets.
Event though you can figure out what went wrong by looking at these logs, you should always have a backup procedure in place to help you revert if a major catastrophe happens. You can and should use something like Backupbuddy, Updraft, or even Vaultpress.
The plugin has explicit tracking of activity for some other major plugins, namely BBpress and Woocommerce; it can also track activity on a WordPress multisite installation.
You can see that after a few minutes of running the plugin and doing some basic routine maintenance tasks, the log started showing activity. That’s the kind of information I was looking for.
If you run a blog that has more than one administrator, or more than one author, this plugin should help you keep tabs on what’s happening and who’s working on what.
WP Security Audit can also help during development or when you’re designing your blog because it will tell you if a plugin modified a post or a page, or what impact some of your changes have on the site. As any good webmaster will tell you when you come to them with a problem: “Did you check the logs?”