Review Your Site Activities With The WP Activity Logs Viewer
When a problem occurs on your website, the first question is: "What caused it?" Identifying the cause makes finding the solution much easier. That's where the Activity Log comes in. It tracks and records all activity on your WordPress site, giving you a clear picture of what happened and what may have gone wrong. This makes it much easier to pinpoint the root cause of any issue.
Review your site activities with the Activity Logs Viewer
The Activity Log Viewer is located under the main Shield navigation menu > Investigate section > WP Activity Log.
The information it currently displays includes:
- Time/date - The time/date of the request to the site
- The event
- Message - An optional message for the event
- Username
- IP Address - The originating IP address of the request.
- Whom that IP belongs to
- Meta information
If you click a particular IP address, you'll be able to investigate that IP directly from within the Activity Log.
You may also filter logs if you need to.
Advanced Logs Filtering
The WP Activity Log table (viewer) has powerful search capabilities. You can use:
- Free-text search — search across all log entries naturally.
- Targeted filters — search by IP address, username, email, user ID, event description, and metadata values.
- Search syntax help — a built-in help panel guides you through the available search options (for example ip: and user_id:) so you don’t have to memorise anything.
(See the screenshots below.)
The goal here is simple: your security data should be usable, not just available. Being able to quickly drill down to a specific IP address or user across thousands of log entries makes a real difference when you’re investigating an issue or responding to an incident.
What events are logged?
The WordPress Activity Log system logs all the important events. It also identifies the actual PHP file used to send emails (so you can track it better) and identifies Post types when posts are updated.
What events are logged and how long are they kept?
From Shield 22, the WP Activity Log and Request Logging data is managed automatically. Shield stores important security and site events, links request details where available, and removes older records using retention tiers so the database does not grow indefinitely.
| Data stored | Default retention | What this means |
|---|---|---|
| WP Activity Log - low-signal info events | 24 hours | Very low-signal informational events, when info-level local logging is enabled by debug mode or developer customisation. |
| WP Activity Log - standard events | 30 days | Normal activity and site events. |
| WP Activity Log - warning and security events | 180 days | Blocked requests, failed security checks, suspicious activity, and warning-level events. |
| WP Activity Log - high-value events | 730 days | Important security and lifecycle events kept longer for incident review and change history. |
| Request logs - transient | 7 days | Ordinary request records with no parameters, no offense, and no linked Activity Log entry. |
| Request logs - standard | 30 days | Higher-signal request records, such as requests with parameters or offenses. |
| Request logs linked to Activity Log entries | Same as the linked Activity Log entry | Shield keeps the request details while the related Activity Log entry is retained. |
High-value events kept for 730 days: WordPress core updates; plugin installs, activations, deactivations, uninstallations, and upgrades; theme installs, activations, uninstallations, and upgrades; login blocks; IP offenses; IP blocks; automatic IP block-list additions; and firewall blocks.
Note: These are Shield's default retention periods for the local database. Sites with developer customisations may use different values.
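The following added example (not Shield's own code) models the default retention tiers from the table above to show which records would still be available when an incident is reviewed some time later. The tier keys, record fields and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Default retention in days, taken from the table above (24 hours = 1 day).
# The tier keys and record fields are labels made up for this example.
ACTIVITY_DAYS = {"low_signal": 1, "standard": 30, "warning": 180, "high_value": 730}
REQUEST_DAYS = {"transient": 7, "standard": 30}

def activity_expiry(entry):
    """Time at which an Activity Log entry ages out of its tier."""
    return entry["at"] + timedelta(days=ACTIVITY_DAYS[entry["tier"]])

def request_expiry(req, activity_by_id):
    """Time at which a request record ages out, applying the linked-entry rule."""
    linked = activity_by_id.get(req["activity_id"])
    if linked is not None:
        # A linked request is kept for as long as its Activity Log entry.
        return activity_expiry(linked)
    # Transient: no parameters, no offense, no linked Activity Log entry.
    tier = "standard" if req["has_params"] or req["offense"] else "transient"
    return req["at"] + timedelta(days=REQUEST_DAYS[tier])

def surviving_evidence(activity, requests, now):
    """Ids of Activity Log entries and request records still retained at `now`."""
    by_id = {e["id"]: e for e in activity}
    kept_activity = [e["id"] for e in activity if activity_expiry(e) > now]
    kept_requests = [r["id"] for r in requests if request_expiry(r, by_id) > now]
    return kept_activity, kept_requests

# Constructed sample: everything below happened at the same moment.
T0 = datetime(2025, 1, 10, 12, 0)
ACTIVITY = [
    {"id": "a1", "tier": "standard", "at": T0},    # normal site event
    {"id": "a2", "tier": "warning", "at": T0},     # failed security check
    {"id": "a3", "tier": "high_value", "at": T0},  # plugin install
    {"id": "a4", "tier": "low_signal", "at": T0},  # info-level event
]
REQUESTS = [
    {"id": "r1", "at": T0, "has_params": False, "offense": False, "activity_id": None},
    {"id": "r2", "at": T0, "has_params": True, "offense": False, "activity_id": None},
    {"id": "r3", "at": T0, "has_params": False, "offense": False, "activity_id": "a3"},
    {"id": "r4", "at": T0, "has_params": True, "offense": False, "activity_id": "a1"},
    {"id": "r5", "at": T0, "has_params": True, "offense": True, "activity_id": "a2"},
]

if __name__ == "__main__":
    # Reviewing the incident 50 days later: which records can still be examined?
    print(surviving_evidence(ACTIVITY, REQUESTS, datetime(2025, 3, 1)))
```

In this model, a request with parameters that is linked only to a standard event (r4) is gone after 30 days, while a parameterless request linked to a plugin install (r3) stays available for the full 730 days.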
What does "Unidentified and not authenticated" mean?
"Unidentified" means that the request came from an IP address that has not been identified. An IP address might be identified if it belongs to a known service provider, such as Google, Bing, Pingdom, etc.
"Unauthenticated" means that when the request was sent to the site, there was no user authenticated.
The log says this because at the moment a user clicked the login button, they weren't logged in, so they were not authenticated at the instant the server received the request. The request is processed and then the user is authenticated, but when the request was initially received, the user was not authenticated.
Activity Log Glossary
The Activity Log Glossary will help you interpret activity logs: what they mean, which Shield setting relates to a particular log, and what action we recommend.
For further information about the power of the WP Activity Log, read our blog article here.
For examples of the Firewall entries in the Activity Log, how to interpret and whitelist parameters, read the article here.