WordPress Activity Log Glossary

The Activity Log is designed to give you full insight into significant actions taken on your site. It will let you see exactly what has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong.

These activities (events) can be seen with the Activity Log Viewer. You may also filter logs if you want.

Note: What events will be logged depend on the configured logging levels here.

This Activity Log Glossary helps you to interpret activity logs, what they mean, what Shield setting is related to that particular log, and what action we recommend.

Since Shield is a huge plugin, there are many activity logs. We are going to list the most common ones.

Activity Log Glossary


EVENT

ACTIVITY LOG MESSAGE

LOG DESCRIPTION

RELATED SETTING /RECOMMENDED ACTION

Security PIN Fail

Security PIN authentication failed.


Admin provided an incorrect PIN. Offense triggered.

Related setting: Security Admin PIN

Ensure that you're using correct PIN.

If you've forgotten it, follow this guide here.

Remove your IP from the blocklist (if needed).

Email Sent

(Security Admin)

There was an attempt to send an email using the "wp_mail" function.

It was sent to " your-email@site.com" with the subject

"[Your Site Name] Please Confirm Security Admin Removal".

An email notification with confirmation link for Security Admin removal sent to this admin account.

Related setting: Allow Email Override

Follow this guide here.
PIN will be removed, and Security Admin disabled completely. 
AntiBot Fail Request failed the AntiBot Test with a Visitor Score of "0" (minimum score: 35). User blocked - tried to login but failed the antibot test.

Related setting: AntiBot Minimum Score

This could be a bot but also a legit site user getting blocked. Best is to first check logs for this user's IP in the activity log, and then Analyse.

If this is a legit user, you can unblock their IP and choose a lower minimum bot score.

Bots: Failed Login Attempted login failed by user "admin". User attempted to login with invalid password.

Related setting: Login Bots: Bot Behaviours > Failed Login

This could be a bot but also a legit site user getting blocked. Best is to first check logs for this user's IP in the activity log, and then Analyse.

If this is a legit user, you can unblock their IP.

Bots: Invalid Username Login Attempted login with invalid user "test-admin". User attempted to login with username that doesn't exist.

Related setting: Login Bots: Bot Behaviours > Invalid Usernames

This could be a bot but also a legit site user getting blocked. Best is to first check logs for this user's IP in the activity log, and then Analyse.

If this is a legit user, you can unblock their IP.

Bots: 404 404 detected at "/wp-includes/Requests/Text/admin.php". A visitor tried to load a non-existent page.

Related setting: Probing Bots: Bot Behaviours > 404 Detect

This could be a bot but also a legit site user getting blocked. Best is to first check logs for this user's IP in the activity log, and then Analyse.

If this is a legit user, you can unblock their IP.

Note: You could have legitimate 404 links on your site which normal users are going to click and get blocked.


Bots: Link Cheese Link cheese access detected at "/test-wpsf-cheese-8a7b22c/". Bot detected (it follows a fake 'no-follow' link).

Related setting: Probing Bots: Bot Behaviours > Link Cheese

Check this IP in the activity log, and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

Bots: XML-RPC

and

Blocked: XML-RPC

Access to XML-RPC detected at "//xmlrpc.php".

and

XML-RPC Request Blocked.

XML-RPC request blocked.

Related settings:

Probing Bots: Bot Behaviours > XML-RPC Access

and

WP Lockdown > Disable XML-RPC

Note: When you disable XML-RPC system, this may break plugins that use this. 

You may need to enable XML-RPC system in Shield.

Bots: Invalid Scripts

Tried to load an invalid WordPress PHP script "wp-load.php".


Visitor not logged in but tried to load this page.

Related setting: Probing Bots: Bot Behaviours > Invalid Script Load

This could be a bot.

Check this IP in the activity log, and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

Bots: Fake Web Crawler Fake Web Crawler detected at "/favicon.ico". Fake Crawler misrepresented itself as "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" . Fake search engine crawler detected.

Related setting: Bot Behaviours > Fake Web Crawler

This could be a bot.

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

IP Block List Add (Auto) IP address '184.168.123.46' automatically added to block list as an offender. The IP may not be blocked yet.

It takes the time from when the first event happened and is incrementing the number of times.

When this visitor exceeds the specified offense limit, they'll be automatically blocked from accessing the site.


Related setting: Offense Limit

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

If it's a legit user, remove this IP from a block list if needed.



Items Found In Scan

Vulnerabilities or Abandoned Plugins or WordPress Filesystem Scan

scan completed and items were discovered.

Scans completed.


Related settings: Hack Guard module

Follow this guide here.

Scan Item Delete Success Item found in the scan was deleted. Item deleted: "/xxxxx/public/wp-admin/test scan core.php" Detected file deleted manually.

Related settings: to review Hack Guard module

Follow this guide here.

Scan Item Repair Success Repaired item found in the scan. Item repaired: "/xxxxx/public/wp-includes/media-template.php Detected file repaired (automatically or manually).

Related settings to review: Hack Guard module

Follow this guide here.

Rate Limit Exceeded Rate limit (5) was exceeded with 11 requests within 30 seconds.

Max number of requests allowed in time limit exceeded.

Visitor triggered Shield’s defenses.

Related setting to review: Traffic rate Limiting

Look for its IP under the Traffic Watch here to get more details.

If it's a legit user, remove this IP from a block list if needed.

Firewall Block

Request blocked by firewall rule: Aggressive Scan.

Rule pattern detected: " #etc/passwd#i" .

The offending request parameter was "test12"

with a value of "../../../../etc/passwd".


Firewall triggered.

Rule: Aggressive Scan

Related setting: Firewall Blocking

Follow this guide here.

Cooldown Fail Login/Register request triggered cooldown and was blocked. User attempted to login during the cooldown period.

Related setting to review: Cooldown Period

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

If it's a legit user, remove this IP from a block list if needed.


Email Sent

(2FA login)

There was an attempt to send an email using the "wp_mail" function. This log entry doesn't mean it was sent or received successfully, but only that an attempt was made. It was sent to "test-user@gmail.com" with the subject "My Site Name Two-Factor Login Verification". CC/BCC Recipients: - / - The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/lib/src/Controller/Email/EmailCon.php" on line 50. Email with the 2FA verification code sent to this user's email address.

Related setting: 2FA By Email

If activity log is showing that email has been sent but you haven't received it, it's probably getting blocked somewhere. You'll need to solve email deliverability issue.

Site admins can also try our SureSend system.

Invalid User Email Registration

and

Registration Blocked

Detected user registration with invalid email address (spam-email-test-196@0x207.info). Email verification test that failed: nondisposable

and

User registration request blocked.

User tried to register with an invalid email address.

Disposable email used.

Related setting: User Registration

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

Session Locked Core properties of an established user session (username) have changed. Logging out. User session changed. Logged out.

Related setting to review: User Session Lock

This could be a legit user or bot. Disable options if needed but first Analyse this IP.

Password Change Blocked Blocked attempted password update that failed policy requirements. A user tried to update or set a new password but it doesn't meet the password policy requirements imposed by security admin.

Related setting: Password Policies

Offense will not be triggered.

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

User Manually Suspended User "username" suspended by admin.

User suspended by site admin.

Login prevented.

Related setting: Allow Manual User Suspension

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.


Comment SPAM Blocked

and

SPAM Blocked: AntiBot System

Comment SPAM Blocked.

and

Blocked SPAM comment that failed AntiBot tests.

Visitor tried to post a comment but triggered the ADE.

Related setting: Automatic Bot Comment SPAM Protection

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.


SPAM Blocked: Cooldown Triggered Blocked comment that triggered the Comment Cooldown. Comment cooldown triggered.

Related setting: Comments Cooldown

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

SPAM Blocked: Human Blocked human SPAM comment containing suspicious content. Human SPAM filter found "abercrom" in "comment_content" Visitor tried to post a comment by using a human spam content (word "abercrom").

Related setting: Human SPAM Filter

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

Blocked: Anonymous REST API Blocked Anonymous API Access through "wp" namespace. Anonymous Rest API disabled. Access attempt detected and blocked.

Related setting: Anonymous Rest API

When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. 

You may need to enable this in Shield.

Blocked: Author Fishing Blocked Author Discovery via username fishing technique. Blocked the ability to discover WP usernames based on author IDs.

Related setting: Block Username Fishing

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

Connection Killed Visitor found on the Block List and their connection was killed. This event repeated 79 times in the last 24hrs.

Visitor exceeded the specified offense limit, and automatically blocked from accessing the site.

They tripped offenses 79 times in 24hrs.

Related setting: Offense Limit

Review actions - activity logs taken by this IP and then Analyse.

Look for its IP under the Traffic Watch here to get more details.

If it's a legit user, remove this IP from a block list if needed.

CrowdSec: Connection Killed Visitor found on the CrowdSec Block List and their request was killed. This event repeated 3 times in the last 24hrs. Visitor automatically blocked from accessing the site.

Related setting: CrowdSec IP Blocking

Analyse this IP to get more info.

Hidden Login URL Fail Redirecting wp-login due to hidden login URL Visitor tried to load hidden login URL.

Related setting: Hide WP Login & Admin

Offense not triggered.

Analyse this IP to get more info.

Look for its IP under the Traffic Watch here if you'd like.

License Deactivated A valid license could not be found - Deactivating Pro. Your ShieldPRO license is deactivated for some reason.

Please follow this guide here

If you still have a problem, reach out Shield Support here.

Options Imported

Options imported from site: https://your-master-site-url.com

or

Options imported from site: import file.

Options imported from a site or a file.

Related setting: Import/Export

No specific action required.

Site Lockdown Started Site was placed into lockdown by username.

All access to the site except from IPs on the bypass/white list has been blocked.


Related setting to review: Site Lockdown

If you get locked out, please use forceoff and disable this option.



How to use Activity Log Glossary

Example: Firewall Block > Locked out

You're blocked by the firewall, and your IP is blacklisted. So, you're locked out and you want to know what triggered the firewall and what action you should take to prevent future blocks. In this case, you'll follow these steps:

  1. Use a forceoff method to get back into your site
  2. Log into your site
  3. Go to the IP Rules section and remove your IP from the blacklist
  4. Go to the Activity Log Viewer and find the firewall block. You may filter logs by your IP and Firewall Block event.
  5. Use this Glossary to understand this activity log better, review the related settings and take the recommended action.
  6. Remove a "forceoff" file

So, if you get locked out:

use a forceoff to get back in > remove your IP from the blacklist > review your activity  logs to find the block cause > use this Glossary to find the related Shield settings and take recommended action to prevent future blocks > remove a "forceoff" file. 

Note: If you need further help, you can reach out ShieldPRO support here.