Activity Log Glossary
The Activity Log is designed to give you full insight into significant actions taken on your site. It will let you see exactly what has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong.
These activities can be seen under the Activity Log Viewer section. You may also filter logs if you want.
This Activity Log Glossary helps you to interpret activity logs, what they mean, what Shield setting is related to that particular log, and what action we recommend.
For example, you're blocked by the firewall, and your IP is blacklisted. So, you're locked out and you want to know what triggered the firewall and what action you should take to prevent future blocks. In this case, you'll follow these steps:
- Use a forceoff method to get back into your site
- Log into your site
- Go to the Manage IPs section and remove your IP from the blacklist
- Go to the Activity Log Viewer and find the firewall block
- Use this Glossary to understand this activity log better, and take the recommended action.
- Remove a "forceoff" file
So, whenever you get locked out (blacklisted) as the result of Shield:
use a forceoff to get back in => remove your IP from the blacklist => review your activity logs to find the problem cause => use this Glossary to find the related Shield settings and take action to prevent future blocks => remove a "forceoff" file.
Activity Log Glossary
| Related setting | Activity Log |
Description | Recommended action |
|---|---|---|---|
| License Check |
Pro License check succeeded. | Pro license activated on site. | No action required. |
| Import/Export |
Options imported from site: https://master-site-name.com |
Options imported from the Master site to this Slave site. | No action required. |
| Import/Export - Notify Whitelist | Sent notifications to whitelisted sites for required options import. | Notification sent to the Slave site to export options from the Master site. | No action required. |
| Import/Export - Notify Whitelist | Received notification that options import required. Current master site: https://master-site-name.com |
Slave site received notification to export options from the Master site. | No action required. |
| Security Admin PIN |
Failed authentication using Security Admin PIN. | Admin provided an incorrect PIN. |
Ensure that you're using correct PIN.
If you've forgotten it, follow this guide here. Remove your IP from the blacklist (if needed). |
| Security Admin PIN |
Successful authentication using Security Admin PIN. | Admin provided the correct PIN. | No action required. |
| Allow Email Override |
There was an attempt to send an email using the "wp_mail" function. It was sent to " your-email@site.com" with the subject "[Your Site Name] Please Confirm Security Admin Removal". |
An email notification with confirmation link for Security Admin removal sent to this user. |
|
| Allow Email Override |
There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "[Your Site Name] Security Admin restrictions have been removed". |
An email notification that the Security Admin restriction has been removed. |
PIN removed. Security Admin disabled completely. You can set a new PIN (if you want). |
| Antibot Detection Engine |
Request passed the AntiBot Test with a Visitor Score of "100" (minimum score: 35). | You have the Antibot Detection Engine enabled in the Login Guard module. User tried to login and passed the antibot test. |
|
| Antibot Detection Engine | Request failed the AntiBot Test with a Visitor Score of "0" (minimum score: 35). | You have the Antibot Detection Engine enabled in the Login Guard module. User blocked - tried to login but failed the antibot test. |
This could be a bot but also a legit site user getting blocked. Best is to first check this log for this user's IP in the activity log, and then
If this is a legit user, you can choose a lower minimum bot score here. |
| Login Bots |
Attempted login failed by user "test-user". Auto Black List offenses counter was incremented from 0 to 1. |
User attempted to login with invalid password. Offense triggered (x1). |
Get yourself informed about this user. |
| Login Bots |
Attempted login with invalid user "test-admin". Auto Black List offenses counter was incremented from 0 to 1. |
User attempted to login with username that doesn't exist. Offense triggered (x1). |
Get yourself informed about this user. |
| Login Bots |
Attempted login with invalid user "empty username". Auto Black List offenses counter was incremented from 0 to 1. |
User attempted to login without providing username. Offense triggered (x1). |
Get yourself informed about this user. |
| Probing Bots | 404 detected at "/ads.txt". Auto Black List offenses counter was incremented from 0 to 1. |
A visitor tried to load a non-existent page. Offense triggered (x1). |
Get yourself informed about this user. |
| Probing Bots |
Link cheese access detected at "/test-wpsf-cheese-8a7b22c/". 404 detected at "/test-wpsf-cheese-8a7b22c/". |
Bot detected (it follows a fake 'no-follow' link). A non-existent page was hit. |
Get yourself informed about this visitor.. It's likely a bot.
|
| Probing Bots (see also Lockdown) |
Access to XML-RPC detected at "/xmlrpc.php". Auto Black List offenses counter was incremented from 0 to 2. |
XML-RPC system disabled. Offense triggered "0 to 2", because of the Probing Bots setting "Increment Offense Counter" (1st offense) and WP Lockdown => XML-RPC System disabled (2nd offense). |
When you disable XML-RPC system, this may break plugins that use this. You may need to enable XML-RPC system in Shield here. |
| Probing Bots |
Auto Black List offenses counter was incremented from 0 to 1. Tried to load an invalid WordPress PHP script "profile.php". |
Invalid Script Load option set to "Increment Offense Counter". Offense triggered x1. User tried to load profile page (profile.php) before they were logged-in. A non-admin user attempted to load an WP admin page which isn't the normal behavior. It could be a bot. |
Use Traffic Log to get more information about this user. Also, click an email address to analyse this IP to see if it's legit or not, etc. |
| Bot Behaviours |
Fake Web Crawler detected at "/my-account/". Auto Black List offenses counter was incremented from 0 to 1. |
Fake search engine crawler detected. Offense triggered (x1). |
Get yourself informed about this visitor. It's likely a bot.
|
| Offense Limit | Visitor found on the Black List and their connection was killed. This event repeated 2 times in the last 24hrs. |
It takes the time from when the first event happened and is incrementing the number of times. Visitor exceeded the specified offense limit, and automatically blocked from accessing the site. Their IP is blacklisted. |
If you're locked out (blacklisted), follow these steps
|
| The 'unblock' file flag |
IP address '123.45.67.217' removed from blacklist using 'unblock' file flag. | Visitor's IP removed from the blacklist via FTP. | Check your activity log to find out why this visitor's blacklisted at the first place. |
| Core File Scanner |
WP Core Files scan completed and items were discovered. | Modified WP core file detected. |
Review file in the Scans section => Scan Results. |
| Unrecognised Files Scanner |
Unrecognised Files scan completed and items were discovered. | Unrecognised file detected. |
Review file in the Scans section => Scan Results. |
| Plugins & Themes Guard Scanner |
Plugin/Theme Guard scan completed and items were discovered. | Modified plugin/theme file detected. | Review file in the Scans section => Scan Results. |
| Malware Scanner |
Malware scan completed and items were discovered. | Malware file detected. | Review file in the Scans section => Scan Results. |
| Vulnerabilities Scanner |
Vulnerabilities scan completed and items were discovered. | Vulnerable plugin detected. | Review plugin in the Scans section => Scan Results. |
| Abandoned Plugin Scanner |
Abandoned Plugins scan completed and items were discovered. | Abandoned plugin detected. | Review plugin in the Scans section => Scan Results. |
| Core File Scanner |
WP Core Files scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-includes/rss.php" | Modified WP core file repaired. | No action required. |
| Unrecognised Files Scanner |
Unrecognised Files scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-includes/test-unr-scan-1.php" | Unrecognised file repaired/deleted. | No action required. |
| Plugins & Themes Guard Scanner |
Plugin/Theme Guard scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-content/plugins/plugin-name/plugin-name.php" | Modified plugin/theme file repaired. | No action required. |
| Vulnerabilities Scanner | Vulnerabilities scan repaired a item found in the scan. Item repaired: "Plugin Name" | Update of the vulnerable plugin applied. Plugin file repaired. | No action required. |
| Vulnerabilities Scanner | Vulnerabilities scan could not repair item. Failed repair item: "Plugin Name" | Update of the vulnerable plugin couldn't be applied. Plugin not repaired. | Review plugin in the Scans section => Scan Results. Re-install plugin, or update manually from within your WP plugins page, if needed. |
| Traffic Rate Limiting |
Visitor exceeded the maximum allowable requests (x) within (x) seconds. Auto Black List offenses counter was incremented from 0 to 1. |
Max number of requests allowed in time limit exceeded. Visitor triggered Shield’s defenses. Offense recorded against their IP address (x1). |
Get yourself informed about this visitor. |
| Aggressive Rules (see also how to whitelist param) |
Firewall Trigger: Aggressive Rules. Page parameter failed firewall check. The offending parameter was "return" with a value of "/wp-admin/admin.php?page=icwp-wpsf-insights&inav=audit". Firewall Block Response: Visitor connection was killed with wp_die() and a message. Auto Black List offenses counter was incremented from 0 to 1. |
Firewall triggered. Block response is based on the Firewall => Block Response setting. In this example, it's "Die With Message". Offense triggered (x1). |
Whitelist the offending parameter " return", directly from within this activity log, or manually. Or, disable Aggressive Rules option. Also, not recommended, but if you want to ensure that admins are never affected by the firewall, enable Ignore Administrators option. |
| Directory Traversal (see also how to whitelist param) |
Firewall Trigger: Directory Traversal. Page parameter failed firewall check. The offending parameter was "test002" with a value of "../../../../etc/passwd". Firewall Block Response: Visitor connection was killed with wp_die() and a message. Auto Black List offenses counter was incremented from 0 to 1. |
Firewall triggered. Block response is based on the Firewall => Block Response setting. In this example, it's "Die With Message". Offense triggered (x1). |
Whitelist the offending parameter " test002", directly from within this activity log, or manually. Or, disable Directory Traversal option. Also, not recommended, but if you want to ensure that admins are never affected by the firewall, enable Ignore Administrators option. |
| Field Truncation (see also how to whitelist param) |
Firewall Trigger: Field Truncation. Page parameter failed firewall check. The offending parameter was "your-message" with a value of "Hello, I have read that you...xxxxxxxxx". Firewall Block Response: Visitor was sent 404. Auto Black List offenses counter was incremented from 0 to 1. |
Firewall triggered. Block response is based on the Firewall => Block Response setting. In this example, it's "Return 404". Offense triggered (x1). Field truncation is where someone attempts to post/submit a massive amount of data in a form which can overwhelm the form processing and data(base) storage, but it can also be used in certain scenarios where truncating data that's too large can lead to an exploit. Field Truncation firewall rule prevents this from happening. |
Visitor triggered the firewall. If you need to whitelist the offending parameter " your-message", you can do so directly from within this activity log, or manually. Or, disable Field Truncation option. Also, not recommended, but if you want to ensure that admins are never affected by the firewall, enable Ignore Administrators option. |
| Send Email Report |
There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "[Your Site Name] Firewall Block Alert". Successfully sent Firewall Block email alert to: your-email@site.com |
A visitor is blocked, the firewall sent an email with the blocking details. | Review this firewall block for this visitor provided in this email to get more info. |
| User "test-user" attempted "login" but Bot checkbox was not found. Attempted login failed by user "test-user". Auto Black List offenses counter was incremented from 0 to 2. |
User tried to login without checking the "I'm a human." checkbox. Login failed. Offense triggered (x2). |
Get yourself informed about this user. |
|
| CAPTCHA for login form | CAPTCHA Test Fail Attempted login failed by user "test-user". IP blocked after incrementing offenses from 0 to 2. |
User tried to login without checking the Captcha checkbox. Login failed. User exceeded the specified offense limit (x2), automatically blocked from accessing the site. |
Get yourself informed about this user. |
| Cooldown Period |
Login/Register request triggered cooldown and was blocked. Attempted login failed by user "test-user". Auto Black List offenses counter was incremented from 0 to 2. |
User attempted to log into the site during the cooldown period. Login failed. Offense triggered (x2) |
Get yourself informed about this user. |
| 2FA by email | There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "Two-Factor Login Verification". The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136. User "test-user" sent two-factor authentication email to verify identity. |
Email with the 2FA verification code sent to the user. | Use 2FA verification code for login. If activity log is showing that email has been sent but you haven't received it, it's probably getting blocked somewhere. More Info We resolve email deliverability issue for 2FA with our SureSend system. |
| Allow Backup Codes |
User "test-user" verified their identity using Backup Code. There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "[Your Site Name] Notice: Backup Login Code Just Used". |
Email notification that user's used login backup code. | No action required. |
| Login Protection |
Attempted user login by "test-user" was successful. | User logged in. | Review user session, if you want. Go to the navigation menu => Users section. You can also look for their IP in the Traffic Watch viewer here to get more details about this user. |
| Lock To Location |
Access to an established user session from a different IP address. Logging out. |
A logged-in user's IP address changed. The session is invalidated and user is forced to re-login. | If you're getting logged out, maybe you'll need to disable Lock To Location option here. |
| User Session Management |
Valid user session could not be found. Logging out. |
An active session could not be found. User logged out. | Review User Session Management settings. You may need to disable i.e. Max Simultaneous Sessions option. If that doesn't help, you may need to disable User Management module completely and test. It could be plugin conflict. |
| User Registration |
Detected user registration with invalid email address (newuser01xxx@a-bc.net). Email verification test that failed: nondisposable New WordPress user registered. New username is "newuser01xxx" with email address "newuser01xxx@a-bc.net". |
User tried to register with an invalid email address. Disposable email used. |
Get yourself informed about this user. |
| User Registration |
Detected user registration with invalid email address (test12345ccRaaa@net2force.net). Email verification test that failed: domain_registered New WordPress user registered. New username is "test12345ccRaaa" with email address "test12345ccRaaa@net2force.net". |
User tried to register with an invalid email address. Domain of this email address isn't registered. Domain doesn't have an IP: |
Get yourself informed about this user. |
| User Management |
WordPress user deleted. Username was "newuser01xxx" with email address "newuser01xxx@a-bc.net". |
User deleted from WP site. | No action required. |
| Password Policies |
Blocked attempted password update that failed policy requirements. | A user tried to update or set a new password but it doesn't meet the password policy requirements imposed by security admin. | User blocked but not blacklisted yet.
|
| Allow Manual User Suspension |
User ID 33 suspended by admin (site-admin) | User suspended by site admin. Login prevented. |
No action required. |
| Allow Manual User Suspension |
User ID 33 unsuspended by admin (site admin) | User unsuspended by site admin. Login allowed. |
No action required. |
| Admin Login Notification |
Attempted user login by "site-admin" was successful. There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "[Your Site Name] Notice - Administrator+ Just Logged Into https://your-site-name.com". The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136. |
Shield is notifying you of a successful Administrator login to a WP site that you manage. |
Review user session, if you want. Go to the navigation menu => Users section. |
| User Login Notification Email |
There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "[Your Site Name] Notice - A login to your WordPress account just occurred". The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136. |
Shield is notifying user that a successful login for their account occurred. | Review user session, if you want. Go to the navigation menu => Users section. |
| SPAM Bot Protection |
Blocked SPAM comment from Bot. Auto Black List offenses counter was incremented from 0 to 1. |
Visitor tried to post a comment without checking the "I'm not a spammer." checkbox. Offense triggered (x1). |
Comment blocked. Review it in the comments page of your WP site (if applicable). Get yourself informed about this visitor.
|
| Comment Cooldown |
Blocked SPAM comment from Bot. Auto Black List offenses counter was incremented from 0 to 1. |
The comment form submit button has a countdown times so that visitors must wait before posting a comment. Visitor tried to post a comment before comment cooldown period of time has expired. Offense triggered (x1). |
Comment blocked. Review it in the comments page of your WP site (if applicable). You'll see something like this: [* Shield plugin marked this comment as “Pending Moderation”. Reason: Failed Bot Test ( cooldown) *] Get yourself informed about this visitor. |
| CAPTCHA for comments form | CAPTCHA Test Fail Blocked SPAM comment that failed CAPTCHA. Auto Black List offenses counter was incremented from 0 to 1. |
Visitor tried to post a comment without checking the Captcha checkbox. Offense triggered (x1). |
Comment blocked. Review it in the comments page of your WP site (if applicable). Get yourself informed about this visitor. |
| Blocked human SPAM comment containing suspicious content. Human SPAM filter found " abercrom" in "comment_content" Auto Black List offenses counter was incremented from 0 to 1. |
Visitor tried to post a comment by using a human spam content (word "abercrom"). Offense triggered (x1). |
Comment blocked. Review it in the comments page of your WP site (if applicable).
Get yourself informed about this visitor.
|
|
| Reporting |
There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "[Your Site Name] Site Report - Shield". The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136. |
Critical alerts about your site security (about recent scans), and non-critical information (stats) sent by email. | Critical alerts are mostly related to the recent scans. Go to the navigation menu => Scans section => and review scan results. Or, run the scans, if needed. |
| Automatic Plugins Updates |
There was an attempt to send an email using the "wp_mail" function. "[Your Site Name] Some plugins were automatically updated". |
Plugins updated automatically. Note: Activity log doesn't show when plugins are updated (either automatically or manually). It only shows that notification email about auto-update was sent. WordPress 5.5 included auto-update notification emails. |
Review plugins in your plugins page of your WP site. |
| Anonymous Rest API |
Blocked Anonymous API Access through "wp" namespace. | Anonymous Rest API disabled. Access attempt detected and blocked. | When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. You may need to enable Anonymous Rest API system in Shield here. |
| Anonymous Rest API |
Blocked Anonymous API Access through "oembed" namespace. |
Anonymous Rest API disabled. Access attempt through oembed detected and blocked. A namespace is a string between /wp-json/ and the next slash. I.e. for Contact Form 7 it's ’contact-form-7' (/wp-json/contact-form-7/). WP oembed recognizes URLs to a number of services to auto format and display them. I.e. Youtube videos or WP posts/pages. When you insert URL into your page or post, WP sees the URL and it will connect to the external service (such as Youtube) and ask for the relevant HTML code to embed the video into the page or post. It'll display the title, text snippet, comments counter etc. |
When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. You may need to enable Anonymous Rest API system in Shield here. |
| Disable XML-RPC |
Access to XML-RPC detected at "/xmlrpc.php". | XML-RPC system disabled. Access attempt detected. |
When you disable XML-RPC system, this may break plugins that use this. You may need to enable XML-RPC system in Shield here. |
| Plugins | Plugin "plugin-name/index.php" was activated. | Plugin activated. | Review plugins in your plugins page of your WP site. |
| Plugins | Plugin "plugin-name/index.php" was deactivated. | Plugin deactivated. | Review plugins in your plugins page of your WP site. |
| Plugins |
Plugin "Plugin Name" was upgraded from version 15.2.1 to version 15.3. |
Plugin updated. |
No action required. |
| Pages | Post entitled "Test Page 1" was trashed. Post Type: page |
Page trashed. | Review this page in your pages of your WP site. |
| Pages | WordPress Post entitled "Test Page 1" was permanently deleted from trash. | Page deleted from trash. | No action required. |
| Pages | Post entitled "Test Page 2" was published. Post Type: page |
Page published. | Review this page in your pages of your WP site. |
| Pages | Post entitled "Test Page 2" was updated. Post Type: page |
Page updated. | Review this page in your pages of your WP site. |
| Posts | Post entitled "Test Post 1" was trashed. Post Type: post |
Post trashed. | Review this post in your posts page of your WP site. |
| Posts | WordPress Post entitled "Test Post 1" was permanently deleted from trash. | Post deleted from trash. | No action required. |
| Posts | Post entitled "Test Post 2" was published. Post Type: post |
Post published. | Review this post in your posts page of your WP site. |
| Posts | Post entitled "Test Post 2" was updated. Post Type: post |
Post updated. | Review this post in your posts page of your WP site. |
| Permalinks |
WordPress Permalinks Structure was updated from "/y%/%monthnum%/%year%/%postname%/tegory%/" to "/%postname%/". |
Permalinks updated. |
Review permalinks in your permalinks page of your WP site (under Settings). |
Note: In case you need further help, you can reach out ShieldPRO support here.