WordPress Activity Log Glossary
The WordPress Activity Log is designed to give you full insight into significant actions taken on your site. It will let you see exactly what has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong.
These activities (events) can be seen with the Activity Log Viewer. You may also filter logs if you want.
Note: Which events are logged depends on the configured logging levels here.
This WordPress Activity Log Glossary helps you interpret activity logs: what they mean, which Shield setting relates to a particular log, and what action we recommend.
Since Shield is a huge plugin, there are many activity logs. We are going to list the most common ones.
WordPress Activity Log Glossary
EVENT | ACTIVITY LOG MESSAGE | LOG DESCRIPTION | RELATED SETTING / RECOMMENDED ACTION |
Security PIN Fail | Security PIN authentication failed. | Admin provided an incorrect PIN. Offense triggered. | Related setting: Security Admin PIN. Ensure that you're using the correct PIN. If you've forgotten it, follow this guide here. Remove your IP from the blocklist (if needed). |
Email Sent (Security Admin) | There was an attempt to send an email using the "wp_mail" function. It was sent to "your-email@site.com" with the subject "[Your Site Name] Please Confirm Security Admin Removal". | An email notification with a confirmation link for Security Admin removal was sent to this admin account. | Related setting: Allow Email Override. Follow this guide here. PIN will be removed, and Security Admin disabled completely. |
AntiBot Fail | Request failed the AntiBot Test with a Visitor Score of "0" (minimum score: 35). | User blocked: they tried to log in but failed the AntiBot test. | Related setting: silentCAPTCHA Bot Minimum Score. This could be a bot, but it could also be a legit site user getting blocked. It's best to first check the activity log for this user's IP, and then Analyse. If this is a legit user, you can unblock their IP and choose a lower minimum bot score. |
Bots: Failed Login | Attempted login failed by user "admin". | User attempted to log in with an invalid password. | Related setting: Login Bots: Bot Actions > Failed Login. This could be a bot, but it could also be a legit site user getting blocked. It's best to first check the activity log for this user's IP, and then Analyse. If this is a legit user, you can unblock their IP. |
Bots: Invalid Username Login | Attempted login with invalid user "test-admin". | User attempted to log in with a username that doesn't exist. | Related setting: Login Bots: Bot Actions > Invalid Usernames. This could be a bot, but it could also be a legit site user getting blocked. It's best to first check the activity log for this user's IP, and then Analyse. If this is a legit user, you can unblock their IP. |
Bots: 404 | 404 detected at "/wp-includes/Requests/Text/admin.php". | A visitor tried to load a non-existent page. | Related setting: Probing Bots: Bot Actions > 404 Detect. This could be a bot, but it could also be a legit site user getting blocked. It's best to first check the activity log for this user's IP, and then Analyse. If this is a legit user, you can unblock their IP. Note: You could have legitimate 404 links on your site which normal users are going to click and get blocked. |
Bots: Link Cheese | Link cheese access detected at "/test-wpsf-cheese-8a7b22c/". | Bot detected (it follows a fake 'no-follow' link). | Related setting: Probing Bots: Bot Actions > Link Cheese. Check this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
Bots: XML-RPC and Blocked: XML-RPC | Access to XML-RPC detected at "//xmlrpc.php". and XML-RPC Request Blocked. | XML-RPC request blocked. | Related settings: Probing Bots: Bot Actions > XML-RPC Access and Firewall Zone > Disable XML-RPC. Note: When you disable the XML-RPC system, this may break plugins that use it. You may need to enable the XML-RPC system in Shield. |
Bots: Invalid Scripts | Tried to load an invalid WordPress PHP script "wp-load.php". | Visitor not logged in but tried to load this page. | Related setting: Probing Bots: Bot Actions > Invalid Script Load. This could be a bot. Check this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
Bots: Fake Web Crawler | Fake Web Crawler detected at "/favicon.ico". Fake Crawler misrepresented itself as "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)". | Fake search engine crawler detected. | Related setting: Bot Actions > Fake Web Crawler. This could be a bot. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
IP Block List Add (Auto) | IP address '184.168.123.46' automatically added to block list as an offender. The IP may not be blocked yet. | Shield records the time of the first event and increments the offense count each time another occurs. When this visitor exceeds the specified offense limit, they'll be automatically blocked from accessing the site. | Related setting: Offense Limit. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. If it's a legit user, remove this IP from the block list if needed. |
Items Found In Scan | Vulnerabilities or Abandoned Plugins or WordPress Filesystem Scan scan completed and items were discovered. | Scans completed. | Related settings: Scans & Integrity Zone. Follow this guide here. |
Scan Item Delete Success | Item found in the scan was deleted. Item deleted: "/xxxxx/public/wp-admin/test scan core.php" | Detected file deleted manually. | Related settings to review: Scans & Integrity Zone. Follow this guide here. |
Scan Item Repair Success | Repaired item found in the scan. Item repaired: "/xxxxx/public/wp-includes/media-template.php" | Detected file repaired (automatically or manually). | Related settings to review: Scans & Integrity Zone. Follow this guide here. |
Rate Limit Exceeded | Rate limit (5) was exceeded with 11 requests within 30 seconds. | Max number of requests allowed in time limit exceeded. Visitor triggered Shield's defenses. | Related setting to review: Traffic Rate Limiting. Look for its IP under the HTTP Request Log Viewer here to get more details. If it's a legit user, remove this IP from the block list if needed. |
Firewall Block | Request blocked by firewall rule: Aggressive Scan. Rule pattern detected: "#etc/passwd#i". The offending request parameter was "test12" with a value of "../../../../etc/passwd". | Firewall triggered. Rule: Aggressive Scan | Related setting: Firewall Blocking. Follow this guide here. |
Cooldown Fail | Login/Register request triggered cooldown and was blocked. | User attempted to log in during the cooldown period. | Related setting to review: Cooldown Period. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. If it's a legit user, remove this IP from the block list if needed. |
Email Sent (2FA login) | There was an attempt to send an email using the "wp_mail" function. This log entry doesn't mean it was sent or received successfully, but only that an attempt was made. It was sent to "test-user@gmail.com" with the subject "My Site Name Two-Factor Login Verification". CC/BCC Recipients: - / - The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/lib/src/Controller/Email/EmailCon.php" on line 50. | Email with the 2FA verification code sent to this user's email address. | Related setting: 2FA By Email. If the activity log shows that the email has been sent but you haven't received it, it's probably getting blocked somewhere. You'll need to solve the email deliverability issue. Site admins can also try our SureSend system. |
Invalid User Email Registration and Registration Blocked | Detected user registration with invalid email address (spam-email-test-196@0x207.info). Email verification test that failed: nondisposable and User registration request blocked. | User tried to register with an invalid email address. Disposable email used. | Related setting: User Registration. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
Session Locked | Core properties of an established user session (username) have changed. Logging out. | User session changed. Logged out. | Related setting to review: User Session Lock. This could be a legit user or a bot. Disable options if needed, but first Analyse this IP. |
Password Change Blocked | Blocked attempted password update that failed policy requirements. | A user tried to update or set a new password, but it doesn't meet the password policy requirements imposed by the security admin. | Related setting: Password Policies. Offense will not be triggered. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
User Manually Suspended | User "username" suspended by admin. | User suspended by site admin. Login prevented. | Related setting: Allow Manual User Suspension. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
Comment SPAM Blocked and SPAM Blocked: AntiBot System | Comment SPAM Blocked. and Blocked SPAM comment that failed AntiBot tests. | Visitor tried to post a comment but triggered the ADE. | Related setting: Automatic Bot Comment SPAM Protection. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
SPAM Blocked: Cooldown Triggered | Blocked comment that triggered the Comment Cooldown. | Comment cooldown triggered. | Related setting: Comments Cooldown. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
SPAM Blocked: Human | Blocked human SPAM comment containing suspicious content. Human SPAM filter found "abercrom" in "comment_content" | Visitor tried to post a comment containing human spam content (the word "abercrom"). | Related setting: Human SPAM Filter. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
Blocked: Anonymous REST API | Blocked Anonymous API Access through "wp" namespace. | Anonymous Rest API disabled. Access attempt detected and blocked. | Related setting: Anonymous Rest API. When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. You may need to enable this in Shield. |
Blocked: Author Fishing | Blocked Author Discovery via username fishing technique. | Blocked the ability to discover WP usernames based on author IDs. | Related setting: Block Username Fishing. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. |
Connection Killed | Visitor found on the Block List and their connection was killed. This event repeated 79 times in the last 24hrs. | Visitor exceeded the specified offense limit and was automatically blocked from accessing the site. They tripped offenses 79 times in 24hrs. | Related setting: Offense Limit. Review the actions taken by this IP in the activity log, and then Analyse. Look for its IP under the HTTP Request Log Viewer here to get more details. If it's a legit user, remove this IP from the block list if needed. |
CrowdSec: Connection Killed | Visitor found on the CrowdSec Block List and their request was killed. This event repeated 3 times in the last 24hrs. | Visitor automatically blocked from accessing the site. | Related setting: CrowdSec IP Blocking. Analyse this IP to get more info. |
Hidden Login URL Fail | Redirecting wp-login due to hidden login URL | Visitor tried to load hidden login URL. | Related setting: Hide WP Login & Admin. Offense not triggered. Analyse this IP to get more info. Look for its IP under the HTTP Request Log Viewer here if you'd like. |
License Deactivated | A valid license could not be found - Deactivating Pro. | Your ShieldPRO license is deactivated for some reason. | Please follow this guide here. If you still have a problem, reach out to Shield Support here. |
Options Imported | Options imported from site: https://your-master-site-url.com or Options imported from site: import file. | Options imported from a site or a file. | Related setting: Import/Export. No specific action required. |
Site Lockdown Started | Site was placed into lockdown by username. | All access to the site except from IPs on the bypass/white list has been blocked. | Related setting to review: Site Lockdown. If you get locked out, please use forceoff and disable this option. |
How to use the WordPress Activity Log Glossary
Example: Firewall Block > Locked out
You're blocked by the firewall, and your IP is blacklisted. So, you're locked out and you want to know what triggered the firewall and what action you should take to prevent future blocks. In this case, you'll follow these steps:
- Use a forceoff method to get back into your site
- Log into your site
- Go to the Bots & IP Rules section and remove your IP from the blacklist
- Go to the WP Activity Log Viewer and find the firewall block. You may filter logs by your IP and Firewall Block event.
- Use this Glossary to understand this activity log better, review the related settings and take the recommended action.
- Remove the "forceoff" file
So, if you get locked out:
use a forceoff to get back in > remove your IP from the blacklist > review your activity logs to find the block cause > use this Glossary to find the related Shield settings and take the recommended action to prevent future blocks > remove the "forceoff" file.
Note: If you need further help, you can reach out to ShieldPRO support here.
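For the "find the block cause" step, the Firewall Block and Rate Limit Exceeded messages can be broken into fields and the logged rule pattern re-tested against other values to see what would trip it again. This is an added example, not Shield's own code: the function names and regexes are hypothetical, and it assumes the logged pattern is a delimited regex whose first character is the delimiter and whose trailing letters are flags.

```python
import re

# Sample messages copied from the glossary rows above (whitespace normalised).
SAMPLE_FIREWALL = ('Request blocked by firewall rule: Aggressive Scan. '
                   'Rule pattern detected: "#etc/passwd#i". The offending request '
                   'parameter was "test12" with a value of "../../../../etc/passwd".')
SAMPLE_RATE = "Rate limit (5) was exceeded with 11 requests within 30 seconds."

# These regexes are this example's own, written against the message shapes above.
FIREWALL_RE = re.compile(
    r'Request blocked by firewall rule: (?P<rule>.+?)\.\s*'
    r'Rule pattern detected: "\s*(?P<pattern>.+?)\s*"\s*\.\s*'
    r'The offending request parameter was "(?P<param>[^"]*)" '
    r'with a value of "(?P<value>.*)"\.')
RATE_RE = re.compile(r'Rate limit \((?P<limit>\d+)\) was exceeded with '
                     r'(?P<count>\d+) requests within (?P<window>\d+) seconds\.')


def compile_delimited(pattern):
    """Convert a delimited pattern such as '#etc/passwd#i' to a Python regex.
    Assumption: first character is the delimiter, trailing letters are flags;
    only the case-insensitive 'i' flag is handled."""
    if len(pattern) < 2:
        raise ValueError(f"not a delimited pattern: {pattern!r}")
    body, sep, flags = pattern[1:].rpartition(pattern[0])
    if not sep or not body:
        raise ValueError(f"not a delimited pattern: {pattern!r}")
    if set(flags) - {"i"}:
        raise ValueError(f"unsupported flags: {flags!r}")
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


def would_trip(pattern, value):
    """True if a request parameter value matches the logged rule pattern."""
    return compile_delimited(pattern).search(value) is not None


def parse_event(message):
    """Return the fields of a Firewall Block or Rate Limit message, else None."""
    m = FIREWALL_RE.search(message)
    if m:
        fields = dict(m.groupdict(), event="firewall_block")
        hit = compile_delimited(fields["pattern"]).search(fields["value"])
        fields["matched_text"] = hit.group(0) if hit else None  # why it tripped
        return fields
    m = RATE_RE.search(message)
    if m:
        fields = {k: int(v) for k, v in m.groupdict().items()}
        fields.update(event="rate_limit_exceeded",
                      over_limit=fields["count"] - fields["limit"])
        return fields
    return None
```

Calling `would_trip` with the logged pattern and the text a legitimate form or plugin sends shows whether that content is the source of a repeat lockout.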