Audit Trail Glossary

The Audit Trail is designed to give you full insight into significant actions taken on your site. It will let you see exactly what has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong.

These activities can be seen under the Audit Trail Viewer section. You may also filter logs if you want.

This Audit Trail Glossary helps you interpret audit trail logs: what they mean, which Shield setting relates to each log, and what action we recommend.

For example, you're blocked by the firewall, and your IP is blacklisted. So, you're locked out and you want to know what triggered the firewall and what action you should take to prevent future blocks. In this case, you'll follow these steps:

  1. Use a forceoff method to get back into your site
  2. Log into your site
  3. Go to the Manage IPs section and remove your IP from the blacklist
  4. Go to the Audit Trail Viewer and find the firewall block
  5. Use this Glossary to understand this audit trail log better, and take the recommended action.
  6. Remove the "forceoff" file

So, whenever you get locked out (blacklisted) as the result of Shield:

use a forceoff to get back in => remove your IP from the blacklist => review your audit trail logs to find the cause of the problem => use this Glossary to find the related Shield settings and take action to prevent future blocks => remove the "forceoff" file.

Audit Trail Glossary

Related setting | Audit Trail log | Description | Recommended action
License Check
Pro License check succeeded. Pro license activated on site. No action required.
Import/Export
Options imported from site:
https://master-site-name.com
Options imported from the Master site to this Slave site. No action required.
Import/Export - Notify Whitelist  Sent notifications to whitelisted sites for required options import. Notification sent to the Slave site to export options from the Master site. No action required.
Import/Export - Notify Whitelist    

Received notification that options import required.

Current master site: https://master-site-name.com


Slave site received notification to export options from the Master site. No action required.
Security Admin PIN
Failed authentication using Security Admin PIN. Admin provided an incorrect PIN.
Ensure that you're using the correct PIN.
If you've forgotten it, follow this guide here.
Remove your IP from the blacklist (if needed).
Security Admin PIN
Successful authentication using Security Admin PIN. Admin provided the correct PIN. No action required.
Allow Email Override
There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject
"[Your Site Name] Please Confirm Security Admin Removal".
An email notification with confirmation link for Security Admin removal sent to this user.

  • Click the link provided in this email to confirm the removal of the Security Admin restriction.
  • Check email sent to the email address specified in this log.
    PIN will be removed, and Security Admin disabled completely. 
Allow Email Override
There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject
"[Your Site Name] Security Admin restrictions have been removed".
An email notification that the Security Admin restriction has been removed.
PIN removed. Security Admin disabled completely.

You can set a new PIN (if you want).
Antibot Detection Engine
Request passed the AntiBot Test with a Visitor Score of "100" (minimum score: 35). You have the Antibot Detection Engine enabled in the Login Guard module

User tried to login and passed the antibot test.
  • Use IP Analysis tool under the IPs section here to analyse this user's IP, if you want. 
  • Look for their IP in the Traffic Watch viewer here to get more details. 
Antibot Detection Engine Request failed the AntiBot Test with a Visitor Score of "0" (minimum score: 35). You have the Antibot Detection Engine enabled in the Login Guard module

User blocked - tried to login but failed the antibot test.
This could be a bot, but it could also be a legit site user getting blocked. It's best to first check this log for this user's IP in the audit trail, and then

  • Use IP Analysis tool under the IPs section here to analyse this user's IP.

If this is a legit user, you can choose a lower minimum bot score here.

Login Bots

Attempted login failed by user "test-user".

Auto Black List offenses counter was incremented from 0 to 1.

User attempted to login with invalid password.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP. Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details. 
Login Bots

Attempted login with invalid user "test-admin".

Auto Black List offenses counter was incremented from 0 to 1.

User attempted to login with username that doesn't exist.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
Login Bots

Attempted login with invalid user "empty username".

Auto Black List offenses counter was incremented from 0 to 1.

User attempted to login without providing username.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP. Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
Probing Bots

404 detected at "/ads.txt".

Auto Black List offenses counter was incremented from 0 to 1.

A visitor tried to load a non-existent page.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
  • Look for their IP in the Traffic Watch viewer here to get more details.
Probing Bots

Link cheese access detected at "/test-wpsf-cheese-8a7b22c/".

404 detected at "/test-wpsf-cheese-8a7b22c/".

Bot detected (it follows a fake 'no-follow' link).

A non-existent page was hit.

Get yourself informed about this visitor. It's likely a bot.

  • Look for its IP under the Traffic Watch here to get more details.
Probing Bots 
(see also Lockdown)

Access to XML-RPC detected at "/xmlrpc.php".

Auto Black List offenses counter was incremented from 0 to 2.

XML-RPC system disabled.
Access attempt detected.

Offense triggered "0 to 2", because of the Probing Bots setting "Increment Offense Counter" (1st offense)

and WP Lockdown => XML-RPC System disabled (2nd offense).

When you disable XML-RPC system, this may break plugins that use this. 

You may need to enable XML-RPC system in Shield here.

Probing Bots
Auto Black List offenses counter was incremented from 0 to 1.

Tried to load an invalid WordPress PHP script "profile.php".
Invalid Script Load option set to "Increment Offense Counter".

Offense triggered x1.

User tried to load profile page (profile.php) before they were logged-in.

A non-admin user attempted to load a WP admin page, which isn't normal behavior. It could be a bot.



Use Traffic Log to get more information about this user.

Also, click an email address to analyse this IP to see if it's legit or not, etc.
Bot Behaviours
Fake Web Crawler detected at "/my-account/".

Auto Black List offenses counter was incremented from 0 to 1.

Fake search engine crawler detected.

Offense triggered (x1).

Get yourself informed about this visitor. It's likely a bot.

  • Look for its IP under the Traffic Watch here to get more details.
Offense Limit

Visitor found on the Black List and their connection was killed.

This event repeated 2 times in the last 24hrs.

The count starts from the time the first event happened and increments each time the event repeats.

Visitor exceeded the specified offense limit, and was automatically blocked from accessing the site.
Their IP is blacklisted.
  • Review/remove this IP from the block list here, if needed.

If you're locked out (blacklisted), follow these steps:

  1. Use a forceoff method to get back in.
  2. Go to the IPs section and remove your IP from the block list.
  3. Review your audit trail to see why you got blocked. Then, change the related Shield setting (if needed)
The 'unblock' file flag
IP address '123.45.67.217' removed from blacklist using 'unblock' file flag. Visitor's IP removed from the blacklist via FTP. Check your audit trail logs to find out why this visitor was blacklisted in the first place.
Core File Scanner 
WP Core Files scan completed and items were discovered. Modified WP core file detected.

Review file in the Scans section => Scan Results.
Unrecognised Files Scanner 
Unrecognised Files scan completed and items were discovered. Unrecognised file detected.

Review file in the Scans section => Scan Results.
Plugins & Themes Guard Scanner
Plugin/Theme Guard scan completed and items were discovered. Modified plugin/theme file detected. Review file in the Scans section => Scan Results.
Malware Scanner 
Malware scan completed and items were discovered. Malware file detected. Review file in the Scans section => Scan Results.
Vulnerabilities Scanner
Vulnerabilities scan completed and items were discovered. Vulnerable plugin detected. Review plugin in the Scans section => Scan Results.
Abandoned Plugin Scanner 
Abandoned Plugins scan completed and items were discovered. Abandoned plugin detected. Review plugin in the Scans section => Scan Results.
Core File Scanner 

WP Core Files scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-includes/rss.php" Modified WP core file repaired. No action required.
Unrecognised Files Scanner
Unrecognised Files scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-includes/test-unr-scan-1.php" Unrecognised file repaired/deleted. No action required.
Plugins & Themes Guard Scanner
Plugin/Theme Guard scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-content/plugins/plugin-name/plugin-name.php" Modified plugin/theme file repaired.  No action required.
Vulnerabilities Scanner Vulnerabilities scan repaired a item found in the scan. Item repaired: "Plugin Name" Update of the vulnerable plugin applied. Plugin file repaired. No action required.
Vulnerabilities Scanner Vulnerabilities scan could not repair item. Failed repair item: "Plugin Name" Update of the vulnerable plugin couldn't be applied. Plugin not repaired. Review plugin in the Scans section => Scan Results.

Re-install plugin, or update manually from within your WP plugins page, if needed.


Traffic Rate Limiting 
Visitor exceeded the maximum allowable requests (x) within (x) seconds.
Auto Black List offenses counter was incremented from 0 to 1.

Max number of requests allowed in time limit exceeded.

Visitor triggered Shield’s defenses.

Offense recorded against their IP address (x1).

Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
Aggressive Rules

(see also how to whitelist param)

Firewall Trigger: Aggressive Rules.

Page parameter failed firewall check.

The offending parameter was "return" 

with a value of "/wp-admin/admin.php?page=icwp-wpsf-insights&inav=audit".

Firewall Block Response: Visitor connection was killed with wp_die() and a message.

Auto Black List offenses counter was incremented from 0 to 1.

Firewall triggered.

Block response is based on the Firewall => Block Response setting. In this example, it's "Die With Message".

Offense triggered (x1).
Whitelist the offending parameter "return", directly from within this audit trail log, or manually.

Or, disable Aggressive Rules option.

Also, not recommended, but if you want to ensure that admins are never affected by the firewall, enable Ignore Administrators option.

Directory Traversal

(see also how to whitelist param)

Firewall Trigger: Directory Traversal.

Page parameter failed firewall check.

The offending parameter was "test002" 

with a value of "../../../../etc/passwd".

Firewall Block Response: Visitor connection was killed with wp_die() and a message.

Auto Black List offenses counter was incremented from 0 to 1.

Firewall triggered.

Block response is based on the Firewall => Block Response setting. In this example, it's "Die With Message".

Offense triggered (x1).
Whitelist the offending parameter "test002", directly from within this audit trail log, or manually.

Or, disable Directory Traversal option.

Also, not recommended, but if you want to ensure that admins are never affected by the firewall, enable Ignore Administrators option.
Field Truncation

(see also how to whitelist param)
Firewall Trigger: Field Truncation.

Page parameter failed firewall check.
The offending parameter was "your-message" with a value of "Hello, I have read that you...xxxxxxxxx".

Firewall Block Response: Visitor was sent 404.

Auto Black List offenses counter was incremented from 0 to 1.

Firewall triggered.

Block response is based on the Firewall => Block Response setting. In this example, it's "Return 404".

Offense triggered (x1).

Field truncation is where someone attempts to post/submit a massive amount of data in a form, which can overwhelm the form processing and data(base) storage. It can also be used in certain scenarios where truncating data that's too large can lead to an exploit. The Field Truncation firewall rule prevents this from happening.

Visitor triggered the firewall.

If you need to whitelist the offending parameter "your-message", you can do so directly from within this audit trail log, or manually.

Or, disable Field Truncation option.

Also, not recommended, but if you want to ensure that admins are never affected by the firewall, enable Ignore Administrators option.
Send Email Report 

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject

"[Your Site Name] Firewall Block Alert".

Successfully sent Firewall Block email alert to: your-email@site.com

A visitor was blocked and the firewall sent an email with the blocking details. Review the firewall block details for this visitor provided in this email to get more info.

Bot Protection

User "test-user" attempted "login" but Bot checkbox was not found.

Attempted login failed by user "test-user".

Auto Black List offenses counter was incremented from 0 to 2.

User tried to login without checking the "I'm a human." checkbox.

Login failed.

Offense triggered (x2).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
CAPTCHA for login form

CAPTCHA Test Fail

Attempted login failed by user "test-user".

IP blocked after incrementing offenses from 0 to 2.

User tried to login without checking the Captcha checkbox.

Login failed.

User exceeded the specified offense limit (x2), automatically blocked from accessing the site.

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
Cooldown Period 

Login/Register request triggered cooldown and was blocked.

Attempted login failed by user "test-user".

Auto Black List offenses counter was incremented from 0 to 2.

User attempted to log into the site during the cooldown period.

Login failed.

Offense triggered (x2)

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
2FA by email

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject 

"Two-Factor Login Verification".

The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.

User "test-user" sent two-factor authentication email to verify identity.

Email with the 2FA verification code sent to the user. Use 2FA verification code for login.

If audit trail is showing that email has been sent but you haven't received it, it's probably getting blocked somewhere.
More Info

We resolve email deliverability issues for 2FA with our SureSend system.
Allow Backup Codes 

User "test-user" verified their identity using Backup Code.

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject

"[Your Site Name] Notice: Backup Login Code Just Used".

Email notification that the user has used a login backup code. No action required.
Login Protection
Attempted user login by "test-user" was successful. User logged in.  Review user session, if you want. Go to the navigation menu => Users section.

You can also look for their IP in the Traffic Watch viewer here to get more details about this user.
Lock To Location 

Access to an established user session from a different IP address.

Logging out.

A logged-in user's IP address changed. The session is invalidated and user is forced to re-login. If you're getting logged out, maybe you'll need to disable Lock To Location option here.
User Session Management 

Valid user session could not be found.

Logging out.

An active session could not be found. User logged out. Review User Session Management settings. You may need to disable, e.g., the Max Simultaneous Sessions option.

If that doesn't help, you may need to disable the User Management module completely and test. It could be a plugin conflict.
User Registration 

Detected user registration with invalid email address (newuser01xxx@a-bc.net).

Email verification test that failed: nondisposable

New WordPress user registered. New username is "newuser01xxx" with email address "newuser01xxx@a-bc.net".

User tried to register with an invalid email address.

Disposable email used.

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP. Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
User Registration 

Detected user registration with invalid email address (test12345ccRaaa@net2force.net).

Email verification test that failed: domain_registered

New WordPress user registered. New username is "test12345ccRaaa" with email address "test12345ccRaaa@net2force.net".

User tried to register with an invalid email address.

Domain of this email address isn't registered.
Domain doesn't have an IP:

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP. Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
User Management

WordPress user deleted. Username was "newuser01xxx" with email address "newuser01xxx@a-bc.net".

User deleted from WP site. No action required.
Password Policies
Blocked attempted password update that failed policy requirements. A user tried to update or set a new password but it doesn't meet the password policy requirements imposed by security admin. User blocked but not blacklisted yet.
  • Look for their IP under the IPs section here.
Allow Manual User Suspension 
User ID 33 suspended by admin (site-admin) User suspended by site admin.

Login prevented.

No action required.
Allow Manual User Suspension 
User ID 33 unsuspended by admin (site admin) User unsuspended by site admin.

Login allowed.
No action required.
Admin Login Notification 

Attempted user login by "site-admin" was successful.

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject

"[Your Site Name] Notice - Administrator+ Just Logged Into https://your-site-name.com".

The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.


Shield is notifying you of a successful Administrator login to a WP site that you manage.
Review user session, if you want. Go to the navigation menu => Users section.
User Login Notification Email 

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject 

"[Your Site Name] Notice - A login to your WordPress account just occurred".

The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.

Shield is notifying user that a successful login for their account occurred. Review user session, if you want. Go to the navigation menu => Users section.
SPAM Bot Protection

Blocked SPAM comment from Bot.

Auto Black List offenses counter was incremented from 0 to 1.

Visitor tried to post a comment without checking the "I'm not a spammer." checkbox.

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable).

Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP. Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Comment Cooldown

Blocked SPAM comment from Bot.

Auto Black List offenses counter was incremented from 0 to 1.

The comment form submit button has a countdown timer so that visitors must wait before posting a comment.

Visitor tried to post a comment before the comment cooldown period had expired.

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable). You'll see something like this:
[* Shield plugin marked this comment as “Pending Moderation”. Reason: Failed Bot Test ( cooldown) *]

Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP. Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
CAPTCHA for comments form

CAPTCHA Test Fail

Blocked SPAM comment that failed CAPTCHA.

Auto Black List offenses counter was incremented from 0 to 1.

Visitor tried to post a comment without checking the Captcha checkbox.

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable).

Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Human SPAM Filter  

Blocked human SPAM comment containing suspicious content.

Human SPAM filter found " abercrom" in "comment_content"

Auto Black List offenses counter was incremented from 0 to 1.

Visitor tried to post a comment using human spam content (word "abercrom").

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable).
Get yourself informed about this visitor.
  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
Reporting

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject 

"[Your Site Name] Site Report - Shield".

The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.

Critical alerts about your site security (about recent scans), and non-critical information (stats) sent by email. Critical alerts are mostly related to the recent scans.
Go to the navigation menu => Scans section => and review scan results. Or, run the scans, if needed.
Automatic Plugins Updates

There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject

"[Your Site Name] Some plugins were automatically updated".

The "wp_mail" function was called from the file "wp-admin/includes/class-wp-automatic-updater.php" on line 1187.

Plugins updated automatically.

Note: Audit trail doesn't show when plugins are updated (either automatically or manually). It only shows that notification email about auto-update was sent.
WordPress 5.5 included auto-update notification emails.
Review plugins in your plugins page of your WP site.
Anonymous Rest API
Blocked Anonymous API Access through "wp" namespace. Anonymous Rest API disabled. Access attempt detected and blocked.

When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. 

You may need to enable Anonymous Rest API system in Shield here.

Anonymous Rest API 
Blocked Anonymous API Access through "oembed" namespace.
Anonymous Rest API disabled. Access attempt through oembed detected and blocked.

A namespace is the string between /wp-json/ and the next slash. E.g. for Contact Form 7 it's 'contact-form-7' (/wp-json/contact-form-7/).

WP oembed recognizes URLs to a number of services to auto format and display them, e.g. YouTube videos or WP posts/pages.
When you insert a URL into your page or post, WP sees the URL, connects to the external service (such as YouTube) and asks for the relevant HTML code to embed the video into the page or post. It'll display the title, text snippet, comments counter etc.

When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. 

You may need to enable Anonymous Rest API system in Shield here.

Disable XML-RPC 
Access to XML-RPC detected at "/xmlrpc.php". XML-RPC system disabled.
Access attempt detected.

When you disable XML-RPC system, this may break plugins that use this. 

You may need to enable XML-RPC system in Shield here.

Plugins Plugin "plugin-name/index.php" was activated. Plugin activated. Review plugins in your plugins page of your WP site.
Plugins Plugin "plugin-name/index.php" was deactivated. Plugin deactivated. Review plugins in your plugins page of your WP site.
Plugins
Plugin "Plugin Name" was upgraded from version 15.2.1 to version 15.3.
Plugin updated.
No action required.
Pages Post entitled "Test Page 1" was trashed.
Post Type: page
Page trashed. Review this page in your pages of your WP site.
Pages WordPress Post entitled "Test Page 1" was permanently deleted from trash. Page deleted from trash. No action required.
Pages Post entitled "Test Page 2" was published.
Post Type: page
Page published. Review this page in your pages of your WP site.
Pages Post entitled "Test Page 2" was updated.
Post Type: page
Page updated. Review this page in your pages of your WP site.
Posts Post entitled "Test Post 1" was trashed.
Post Type: post
Post trashed. Review this post in your posts page of your WP site.
Posts WordPress Post entitled "Test Post 1" was permanently deleted from trash. Post deleted from trash. No action required.
Posts Post entitled "Test Post 2" was published.
Post Type: post
Post published. Review this post in your posts page of your WP site.
Posts Post entitled "Test Post 2" was updated.
Post Type: post


Post updated. Review this post in your posts page of your WP site.
Permalinks
WordPress Permalinks Structure was updated from "/y%/%monthnum%/%year%/%postname%/tegory%/" to "/%postname%/".
Permalinks updated.
Review permalinks in your permalinks page of your WP site (under Settings).

Note: In case you need further help, you can reach out to ShieldPRO support here.
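
The firewall and offense entries in the glossary above use fixed message wording, so after a lockout they can be parsed to see which rule and parameter caused the block and how many offenses one request added. The following Python is an added example, not Shield's own code; it assumes the audit trail messages are available as plain text in the wording shown in this glossary, and `parse_entry`, `whitelist_candidates` and the sample messages are constructed for illustration.

```python
import re
from collections import Counter

# Patterns follow the message wording shown in the glossary entries above.
OFFENSE_RE = re.compile(
    r"(?P<kind>Auto Black List offenses counter was incremented"
    r"|IP blocked after incrementing offenses) from (?P<old>\d+) to (?P<new>\d+)")
TRIGGER_RE = re.compile(r"Firewall Trigger: (.+?)\.?[ \t]*$", re.M)
PARAM_RE = re.compile(
    r'The offending parameter was "([^"]*)"\s+with a value of "(.*)"\.?[ \t]*$',
    re.M)
RESPONSE_RE = re.compile(r"Firewall Block Response: (.+?)\.?[ \t]*$", re.M)

# Constructed sample messages, assembled from the example entries in the glossary.
TRAVERSAL = """Firewall Trigger: Directory Traversal.
Page parameter failed firewall check.
The offending parameter was "test002"
with a value of "../../../../etc/passwd".
Firewall Block Response: Visitor connection was killed with wp_die() and a message.
Auto Black List offenses counter was incremented from 0 to 1."""
TRUNCATION = """Firewall Trigger: Field Truncation.
Page parameter failed firewall check.
The offending parameter was "your-message" with a value of "Hello, I have read that you...xxxxxxxxx".
Firewall Block Response: Visitor was sent 404.
Auto Black List offenses counter was incremented from 0 to 1."""
XMLRPC = """Access to XML-RPC detected at "/xmlrpc.php".
Auto Black List offenses counter was incremented from 0 to 2."""
CAPTCHA = """CAPTCHA Test Fail
Attempted login failed by user "test-user".
IP blocked after incrementing offenses from 0 to 2."""
SAMPLES = [TRAVERSAL, TRUNCATION, TRAVERSAL, XMLRPC, CAPTCHA]


def parse_entry(message):
    """Turn one audit trail message into a structured record."""
    rec = dict(trigger=None, parameter=None, value=None, response=None,
               offenses_added=0, ip_blocked=False)
    m = OFFENSE_RE.search(message)
    if m:
        # A jump of more than 1 means several settings counted the same
        # request, as the XML-RPC entry (0 to 2) in the glossary explains.
        rec["offenses_added"] = int(m["new"]) - int(m["old"])
        rec["ip_blocked"] = m["kind"].startswith("IP blocked")
    m = TRIGGER_RE.search(message)
    if m:
        rec["trigger"] = m.group(1)
    m = PARAM_RE.search(message)
    if m:
        # The value is taken up to the last quote on its line, so values
        # that themselves contain quotes are kept whole.
        rec["parameter"], rec["value"] = m.group(1).strip(), m.group(2)
    m = RESPONSE_RE.search(message)
    if m:
        rec["response"] = m.group(1)
    return rec


def whitelist_candidates(messages):
    """Count firewall blocks per (trigger, parameter) pair, most frequent first.

    These are the pairs to review before whitelisting a parameter or
    changing the related firewall option.
    """
    counts = Counter()
    for msg in messages:
        rec = parse_entry(msg)
        if rec["trigger"] and rec["parameter"]:
            counts[(rec["trigger"], rec["parameter"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for pair, hits in whitelist_candidates(SAMPLES):
        print(hits, pair)
    for msg in SAMPLES:
        rec = parse_entry(msg)
        if rec["offenses_added"] > 1:
            print("multiple offenses from one request:", msg.splitlines()[0])
```
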