Traffic Watch Viewer is a tool you can use to review the logs of all HTTP requests made to your WordPress site.
How to review your WordPress site traffic
To do this, first enable the Traffic Watch module and configure it the way you want.
Once you've done that, simply go to the Shield Security Dashboard and select the Traffic tab to get a more informed view on your site traffic.
Traffic Viewer (Traffic section) provides a summary of each request including:
- IP address (and Geo-location)
- WP username (if logged-in)
- request path (including any query parameters)
- the HTTP response code for the request e.g. 200 (a successful request)
- whether the request was an offense against the Shield Security plugin
Note: If you click on a particular IP address, the IP Lists section page will open in a separate tab. There you'll be able to analyse this IP.
Read more about this here.
You can also filter which entries are displayed in the log table. Just click the "Filter Traffic Log" button inside the Traffic Viewer and filter log entries by:
- Visitor IP address
- Text that the page/path contains
- Response status code
- Visitor username. Please note that if you enter a visitor username, the "Logged-in" filter will be ignored.
- Whether the visitor is logged in or not
- Whether the request was an offense or not
- Whether you want to exclude your current IP from the filtering or not
For example, filter by offense:
Traffic log entries examples
Let's have a look at these 2 log entries:
Apart from the visitor's IP address and other data, we can also see that:
- The visitor loaded the login page:
- And then, the same visitor tried to log in to this site:
- The visitor failed to log in to this site and the request was an offense against Shield (please see here).
- The response status code for this page is 200 (a successful request).
Note: The actual response depends on the request method used. In a POST request, the response contains an entity describing or containing the result of the action.
Status codes are best described in this article here.
These 2 entries seem identical. Why, then, does the Viewer display them both?
Even though these 2 entries seem identical, they're actually not. The difference is the request method, GET versus POST:
- GET: "/travel/services/wp-login.php" - means that the visitor has only loaded the login page (not attempted to log in).
- POST: "/travel/services/wp-login.php" - means that the visitor has attempted to log in (entered login details).
GET and POST are best explained in the second part of this article here.
These xmlrpc.php entries could be XML-RPC brute force amplification attacks that are successfully blocked by Shield.
XML-RPC is enabled by default in WordPress because it helps connect your WordPress site with web and mobile apps. However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.
To learn how to block XML-RPC brute force amplification attacks, read this article here.
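The GET/POST distinction on wp-login.php and the xmlrpc.php entries described above can be tallied per visitor IP once log entries are available as records. The following is an added example, not Shield Security's own code; the field names, the sample entries and the `min_hits` threshold are constructed assumptions and do not represent the plugin's export format.

```python
from collections import defaultdict
from posixpath import basename
from urllib.parse import urlsplit

# Constructed sample entries; field names are assumptions for this example.
SAMPLE = [
    {"ip": "203.0.113.7", "method": "GET", "path": "/travel/services/wp-login.php", "code": 200, "offense": False},
    {"ip": "203.0.113.7", "method": "POST", "path": "/travel/services/wp-login.php", "code": 200, "offense": True},
    {"ip": "203.0.113.7", "method": "POST", "path": "/travel/services/wp-login.php?redirect_to=%2Fwp-admin%2F", "code": 200, "offense": True},
    {"ip": "198.51.100.23", "method": "POST", "path": "/xmlrpc.php", "code": 403, "offense": True},
    {"ip": "198.51.100.23", "method": "POST", "path": "/xmlrpc.php", "code": 403, "offense": True},
    {"ip": "192.0.2.10", "method": "GET", "path": "/travel/services/wp-login.php", "code": 200, "offense": False},
    {"ip": "192.0.2.10", "method": "GET", "path": "/blog/?p=12", "code": 200, "offense": False},
]

def classify(entry):
    """Label a request by script and method, ignoring query string and install subdirectory."""
    script = basename(urlsplit(entry["path"]).path)
    method = entry["method"].upper()
    if script == "wp-login.php":
        # POST carries submitted credentials; any other method only loads the page.
        return "login_attempt" if method == "POST" else "login_page_load"
    if script == "xmlrpc.php" and method == "POST":
        return "xmlrpc_call"
    return "other"

def summarise(entries):
    """Count request kinds and offenses per IP."""
    stats = defaultdict(lambda: defaultdict(int))
    for e in entries:
        stats[e["ip"]][classify(e)] += 1
        if e["offense"]:
            stats[e["ip"]]["offenses"] += 1
    return {ip: dict(counts) for ip, counts in stats.items()}

def ips_to_review(entries, min_hits=2):
    """IPs with at least min_hits login attempts and XML-RPC calls combined."""
    flagged = []
    for ip, c in summarise(entries).items():
        if c.get("login_attempt", 0) + c.get("xmlrpc_call", 0) >= min_hits:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    for ip, counts in summarise(SAMPLE).items():
        print(ip, counts)
    print("review:", ips_to_review(SAMPLE))
```

An IP that only loads the login page (GET) is counted separately from one that submits credentials (POST), so a single page view does not look like a login attempt.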
You can also download the traffic logs file, if you want:
For more information about the Traffic Watch module, read the release article here.