The Audit Trail is designed to give you full insight into significant actions taken on your site. It will let you see exactly what has been happening on your site so you can easily look back on events and analyse what happened and what may have gone wrong.


These activities can be seen under the Audit Trail Viewer section of the Shield Security Dashboard. You may also filter logs if you want.


This Audit Trail Glossary helps you interpret audit trail logs: what they mean, which Shield setting relates to each log, and what action we recommend.


For example, say you're blocked by the firewall and your IP is blacklisted. You're locked out, and you want to know what triggered the firewall and what action you should take to prevent future blocks. In this case, follow these steps:

  1. Use a forceoff method to get back into your site
  2. Log into your site
  3. Go to the IP Lists section and remove your IP from the blacklist
  4. Go to the Audit Trail Viewer and find the firewall block
  5. Use this Glossary to understand this audit trail log better, and take the recommended action.
  6. Remove the "forceoff" file

So, whenever you get locked out (blacklisted) as the result of Shield:

use a forceoff to get back in => remove your IP from the blacklist => review your audit trail logs to find the cause of the problem => use this Glossary to find the related Shield settings and take action to prevent future blocks => remove the "forceoff" file.

Audit Trail Glossary

Related setting | Audit Trail log | Description | Recommended action

License Check
Pro License check succeeded.
Pro license activated on site.
No action required.

Import/Export
Options imported from site: https://master-site-name.com
Options imported from the Master site to this Slave site.
No action required.

Import/Export - Notify Whitelist
Sent notifications to whitelisted sites for required options import.
Notification sent to the Slave site to export options from the Master site.
No action required.

Import/Export - Notify Whitelist
Received notification that options import required.
Current master site: https://master-site-name.com
Slave site received notification to export options from the Master site.
No action required.

Security Admin PIN
Failed authentication using Security Admin PIN.
Admin provided an incorrect PIN.
  • Ensure that you're using the correct PIN.
  • If you've forgotten it, follow this guide here.
  • Remove your IP from the blacklist (if needed).

Security Admin PIN
Successful authentication using Security Admin PIN.
Admin provided the correct PIN.
No action required.

Allow Email Override

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject
"[Your Site Name] Please Confirm Security Admin Removal".

An email notification with a confirmation link for Security Admin removal was sent to this user.

  • Check the email sent to the email address specified in this log.
  • Click the link provided in this email to confirm the removal of the Security Admin restriction.
    The PIN will be removed, and Security Admin disabled completely.

Allow Email Override

There was an attempt to send an email using the "wp_mail" function.

It was sent to "your-email@site.com" with the subject
"[Your Site Name] Security Admin restrictions have been removed".

An email notification that the Security Admin restriction has been removed.

PIN removed. Security Admin disabled completely.

You can set a new PIN (if you want).

Login Bots

Attempted login failed by user "test-user".


Auto Black List offenses counter was incremented from 0 to 1.

User attempted to login with invalid password.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.
Login Bots

Attempted login with invalid user "test-admin".


Auto Black List offenses counter was incremented from 0 to 1.

User attempted to login with username that doesn't exist.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Login Bots

Attempted login with invalid user "empty username".


Auto Black List offenses counter was incremented from 0 to 1.


User attempted to login without providing username.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Probing Bots 

404 detected at "/ads.txt".


Auto Black List offenses counter was incremented from 0 to 1.

A visitor tried to load a non-existent page.

Offense triggered (x1).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Probing Bots

Link cheese access detected at "/test-wpsf-cheese-8a7b22c/".


404 detected at "/test-wpsf-cheese-8a7b22c/".


Bot detected (it follows a fake 'no-follow' link).


A non-existent page was hit.


Get yourself informed about this visitor. It's likely a bot.

  • Look for its IP under the Traffic Watch here to get more details.

Probing Bots 
(see also Lockdown)

Access to XML-RPC detected at "/xmlrpc.php".


Auto Black List offenses counter was incremented from 0 to 2.


XML-RPC system disabled.
Access attempt detected.


Offense triggered "0 to 2" because of the Probing Bots setting "Increment Offense Counter" (1st offense) and WP Lockdown => XML-RPC System disabled (2nd offense).

Disabling the XML-RPC system may break plugins that use it.

You may need to enable the XML-RPC system in Shield here.



Probing Bots 
Auto Black List offenses counter was incremented from 0 to 1.

Tried to load an invalid WordPress PHP script "profile.php".
Invalid Script Load option set to "Increment Offense Counter".

Offense triggered x1.

User tried to load profile page (profile.php) before they were logged-in.

A non-admin user attempted to load a WP admin page, which isn't normal behavior. It could be a bot.



Use Traffic Log to get more information about this user.

Also, click an email address to analyse this IP to see if it's legit or not, etc.
Bot Behaviours

Fake Web Crawler detected at "/my-account/".

Auto Black List offenses counter was incremented from 0 to 1.

Fake search engine crawler detected.

Offense triggered (x1).

Get yourself informed about this visitor. It's likely a bot.

  • Look for its IP under the Traffic Watch here to get more details.

Offense Limit 

Visitor found on the Black List and their connection was killed.


This event repeated 2 times in the last 24hrs.


The count starts from the time of the first event and is incremented each time the event repeats.

The visitor exceeded the specified offense limit and was automatically blocked from accessing the site.
Their IP is blacklisted.
  • Review/remove this IP from the block list here, if needed.

If you're locked out (blacklisted), follow these steps:

  1. Use a forceoff method to get back in.
  2. Go to the IPs section and remove your IP from the block list.
  3. Review your audit trail to see why you got blocked. Then, change the related Shield setting (if needed).

The 'unblock' file flag
IP address '123.45.67.217' removed from blacklist using 'unblock' file flag.
Visitor's IP removed from the blacklist via FTP.
Check your audit trail logs to find out why this visitor was blacklisted in the first place.

Core File Scanner
WP Core Files scan completed and items were discovered.
Modified WP core file detected.
Review file in the Scans section => Scan Results.

Unrecognised Files Scanner
Unrecognised Files scan completed and items were discovered.
Unrecognised file detected.
Review file in the Scans section => Scan Results.

Plugins & Themes Guard Scanner
Plugin/Theme Guard scan completed and items were discovered.
Modified plugin/theme file detected.
Review file in the Scans section => Scan Results.

Malware Scanner
Malware scan completed and items were discovered.
Malware file detected.
Review file in the Scans section => Scan Results.

Vulnerability Scanner
Vulnerabilities scan completed and items were discovered.
Vulnerable plugin detected.
Review plugin in the Scans section => Scan Results.

Abandoned Plugin Scanner
Abandoned Plugins scan completed and items were discovered.
Abandoned plugin detected.
Review plugin in the Scans section => Scan Results.

Core File Scanner
WP Core Files scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-includes/rss.php"
Modified WP core file repaired.
No action required.

Unrecognised Files Scanner
Unrecognised Files scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-includes/test-unr-scan-1.php"
Unrecognised file repaired/deleted.
No action required.

Plugins & Themes Guard Scanner
Plugin/Theme Guard scan repaired a item found in the scan. Item repaired: "/srv/users/xxxxxxx/public/wp-content/plugins/plugin-name/plugin-name.php"
Modified plugin/theme file repaired.
No action required.

Vulnerability Scanner
Vulnerabilities scan repaired a item found in the scan. Item repaired: "Plugin Name"
Update of the vulnerable plugin applied. Plugin file repaired.
No action required.

Vulnerability Scanner
Vulnerabilities scan could not repair item. Failed repair item: "Plugin Name"
Update of the vulnerable plugin couldn't be applied. Plugin not repaired.
Review plugin in the Scans section => Scan Results.
Re-install the plugin, or update it manually from within your WP plugins page, if needed.


Traffic Rate Limiting

Visitor exceeded the maximum allowable requests (x) within (x) seconds.

Auto Black List offenses counter was incremented from 0 to 1.

Max number of requests allowed in time limit exceeded.

Visitor triggered Shield’s defenses.

Offense recorded against their IP address (x1).


Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Aggressive Rules

(see also how to whitelist param)

Firewall Trigger: Aggressive Rules.


Page parameter failed firewall check.

The offending parameter was "return" 

with a value of "/wp-admin/admin.php?page=icwp-wpsf-insights&inav=audit".


Firewall Block Response: Visitor connection was killed with wp_die() and a message.


Auto Black List offenses counter was incremented from 0 to 1.


Firewall triggered.

Block response is based on the Firewall => Block Response setting. In this example, it's "Die With Message".

Offense triggered (x1).

Whitelist the offending parameter "return", directly from within this audit trail log, or manually.

Or, disable the Aggressive Rules option.

It isn't recommended, but if you want to ensure that admins are never affected by the firewall, enable the Ignore Administrators option.

Directory Traversal 

(see also how to whitelist param)

Firewall Trigger: Directory Traversal.


Page parameter failed firewall check.

The offending parameter was "test002" 

with a value of "../../../../etc/passwd".


Firewall Block Response: Visitor connection was killed with wp_die() and a message.


Auto Black List offenses counter was incremented from 0 to 1.


Firewall triggered.

Block response is based on the Firewall => Block Response setting. In this example, it's "Die With Message".

Offense triggered (x1).

Whitelist the offending parameter "test002", directly from within this audit trail log, or manually.

Or, disable the Directory Traversal option.

It isn't recommended, but if you want to ensure that admins are never affected by the firewall, enable the Ignore Administrators option.

Field Truncation

(see also how to whitelist param)
Firewall Trigger: Field Truncation.

Page parameter failed firewall check.
The offending parameter was "your-message" with a value of "Hello, I have read that you...xxxxxxxxx".

Firewall Block Response: Visitor was sent 404.

Auto Black List offenses counter was incremented from 0 to 1.

Firewall triggered.

Block response is based on the Firewall => Block Response setting. In this example, it's "Return 404".

Offense triggered (x1).

Field truncation is where someone attempts to post/submit a massive amount of data in a form, which can overwhelm the form processing and data(base) storage. It can also be used in certain scenarios where truncating data that's too large can lead to an exploit. The Field Truncation firewall rule prevents this from happening.

Visitor triggered the firewall.

If you need to whitelist the offending parameter "your-message", you can do so directly from within this audit trail log, or manually.

Or, disable the Field Truncation option.

It isn't recommended, but if you want to ensure that admins are never affected by the firewall, enable the Ignore Administrators option.

Send Email Report 

There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject

"[Your Site Name] Firewall Block Alert".


Successfully sent Firewall Block email alert to: your-email@site.com


A visitor was blocked and the firewall sent an email with the blocking details.

Review the firewall block details for this visitor provided in this email to get more info.

Bot Protection



User "test-user" attempted "login" but Bot checkbox was not found.


Attempted login failed by user "test-user".


Auto Black List offenses counter was incremented from 0 to 2.


User tried to login without checking the "I'm a human." checkbox.

Login failed.

Offense triggered (x2).

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

CAPTCHA for login form

CAPTCHA Test Fail


Attempted login failed by user "test-user".


IP blocked after incrementing offenses from 0 to 2.


User tried to login without checking the Captcha checkbox.

Login failed.

User exceeded the specified offense limit (x2), automatically blocked from accessing the site.

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Cooldown Period 

Login/Register request triggered cooldown and was blocked.


Attempted login failed by user "test-user".


Auto Black List offenses counter was incremented from 0 to 2.


User attempted to log into the site during the cooldown period.


Login failed.


Offense triggered (x2)


Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

2FA by email 

There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject 

"Two-Factor Login Verification".


The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.


User "test-user" sent two-factor authentication email to verify identity.



Email with the 2FA verification code sent to the user.

Use the 2FA verification code for login.

If the audit trail shows that the email has been sent but you haven't received it, it's probably getting blocked somewhere.
More Info

We resolve email deliverability issues for 2FA with our SureSend system.

Allow Backup Codes 

User "test-user" verified their identity using Backup Code.


There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject

"[Your Site Name] Notice: Backup Login Code Just Used".

Email notification that the user has used a login backup code.

No action required.

Login Protection
Attempted user login by "test-user" was successful.
User logged in.
Review user session, if you want. Go to the Shield Security Dashboard => Users section.

You can also look for their IP in the Traffic Watch viewer here to get more details about this user.

Lock To Location 

Access to an established user session from a different IP address.

Logging out.

A logged-in user's IP address changed. The session is invalidated and the user is forced to log in again.

If you're getting logged out, you may need to disable the Lock To Location option here.

User Session Management 

Valid user session could not be found.

Logging out.


An active session could not be found. User logged out.

Review the User Session Management settings. You may need to disable, for example, the Max Simultaneous Sessions option.

If that doesn't help, you may need to disable the User Management module completely and test. It could be a plugin conflict.

User Registration 

Detected user registration with invalid email address (newuser01xxx@a-bc.net).


Email verification test that failed: nondisposable


New WordPress user registered. New username is "newuser01xxx" with email address "newuser01xxx@a-bc.net".


User tried to register with an invalid email address.

Disposable email used.

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

User Registration 

Detected user registration with invalid email address (test12345ccRaaa@net2force.net).


Email verification test that failed: domain_registered


New WordPress user registered. New username is "test12345ccRaaa" with email address "test12345ccRaaa@net2force.net".


User tried to register with an invalid email address.

Domain of this email address isn't registered.
Domain doesn't have an IP:

Get yourself informed about this user.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

User Management

WordPress user deleted. Username was "newuser01xxx" with email address "newuser01xxx@a-bc.net".


User deleted from WP site.
No action required.

Password Policies
Blocked attempted password update that failed policy requirements.
A user tried to update or set a new password, but it doesn't meet the password policy requirements imposed by the security admin.
User blocked but not blacklisted yet.
  • Look for their IP under the IPs section here.

Allow Manual User Suspension
User ID 33 suspended by admin (site-admin)
User suspended by site admin. Login prevented.
No action required.

Allow Manual User Suspension
User ID 33 unsuspended by admin (site admin)
User unsuspended by site admin. Login allowed.
No action required.

Admin Login Notification 

Attempted user login by "site-admin" was successful.


There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject

"[Your Site Name] Notice - Administrator+ Just Logged Into https://your-site-name.com".


The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.




Shield is notifying you of a successful Administrator login to a WP site that you manage.
Review user session, if you want. Go to the Shield Security Dashboard => Users section.
User Login Notification Email 

There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject 

"[Your Site Name] Notice - A login to your WordPress account just occurred".


The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.



Shield is notifying the user that a successful login for their account occurred.

Review user session, if you want. Go to the Shield Security Dashboard => Users section.

SPAM Bot Protection

Blocked SPAM comment from Bot.


Auto Black List offenses counter was incremented from 0 to 1.


Visitor tried to post a comment without checking the "I'm not a spammer." checkbox.

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable).

Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.



 
Comment Cooldown

Blocked SPAM comment from Bot.


Auto Black List offenses counter was incremented from 0 to 1.


The comment form submit button has a countdown timer so that visitors must wait before posting a comment.

Visitor tried to post a comment before the comment cooldown period had expired.

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable). You'll see something like this:
[* Shield plugin marked this comment as “Pending Moderation”. Reason: Failed Bot Test (cooldown) *]

Get yourself informed about this visitor.
  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

CAPTCHA for comments form

CAPTCHA Test Fail


Blocked SPAM comment that failed reCAPTCHA.


Auto Black List offenses counter was incremented from 0 to 1.


Visitor tried to post a comment without checking the Captcha checkbox.

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable).

Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Human SPAM Filter  



Blocked human SPAM comment containing suspicious content.


Human SPAM filter found "abercrom" in "comment_content"


Auto Black List offenses counter was incremented from 0 to 1.


Visitor tried to post a comment containing human spam content (the word "abercrom").

Offense triggered (x1).
Comment blocked. Review it in the comments page of your WP site (if applicable).

Get yourself informed about this visitor.

  • Use IP Analysis tool under the IPs section here to analyse this IP.
    Remove their IP from the block list (if needed).
  • Look for their IP in the Traffic Watch viewer here to get more details.

Reporting

There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject 

"[Your Site Name] Site Report - Shield".


The "wp_mail" function was called from the file "wp-content/plugins/wp-simple-firewall/src/processors/email.php" on line 136.



Critical alerts about your site security (about recent scans), and non-critical information (stats) sent by email.

Critical alerts are mostly related to the recent scans.
Go to the Shield Security Dashboard => Scans section => and review scan results. Or, run the scans, if needed.

Automatic Plugins Updates

There was an attempt to send an email using the "wp_mail" function.


It was sent to "your-email@site.com" with the subject

"[Your Site Name] Some plugins were automatically updated".

The "wp_mail" function was called from the file "wp-admin/includes/class-wp-automatic-updater.php" on line 1187.


Plugins updated automatically.

Note: Audit trail doesn't show when plugins are updated (either automatically or manually). It only shows that notification email about auto-update was sent.
WordPress 5.5 included auto-update notification emails.
Review plugins in your plugins page of your WP site.
Anonymous Rest API
Blocked Anonymous API Access through "wp" namespace.
Anonymous Rest API disabled. Access attempt detected and blocked.

When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. 

You may need to enable Anonymous Rest API system in Shield here.


Anonymous Rest API 
Blocked Anonymous API Access through "oembed" namespace.
Anonymous Rest API disabled. Access attempt through oembed detected and blocked.

A namespace is the string between /wp-json/ and the next slash. For example, for Contact Form 7 it's 'contact-form-7' (/wp-json/contact-form-7/).

WP oembed recognizes URLs to a number of services so it can auto-format and display them, for example YouTube videos or WP posts/pages.
When you insert a URL into your page or post, WP sees the URL, connects to the external service (such as YouTube) and asks for the relevant HTML code to embed the video into the page or post. It'll display the title, text snippet, comments counter, etc.

When you disable the Anonymous Rest API option, this may break plugins that use the REST API for your site visitors. 

You may need to enable Anonymous Rest API system in Shield here.


Disable XML-RPC
Access to XML-RPC detected at "/xmlrpc.php".
XML-RPC system disabled.
Access attempt detected.

When you disable XML-RPC system, this may break plugins that use this. 

You may need to enable XML-RPC system in Shield here.


Plugins
Plugin "plugin-name/index.php" was activated.
Plugin activated.
Review plugins on the plugins page of your WP site.

Plugins
Plugin "plugin-name/index.php" was deactivated.
Plugin deactivated.
Review plugins on the plugins page of your WP site.

Plugins
Plugin "Plugin Name" was upgraded from version 15.2.1 to version 15.3.
Plugin updated.
No action required.

Pages
Post entitled "Test Page 1" was trashed.
Post Type: page
Page trashed.
Review this page in the pages list of your WP site.

Pages
WordPress Post entitled "Test Page 1" was permanently deleted from trash.
Page deleted from trash.
No action required.

Pages
Post entitled "Test Page 2" was published.
Post Type: page
Page published.
Review this page in the pages list of your WP site.

Pages
Post entitled "Test Page 2" was updated.
Post Type: page
Page updated.
Review this page in the pages list of your WP site.

Posts
Post entitled "Test Post 1" was trashed.
Post Type: post
Post trashed.
Review this post on the posts page of your WP site.

Posts
WordPress Post entitled "Test Post 1" was permanently deleted from trash.
Post deleted from trash.
No action required.

Posts
Post entitled "Test Post 2" was published.
Post Type: post
Post published.
Review this post on the posts page of your WP site.

Posts
Post entitled "Test Post 2" was updated.
Post Type: post
Post updated.
Review this post on the posts page of your WP site.

Permalinks
WordPress Permalinks Structure was updated from "/y%/%monthnum%/%year%/%postname%/tegory%/" to "/%postname%/".
Permalinks updated.
Review permalinks in your permalinks page of your WP site (under Settings).
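
When you review firewall and offense entries like the ones in this glossary, it helps to pull out the rule, the offending parameter and the offense count mechanically. The following is an added example, not Shield's own code: it parses the message wording shown above and groups firewall hits by rule and parameter, so you can see which values tripped a rule before deciding whether to whitelist the parameter. It assumes each audit trail entry is available as a list of message strings; the function names and the sample entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Message wording as shown in this glossary's log examples.
RE_TRIGGER = re.compile(r'Firewall Trigger: ([^.]+)\.')
RE_PARAM = re.compile(r'The offending parameter was "([^"]*)" with a value of "(.*)"\.?$')
RE_RESPONSE = re.compile(r'Firewall Block Response: (.+?)\.?$')
RE_COUNTER = re.compile(r'offenses counter was incremented from (\d+) to (\d+)')
RE_BLOCKED = re.compile(r'IP blocked after incrementing offenses from (\d+) to (\d+)')


def parse_entry(messages):
    """Extract firewall and offense details from one audit trail entry.

    `messages` is the list of message strings shown for a single entry
    (an assumption about how the entry was copied out of the viewer).
    """
    info = {"rule": None, "param": None, "value": None,
            "response": None, "offenses": 0, "blocked": False}
    for raw in messages:
        msg = " ".join(raw.split())  # undo line wrapping from copy/paste
        if m := RE_TRIGGER.search(msg):
            info["rule"] = m.group(1)
        if m := RE_PARAM.search(msg):
            info["param"], info["value"] = m.group(1), m.group(2)
        if m := RE_RESPONSE.search(msg):
            info["response"] = m.group(1)
        if m := RE_COUNTER.search(msg) or RE_BLOCKED.search(msg):
            # e.g. "0 to 2" gives 2 offenses recorded for this one request
            info["offenses"] = int(m.group(2)) - int(m.group(1))
            info["blocked"] = info["blocked"] or "IP blocked" in msg
    return info


def firewall_hits(entries):
    """Group firewall hits by (rule, parameter) with hit count and values seen."""
    hits = defaultdict(lambda: {"count": 0, "values": set()})
    for messages in entries:
        info = parse_entry(messages)
        if info["rule"] and info["param"] is not None:
            key = (info["rule"], info["param"])
            hits[key]["count"] += 1
            hits[key]["values"].add(info["value"])
    return dict(hits)


# Constructed sample: entries re-typed from the log examples in this glossary.
# The value in the last entry is made up to show grouping.
SAMPLE = [
    ['Firewall Trigger: Aggressive Rules.',
     'Page parameter failed firewall check.',
     'The offending parameter was "return"\nwith a value of '
     '"/wp-admin/admin.php?page=icwp-wpsf-insights&inav=audit".',
     'Firewall Block Response: Visitor connection was killed with wp_die() and a message.',
     'Auto Black List offenses counter was incremented from 0 to 1.'],
    ['Firewall Trigger: Directory Traversal.',
     'The offending parameter was "test002" with a value of "../../../../etc/passwd".',
     'Auto Black List offenses counter was incremented from 0 to 1.'],
    ['Access to XML-RPC detected at "/xmlrpc.php".',
     'Auto Black List offenses counter was incremented from 0 to 2.'],
    ['CAPTCHA Test Fail',
     'Attempted login failed by user "test-user".',
     'IP blocked after incrementing offenses from 0 to 2.'],
    ['Firewall Trigger: Aggressive Rules.',
     'The offending parameter was "return" with a value of "/wp-admin/index.php".',
     'Auto Black List offenses counter was incremented from 1 to 2.'],
]

if __name__ == "__main__":
    for messages in SAMPLE:
        print(parse_entry(messages))
    for (rule, param), hit in firewall_hits(SAMPLE).items():
        print(f"{rule}: parameter {param!r} hit {hit['count']}x, "
              f"values {sorted(hit['values'])}")
```

A parameter whose values are all your own admin URLs, as in the Aggressive Rules sample, is the kind of hit the whitelist action is meant for; review the collected values for each parameter before whitelisting it.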

Note: In case you need further help, you can reach out to ShieldPRO support here.