The coverage of the WP Activity Log plugin is very extensive; the plugin can keep a log of hundreds of different user actions and changes on a WordPress website. For every different type of activity it records, the plugin reports the date and time of the change, the event ID, the user and their role, the message, and also the severity level of that event.
This article explains what severity levels are, why they are used, and how they are used.
What are severity levels in the WordPress activity log?
An event ID represents a specific change or action, and each event ID has a severity level associated with it.
The purpose of the severity levels is to show you which events you should check and take note of. Severity levels also help you understand the potential impact a user change or action can have on the functionality, security and management of the website. There are five severity levels in the activity log:
|Severity level||Severity level as per RFC 5424||Icon|
The different activity log severity levels
Activity in the WordPress activity log with Critical severity level
Event IDs with Critical severity level are used to keep a log of activity that can have an impact on the security state of your WordPress website and its functionality.
Therefore, whenever there is an activity log event with a Critical severity level, you should take note of it and confirm whether the reported change or activity is legitimate. If it is legitimate, there is nothing to be alarmed about. However, if the reported activity is not legitimate, you should check the logs to see what is happening.
Examples of activity in the activity log with Critical severity level
A new user has been created on the website or a user’s role has been changed. This depends on the type of website that you have. If you have a membership website, maybe the fact that a new user has been created on your website is not too important. However, on most websites it is important to know that a new user has been created, and even more important to know when a user’s role (capabilities) has been changed.
A new plugin has been installed on the website. A plugin can change the functionality of a website or allow new functionality as well as introduce new features. Therefore, you should know whenever a new plugin is installed on your website, and what the plugin is, which is why these alerts have a Critical severity level.
The activity log has been purged, or data about a user or IP address has been deleted from the logs. This almost goes without saying; if some changes have been deleted from the logs, you should immediately know about it.
Some WordPress settings have been changed. While some WordPress settings do not have a direct impact on a website’s functionality and security, some do. For example, when someone changes the default role that is assigned to new users, you should know about it, since this can have a big impact on the security of your WordPress website.
There are several other event IDs which have the Critical severity level. For a complete list of event IDs refer to the complete list of the activity log event IDs.
Activity in the WordPress activity log with High severity level
Event IDs with High severity level are used to keep a log of events that can have an impact on the functionality of your website, and maybe on its security as well.
Therefore, it is very important to check activity log events with High severity level and confirm their legitimacy.
Examples of activity in the activity log with High severity level
A user changed their own password or the password of another user. Password changes are a good thing, as long as they are legitimate. It is important to keep an eye on such activity, especially for WordPress users who can make changes to the website, such as users with administrator, editor and author roles.
A plugin or a theme has been activated, deactivated or uninstalled. This type of activity can change existing functionality on your website or introduce new features. A newly activated plugin or theme can also create new technical problems on a website. Hence, it is imperative that you keep an eye on such activity on your WordPress website.
Some WordPress settings that affect the website’s functionality have been changed. This applies to settings changes in, for example, the site’s permalinks, or which page is the homepage. While these types of settings changes do not have any effect on the security of your website, they do have a massive impact on its functionality and also SEO.
Activity in the WordPress activity log with Medium severity level
You do not need to keep track of or know about event IDs with Medium severity because this type of activity does not have any impact on the functionality or security of your website.
However, the plugin keeps a log of such activity because these are the types of events you need when doing forensics, or when troubleshooting a technical issue. These event IDs are also typically used a lot in reports. This means that you can safely ignore these events unless you need them.
Examples of activity in the activity log with Medium severity level
User session management. There are quite a few event IDs that fall under this category, such as failed login attempts, a user terminating another user’s session, or a user’s session being blocked. You do not really need to keep yourself informed about session management; however, you might need this data for reports or during forensics.
Post changes that affect the status of the post. There are several types of post changes. Some of them affect the metadata of a post, some the content, and some the post’s status. All activity that affects the status of a post has Medium severity level. For example, when the status of a post is changed or when a post is deleted.
Changes that affect the status of a product. The same as above: if, for example, you have a WooCommerce store or you use Gravity Forms, and the status of a product or a form changes, or a new one is created or deleted, the events in the WordPress activity log reporting such activity will have Medium severity level. These types of changes do not affect the security of your website; however, they change the content and what it provides, so even though these changes are nothing critical, you might need to know about them.
Changes in website widgets and menus. Widgets and menus can drastically change the look and feel of a website, and also its usability. Examples are when new menus are created, or items are added or changed in a menu.
Activity in the WordPress activity log with Low severity level
The same as with events with Medium severity level, you do not need to keep track of or know about event IDs with Low severity. Events with Low severity level are used to keep track of daily activities that take place on your website and, in general, this type of activity does not have any impact on the functionality or security of your website.
Events with Low severity level are mostly used when troubleshooting a technical issue, for user accountability, and for reports, meaning that you do not need to check out each one of them.
Examples of activity in the activity log with Low severity level
User logins and logouts. Whenever a user logs in to your WordPress website, the plugin keeps a log of such activity using event ID 1000, which has a Low severity level. In general, user logins and logouts are not of interest in most cases, since this is something that happens on a daily basis. However, the plugin keeps a log of these actions because such data is typically vital for reports, user accountability and the management of a business.
Minor changes in categories, custom fields and other metadata. WP Activity Log also keeps a log of when, for example, a category’s parent has changed, or when the value of a custom field has changed. Similar to the above, these types of changes happen on a daily basis on your website and do not pose any security risk to your website, though you will use such data in reports. Hence, such activity is marked with Low severity level.
Changes in product text, stock status & quantity, and other metadata. If you run a busy e-commerce store with WooCommerce, the products’ metadata is constantly changing. For example, whenever there is an order, the stock quantity of a product is changed. Or you have a team who are maintaining the store, updating the products’ text, entering new products etc. Most of this is day-to-day data that does not affect the functionality of the store, and that’s why it is reported using event IDs with Low severity level.
Activity in the WordPress activity log with Information severity level
As the name of this severity level implies, activity in the activity log with Information severity level is reported purely for informational purposes. None of the activity with Information severity level has any effect on the functionality and security of your WordPress website.
In most cases this information is handy for troubleshooting issues, reports, and in some cases, also in forensics.
Examples of activity in the activity log with Information severity level
User requested a password reset. When a user requests a password reset on a WordPress website, it does not mean that the password was actually changed. Therefore, nothing changes when this happens, and you do not need to be informed about these sorts of changes. However, the plugin keeps a log of such activity since this information can be crucial in forensics, or when troubleshooting an issue.
Changes in trivial post metadata. Trivial post metadata changes happen quite often on a website, though very often you do not need to know about them. For example, when a user changes the published date of a post, or an author adds tags to or removes tags from a post. It is important to have a record of such changes for user accountability, reports and management, but you do not need to know about them unless you really need to.
The complete list of event IDs in the WordPress activity log
The WP Activity Log uses hundreds of different event IDs to keep a log of user activity in the WordPress activity log. For a complete list of these event IDs and the assigned severity levels, refer to the complete list of event IDs in the WordPress activity log.
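The review guidance above (confirm Critical and High events, keep the rest for forensics and reports) can be applied to an exported log with a short script. This is an added example, not code from the plugin: the CSV column names and every event ID other than 1000 are constructed placeholders, and the export format is an assumption.

```python
import csv
import io
from collections import Counter

# The five severity levels named in the article, most to least severe.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Information"]
# Per the article, Critical and High events should be checked and confirmed;
# Medium, Low and Information are kept for forensics, troubleshooting, reports.
REVIEW_LEVELS = {"Critical", "High"}

# Constructed sample export. Column names are assumed; event IDs other than
# 1000 (user login, from the article) are placeholders, not real plugin IDs.
SAMPLE_CSV = """\
timestamp,event_id,severity,user,role,message
2024-05-01T09:00:12,1000,Low,alice,editor,User logged in
2024-05-01T09:03:40,9001,High,alice,editor,User changed own password
2024-05-01T09:10:05,9002,critical,carol,administrator,New plugin installed
2024-05-01T09:11:30,9003,Medium,unknown,none,Failed login attempt
2024-05-01T09:12:00,9004,Critical,carol,administrator,User role changed
2024-05-01T09:15:00,9005,Information,bob,author,Password reset requested
2024-05-01T09:20:00,9006,urgent,bob,author,Row with an unrecognised level
"""

def triage(csv_text):
    """Split events into a review queue and per-level counts of retained events."""
    rank = {name: i for i, name in enumerate(SEVERITY_ORDER)}
    review, retained = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = row["severity"].strip().capitalize()  # tolerate case differences
        row["severity"] = sev
        if sev in rank and sev not in REVIEW_LEVELS:
            retained[sev] += 1
        else:
            # Critical, High, or an unrecognised label: an unknown level is
            # queued for review rather than silently dropped.
            review.append(row)
    # Unknown labels first, then Critical, then High; oldest first per level.
    review.sort(key=lambda r: (rank.get(r["severity"], -1), r["timestamp"]))
    return review, dict(retained)

if __name__ == "__main__":
    queue, kept = triage(SAMPLE_CSV)
    for event in queue:
        print(event["timestamp"], event["severity"], event["event_id"],
              event["user"], event["message"])
    print("retained for forensics/reports:", kept)
```

Sending unrecognised severity labels to the review queue keeps a malformed or renamed level from hiding an event that should have been confirmed.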