The Wordfence Audit Log is a premium feature that records a history of events on your site to assist in monitoring for unauthorized actions or signs of compromise. Events can include everything from user creation and editing to plugin/theme installation and updates. All data captured for relevant events is saved remotely to Wordfence Central to prevent any tampering that may interfere with post-incident analysis and response.

The “Audit Log” wp-admin page shows a list of recent events, while details of each event are stored off-site on Wordfence Central, similar to the example below:

Events are stored on Wordfence Central for 30 days for sites with a Premium license, 60 days for a Care license, and 90 days for a Response license.

How to use the Audit Log

By default, the Audit log is set to Preview mode for Free and Premium users. Care and Response users will find the Audit log set automatically to record Significant Events. In the Preview mode, both Free and Premium users will be able to view a summary of certain events on the plugin’s Audit Log page. In order to receive the full benefits of the Audit Log, Premium users will need to enable the Audit log.

Setup only takes a few steps:

• Connect your site to Wordfence Central, if it has not already been connected. This can be done from the Audit Log page or the Wordfence Dashboard.
• On the Audit Log page on your site, choose either the “Significant Events” or “All Events” mode
• Click “Save Changes”

Events should begin recording and will appear on Wordfence Central. Some events such as disabling plugins are sent immediately to Central, while others are queued, and may take a few minutes to be sent.

Viewing the Audit Log on Wordfence Central

To view the audit log, you can either click the “View Audit Log” link on the Audit Log page on your site, or log in to Wordfence Central and click the “Audit Log” link for any of your sites, next to the site’s URL.

Audit log events appear like the example above. The first column contains information about the request that triggered the event, such as the request path, IP address, username, and action name. The “Details” button shows any additional parameter names in the request, though some data is redacted for security and privacy reasons.

The “Event” column shows details of the event, such as a user login, changing significant WordPress or Wordfence settings, creating users, modifying a role, updating plugins, deleting a plugin, or uploading an attachment. This section also includes version numbers, user IDs, post IDs, and other data. The “Details” button may show many more details in some cases, including additional plugin information, all capabilities of user roles, and which fields have changed for some types of records.

You can filter events by type or search for events in the upper-right corner of the page. The default time range is 1 hour, but you can choose a longer duration or use a custom date range.

Settings

On the Audit Log page on the Wordfence menu, there are a few buttons and settings, along with a list of the most recent events. If your site is connected to Wordfence Central, you should see a “View Audit Log” button near the top-right corner of the page, which leads directly to the detailed logs for your site on Wordfence Central. Otherwise, you should use the “Connect Site” button to connect your site to Wordfence Central in order to set up the audit log.

Audit Log logging modes

There are four possible modes:

• Disabled: Disables the audit log, including the preview of recent events.
• Preview: Events will not be sent to the log on Wordfence Central. Only a limited list of events will appear in the Recent Event Summary table at the bottom of the page, but details such as IP addresses, users, and post IDs are not saved.
• Significant Events: This includes events related to users, settings, plugins, updates, logins, and more.
• All Events: This includes all “significant events”, plus more content-focused events such as editing or deleting posts, adding attachments, or sending email. These event records do not include the content itself, but rather metadata and which user made the change. Similarly, email content and recipients are not stored, but subject lines and the number of recipients and number of attachments are recorded.

The “Significant Events” option is recommended for most sites, since logging all events may record a large number of events on some sites. Content-related events recorded with the “All Events” option can include custom post types from some plugins, including forum plugins, which may log an event for every new forum post and reply.

Display Audit Log menu option

This option is enabled by default. If you prefer a shorter Wordfence menu, you can disable it. The audit log settings will still be accessible on a tab on the Wordfence Tools menu.

Troubleshooting

• Audit log events may take a few minutes to be processed and appear on a site’s Audit Log page on Wordfence Central. Audit log events can also be delayed if the wp-cron job “wordfence_batchSendAuditEvents” is not run promptly. If your site has wp-cron disabled, we recommend using a linux cron job to visit wp-cron.php or run cron with WP-CLI periodically, ideally between 1 and 5 minutes.
• Events with missing data may not be transferred to Central but will display in the Audit log preview within the plugin. This could occur if a REST API event is sent to your site by a plugin or third-party service with missing data, or if a plugin or theme creates records in unusual ways. If you find any plugins/themes/services that cause this, please contact support.
• Some plugins that add custom roles may not log creation of those roles, if they are not added in a way that they are permanently saved in wp_user_roles in the wp_options table.

Privacy and Security

Some users may have concerns about the privacy and security of their site data captured and transmitted through the Audit Log feature. In order for information to be sent off site, two things have to happen: the Audit Log must be enabled with the mode set to either “Significant Events” or “All Events” and the site has to be connected to Wordfence Central. If either of these are not setup as described, no data can be transmitted outside of your local environment.

By default, the Wordfence Audit Log is set to Preview mode for Free and Premium license holders. In Preview mode, data is stored locally only, and contains minimal information including a timestamp and type of event.

For customers with Care or Response licenses, the Audit Log is enabled by default. Sites with Care or Response licenses should already be connected to Wordfence Central as part of the monitoring and support included for these customers, and therefore any privacy and security concerns should have been addressed at the time of the license installation.

We take data privacy and security very seriously and adhere to ISO 27001:2022 standards, ensuring that our processes, systems, and storage solutions meet rigorous international compliance requirements for certification. Our privacy practices are detailed in our Privacy Policy and Notice at Collection which outlines how we manage and protect customer data in line with applicable regulations, including CCPA, GDPR, EU, UK and other high-compliance frameworks. For customers with specific regulatory needs or concerns, we offer configurable options to tailor data handling and storage processes to better meet regional compliance requirements. If a customer has further concerns about their data processing, then we always recommend that they speak to their legal team because each customers situation is unique and we can not offer legal advice.