Auditing WordPress administrators

How to Track & Audit the Activity of WordPress Admin Users

It’s not uncommon for many WordPress admins to be solopreneurs, meaning they start and run their businesses independently.

It’s also not uncommon for a team of users to be working behind the scenes of a WordPress site. So as a site owner, what measures can you take to audit the security of your site when others have access?

Fortunately, it’s possible to track and monitor user and admin activity in WordPress.

What are WordPress Users?

WordPress allows administrators to assign user roles to members of the team. By default, there are five user roles available after installation, unless you’re installing a WordPress Multisite site, in which case there are six user roles.

  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber
  • Super Admin (Multisite role)

Administrator

When you initially install WordPress, you’re assigned the administrator role. This role gives you the power to do whatever you want. You’ll be able to:

  • Add, edit, or delete any type of content
  • Add and customize plugins and themes
  • Edit WordPress core files
  • Add and delete new user accounts

Since the site administrator has this degree of power, it’s not common for this user role to be assigned to more than one person. However, there are scenarios where it would be necessary. But more on that later.

Editor

The editor’s role gives them access to content. They’re able to create, edit, delete, and ultimately publish pages and/or posts.

The editor’s role also allows them to moderate comments and manage both categories and links.

That is the limit of the editor’s role. As the name implies, an editor might be in charge of reviewing the authors’ content – see the Author role below.

Author

The author’s role is limited to creating, editing, deleting, and publishing posts in their own name.

Contributor

The contributor role has even less access than the author role. They’re limited to reading, editing, and deleting their own posts. They can’t publish posts or upload media to include in their posts.

Subscriber

There’s not much a subscriber can do. They’re limited to reading posts and managing their profiles.

Super Admin

As mentioned above, this role is limited to WordPress Multisite installations.

A multisite allows administrators to create and manage a network of sites from a single WordPress dashboard.
The Super Admin role has access to the entire network and has the power to add, change, and delete individual sites. They also manage the site’s users, themes, and plugins.

Auditing & Tracking WordPress Users

Clearly, if your site has grown beyond a single user’s role—your own—keeping track of everything going on with your site could be a daunting task.

This is where WordPress plugins come in: plugins that give site admins the means to create an audit trail of any change made, at any time, and by whom.

Audit Trails and Activity Logs

There are some terms you’ll need to familiarize yourself with.

An activity log, sometimes called an audit log or security log, is a record or trail of every change that takes place on your website. This information is extracted from your WordPress database.

If you’ve ever dug into your database, you’ll know that finding information can be challenging. However, using a plugin that was specifically created to extract this information makes monitoring your site much easier.

Based on information collected from your database, an activity log is a time-stamped record that includes, at least, a unique ID, and it tells you which change was made, by which user, and under which role.

When to Use an Activity Tracker

Does using an activity tracker mean you have no trust in your team? No. It’s not just about trust.

There are several circumstances where having an activity tracker to refer to would benefit you. For example:

Debugging. Sometimes, an update or other change can cause problems. Maybe two plugins that used to be compatible are no longer working nicely with each other. Instead of trying to recall the sequence of events that led to the current situation, having an activity log means you can go back and retrace your steps.

The ability to troubleshoot in this manner can save you money and time.

Increased security. Activity logs can show failed login attempts, which is especially useful if your security plugin of choice doesn’t track them. Having the ability to blacklist IP addresses can harden your site’s security.

Monitor content creation. If your site employs author-level users who add posts, your activity log can help you monitor your publishing schedule.

Track malware. If your site’s security has been compromised, and you suspect malware, having the ability to track activity means you’ll be able to find the intrusion. Logs can also help you better understand your site’s vulnerabilities, allowing you to address them.
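As an added illustration of the record described above (timestamp, unique ID, acting user and role, the change) and of the failed-login tracking just mentioned, here is a minimal WordPress plugin constructed for this article; it is not the code of WP Admin Audit or Sucuri, and the table name `example_audit_log` and the function name `example_audit_record` are assumptions.

```php
<?php
/**
 * Plugin Name: Example Admin Audit Log
 * Constructed example, not WP Admin Audit's code: writes one row with the fields the
 * article lists (timestamp, unique ID, acting user and role, the change) per event.
 */
register_activation_hook( __FILE__, function () {          // create the log table once
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( "CREATE TABLE {$wpdb->prefix}example_audit_log (
        id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
        logged_at DATETIME NOT NULL,
        event VARCHAR(64) NOT NULL,
        actor_id BIGINT UNSIGNED NOT NULL DEFAULT 0,
        actor_role VARCHAR(64) NOT NULL DEFAULT '',
        details TEXT NOT NULL,
        PRIMARY KEY  (id)
    ) {$wpdb->get_charset_collate()};" );
} );
// One row per event; actor and role come from the current session (0 / '' when nobody is logged in).
function example_audit_record( $event, array $details ) {
    global $wpdb;
    $user = wp_get_current_user();
    $wpdb->insert(
        $wpdb->prefix . 'example_audit_log',
        array(
            'logged_at'  => current_time( 'mysql', true ),   // UTC timestamp
            'event'      => $event,
            'actor_id'   => $user->ID,
            'actor_role' => implode( ',', (array) $user->roles ),
            'details'    => wp_json_encode( $details ),
        ),
        array( '%s', '%s', '%d', '%s', '%s' )
    );
}
// Failed logins: keep the attempted username and source IP, never the password.
add_action( 'wp_login_failed', function ( $username ) {
    example_audit_record( 'login_failed', array(
        'username' => $username, 'ip' => sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ) ) );
}, 10, 1 );
// Role changes, e.g. a developer account being promoted to administrator.
add_action( 'set_user_role', function ( $user_id, $new_role, $old_roles ) {
    example_audit_record( 'role_changed', array(
        'target_user' => $user_id, 'new_role' => $new_role, 'old_roles' => $old_roles ) );
}, 10, 3 );
// Plugin activation, which only an administrator (or super admin) can perform.
add_action( 'activated_plugin', function ( $plugin ) {
    example_audit_record( 'plugin_activated', array( 'plugin' => $plugin ) );
}, 10, 1 );
```

Querying the table ordered by `id` gives the sequence of events the Debugging point above relies on; a real plugin would also add retention, search, and protection of the table from the very admins it audits.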

Tracking the History of Other Admin Users

Sometimes, it may be necessary to provide an admin user role to a developer or someone else who needs high-level access to your site. Regardless of the relationship you have with your developer, you’ll want to be able to track their activity.

This can help ensure accountability.

Activity Log Plugins

There is no one-size-fits-all activity log plugin, so different plugins address different needs. Here are two current options—from a full-featured security plugin to a targeted, feature-specific plugin.

Sucuri

This is a full-featured WordPress security suite, with pricing that starts at $199.99 per year.

Features:

  • Complete site logging
  • DDoS protection
  • Firewall
  • Malware removal
  • Protection against both internal and external attacks

WP Admin Audit

Audit the activity of your admins with WP Admin Audit

This is a targeted plugin that tracks the activity of a WordPress Admin user. As an example, this would be the perfect plugin for the scenario mentioned above, where an Admin user role is assigned to a developer.

It’s available to try for free and has premium versions starting at €99 per year.

Free version features:

  • Extended event log retention — 30 days
  • Powerful search and filtering
  • Audit administrators and users

Premium versions include (selectively)

WP Admin Audit has a free version available at WordPress.org.
If you’re looking for activity-logging software, why not check it out?