WP Ghost monitors hacking attempts through the Security Threats Log, which records every malicious request detected by the firewall, path security, and brute force protection. For each threat you see the type of attack, the targeted path, the source IP address and country, the HTTP method, the detection rule that caught it, the timestamp, and whether the attempt was blocked. You can filter by threat type, country, status, or time range, and respond directly from the log by whitelisting false positives or blacklisting repeat attackers. The Security Threats Log is a Premium feature and is separate from the Events Log, which tracks internal admin activity.
Two Logs, Two Different Jobs
WP Ghost has two separate logging systems, and it helps to keep them straight:
| Log | What It Tracks | Who Triggered It |
|---|---|---|
| Security Threats Log | Hacking attempts, exploit scans, brute force attacks, blocked requests | External attackers and bots |
| Events Log | Admin activity, logins, plugin changes, post edits | Your own logged-in users |
When the question is “how extensive is hacking attempt monitoring”, the answer is the Security Threats Log. It is the feature that captures everything a malicious bot or attacker does against your site.
What the Security Threats Log Captures
The Security Threats Log records every hostile request detected by WP Ghost’s protection layers. This includes exploit scans against plugins, themes, and core files, PHP file probing, requests targeting hidden or protected paths, malformed HTTP requests, SQL injection and XSS attempts, directory traversal, brute force login attempts, and repeated attacks from the same IP. The log captures the attempt even when it is fully blocked, so you can see exactly what bots tried to do and what got stopped.
Each Threat Entry Includes
Threat type (exploit scan, injection attempt, brute force, path probe, and more), targeted path or URL, source IP address, source country (with flag), HTTP method and protocol, detection rule that caught it and the matched pattern, user agent and referrer, unique request ID for cross-referencing, date and time, and block status (Prevented, Detected).
How to Activate Threat Monitoring
Step 1. Enable Logging
Go to WP Ghost > Logs > Settings and switch on Log Security Threats. Set the retention period in days, this controls how long threat entries stay in your database before automatic cleanup.
Step 2. Review the Threats Report
Open WP Ghost > Logs > Security Threats to see every detected threat in chronological order. Use the filters to narrow results by threat type, country, status, or time range. Search by keyword, path, or IP address.
Step 3. Respond to Threats Directly
Every threat entry has an action menu with four response options:
Threat Details, view the full request context (path, source IP, HTTP status, detection rule, matched pattern, user agent, referrer, protocol, request ID). This tells you exactly why the request was flagged.
Whitelist Path, if a legitimate request is being blocked (false positive), whitelist that specific URL or endpoint. The path is added to Firewall > Whitelist.
Whitelist Rule, if a trusted integration triggers a specific firewall rule, whitelist that rule globally. Useful for custom applications or third-party services that happen to match firewall patterns.
Blacklist IP, permanently block an IP that repeatedly targets your site. The IP is added to Firewall > Blacklist.
Email Alerts for Critical Events
For real-time response, WP Ghost Premium includes email alerts configured from the WP Ghost Dashboard at Email Alerts > New Alert. Available alert types include:
An IP was blocked by brute force protection, a user exceeded 5 failed login attempts, a user logged in from different IP addresses (possible account compromise), a plugin was deleted from the site, or a post was deleted from the site. Alerts send immediately when the event triggers. Each alert can be configured per connected site in your WP Ghost Dashboard.
Email alerts rely on cloud storage for the Events Log, so enable that at WP Ghost > Logs > Settings before setting up alerts.
Why Threat Monitoring Matters
Three concrete benefits:
Validate that WP Ghost is working. When you see “Prevented” status on dozens of exploit scans and injection attempts each day, your firewall and path security are confirmed to be doing their job. It also tells you that those 115+ free features and 150+ premium features are pulling their weight.
Spot attack patterns. When the same IP sends hundreds of requests probing different plugin paths, that is a scanner, blacklist it. When multiple IPs from the same country target wp-login.php, that is a coordinated brute force campaign, consider enabling Geo Security country blocking for that country.
Resolve false positives fast. If a legitimate user or integration triggers a firewall rule, the log shows exactly which rule fired and what path was hit. One click whitelists the path or the rule, no guessing required.
Free vs Premium Log Coverage
| Feature | Free | Premium |
|---|---|---|
| Security Threats Log (last 20 entries) | Yes | Yes |
| Security Threats Log with full history | No | Yes |
| User Events Log | No | Yes |
| Filter by threat type, country, status, time | No | Yes |
| Full-text search in logs | No | Yes |
| Export logs to CSV / Excel | No | Yes |
| Cloud storage for logs (30 days) | No | Yes |
| Real-time email alerts | No | Yes |
Frequently Asked Questions
Does the free version monitor hacking attempts at all?
Partially. The free version of WP Ghost shows the last 20 Security Threats in the Overview dashboard so you can see what is hitting your site. Full history, filtering, searching, and email alerts require Premium.
Does the log slow down my site?
Minimally. Threat logging only writes to the database when a malicious request is detected, legitimate traffic is not logged. The retention setting automatically cleans up old entries to keep the database size manageable.
Where is the threat data stored?
All threat data is stored locally in the WordPress database table hmwp_logs. For statistical reporting, WP Ghost sends aggregated, non-personal data (only the date and total number of detected threats) to the WP Ghost Dashboard. No IP addresses, URLs, request details, or individual visitor data is transmitted to the cloud.
How do I handle a false positive?
Open the threat details to see which rule was triggered and which path was blocked. Use Whitelist Path to allow that specific URL, or Whitelist Rule to allow all requests matching that detection pattern. The whitelist is managed centrally at WP Ghost > Firewall > Whitelist.
Is the Security Threats Log the same as the User Events Log?
No. The Security Threats Log records external threats (malicious requests from bots and attackers). The User Events Log tracks internal activity (admin logins, plugin changes, settings modifications). They are complementary, threats show what is attacking you, events show what is happening inside. See the Events Log storage FAQ for how the two logs differ in storage and retention.
Can I export the threat log?
Yes, in Premium. Export the Security Threats Log to CSV from WP Ghost > Logs > Security Threats. This is useful for audits, compliance reports, or analyzing attack patterns in external tools.
Does WP Ghost modify WordPress core files?
No. Threat logging uses WP Ghost’s own database table (hmwp_logs) and WordPress hooks. No WordPress core files are modified. Disabling the feature stops logging instantly, and uninstalling WP Ghost removes the log table cleanly.