Yes. The User Events Log in WP Ghost records every security-relevant action your logged-in users take: logins (successful and failed) with IP and location, content deletions, plugin and theme activations/deactivations/updates, settings changes, and more. Each entry shows who did it, when, and from which IP address. You can filter by user role (monitor all users or only specific roles like Subscribers and Contributors), optionally sync logs to the WP Ghost Cloud Dashboard for 30-day tamper-proof storage, and set up email alerts for critical actions like logins from new IPs or unauthorized settings changes. This is a Premium feature.
What the Events Log Records
The Events Log monitors security-relevant dashboard activity 24/7 for the user roles you select. It does not track everyday frontend browsing (clicking menus, viewing pages, cart actions) because those are not security-relevant, only actions that could impact your site’s security or content integrity.
| Event Category | What Gets Logged |
|---|---|
| Login activity | Successful logins, failed login attempts, IP address of each attempt, country/location, whether the IP is repeatedly targeting your login page |
| Content changes | Post and page deletions (who deleted what), attachment uploads and deletions |
| Plugin activity | Plugin activations, deactivations, deletions, and updates (who triggered each action) |
| Theme activity | Theme switches, updates, and deletions |
| Core file updates | WordPress core updates (who initiated the update) |
| Settings changes | Dashboard settings modifications that could impact security |
| User actions | User creation, role changes, profile edits |
Every log entry captures four data points: who (username and role), what (action type, affected path or item), when (date and time), and where (IP address and country).
Why This Matters
User activity tracking is critical for your hack prevention strategy, particularly when multiple people have dashboard access:
Detect compromised accounts. If an admin account starts making unusual changes (deleting posts, deactivating security plugins, installing unknown themes), the Events Log shows exactly what happened, when, and from which IP. You can trace suspicious activity to a specific session.
Audit freelancers and contractors. When a developer or consultant has temporary dashboard access, the Events Log creates accountability. You know who activated a plugin, who updated a theme, who modified settings, and when each action occurred. Perfect for agency/client relationships.
Track multi-author editorial workflows. On multi-contributor blogs, the log shows which author deleted what, who published which post, who modified which category. Supports editorial accountability without the need for separate audit tools.
Investigate after an incident. If something breaks or content goes missing, the log answers “who changed what, when?” Without it, you are guessing.
How to Activate the Events Log
- Go to WP Ghost > Logs > Settings.
- Switch on Log Users Events to start monitoring.
- Optional but recommended: switch on Enable Cloud Storage for Events Log to sync a copy to the WP Ghost Dashboard for 30 days. Cloud logs survive plugin deactivation or deletion.
- Under Log User Roles, select which roles to monitor. Leave empty (“Nothing Selected”) to track all roles. Select specific roles to track only those (for example, Subscribers and Contributors but not Administrators).
- Click Save. Logging starts immediately.
View the log anytime at WP Ghost > Logs > User Events, or in the WP Ghost Dashboard if cloud storage is enabled. Full walkthrough in the Events Log Report guide.
Local vs Cloud Storage
| Feature | Local Storage | Cloud Storage |
|---|---|---|
| Where logs are stored | WordPress database (custom table) | WP Ghost Cloud (account.hidemywpghost.com) |
| Retention | Configurable in Settings | 30 days, then automatic deletion |
| Survives plugin deletion | No, deleted with plugin uninstall | Yes, preserved in cloud for 30 days |
| Accessible from multiple devices | No, tied to WP admin access | Yes, via WP Ghost Dashboard |
| Survives site compromise | Risk of tampering if attacker gains admin access | Tamper-proof, attacker cannot modify cloud copy |
| Required for email alerts | No | Yes |
| Timezone | Your WordPress timezone | UTC-0 (convert when reviewing) |
The advantage of cloud storage: if your site is compromised and an attacker tries to delete local logs to cover their tracks, the cloud copy preserves the evidence for investigation.
Email Alerts for Critical Events
With cloud storage enabled, you can configure email alerts for critical events from the WP Ghost Dashboard. Predefined alert types include:
Login from a new IP address, unauthorized settings changes, plugin activations, user role modifications, failed login attempts exceeding a threshold, and content deletions. Alerts trigger instantly when the event occurs, sent to the email address you configure. You can create different alerts per site if you manage multiple sites through a single WP Ghost account.
To set up: in the WP Ghost Dashboard, go to Email Alerts > New Alert, select your site and the events you want to be notified about, submit.
Filtering and Searching the Log
The report can be filtered by event type (login, incorrect password, plugin update, post deletion, and more), time interval, or URL (useful if you manage multiple sites through the cloud). You can also search by keyword, username, path, or IP address.
Tip: for best search results, make sure no filter is applied when using the Search function. Filters and search can conflict if used simultaneously.
Frequently Asked Questions
Will I see all edits and settings changes made by users?
Yes. The Events Log records every security-relevant action: logins, content deletions, plugin/theme activations and updates, settings modifications, user actions. Each entry shows who, what, when, and where (IP). The log does not track everyday frontend browsing or actions that do not affect security.
Is this a free feature?
No. The User Events Log requires WP Ghost Premium. The free version includes path security, 7G/8G firewall, 2FA, brute force protection, and 115+ hardening features, but activity logging is Premium only. See the Free vs Premium comparison.
Is this the same as the Security Threats Log?
No, they are complementary. The User Events Log tracks internal activity from your logged-in users (what happens inside your dashboard). The Security Threats Log tracks external threats from bots and attackers (what’s trying to get in). You want both: events show what’s happening inside, threats show what’s attacking you. Together they give full visibility.
Can I monitor only specific user roles?
Yes. Under Log User Roles, select the roles you want to track. You can monitor multiple roles at once, or leave the dropdown empty to track all roles. For example, you might monitor Subscribers and Contributors but not Administrators (or vice versa).
Does this log frontend user activity like page views or cart additions?
No. The Events Log only tracks security-relevant dashboard actions: logins, plugin changes, post deletions, settings modifications, and similar administrative events. Everyday frontend browsing (clicking menus, viewing pages, WooCommerce cart interactions) is not logged because it is not security-relevant. For that kind of tracking, use a dedicated analytics tool.
Does this work with WooCommerce?
Yes. The Events Log tracks WooCommerce admin actions (product changes, order modifications, settings updates, plugin activations) the same way it tracks any WordPress dashboard activity. WP Ghost is fully compatible with WooCommerce.
Is the Events Log GDPR-compliant?
The log records usernames, IP addresses, and user actions, which is personal data under GDPR. If you operate in a GDPR jurisdiction, inform your users that dashboard activity is logged (include this in your privacy policy). Cloud-stored data is retained for 30 days and then automatically deleted. Data is not shared with third parties and is not used for marketing. Full GDPR details in the Events Log Report guide.
Does WP Ghost modify WordPress core files?
No. Event logging uses a dedicated WP Ghost database table and WordPress hooks. No core files, theme files, or plugin files are modified. Disabling the feature stops logging instantly. Cloud logs are sent via API.