Podcast Episode

411 – Track Changes in Your WordPress Site


Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin form the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

WP Inspect is a plugin visually annotates pages with the actions & filters (hooks) invoked during the request life cycle.

Track Changes in Your WordPress Site

One of the best plugins in the WordPress space to track changes for your WordPress site is called WP Security Audit Log

Here are the things you should be tracking on your website:

  • Changes to content.
  • New and removed users.
  • Failed login attempts.
  • Changes to themes or plugins.
  • WordPress core and settings changes.
  • User profile tweaks.
  • Changes to websites and users on multisite setups.

Thank You!

Thank you to those who use my affiliate links. As you know I make a small commission when someone uses my link and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page

Full Transcript

Business Transcription is provided by GMR Transcription.

On today’s episode, we are going to talk about how we can track our changes and what happens on our WordPress website without us being there right here on Your Website Engineer Podcast, Episode No. 411.

Hello and welcome to another episode of Your Website Engineer Podcast. My name is Dustin Hartzler. I’m excited to be here with you. Just like I am every single week, I’m delighted to find topics in the WordPress space to talk about and share the WordPress news so you don’t have to go scouring the web and trying to figure out what’s the latest and greatest with what’s happening in the WordPress community. Let’s kick it off with a discussion about 2019. The theme has been released and this was posted about seven hours ago and I’m recording this on Tuesday. And basically, it talks about how we’re skipping 2018. There’s gonna be no 2018 release. But when WordPress 5.0 comes out in just a few weeks, they’re going to release a 2019. So, it is built with Gutenberg in mind.

It allows you to easily add different blocks and to have a fully customized version. And there’s a link in the show notes so you can see some screenshots. Again, it is a very beautiful theme and, as always, when these new themes come out, it’s like, “Wow, this would be really good to change YourWebsiteEngineer.com to the latest version of whatever.” Of course, I won’t do it, but it is one of those themes that looks really nice and I think would look really, really well on many websites. And so if you’re interested in seeing what that looks like, it looks like they’re just barely getting started and so they’ve got just a little over a month until WordPress 5.0 is going to be released. So, they’re doing their best to try to figure out if they can get this thing built and all ready to go in a month’s time.

So, I’ll keep you updated with updates as things happen over the next four weeks or so and let you know if 2019 will be included in WordPress 5.0. I keep wanting to say Gutenberg 5.0, but it’s WordPress 5.0. The other thing that comes in the way of news this week is Jetpack 6.6 and 6.6.1. Basically, that has been titled or codenamed, Better Site Verification Tools. It allows you to and it makes it a lot easier to verify your site with Google. It’s simpler to add your site to Google search console right from the Jetpack dashboard and you could receive tips and notifications from Google to boost your site’s visibility on search engines. It also has some beta features that are built-in – some ways to speed up your website even more – and so it’s a beta process, but you can sign up for that if you install the latest version of Jetpack.

The .1 release came out just a few days later and fixed a few outstanding bugs and so that is what’s new with Jetpack 6.6. The other thing in the news that I want to share with you is that SeedProd has joined Awesome Motive and that is the WP beginner’s family of products. So, SeedProd is the most popular coming soon in maintenance plugin. It has about 800,000 active installs right now on WordPress sites and the SeedProd free plugin allows you to quickly create a basic coming soon page or maintenance mode for your website. There’s a pro version as well and it has more than 50 premade templates and 500,000 plus free stock photos built right in.

So, this is something that is a really nice and easy way to get started with a coming soon page or maybe you’re doing a little bit of maintenance and you can put that maintenance page up. Also, the thing I want to mention is if you do go with the pro version – there is a SeedProd pro – and it comes with prescriber management, an email marketing integration, with Constant Contact, MailChimp, AWeber and more than 1,000 different apps on Zapier. And so what this means is if you want to go pro, you can and you can set up on the landing page you can say, “Coming soon” and enter your email address for more information. So, that is all about SeedProd.

If you need more information, there’s an article on WPBeginner.com about the news and you can find a link for that in the show notes for Episode No. 411. All right. Moving onto the “Is there a plugin for that?” section, this is one that I found on OmniFocus that I sent there a long time ago and it’s finally bubbling it’s way to the top and making it into the “Is there a plugin for that?” section. This one is called WP Inspect and WP Inspect is a visual plugin that annotates pages with actions and filters and hooks invoked during the part of the lifecycle of the page. And so it’s really cool. So, you could go in an activate this plugin and then – as your page loads – you’ll be able to see that it calls “get sidebar” or “get footer” or “template part translation page” or whatever.

You can see all of these filters right inside of your dashboard and you can inspect it and you can see exactly how it works and it just helps you kind of understand how a WordPress page and post and all of these different pages that are pulling up on a website on your WordPress site and how they’re being built by all of the code in the backend in theme templates. So, I thought this was really cool. This used to be called hookr.io. It was a service that allowed you to look at the hooks for WordPress and you can find out where all of them are and what they did and it had good examples for everything. So, this is one that’s out there if you’re interested in learning about how WordPress works and how you can use hooks and actions and filters to modify and change things within a theme.

I recommend WP Inspect and you can find it, as always, on the WordPress repository. All right. Today, we’re gonna talk a little bit about the WordPress activity log and this isn’t something that’s built into WordPress, but it’s something that could be and it could be a really good feature, but we’re gonna talk about a plugin that you can do this. But we want to talk about when your WordPress site is very small – when you’re first getting started out – it’s easy to keep tabs on everything. Maybe you’re the only person that’s using it and you know you’re in charge of everything. So, you’re the one updating plugins or you’re updating core WordPress. You’re going in and you’re making tweaks to widgets and you’re adding posts and pages.

You don’t really need an activity monitor if you’re the only person because you can remember what you changed last. Sometimes though – as your site grows – it continues to get big maybe there’s more complexity, maybe you’re adding more plugins like a membership plugin and now you’ve got WooCommerce and so you’re running e-commerce platform as well and you’ve got multiple contributors. Maybe you’ve got people that are selling. You got product vendors and so you have other people selling items through your WooCommerce store. Whatever the case may be, however complex your site is, it is vital to know what’s happening on your site at all times. You can do this by easily tracking user activity so that you can see what changes are made to content or profiles or failed logins and more.

And you can continue – when you have information like this – you can quickly track down the source of any problems and you can maintain some really tight security. Today, we’re just gonna briefly talk about why you’d want to track your WordPress site’s activity and then we’ll figure out what types of activity is most important to keep an eye on. So, let’s go ahead and dive right in. An activity log helps you keep tabs on the important changes on your site. If your website has a single user, there should be no surprises unless your site’s been hacked – which will come later about in the show – we’ll talk a little bit about that. Every change and update will be made by you. But once those sites – like I said – was getting larger, when more people can register for your site. They can sign up for subscriber accounts or they purchase things or you have a team of writers or developers or editors.

With so many people accessing your site, it can create a lot of confusion and a lot of uncertainty on what happened or maybe something is broken and you’re not 100% sure what action or what thing has caused that thing to break. So, what I want to recommend is a plugin called WP Security Audit Log and it is found on the WordPress repository. It is one of those plugins that has more than 70,000 active installs and so it works really well with WordPress. It works well with just a standard installation of WordPress, also with WordPress Multisite, so you can use that as well. It does have a premium plan. I’ll talk a little bit about that.

The premium plan has some features that you can’t quite do with the free plan but, of course, the free plugin from the repository has a bunch of things that it can keep track of. It can keep track of and give you a summary of things that are changed on a post or page or custom post type such as status, content, title, URLD, and custom field message. You can see what tags or categories have been changed. You can see widgets and menus that have changed. You see user changes, user profile changes, user activity such as login/logout, field logins. You can see WordPress Core in setting changes such as installed updates, perm links, default rolls, URLs and other side-wide changes.

You can see when plugins or themes have been changed, if WordPress databases have been changing, if any changes have been to WooCommerce stores or products, Yoast SEO, advanced custom fields, main WP, and some other popular WordPress plugins. You can also see if WordPress site file changes – like new files – have been added or deleted from themes or plugins and you can see all of this with the free version. So, I think the free version has a lot of information and a lot of necessity to just add in and run on every WordPress site. These changes are tracked by date and time and it says the user and the role of the user that did it and the source IP from where the changes happened. And so those are all of the things built-in to the plugin.

Now, if you wanted to upgrade to the premium version – and there’s a couple different price points. The price points for a single site is – let’s see – it is $89.00 per year to start with single site and then there’s a $99.00 and a $149.00. Again, there’s a link in the show notes so you can see exactly how much this costs, but when you have the premium version, you can see who’s logged in at that time, see what everyone is doing in real time. You can logoff any user with just a click. You can generate HTML and CSV reports. You can export the activity log into CSV. You can get instantly notified via email of important changes. You can search activity log. You can use built-in filters. You can do a ton of stuff with the premium version. And so those are some things just that the plugin can do.

Now, let’s talk about what we need to do. So, we can install this plugin and we start configuring the plugin. It’s going to ask us some basic things you know whether we want to have the geek settings or the basic settings. Basic is just if you want basic login data and the geek is if you want all the data the plugin has to offer. So, you could choose one of those as you’re logging in. And then you select how long you want to keep the information. WP Security Audit Log saves all this data into your WordPress database so you can keep it for six months and then anything older than six months will be deleted. You can keep it for 12 months and anything older than 12 months, of course, will be deleted or you can keep all data. You can change this later on.

Like I said, it is stored in the WordPress database and so it’s done in an efficient manner, but you should never store more data than you think you’ll need. Probably six months is fine you know unless you’re not actively using your website and you might login once every six months. It may be good to keep it for 12 months. Otherwise, it’s probably good to just keep it for six months. The next step is to configure additional access, if needed. By default, only administrators will be able to access the WordPress activity log. That’s probably a good thing just let the admins from the site be able to see the data and see what’s happening. And then on the next screen, it will exclude objects like user names or roles or IP addresses from being logged.

So, if you are a single admin on the WordPress site and only want to see changes that authors and editors make, you can do that, or perhaps you want to make sure that you want to monitor logins and account registrations or you want to exclude you from the data. You don’t want to see your activity and what you’ve done or whatever. You have that ability to exclude and then that’s it. Those are the five steps to set up the plugin. They have kind of a welcome wizard or a walk-through wizard to give you the ability to set all of these features up. It’s very much like the Woo onboarding wizard that comes with WooCommerce and once those things are all set up. Now, the seven things that you need to keep track of are the following. Let’s go ahead and dive right in.

There are seven of them that I’ve listed. You want to track changes to your content. So, the content is probably the most essential part – or the heart – of your WordPress website. Your website’s made up of one or more pages. It’s got all kinds of posts. It’s updated regularly with new or revised content and you want to make sure that you aren’t losing this information or things are changed without you knowing or whatnot. So, quality and accuracy is all of the content is key to provide value for your visitors and it enhances your authority and makes sure that your audience trusts you and what you have to say. This means keeping a close eye on your content is very critical.

You want to make sure that the new and existing changes to content reflect well on you, your company, or the success of your website. So, if you want to track all content-related changes, it includes the creation of new posts or pages or other custom post types, the alteration of an existing page or post titles, dates, URLs, custom fields, and other variables. It checks for modified content within existing content – whether something has been added, edited or removed. It does status changes, such as a post that’s been published or returned to draft form. It also can monitor what’s happening with SEO. So, if a URL changes with a popular post, you don’t know about.

This could be disastrous because people would be going to the wrong URL and so while WordPress has built-in redirects that does its best to redirect, if you see that a website URL has been updated, then you can change the redirection to set up a 301 redirect to make sure that if someone types in the old web address or the old permalink, it will go to the new place. And so that happens. All this kind of stuff happens regularly and it’s just nice to know and see exactly what’s happening on your website. So, that’s the first one, changes to content. The second one is when new and removed users happen. And so this is very good if you have a membership site or some sort of subscription site or some sort of site where folks are logging into your website and so you want to make sure that you have a good control over your site’s user base.

Even if you enable open registrations, you want to know that they’re actual people logging in and not spam content, spam users trying to get in. So, tracking both of these activities – whether they’re new or removed – this will just give you an idea of what’s going on on your website. Another thing we need to be tracking is the failed login attempts on your site. So, everybody that needs access or has access to your site needs to login first and you want to make sure that folks are logging in correctly and if you enable this to monitor the failed login attempts, then what happens is you’ll get notifications when somebody has logged in or tried to login multiple times.

If it’s somebody that you know – it’s a content creator on your website – you can ask them, “Hey, did you have a problem logging into your site the last couple days?” If they say no, then maybe there’s somebody hacking or trying to get into your site because of that or trying to brute force their way into the site. So, every site will occasionally have failed logins, of course, because people forget user names and passwords and whatnot. So, you can look at these based on IP addresses so you can see if the same failed attempts are coming from the same IP address or maybe some people have moved and they’ve moved from locations or whatnot. You can track all of the failed logins through the activity log and you can see what’s happening. You could reach out to those customers or users and help them regain access to your site. That’s item No. 3.

Item No. 4 to track is changes to themes or plugins. This one’s pretty simple. It basically lets you know if somebody’s changed the theme from maybe one theme to another or they’ve changed plugins or they’ve deactivated plugins or changed a plugin status. And so it’s pretty simple, but if you have multiple administrators on your site, then this would be a good thing to start tracking. That way, you know exactly what’s happened or if somebody has toggled on or off a plugin. That is the changes to themes or plugins. You also want to monitor what’s happening with WordPress Core and settings and you can do this as well. This is another option or another section that you can monitor within this tool. It basically, again, is going with those admin only privileges and these are something that only admins can do on your site, but you want to make sure and you can see who clicked that update button.

Who updated WordPress Core to the latest version? It’s very clear and it’s very concise and it tells you exactly who did that. It tells you when it did it and if you start seeing failed orders or maybe some of your pages aren’t loading after that point, then you know that it was that Core update that caused an issue on your site. It’s nice to have, it’s nice to see, and it’s nice to be able to have that information – especially if you have multiple admins on your site. Another thing you can track is user profile tweaks and so we talked a little bit about new and deleted users, but everyone with a user account on your site can make some basic changes to their profile. They can change items like email address or passwords or the way their name displays and user roles. You know maybe they have changed their user roles from they were a subscriber and now they purchased something. Now they’re a customer or whatever.

You can see all of these in the activity log or the audit log viewer as well. The last one that I want to talk about is changes to websites and users on multisite setups. So, if you’re running a multisite, it’s gonna be very similar. You want to make sure that if you’re running a multisite site that you are monitoring these things that are a little bit different. So, if they’ve added or deleted a site, as a super admin, you’re the only one that can create and remove sites. No one else should be able to do that, but if you have multiple super admins on a multisite network, then that could be a problem. You also want to check to see who’s adding or deleting users from sites and you want to see if anybody’s made changes to network settings.

So, on a multisite setup, you get access to a special screen that has network-specific options and these can do things that can break a website or break a multitude of websites very, very easily. And so those are the things that you can do on a multisite. Again, there’s tons more options to talk about and if you wanted to just set it on that geeky option and get all of the data about everything, you can go in and just kind of peruse and see what’s helpful and what’s not. You know it may not be helpful to see who’s logged in or who’s logged out of your website and then you can turn those features on and off. The really cool thing is like I think what’s really great is it is a free plugin and with 70,000 active installs it’s a development team that is on top of it and they are creating some really cool things that you can do and really cool things that you can audit with your website. I’d recommend just checking it out.

This is a good website. If there’s more than one user on a website, then this should be done. I’m even thinking about installing the WP Security Audit Log plugin on a site like the blog my wife runs and because – even though she’s the main person – there’s some things that may break and she may or may not say, “Oh, well, I did this, this, and this and that caused it to break.” So, having an activity log would be really great so I can see exactly what happened beforehand and then try to revert and go back. So, probably anytime that you don’t want to spend a bunch of time trying to troubleshoot or ask people questions about, “What happened?’ or “How do I get back there?” if you’re running a client site, this would be perfect for these type of applications. You just turn it on and then let it run and it goes ahead and it just tracks and every simple change or anything that has been changed on a website, it’s gonna track it and you can see it later.

So, those were what I wanted to share about and we wanted to talk about changes of content, monitor who’s changing content, who’s adding new or removing users, any failed login attempts, changes to themes or plugins, changes to WordPress Core or settings, user profile tweaks, and changes to websites that have multiple users or multisite setups. That’s what I wanted to share with you today. I’ve got a whole list of other items that I want to talk about this month and we’ll continue talking about WordPress in the months to come as we lead up to WordPress 5.0 and the launch of Gutenberg. So, until then, take care and we’ll talk to you again next week. Bye, bye.