BeziWorld Activity Log
| 开发者 | beziworld |
|---|---|
| 更新时间 | 2026年6月15日 15:58 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
BeziWorld Activity Log records what users do on your WordPress site: who logged in, who failed to log in, who changed a role, who edited their profile, who created or edited content, and more. The focus is user activity, and the goal is to make the capabilities competing plugins reserve for paid upgrades available for free.
Designed for performance. Events are stored in a dedicated, indexed custom table (never in wp_posts), written in batches to keep request overhead low, while security-relevant events are persisted immediately. Retention pruning keeps the table lean automatically.
Designed for trust. Each event is signed with a per-site HMAC and sealed into a hash-chained sequence of checkpoints, making after-the-fact tampering — including row insertion or deletion — detectable. Because an attacker with full server access could recompute local signatures, the latest checkpoint signature can be anchored off-host (emailed or sent to a webhook) so the integrity proof leaves the machine.
Designed for privacy. IP logging is optional and can be anonymised at capture time. The plugin never phones home and never loads code from external servers.
Highlights
- Authentication and account activity: logins, logouts, failed logins (rate-limited to prevent log flooding), registration, role changes, profile and user-metadata changes, password resets, application passwords, user deletion.
- Content activity: posts, pages and custom post types created, updated (with a field-level diff), status changes, trashing, restoring and permanent deletion; comments, media and taxonomy terms.
- Clean, readable event viewer with severity badges, expandable detail rows, sorting, filtering and full-text search.
- Granular configuration: enable or disable whole event groups or individual events.
- Exclusion rules by IP/CIDR, user login, user ID, role and request path.
- Plugin/theme and settings changes, navigation menus, and the GDPR personal-data request lifecycle.
- Optional integrations: WooCommerce (orders, status changes, stock) and Yoast SEO (metadata and settings).
- Real-time notifications — Slack, Discord, Telegram, email and generic webhook — by urgency or chosen event codes, delivered immediately or as an hourly digest. Free.
- Optional login geolocation (via a provider you wire) with an automatic alert on a login from a new country.
- Scheduled HTML summary reports emailed to the administrator (daily or weekly).
- Statistics screen with daily-volume chart and category, user and event breakdowns.
- Active session management: see who is logged in and terminate sessions. Free.
- Tamper-evident integrity: per-row HMAC plus a hash-chained checkpoint sequence with optional off-host anchoring (email/webhook), verifiable with WP-CLI (
wp bzal verify-integrity). - Real-time notifications also fire on a chosen set of event codes, regardless of urgency.
- Configurable severity per event code, driving notifications and the security badge.
- Optional anomaly detection: flags a rapid bulk-delete burst by one user and off-hours admin logins as high-severity alerts.
- Admin-bar quick view: the latest events and a 24-hour security badge on every screen.
- "Users online" view: who currently holds a session, with their most recent action, time and IP.
- CSV and JSON export of the filtered log, with spreadsheet-formula-injection protection.
- Read access via the REST API (offset and cursor pagination, plus an integrity-anchor endpoint) and optionally GraphQL, gated by capability.
- Granular configuration: enable/disable whole event groups or individual events; exclusion rules by IP/CIDR, user, role and path.
- Configurable retention with on-demand cleanup; UTC storage with display in your chosen timezone.
- Fully translatable, with bundled Polish, German and Czech translations.
安装:
- Upload the
beziworld-activity-logfolder to/wp-content/plugins/. - Activate the plugin through the Plugins screen in WordPress.
- Open Activity Log in the admin menu to review events, and Activity Log → Settings to configure retention, events and exclusions.
屏幕截图:
常见问题:
Where are events stored?
In dedicated custom database tables created on activation, not in the WordPress posts table, so your content queries are never affected.
Will it slow down my site?
Non-critical events are buffered and written in a single batched query on shutdown; security events are written immediately. Indexed columns keep the viewer responsive even on large logs.
Does the plugin detect changes made directly in the database?
No. Like every hook-based activity logger, it records actions that flow through WordPress. Direct SQL modifications bypass WordPress hooks and cannot be observed.
Does it send my data anywhere?
No. There is no tracking or telemetry, and the plugin never loads code from external servers. The only outbound requests are the optional integrations described under "External services" below — every one is off by default and is sent only to an endpoint you configure yourself.
Does it provide WP-CLI commands?
Yes:
wp bzal verify-integrity— verify the per-row signatures and the checkpoint chain, reporting any detected tampering.wp bzal checkpoint— seal a new integrity checkpoint immediately.wp bzal purge— apply the retention policy now.wp bzal stats— print the number of recorded events for the current site.
Can developers extend it?
Yes. The plugin exposes hooks for integration:
do_action( 'bzal_event_logged', array $columns )— fires after each event is stored; receives the event's column map, for forwarding to your own systems.apply_filters( 'bzal_geolocate_country', string $country, string $ip )— return an ISO country code for an IP to power optional login geolocation (no provider is bundled).apply_filters( 'bzal_user_meta_denied', bool $denied, string $meta_key )— return true to keep a specific user-meta key out of the log.do_action( 'bzal_plugin_booted' )— fires once the plugin has finished booting, for registering your own extensions.
更新日志:
0.5.1
- Hardening: settings inputs are now unslashed and sanitised at the point of access rather than across helper boundaries, satisfying Plugin Check static analysis.
- Removed the redundant
load_plugin_textdomain()call; bundled Polish, German and Czech translations load through WordPress just-in-time loading (theText DomainandDomain Pathheaders are declared).
- Content, comment, media, taxonomy, menu, plugin/theme, settings, GDPR-request and user-metadata sensors.
- WooCommerce and Yoast SEO integrations (loaded only when active).
- Real-time notifications: Slack, Discord, Telegram, email, generic webhook — by urgency or per chosen event codes; immediate or hourly digest.
- Optional login geolocation with a login-from-new-country alert.
- Scheduled HTML summary reports; statistics screen with charts; admin-bar quick view with a security badge.
- Active session management; CSV/JSON export with formula-injection protection.
- Hash-chained integrity checkpoints with optional off-host anchoring and
wp bzal verify-integrity; per-site partitioned on multisite networks. - REST (offset + cursor pagination + integrity-anchor endpoint) and optional GraphQL read access; advanced filters; dashboard widget; same-request event correlation.
- Per-site partitioned integrity chain on multisite; optional full-text indexing of the event-data payload.
- Configurable per-event severity and optional behavioural anomaly detection (bulk-delete burst, off-hours admin login).
- Fast full-text search (MySQL FULLTEXT) across event object, user and message columns, with a LIKE fallback and an optional mode that also indexes the event-data payload.
- Initial release: custom-table storage, per-row HMAC integrity, authentication/account sensor, event viewer, configurable retention with on-demand cleanup, event toggles and exclusion rules.