WordPress Security How To

Traffic Logging for WordPress


WP Cerber’s Traffic Inspector not only analyzes and blocks suspicious HTTP requests but also can optionally log them with details, so you can inspect them manually. It uses a carefully designed high-performance logging engine.

The most optimal and recommended logging mode is Smart.

What traffic is logged when Smart logging mode is enabled?

  1. All logged in (authorized) users requests
  2. If a particular activity has been detected and logged to the Activity log.
  3. Requests with non-default, WordPress GET parameters
  4. Form submissions (POST requests)
  5. XML-RPC and REST API requests
  6. Any request that generates an error HTTP code (400 and higher)
  7. Search requests
  8. Requests to a PHP script that doesn’t exist or loads WP environment programmatically.

Note: the plugin doesn’t log standard admin dashboard requests including scheduled tasks (/wp-cron.php) and AJAX requests (/wp-admin/admin-ajax.php).

Is it possible that the logging slows down website performance? In rare circumstances, it’s possible on a free hosting with limited resources if the logging All traffic and Saving requests fields are enabled, Ignore search engine crawlers is disabled.

How to exclude passwords and other sensitive information from logging

The Cerber Security plugin always masks the password field on the default WordPress login form and the following form fields: ‘pwd’, ‘pass’, ‘password’. If you’ve enabled saving form fields to the log (Save request fields is enabled) and you use a plugin that generates a login form like some membership or pop-up login form plugins do, you have to add the name of the password form field(s) to the Mask these form fields field on the Traffic Inspector settings page. To specify multiple fields use comma to separate items. Before saving to the WordPress DB these fields are filled with asterisks symbol and sensitive data are not saved. That prevents user passwords or any other sensitive data from compromising in case of any data leakage.

How to delete all Traffic Inspector log records

To completely delete all Traffic Inspector log records you need to manually clean up just one table in the WordPress DB. That’s easy. Go to the Cerber Security Tools admin page and click the Diagnostic tab. In the Database Info section find the following title: Table: cerber_traffic, rows: xxxx. Click the Delete all rows button next to it. Note: this operation cannot be rolled back.

How to be in compliance with data privacy laws

The features below give you full control of personal data if it was logged by WP Cerber and help your organization to be in compliance with data privacy laws such as GDPR in Europe or CCPA in California.

Exporting personal data
Deleting personal data

Last posts from WordPress security blog


I'm a team lead in Cerber Tech. I'm a software & database architect, WordPress - PHP - SQL - JavaScript developer. I started coding in 1993 on IBM System/370 (yeah, that was amazing days) and today software engineering at Cerber Tech is how I make my living. I've taught to have high standards for myself as well as using them in developing software solutions.

View Comments
There are currently no comments.