WordPress Security How To
Posted By Gregory

Traffic Logging for WordPress


WP Cerber’s Traffic Inspector not only analyzes and blocks suspicious HTTP requests but also can optionally log them with request details, enabling you to inspect them manually. It uses a thoroughly designed high-performance logging engine. All logged requests are displayed on the Live Traffic page.

The logging settings are located on the Traffic Inspector settings page.

The most optimal and recommended logging mode is Smart.

What requests are logged when the Smart logging mode is enabled?

  1. All logged in (authorized) users requests
  2. If a particular activity has been detected and logged to the Activity log.
  3. Requests with non-default, WordPress GET parameters
  4. Form submissions (POST requests)
  5. XML-RPC and REST API requests
  6. Any request that generates an error HTTP code (400 and higher)
  7. Search requests
  8. Requests to a PHP script that doesn’t exist or loads the WP environment programmatically.

Note: the plugin doesn’t log standard admin dashboard requests including scheduled tasks (/wp-cron.php) and AJAX requests (/wp-admin/admin-ajax.php).

Is it possible that the logging slows down website performance? In rare circumstances, it’s possible on a free hosting with limited resources if the logging All traffic and Saving requests fields are enabled, Ignore search engine crawlers is disabled.

How to exclude passwords and other sensitive information from being logged

The Cerber Security plugin always masks the password field on the default WordPress login form and the following form fields: ‘pwd’, ‘pass’, ‘password’.

If you’ve enabled saving form fields to the log (Save request fields is enabled) and you use a plugin that generates a login form like some membership or pop-up login form plugins do, you should add the name of the password form field to the Mask these form fields field. Otherwise, passwords will be saved to the website database in unencrypted form. To specify multiple form fields, use commas to separate items.

Before saving to the WordPress DB all specified fields are filled with asterisks symbol ( masked) and so sensitive data are not saved. That prevents user passwords or any other sensitive data from compromising in case of any data leakage.

How to delete all log records

To completely delete all Traffic Inspector log records, you need to manually clean up just one table in the WordPress DB. That’s easy. Go to the Cerber Security Tools admin page and click the Diagnostic tab. In the Database Info section find the following title: Table: cerber_traffic, rows: xxxx. Click the Delete all rows button next to it. Note: this operation cannot be rolled back.

How to be in compliance with data privacy laws

The features below give you full control of personal data if it was logged by WP Cerber and help your organization to be in compliance with data privacy laws such as GDPR in Europe or CCPA in California.

Exporting personal data
Deleting personal data

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments
There are currently no comments.