Tracking user activity

This is in regards to logged-in users on the documentation site (and I would recommend cp.net too). As we add more users that can manage content, we should add activity tracking to see what happens and who does what. We need that audit trail.

So far, Stream should be compatible with CP since they list the minimum version as 4.5. I’ve used it and it seems to be a solid plugin.

Why? Genuine question from a privacy advocate.

I think this is more on the admin side of things, just tracking what changes have been made and by whom, especially now that we are getting more people access.

I think we had something in the past, but I can’t recall what plugin it was.

I strongly disapprove of any form of tracking.

It is an invasion of privacy, and bottom line, has never brought any real benefit to any website I know, other than seeing “nice, they click on this link but not that”.

Personally, I follow a strict zero-tracking policy and also wrote a few posts about the matter and how to still get the data needed, without spying on users.
With good old-fashioned listening to users, and performing some quick Google queries, we can leverage data that Google (or other trackers) do not even see.
For example, many users now choose to deploy anti-tracking settings in browsers or phones, which basically then results in skewed tracking reports because you’d only receive data from those people being OK with tracking.

It also means you need to add cookie consents and other stuff related to GDPR (which, in other words, means you provide content only to those who are willing to share their information).

I think tracking is only useful if someone engages in PPC or similar marketing strategies. As an open source project advocating security and, I hope, also privacy, I suggest not deploying any trackers; I would even go a step further and not use any fonts or other sources that covertly collect data (like Adobe or CloudFlare or any form of CDN service).

I might be a bit restricted in my opinion of what privacy on the web is; I think privacy means that nothing is collected apart from the server logs.

Tracking for editors is also not really helping us to determine actual user preferences. Editors can be and are tracked by server logs already, and the only purpose of that is safety and edit-backlogs, and we are well covered in that. Apart from WP also creating a backlog of edits, as far as I know, when you edit a post.

What exactly would be the profit/benefit in having an audit trail of users/editors?

3 Likes

This is not that type of tracking. No cookies, no JavaScript tracking, etc. If you look at the plugin I mentioned, it tracks built-in core actions such as post status changes, plugin actions, option changes, theme actions, etc.

This is a good security practice and keeps track of all the changes on websites with multiple users to see who’s done what, especially when something happens.

Several times, thanks to an activity tracking plugin, I was able to see which user installed a malicious plugin and made changes on the website when a user account was breached.

On a site with a dozen authors, we were able to see who accidentally deleted a post and didn’t want to own up to it.

Again, this isn’t behavior tracking we do for advertising/marketing purposes. This is activity logging for security and auditing.

As we add more users to each site to manage content, keeping track of everything users do while interacting with the websites can become valuable if something happens.

Here’s a good article I read not too long ago about activity tracking on the Gravity Forms blog.

3 Likes

I think the confusion here stems from @viktor’s use of the word “tracking,” which carries with it all the negative connotations that @anon95694377 and @smileBeda have noted. I think what @viktor is really talking about is generally known as “logging,” and I agree that it is good practice to log everything that happens to files, plugins, themes, core, etc., both for security purposes and for troubleshooting.

I haven’t used Stream for years, not since it broke trust with its users, even though I and many others pointed out that it was about to embark on a wholesale breach of EU data protection laws. They walked that back after a year, but only after a blog post in which they said “Who knew?” Well, I don’t normally say “I told you so” but, in this case, “I told you so, but you wouldn’t listen!” So I’m really not a fan.

I use either Simple History or, for the most detailed logging around, WP Activity Log (in which I believe our own @williampatton is involved).

2 Likes

Thanks Tim. Simple History requires WP 5.2, that’s why I didn’t mention it. I do like using it. WP Activity Log is also good, definitely a good option to consider.

1 Like

What’s wrong with server logs for this purpose?
I’ve never used such a plugin, but maybe they show much more data than a log does, thus … then we’d need one of the directors to allow us to upload such a plugin and activate it.

But we can definitely tell from a server log who uploaded a malicious plugin, as it tracks each “activity” protocol there is.

Server logs log requests, not core actions performed by WordPress users. For example, the server log will have a POST request to the profile edit page. Activity logging will show you what action was performed (password change) and what user performed that action.

3 Likes
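The distinction drawn in the reply above, as an added example that is not part of the thread and is not code from Stream, Simple History or WP Activity Log: a minimal must-use plugin that records the actor and the core action, where the access log would show only a POST to the profile edit page. The helper name `example_audit_log` and the choice of the PHP error log as the destination are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Minimal audit log (illustrative example)
 *
 * Added example: records who performed which core action.
 * It never records request bodies, passwords or hashes.
 */

// Hypothetical helper: write one JSON line per event to the PHP error log.
function example_audit_log( $action, array $context = array() ) {
    $user  = wp_get_current_user();
    $entry = array(
        'time'    => gmdate( 'c' ),
        'actor'   => $user->exists() ? $user->user_login : '(none)',
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'action'  => $action,
        'context' => $context,
    );
    error_log( 'AUDIT ' . wp_json_encode( $entry ) );
}

// Password change: compare stored hashes before and after the profile update.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $new = get_userdata( $user_id );
    if ( $new && $new->user_pass !== $old_user_data->user_pass ) {
        example_audit_log( 'password_changed', array( 'target_user' => $new->user_login ) );
    }
}, 10, 2 );

// Plugin activation and deactivation.
add_action( 'activated_plugin', function ( $plugin ) {
    example_audit_log( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    example_audit_log( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );

// Post status changes (publish, trash, and so on).
add_action( 'transition_post_status', function ( $new_status, $old_status, $post ) {
    if ( $new_status !== $old_status ) {
        example_audit_log( 'post_status_changed', array(
            'post_id' => $post->ID,
            'from'    => $old_status,
            'to'      => $new_status,
        ) );
    }
}, 10, 3 );
```

For an audit trail to hold up after an account breach, the log destination should be somewhere the logged users cannot edit or delete.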

Understood.

And yes, probably that makes sense.

We need the plugin we plan to use and then we need @James and @wadestriebel to agree on this. Then we can upload, activate and monitor.

2 Likes

We had a plugin in the past, I just don’t remember the name of it now. But I do think it is something we will likely want so I am all good for installing a plugin to do that, we will want James to vet it prior but otherwise I don’t see any issues.

2 Likes

I also had good results with the free version of WP Activity Log, noted above. It’s backward-compatible to WP 4.4, so, it should continue working with ClassicPress for quite some time to come.

1 Like

The term I would use for this is “audit log”. Anyway I agree this is a good idea, and I think Stream is a fine choice here.

XWP is a generally well-respected development team that produces high-quality code, even if they made some questionable decisions in the past with this plugin. Also, the plugin is fully open-source and developed on GitHub, which is a big advantage.

No matter what plugin is used, it’s always important to stay on top of updates and review their code changes, and if there are further issues with Stream’s direction then we can fork it because it’s completely free and open-source.

2 Likes
