BeziWorld Activity Log

Description

BeziWorld Activity Log records what users do on your WordPress site: who logged in, who failed to log in, who changed a role, who edited their profile, who created or edited content, and more. The focus is user activity, and the goal is to make the capabilities competing plugins reserve for paid upgrades available for free.

Designed for performance. Events are stored in a dedicated, indexed custom table (never in wp_posts), written in batches to keep request overhead low, while security-relevant events are persisted immediately. Retention pruning keeps the table lean automatically.

Designed for trust. Each event is signed with a per-site HMAC and sealed into a hash-chained sequence of checkpoints, making after-the-fact tampering — including row insertion or deletion — detectable. Because an attacker with full server access could recompute local signatures, the latest checkpoint signature can be anchored off-host (emailed or sent to a webhook) so the integrity proof leaves the machine.
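A minimal sketch of the scheme described above, added here as an illustration and not taken from the plugin's code. It shows a row deletion being caught by the checkpoint chain even though every remaining row still carries a valid HMAC, and a log rebuilt with a stolen key passing local verification but failing the off-host anchor comparison. The canonical JSON encoding, the checkpoint layout, the batch size and all function names are assumptions; the key and events are constructed samples.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # assumed start of the checkpoint chain
KEY = b"constructed-per-site-secret"    # constructed sample key
EVENTS = [                              # constructed sample events
    {"id": 1, "code": "login_failed", "user": "admin"},
    {"id": 2, "code": "login", "user": "admin"},
    {"id": 3, "code": "role_changed", "user": "editor1"},
]

def mac(key, text):
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def sign_row(key, row):  # per-row HMAC over canonical JSON of the columns
    return mac(key, json.dumps(row, sort_keys=True, separators=(",", ":")))

def seal(key, prev_sig, row_sigs):  # binds the previous checkpoint to its rows
    return mac(key, "\n".join([prev_sig, str(len(row_sigs)), *row_sigs]))

def build_log(key, events, batch=2):
    rows = [{"row": dict(e), "sig": sign_row(key, e)} for e in events]
    checkpoints, prev = [], GENESIS
    for i in range(0, len(rows), batch):
        sigs = [r["sig"] for r in rows[i:i + batch]]
        prev = seal(key, prev, sigs)
        checkpoints.append({"first": i, "count": len(sigs), "sig": prev})
    return rows, checkpoints

def verify(key, rows, checkpoints, anchor=None):  # returns a list of findings
    findings = [f"row {i}: bad signature" for i, r in enumerate(rows)
                if not hmac.compare_digest(r["sig"], sign_row(key, r["row"]))]
    prev = GENESIS
    for n, cp in enumerate(checkpoints):
        sigs = [r["sig"] for r in rows[cp["first"]:cp["first"] + cp["count"]]]
        if not hmac.compare_digest(cp["sig"], seal(key, prev, sigs)):
            findings.append(f"checkpoint {n}: chain mismatch")
        prev = cp["sig"]  # continue from the stored value to localise damage
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        findings.append("latest checkpoint differs from off-host anchor")
    return findings

def tamper_demo():
    rows, cps = build_log(KEY, EVENTS)
    anchor = cps[-1]["sig"]  # the value that was sent off-host
    keyless = verify(KEY, rows[:1] + rows[2:], cps, anchor)  # row 1 deleted
    rows, cps = build_log(KEY, EVENTS[:1] + EVENTS[2:])  # rebuilt with stolen key
    return keyless, verify(KEY, rows, cps), verify(KEY, rows, cps, anchor)
```

`tamper_demo()` returns the findings for the keyless deletion, for the rebuilt log checked locally, and for the rebuilt log checked against the anchor.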

Designed for privacy. IP logging is optional and can be anonymised at capture time. The plugin never phones home and never loads code from external servers.

Highlights

  • Authentication and account activity: logins, logouts, failed logins (rate-limited to prevent log flooding), registration, role changes, profile and user-metadata changes, password resets, application passwords, user deletion.
  • Content activity: posts, pages and custom post types created, updated (with a field-level diff), status changes, trashing, restoring and permanent deletion; comments, media and taxonomy terms.
  • Clean, readable event viewer with severity badges, expandable detail rows, sorting, filtering and full-text search.
  • Granular configuration: enable or disable whole event groups or individual events.
  • Exclusion rules by IP/CIDR, user login, user ID, role and request path.
  • Plugin/theme and settings changes, navigation menus, and the GDPR personal-data request lifecycle.
  • Optional integrations: WooCommerce (orders, status changes, stock) and Yoast SEO (metadata and settings).
  • Real-time notifications — Slack, Discord, Telegram, email and generic webhook — by urgency or chosen event codes, delivered immediately or as an hourly digest. Free.
  • Optional login geolocation (via a provider you wire) with an automatic alert on a login from a new country.
  • Scheduled HTML summary reports emailed to the administrator (daily or weekly).
  • Statistics screen with daily-volume chart and category, user and event breakdowns.
  • Active session management: see who is logged in and terminate sessions. Free.
  • Tamper-evident integrity: per-row HMAC plus a hash-chained checkpoint sequence with optional off-host anchoring (email/webhook), verifiable with WP-CLI (wp bzal verify-integrity).
  • Real-time notifications also fire on a chosen set of event codes, regardless of urgency.
  • Configurable severity per event code, driving notifications and the security badge.
  • Optional anomaly detection: flags a rapid bulk-delete burst by one user and off-hours admin logins as high-severity alerts.
  • Admin-bar quick view: the latest events and a 24-hour security badge on every screen.
  • “Users online” view: who currently holds a session, with their most recent action, time and IP.
  • CSV and JSON export of the filtered log, with spreadsheet-formula-injection protection.
  • Read access via the REST API (offset and cursor pagination, plus an integrity-anchor endpoint) and optionally GraphQL, gated by capability.
  • Configurable retention with on-demand cleanup; UTC storage with display in your chosen timezone.
  • Fully translatable, with bundled Polish, German and Czech translations.

External services

This plugin works fully offline. It does not connect to any external service on its own. The following optional integrations are disabled by default and only ever contact a destination that you enter in the settings; each transmits a short summary of a logged event (such as the event description, the acting user’s login, the time, and — when IP logging is enabled — the IP address) at the moment the event occurs or, in digest mode, once per hour.

  • Slack — when you enter a Slack Incoming Webhook URL, matching events are POSTed to that webhook. See the Slack Terms of Service (https://slack.com/terms-of-service) and Privacy Policy (https://slack.com/trust/privacy/privacy-policy).
  • Discord — when you enter a Discord webhook URL, matching events are POSTed to that webhook. See the Discord Terms (https://discord.com/terms) and Privacy Policy (https://discord.com/privacy).
  • Telegram — when you enter a Telegram bot token and chat ID, matching events are sent through the Telegram Bot API at api.telegram.org. See the Telegram Terms (https://telegram.org/tos) and Privacy Policy (https://telegram.org/privacy).
  • Generic webhook — when you enter a custom webhook URL (for notifications or for off-host integrity anchoring), the corresponding payload is POSTed to that URL. The destination is yours; review its provider’s terms and privacy policy.
  • Login geolocation — disabled unless you both enable it and wire a provider through the bzal_geolocate_country filter. The plugin bundles no geolocation provider and makes no geolocation request by itself; any lookup is performed by the provider you supply, under that provider’s terms.

Summary reports and notification emails are delivered through your site’s own WordPress mail system to the recipients you configure; they are not sent to any third party by this plugin.

Installation

  1. Upload the beziworld-activity-log folder to /wp-content/plugins/.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Open Activity Log in the admin menu to review events, and Activity Log Settings to configure retention, events and exclusions.

FAQ

Where are events stored?

In dedicated custom database tables created on activation, not in the WordPress posts table, so your content queries are never affected.

Will it slow down my site?

Non-critical events are buffered and written in a single batched query on shutdown; security events are written immediately. Indexed columns keep the viewer responsive even on large logs.

Does the plugin detect changes made directly in the database?

No. Like every hook-based activity logger, it records actions that flow through WordPress. Direct SQL modifications bypass WordPress hooks and cannot be observed.

Does it send my data anywhere?

No. There is no tracking or telemetry, and the plugin never loads code from external servers. The only outbound requests are the optional integrations described under “External services”; every one is off by default and is sent only to an endpoint you configure yourself.

Does it provide WP-CLI commands?

Yes:

  • wp bzal verify-integrity — verify the per-row signatures and the checkpoint chain, reporting any detected tampering.
  • wp bzal checkpoint — seal a new integrity checkpoint immediately.
  • wp bzal purge — apply the retention policy now.
  • wp bzal stats — print the number of recorded events for the current site.

Can developers extend it?

Yes. The plugin exposes hooks for integration:

  • do_action( 'bzal_event_logged', array $columns ) — fires after each event is stored; receives the event’s column map, for forwarding to your own systems.
  • apply_filters( 'bzal_geolocate_country', string $country, string $ip ) — return an ISO country code for an IP to power optional login geolocation (no provider is bundled).
  • apply_filters( 'bzal_user_meta_denied', bool $denied, string $meta_key ) — return true to keep a specific user-meta key out of the log.
  • do_action( 'bzal_plugin_booted' ) — fires once the plugin has finished booting, for registering your own extensions.

Contributors & Developers

“BeziWorld Activity Log” is open source software.

Changelog

0.5.1

  • Hardening: settings inputs are now unslashed and sanitised at the point of access rather than across helper boundaries, satisfying Plugin Check static analysis.
  • Removed the redundant load_plugin_textdomain() call; bundled Polish, German and Czech translations load through WordPress just-in-time loading (the Text Domain and Domain Path headers are declared).

0.5.0

  • Content, comment, media, taxonomy, menu, plugin/theme, settings, GDPR-request and user-metadata sensors.
  • WooCommerce and Yoast SEO integrations (loaded only when active).
  • Real-time notifications: Slack, Discord, Telegram, email, generic webhook — by urgency or per chosen event codes; immediate or hourly digest.
  • Optional login geolocation with a login-from-new-country alert.
  • Scheduled HTML summary reports; statistics screen with charts; admin-bar quick view with a security badge.
  • Active session management; CSV/JSON export with formula-injection protection.
  • Hash-chained integrity checkpoints with optional off-host anchoring and wp bzal verify-integrity; per-site partitioned on multisite networks.
  • REST (offset + cursor pagination + integrity-anchor endpoint) and optional GraphQL read access; advanced filters; dashboard widget; same-request event correlation.
  • Per-site partitioned integrity chain on multisite; optional full-text indexing of the event-data payload.
  • Configurable per-event severity and optional behavioural anomaly detection (bulk-delete burst, off-hours admin login).
  • Fast full-text search (MySQL FULLTEXT) across event object, user and message columns, with a LIKE fallback and an optional mode that also indexes the event-data payload.

0.1.0

  • Initial release: custom-table storage, per-row HMAC integrity, authentication/account sensor, event viewer, configurable retention with on-demand cleanup, event toggles and exclusion rules.