The data stored in the WordPress activity log is sensitive and confidential. So should you back it up? Should you archive it and keep it secure?
Many compliance regulations stipulate who can access such data, and how such data should be stored, secured and backed up. This is common practise in the finance and healthcare industries. Typically they also stipulate for how long activity log data should be kept.
Therefore installing WP Security Audit Log to keep a log of user and site changes is just the beginning. As a business you are also responsible for the security and management of the WordPress activity logs (aka audit log or audit trail) on your website(s).
In this article we explain all you need to know about managing and maintaining the WordPress activity log data. We also explain how you can use the tools in WP Security Audit Log to manage and keep your WordPress activity logs secure and backed up.
For how long should you keep the WordPress activity log data?
There are many factors to consider when deciding for how long you should retain your website’s activity log data:
- Does your business has to comply with specific regulatory compliance requirements?
- Do you keep an activity log for security only, or also for user accountability?
If you are keeping a log only because of compliance, the answer is simple; keep the log for as long as the regulations stipulate. For example, if you use WooCommerce on your website, refer to the PCI DSS guide for WordPress ecommerce websites.
However, as a rule of thumb it is recommended to keep the logs for as long as possible. If you are worried about how to store and manage the activity log data, read on for some great tips.
Managing and securing the WordPress audit log data
Once you determine for how long you will retain the WordPress activity log data, configure the activity log retention. Use the other tools in the WP Security Audit Log plugin to configure the archiving and improve security.
The following steps are very important to ensure activity log data is not tampered with and stored securely. They also allow for data to be retrieved anytime without affecting your websites’ performance.
1. Store the activity log in an external database
You can start optimizing your activity log setup by storing the WordPress activity log in an external database. By doing so you you improve the efficiency of storing and reading the activity logs and:
- data does not consume resources allocated to the WordPress database,
- audit log data is segregated from the website data, so it cannot be tampered with should the website gets hacked.
Logs segregation is very important, especially in security. Most regulatory compliance standards require logs to be segregated from website data.
IMPORTANT! Use a dedicated database when configuring the external logs database. Do not use the same database user you use for WordPress. Otherwise, if attackers gain access to your WordPress database via a SQL injection or similar vulnerabilities can also access the audit log data.
2. Archive old activity log data
Depending on the size of your activity log you might need to archive old WordPress activity log data. The WP Security Audit Log plugin has a tool with which you can archive the log data. When you archive old data you can keep millions of records without affecting the main activity log database performance.
It depends on the business requirements, and what you are using the logs for. However, typically we recommend to archive data that is older than one year. This keeps the amount of data stored in the main activity log database at a low level.
3. Back up the WordPress activity log
Should you backup the WordPress activity log?
Definitely! It is important to backup the activity log data. Backup the logs even if they are stored in an external database or on a separate server. Better safe than sorry.
How to back up the WordPress activity log
The plugin saves the plugin settings and activity log in three tables in the database. Configure your online WordPress backup service or plugin to backup these tables as well:
Note that the table name prefix wp might be different on your website.
If you save your activity log in an external database most probably you need to use a different backup solution. WordPress backup services or plugins do not backup tables outside the WordPress database. You can include the tables in your database server backup instead. The same applies if you archive your activity log data.
4. Configure user privileges for activity log access
Not every user should have access to the WordPress activity logs. Only trusted people who need access should be able to see the logs. By default the WP Security Audit Log plugin allows all users with administrator role to see the WordPress activity logs and configure the plugin. However, you can restrict access to only your user, or a handful of users. Refer to configuring plugin and WordPress activity log management privileges for information of how to restrict access. We recommend you restrict access as follows:
- Only one user should be able to change the plugin settings. Ideally this should be the administrator account which is only for website management tasks.
- Trusted users should be allowed to only view the activity logs.
Managing and storing big data / old WordPress activity logs
How can large companies keep years’ worth of data? What if they have millions of events in the activity log every year? Can they keep all the records in the same archive database?
For example finance institutions are obliged by law to keep up to 6 years of log data at least. In such cases we recommend to split the archived activity log data per year. Achieving this is simple with the WP Security Audit Log plugin:
- Configure the plugin to archive one year old activity log data.
- Once you have one year of data stored in the archiving database, stop archiving.
- Delete the database connection.
- Backup the activity log archive database and store the backup in a safe location.
- Enable archiving again and follow this procedure once a year.
Accessing old data
To access the logs from a specific year, all you need to do is:
- install the plugin on a vanilla website,
- restore the archive tables on that website,
- browse and search through the logs.
Taking care of sensitive WordPress activity log data
Like any other admin software solution, your WordPress audit log system requires fine tuning for it to meet your requirements. Therefore once you determine the purpose of the logs and for how long you need to keep them:
- move them to an external database,
- configure archiving,
- back them up.
Only by doing so you can ensure the sensitive WordPress activity log data is always readily available and well protected.