Activity Log Pro – User Activity Log, Audit Log & Security Monitor
Activity Log Pro is a complete WordPress activity log, user activity log, and audit log plugin for user tracking and accountability. Track user logins, content changes, plugin and theme updates, settings changes, and other important site activity – and see who did what, when, and where from one clean activity dashboard. Activity Log Pro gives you a complete audit trail of everything happening on your WordPress site. See who logged in, what content changed, exactly when it happened, which plugins were updated and any suspicious activity – all in one place. Perfect for businesses, e-commerce stores, agencies, WordPress maintenance services, and multi-user sites that need full visibility into user and system changes. Agencies and freelancers managing multiple sites can use Log Channels (Premium) to centralise logs from every client site into a single logging platform like Datadog or Better Stack. Whether you’re troubleshooting issues, staying compliant, or monitoring for security threats, Activity Log Pro is your WordPress activity tracker and activity monitoring tool to keep your site secure and transparent. “This is a super slick plugin guys. Very simple to use, very clean interface. Super excited about it.” – Ryan @ InfluenceWP.com “Perfect! Robust and exemplary neat plugin! All the info that you need is in a clear overview.” – @mixha Why Use a WordPress Activity Log? Understand every action on your site, reduce security risks, and simplify compliance. Security & Compliance: Stay compliant with GDPR, HIPAA, and other regulations while detecting failed logins, role changes, and suspicious behavior. Troubleshooting & Debugging: See exactly what changed before something broke – track plugin updates, theme edits, and content changes. User Accountability & Audit Trails: Know exactly who did what, when, and from which IP address for complete transparency and legal compliance. Performance & Site Health: Monitor plugin installations, theme changes and modifications that impact your site’s speed and stability. Enhanced Backup Strategy: Create detailed change logs that complement your backups – know exactly what to restore and when changes occurred. WordPress Security Monitoring: Track failed logins, suspicious activities, user role changes, and potential security threats in real-time. Key Features of This WordPress Activity Log Plugin 🚀 Complete Core Activity Tracking User login/logout activities with IP tracking Failed login attempt monitoring for security Login Flood Guard (optional) — caps consecutive failed-login log entries during brute-force bursts; configurable threshold (20/50/100/200), on/off toggle, and an inline notice on the Activity Logs screen when suppression is active Post, page, and custom post type changes (create, update, delete) Media library activities (upload, edit, delete) Plugin installations, activations, deactivations, and updates Theme switches, installations, and customizer changes WordPress core updates Widget modifications and placement changes Menu creation, updates, and deletions User registration, profile updates, and role changes Comment activities (approved, spam, trash, delete) Settings and options changes Category and tag management 🔌 Advanced Plugin Integrations WooCommerce Activity Log: Complete e-commerce activity monitoring — track order modifications, product changes, inventory updates, customer data edits, payment gateway settings, and coupon usage for full store audit trails (Premium) Yoast SEO Activity Log: Monitor all SEO changes including meta descriptions, title tags, search engines follow links, Advanced Meta Robots, Breadcrumbs Title updates, focus keyword changes, and readability optimizations to maintain SEO integrity (Premium) Free Professional Features Real-time activity monitoring dashboard Advanced filtering and search capabilities Detailed activity metadata and context IP address tracking for security analysis User role-based activity permissions Customizable data retention policies Export capabilities (CSV, JSON, HTML and TXT formats) Clean, responsive admin interface Database optimization for performance 💎 Premium Features Upgrade to Activity Log Pro Premium for advanced security and privacy controls: Advanced IP Privacy Controls – GDPR-compliant IP anonymization and masking options IP Location Mapping – Geographical insights for visitor analysis and security monitoring Security Alerts – Security Alerts helps you detect important WordPress activity in real time with instant email notifications for security events, content changes, and core/plugin updates. Configure smart alert cooldowns, choose multiple recipients, and reduce noise while still catching high-risk behavior fast. Log Channels – Centralise activity logs from all your WordPress sites into one platform. Stream every log entry in real time to Grafana Loki, Better Stack, Slack, Papertrail, Loggly, Datadog, Syslog/SIEM targets, or your own custom webhook endpoint. Every event is automatically tagged with the site name and URL — so you can filter across all your sites inside your existing logging platform. Delivered asynchronously in background jobs with zero impact on page load times. Ideal for agencies, WordPress maintenance services, and freelancers managing multiple client sites. Enhanced Security Features – Real-time logs and suspicious activity logs (via Live Monitor) JSON Feed Export – SIEM integration with secure token-based access WooCommerce Logger – Comprehensive e-commerce tracking (orders, products, customers) Yoast SEO Logger – Complete SEO audit trails for meta data and schema changes Priority Support – Direct access to expert support with faster response times 👉 Compare Free vs Premium Features → | 👉 Try out the Demo → 🏢 Centralised Logging for Agencies & WordPress Maintenance Services Managing multiple WordPress sites? Log Channels (Premium) lets you stream activity logs from every client site into a single external logging platform — so you can monitor all your sites in one place, without logging into each WordPress admin individually. How it works: Install Activity Log Pro on each WordPress site, configure a Log Channel pointing to your preferred logging platform, and every activity log entry is forwarded in real time. Each event is automatically tagged with the site name and site URL, so you can filter, search, and alert by site inside your chosen platform. Supported platforms — bring your own logging stack: Better Stack — Stream logs to your Better Stack Logs source; filter by site in the Telemetry dashboard Datadog — Forward logs to your Datadog account; filter by site_name or site_url in Logs Search Loggly — Centralise logs in Loggly; tag and query by site across your entire client portfolio Papertrail — Route logs via HTTPS token or classic Syslog to your Papertrail destinations Slack — Push activity events to a Slack channel for real-time awareness across all sites Custom Webhook / Syslog / SIEM — Connect to any endpoint or enterprise SIEM platform Why agencies and maintenance services choose Log Channels: One dashboard, all sites — view and search logs from every client site in your existing logging platform No vendor lock-in — choose the platform you already use; no new SaaS subscription required Tamper-proof audit trail — if a site is compromised and an attacker clears the on-site logs, your external copy is already safely stored and completely out of reach Zero performance impact — log delivery runs asynchronously in background jobs; visitors and admins never wait for external services to respond Multiple simultaneous channels — send logs to Datadog for archiving and Slack for real-time alerts at the same time Per-channel test button — verify each connection is working before you rely on it View full Log Channels details: 👉 activitylog.pro/features → ⚡ Performance & Database Custom database table – Activity Log Pro uses its own dedicated table, keeping your posts and meta tables clean and queries fast. Low-overhead logging – Events are captured in real time using optimised queries designed to have minimal impact on site performance. Configurable retention – Set log retention from 7 to 365 days to keep your database lean and manageable. Automatic cleanup – Scheduled purges run automatically based on your retention settings, with no manual intervention required. 🧹 Clean Uninstall Full data removal – Uninstalling the plugin removes all log data, custom tables, plugin options, and scheduled tasks. No leftover clutter – Your database is restored to its original state with nothing left behind, so you can test the plugin with confidence. 🛡️ Security & Privacy Activity Log Pro takes your privacy and security seriously: IP Address Anonymization by Default – All IP addresses are automatically anonymized (e.g., 192.168.1.xxx) for privacy protection WordPress Standard Security – Database security practices (prepared statements, input sanitization) Configurable Data Retention – Meet your privacy requirements with customizable retention periods Administrator-Only Access – All plugin features require administrator privileges for security 📊 Perfect For Business Websites & Corporate Sites: Maintain GDPR compliance, PCI DSS standards, and audit trail requirements for regulatory inspections and security protocols. WooCommerce & E-commerce Stores: Track order modifications, product changes, inventory adjustments, customer data access, and payment processing for fraud prevention and compliance. Multi-user WordPress Sites: Monitor team member activities, role changes, content approvals, and administrative access for complete user accountability. WordPress Development & Staging Sites: Track plugin installations, removal, theme modifications. Digital Agencies, WordPress Maintenance Services & Freelancers: Centralise activity logs across all your client sites into a single logging platform like Datadog, Better Stack, or Loggly. Each log entry is tagged with the site name and URL, giving you a unified, searchable audit trail across your entire portfolio — without logging into each site individually. Use Log Channels (Premium) to stream logs from all your client sites to your existing stack. No new SaaS dashboard required — bring your own logging platform and stay in control of your data. Membership Sites & Private Communities: Track member activities, subscription changes, content access, and community moderation actions. Educational Institutions & Learning Management: Monitor student submissions, instructor activities, course content changes, and user enrollment modifications. News & Publishing Websites: Monitor editorial workflows, content publication schedules, author activities, and SEO optimization changes. 🔧 Easy Setup & Configuration Get started in minutes: 1. Install and activate the plugin – it works out of the box with default settings 2. Configure which activities to track (optional) 3. Set your data retention preferences (optional) 4. Start monitoring immediately (There are various other Settings for you to explore) No complex setup required — this WordPress activity log works right away with sensible defaults while offering extensive customization options for advanced users. 💡 Use Cases This user activity log helps you answer the questions that matter most: Troubleshooting: “What changed right before the site broke?” Security Monitoring: “Who attempted to login with admin credentials?” Content Management: “When was this post last modified and by whom?” Compliance: “Show me all user activities for the past 6 months” Performance: “What plugins were recently activated that might be slowing the site?” Multi-Site Management: “Which of my client sites had a plugin deactivated, a user role changed, or a new admin added today?” System Requirements WordPress 6.3 or higher PHP 7.4 or higher MySQL 5.6 or higher (or MariaDB 10.0+) Minimum 64MB PHP memory limit (128MB recommended) Database Information Creates custom table: {prefix}actlogpro_activity_log_pro_all_logs Estimated storage: ~1KB per logged event Automatic cleanup: Based on retention settings (7-365 days) Uses WordPress database prefix: Follows WordPress naming conventions Privacy Policy Activity Log Pro logs user activities on your WordPress site. This may include: User login/logout times and IP addresses (anonymized by default) Content creation, modification, and deletion activities Plugin and theme changes Administrative actions Data Storage: Activity logs are stored locally in your WordPress database by default. No log data is sent to external services unless you explicitly enable a Log Channel (Premium), which can forward copies of logs to services like Datadog, Grafana Loki, Better Stack, and others. IP Address Privacy: IP addresses are automatically anonymized by default (e.g., 192.168.1.xxx) for privacy protection. Full IP addresses are only stored if explicitly enabled by administrators in the premium version. Third-Party Services: The plugin uses ipinfo.io for optional IP geolocation lookups when administrators manually request location information, and LemonSqueezy for payment processing when users choose to purchase premium features and for newsletter subscriptions when users voluntarily sign up. The ipinfo.io service is only used when explicitly requested and data is cached locally. LemonSqueezy is only used when users voluntarily initiate premium purchases, subscription management, or newsletter signups. Data Retention: You can configure data retention periods to meet your privacy requirements. You can configure a secure JSON feed, with access via a secure authentication token, available in Premium → activitylog.pro/pricing Support For support, documentation, and feature requests, please visit: Plugin Website → activitylog.pro Get Support → activitylog.pro/support Plugin Docs → activitylog.pro/docs Following on Twitter/X → x.com/ActivityLog Third-Party Services This plugin uses the following third-party services: IP Geolocation Service (ipinfo.io) – Purpose: Provides geographical location data for IP addresses to enhance security monitoring – Data Sent: IP addresses are sent to ipinfo.io for location lookup when administrators manually request IP location information – When Used: Only when administrators manually request IP location information via the admin interface – Privacy Policy: https://ipinfo.io/privacy-policy – Terms of Service: https://ipinfo.io/terms-of-service – Data Storage: Location data is cached locally for 24 hours to minimize API calls – User Control: This feature is optional and only available to administrators who explicitly request IP location data Payment Processing Service (LemonSqueezy) – Purpose: Handles secure payment processing, license validation, and subscription management for premium features – Data Sent: When users choose to purchase premium plans, payment information (credit card details, billing address), email address, and license details are processed by LemonSqueezy – When Used: Only when users voluntarily initiate premium plan purchases, license activation, or subscription management – Privacy Policy: https://www.lemonsqueezy.com/privacy – Terms of Service: https://www.lemonsqueezy.com/terms – Data Storage: Payment and license data is managed entirely by LemonSqueezy – no payment information is stored on your WordPress site – User Control: Users have complete control over whether to purchase premium features and can manage their subscriptions through LemonSqueezy’s customer portal Newsletter Subscription Service (LemonSqueezy) – Purpose: Allows users to voluntarily subscribe to product updates and educational content newsletters – Data Sent: Name and email address only when users explicitly choose to subscribe to the newsletter – When Used: Only when users voluntarily fill out and submit the newsletter subscription form in the plugin settings – Privacy Policy: https://www.lemonsqueezy.com/privacy – Terms of Service: https://www.lemonsqueezy.com/terms – Data Storage: Newsletter subscription data is managed by LemonSqueezy – no subscription information is stored on your WordPress site – User Control: Users have complete control over newsletter subscription and can unsubscribe at any time via email links or LemonSqueezy’s customer portal
Top keywords
- activity36×1.57%
- log34×1.48%
- site27×1.18%
- wordpress27×1.18%
- data25×1.09%
- changes24×1.05%
- logs22×0.96%
- security21×0.92%
- ip19×0.83%
- user19×0.83%
- activity log18×0.79%
- premium17×0.74%
Login Armor
Twelve security modules. One lightweight plugin. Zero compromise. Login Armor is a complete WordPress security stack built for agencies, freelancers and pros who deliver audit-ready sites. No premium tier, no bundled marketing dashboard, no telemetry. Every module runs locally, ships with safe defaults, and stays out of your way. Stop juggling Wordfence’s bloat, Solid Security’s upsells, and Limit Login Attempts’ gaps — Login Armor delivers twelve independent modules in about one megabyte. New in 2.4.0 Request Firewall — an optional, 8G-inspired PHP filter that blocks malicious requests (SQL injection, code execution, traversal, XSS, disallowed HTTP methods) before WordPress finishes loading, on Apache, Nginx and LiteSpeed alike. Off by default, it starts in monitor mode and never filters logged-in administrators; every block is logged, aggregated to one incident per IP per hour. Guided onboarding — a first-run wizard offers a one-click “safe baseline” that turns on the no-risk essentials, so a beginner is protected in seconds. The same “Apply safe baseline” button stays available any time. Why Login Armor No upsells, ever. No “premium” tier, no greyed-out “Pro” buttons. Every feature is GPL. No external services to sign up for. No API keys, no remote dashboards, no telemetry. The only outbound calls are opt-in: Have I Been Pwned (breach/password checks), Slack/Discord/webhook (notifications), the keyless ipwho.is API (geolocation), and your own WordPress 7 AI connector. Built to be invisible. Sub-megabyte ZIP, lazy-loaded modules, indexed queries — under 2 ms on a normal login flow. Multisite-aware, PHP 8.1-native, production-grade defaults. Network-activate a fleet, configure per-site, manage from a complete WP-CLI suite; zero-config gets you 80 percent of the protection. Twelve independent modules Hide Login — Replace wp-login.php with a custom slug; the old URL returns a 404, and a branded pre-activation modal lets you pick or generate the slug and emails it to you so you can’t lock yourself out. Compatible with multisite, reverse proxies and password-recovery flows. Brute Force Protection — Cascading lockouts escalating to a 24-hour ban, with subnet blocking and trusted X-Forwarded-For; lostpassword, register, XML-RPC and the REST users endpoint are all gated when an IP is locked, and every lockout surfaces as an incident. Hardening — Fifteen one-click toggles across surface reduction, credential hardening, request filtering and account monitoring: disable XML-RPC/pingbacks, the file editor, version exposure, application passwords and author enumeration; block reserved usernames (Unicode-confusable detection); add a login honeypot; get alerted on new administrators. Two-Factor Authentication — TOTP, one-time codes by email and printable backup codes, with trusted devices for thirty days, per-role enforcement, a configurable grace period and an email recovery flow when the authenticator is lost. Detection and Incidents — A real-time engine groups raw events into six attack patterns, each with a drill-down (timeline, source IPs, target users, severity, UA fingerprint) and one-click actions (reset password, block subnet, mark resolved). Activity Log — A compliance-ready, tamper-evident (hash-chained) audit trail of admin actions across seven logger domains, with filtering, CSV export, configurable retention and optional signed webhook forwarding to a SIEM. Login Page Security Headers — Content-Security-Policy, X-Frame-Options, Permissions-Policy, Referrer-Policy and X-Content-Type-Options on wp-login.php and the lockout page, in two presets with an optional CSP report-uri; baseline headers can optionally extend site-wide. Breach Check — Detect logins using a breached password via privacy-preserving k-anonymity against Have I Been Pwned (only a 5-character SHA-1 prefix leaves the server); optional XposedOrNot email lookup, fail-soft so an outage never blocks login. Password Policy — Enforce strong, unique passwords at registration, profile update and reset: minimum length and character classes, forbid the username inside the password, optionally reject breached passwords, with optional non-locking expiration nudges. Session Management — Idle-timeout logout measured on real page loads, a maximum session lifetime regardless of “remember me”, an optional single-active-device restriction, and a one-click “sign out all other devices”. IP Geolocation — Show the attacker’s country on the Incidents and Events tabs; lazy, cached thirty days, capped per page load, private ranges never sent. Keyless ipwho.is by default, swappable for an offline database via a filter. Request Firewall — An optional, 8G-inspired PHP filter that blocks malicious query strings, paths, HTTP methods and (opt-in) user-agents/referrers before WordPress loads, on Apache/Nginx/LiteSpeed alike; off by default, starts in monitor mode, never filters admins, skips REST/cron/WP-CLI, with an IP/path allowlist (CIDR). Not scored. AI Security Briefing (optional) Built on the WordPress 7 native AI Client, one click turns your last thirty days of activity into a plain-language verdict, an IP picture and a short list of prioritised actions; “Explain with AI” does the same on a single incident. Minimised mode (anonymised signals) is the default and deep mode is an explicit opt-in. No API key is stored — it uses your own WordPress AI connector, so provider and cost stay yours. It always leads with a deterministic facts snapshot that works with or without AI. Plus Guided onboarding — a first-run wizard with a one-click safe baseline (Simple) or manual setup (Advanced); the “Apply safe baseline” button stays available, and upgrading sites never see the wizard. Security score — a weighted 0-100 read of your posture with a one-click “next best action”; observability features (geolocation, notifications, the AI assistant) are deliberately not scored. Conflict detection — warns when another login-security plugin (Wordfence, Solid Security, Sucuri, All-In-One Security, SecuPress and more) or a cache plugin (with Hide Login on) could clash. Notifications — email, Slack, Discord or webhook with SSRF-safe URL validation, severity threshold and rate limiting. WP-CLI suite and a dashboard widget (14-day sparkline, six headline metrics). GPL forever. PHP 8.1+. WordPress 6.8+. Zero dependencies. Douze modules de sécurité. Une seule extension légère. Zéro compromis. Login Armor est une stack complète de sécurité WordPress conçue pour les agences, les freelances et les pros qui livrent des sites prêts à passer un audit. Pas de version premium, pas de tableau de bord marketing intégré, pas de télémétrie. Chaque module tourne en local, embarque des réglages par défaut sécurisés, et reste discret. Fini de jongler entre la lourdeur de Wordfence, les fenêtres d’upsell de Solid Security et les angles morts de Limit Login Attempts — Login Armor regroupe douze modules indépendants en environ un méga-octet. Nouveau en 2.4.0 Pare-feu de requêtes : un filtre PHP optionnel, inspiré du pare-feu 8G, qui bloque les requêtes malveillantes (injection SQL, exécution de code, traversée de répertoires, XSS, méthodes HTTP non autorisées) avant même que WordPress ait fini de charger, aussi bien sur Apache que Nginx ou LiteSpeed. Désactivé par défaut, il démarre en mode surveillance et ne filtre jamais les administrateurs connectés ; chaque blocage est journalisé, agrégé en un incident par IP et par heure. Assistant de configuration : à la première activation, un assistant propose une « base sûre » en un clic qui active les essentiels sans risque — un débutant est protégé en quelques secondes. Le même bouton « Appliquer la base sûre » reste disponible à tout moment. Pourquoi Login Armor Aucun upsell, jamais. Pas de niveau « premium », pas de boutons « Pro » grisés. Tout est en GPL. Aucun service externe à activer. Pas de clé API, pas de tableau distant, pas de télémétrie. Les seuls appels sortants sont opt-in : Have I Been Pwned (fuites/mots de passe), Slack/Discord/webhook (notifications), l’API sans clé ipwho.is (géolocalisation) et votre propre connecteur IA WordPress 7. Conçu pour être invisible. ZIP de moins d’un méga, modules chargés à la demande, requêtes indexées — sous 2 ms sur un flux de connexion normal. Compatible multisite, natif PHP 8.1, réglages prêts pour la production. Activation réseau d’une flotte, configuration par site, pilotage via une suite WP-CLI complète ; sans configuration, vous avez déjà 80 % de la protection. Douze modules indépendants Masquer la connexion : remplace wp-login.php par une URL personnalisée (l’ancienne renvoie une 404) ; une modale de pré-activation choisit ou génère le slug et vous l’envoie par e-mail pour éviter tout verrouillage. Compatible multisite, reverse proxies et récupération de mot de passe. Protection contre la force brute : verrouillages en cascade montant à un bannissement de 24 h, blocage de sous-réseaux et support X-Forwarded-For ; lostpassword, register, XML-RPC et l’endpoint REST users sont bloqués pour une IP verrouillée, et chaque verrouillage devient un incident. Renforcement : quinze bascules en un clic (réduction de surface, identifiants, filtrage des requêtes, surveillance des comptes) — désactiver XML-RPC/pingbacks, l’éditeur de fichiers, l’exposition de version, les mots de passe applicatifs et l’énumération d’auteurs ; bloquer les identifiants réservés (homoglyphes Unicode) ; ajouter un pot de miel ; être alerté à la création d’un administrateur. Authentification à deux facteurs : TOTP, codes à usage unique par e-mail et codes de secours imprimables, avec appareils de confiance 30 jours, application par rôle, période de grâce configurable et récupération par e-mail en cas de perte. Détection et incidents : un moteur en temps réel regroupe les événements en six patterns d’attaque, chacun avec une vue détaillée (chronologie, IP sources, comptes cibles, sévérité, empreinte UA) et des actions en un clic. Journal d’activité : piste d’audit conforme et inviolable (chaîne de hachage) des actions admin sur sept domaines, avec filtrage, export CSV, rétention configurable et transfert webhook signé optionnel vers un SIEM. En-têtes de sécurité : CSP, X-Frame-Options, Permissions-Policy, Referrer-Policy et X-Content-Type-Options sur wp-login.php et la page de verrouillage, en deux préréglages avec CSP report-uri optionnel ; les en-têtes de base peuvent s’étendre à tout le site. Détection de fuites : repère les connexions avec un mot de passe fuité via k-anonymat sur Have I Been Pwned (seul un préfixe SHA-1 de 5 caractères sort) ; vérification e-mail XposedOrNot optionnelle, fail-soft. Politique de mot de passe : impose des mots de passe forts à l’inscription, au profil et à la réinitialisation (longueur, classes de caractères, interdiction de l’identifiant, rejet optionnel des mots de passe fuités), avec expiration optionnelle qui ne verrouille jamais personne dehors. Gestion des sessions : déconnexion sur inactivité mesurée sur les vrais chargements, durée de vie maximale indépendante de « se souvenir de moi », limitation optionnelle à un seul appareil actif, et « déconnecter tous les autres appareils » en un clic. Géolocalisation IP : affiche le pays des IP attaquantes dans Incidents et Événements ; recherches paresseuses, cache 30 jours, plafonnées par page, plages privées jamais envoyées. ipwho.is sans clé par défaut, base hors ligne possible via un filtre. Pare-feu de requêtes : filtre PHP optionnel inspiré du 8G qui bloque chaînes de requête, chemins, méthodes HTTP et (en option) user-agents/referrers malveillants avant le chargement de WordPress, sur Apache/Nginx/LiteSpeed ; désactivé par défaut, démarre en mode surveillance, ne filtre jamais les admins, ignore REST/cron/WP-CLI, allowlist IP/chemins (CIDR). Non noté. Briefing de sécurité IA (optionnel) Bâti sur le client IA natif de WordPress 7, un clic transforme vos trente derniers jours d’activité en un verdict en langage clair, un panorama des IP et une courte liste d’actions prioritaires ; « Expliquer avec l’IA » fait de même sur un incident. Le mode minimisé (signaux anonymisés) est par défaut, le mode approfondi est un opt-in explicite. Aucune clé API stockée : il utilise votre propre connecteur IA WordPress, le coût et le fournisseur restent les vôtres. Il s’ouvre toujours sur un instantané de faits déterministes, utile avec ou sans IA. En plus Assistant de configuration : un assistant à la première activation propose une base sûre en un clic (Simple) ou une voie manuelle (Avancée) ; le bouton « Appliquer la base sûre » reste disponible, et les sites en mise à jour ne le voient jamais. Score de sécurité : lecture pondérée 0-100 de votre posture avec une action prioritaire en un clic ; les fonctions d’observabilité (géolocalisation, notifications, assistant IA) ne sont pas notées. Détection de conflits : alerte quand une autre extension de sécurité axée connexion (Wordfence, Solid Security, Sucuri, All-In-One Security, SecuPress et d’autres) ou un plugin de cache (avec Hide Login actif) peut entrer en conflit. Notifications : e-mail, Slack, Discord ou webhook, avec validation d’URL anti-SSRF, seuil de sévérité et rate limiting. Suite WP-CLI et widget Tableau de bord (sparkline 14 jours, six métriques clés). Conçu par Login Armor est conçu et maintenu par Fabrice Ducarme de WPFormation, expert WordPress français obsédé par les sites propres, rapides et prêts pour l’audit. On l’utilise sur chaque site qu’on livre. Présentation et fonctionnement de Login Armor Guides de sécurité WordPress sur WPFormation Veille des vulnérabilités WordPress : l’outil de veille sécurité de WPFormation GPL pour toujours. PHP 8.1+. WordPress 6.8+. Zéro dépendance. External Services AI Security Briefing (optional) The AI Security Briefing and the “Explain with AI” incident analysis are powered by the WordPress 7 native AI Client (wp_ai_client_prompt()). When the administrator clicks the analysis button, LoginArmor asks WordPress to send a prompt to the AI connector that the administrator configured in their own WordPress (for example OpenAI, Anthropic or Google, depending on the connector). LoginArmor itself stores no API key and contacts no endpoint directly: the request, the provider and the cost are owned by the site’s own AI connector. Data sent: a text prompt describing the security situation. In minimised mode (the default), only anonymised, non-identifying signals are included (counts, categories, severities, role buckets) – no IP address and no username in clear. In deep mode (an explicit, off-by-default opt-in), the prompt additionally includes real IP addresses and event details so the analysis can name specific sources. No data is ever sent unless the administrator clicks the analysis button. This feature is inactive unless WordPress 7 (or the AI Building Blocks feature plugin) is present with a configured, approved AI connector. The applicable terms and privacy policy are those of the AI provider the administrator chose for their connector; please refer to that provider’s documentation. Webhook Notifications (optional) When explicitly enabled and configured by the administrator in LoginArmor > Settings > Notifications, the plugin sends incident data to third-party services via webhooks. Data sent: incident type, severity level, IP address, target username, event count, and site URL. No data is sent unless the administrator actively enables and configures a notification channel. Slack – Terms of Service | Privacy Policy Discord – Terms of Service | Privacy Policy Custom Webhook URL – User-configured endpoint (administrator’s responsibility) Gravatar (Automattic) The Activity Log tab uses WordPress core’s get_avatar() function to display user avatars. WordPress may send a hashed email address to Gravatar servers to retrieve avatar images. This is controlled by Settings > Discussion > Avatars. Gravatar – Automattic Terms of Service | Privacy Policy Breach Check – Have I Been Pwned (optional) When the administrator explicitly enables the Breach Check module (LoginArmor > Settings > Breach …