Monitoring login activity is a basic but often neglected part of WordPress security. User Login Log provides the data. Here is what to look for and what to do when you see something suspicious.
What a Login Log Shows You
A login log captures: username, IP address, browser/device, and login timestamp for every successful login. This lets you identify patterns like logins from unexpected countries, logins at unusual times, or logins from multiple IPs for the same user account in a short window.
Suspicious Patterns to Watch For
- Login from an unrecognised country — If your team is all in the US and a login shows from an Eastern European or Asian IP, investigate. It may be a VPN, but it warrants a check.
- Multiple IPs for the same user in a short time — If a user logs in from London and then New York within an hour, something is wrong. Either the account is shared or it has been compromised.
- Logins at 3am — Unusual login times for accounts that should not be active overnight are worth investigating, particularly for admin accounts.
- User accounts you do not recognise — A user in the log that you have no record of creating may indicate a compromised registration process or an account created by an attacker.
Setting Up Failed Login Monitoring
User Login Log records successful logins only. Failed attempts are the signature of password guessing, the most common attack against the login form, and recording them requires a separate tool. Plugins such as Limit Login Attempts Reloaded or Wordfence log failed attempts and can block IP addresses after a threshold of failures. Enable this logging and review the failed attempt report regularly. A burst of failed attempts followed by a successful login from the same IP is a strong indicator of a compromised account.
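Two of the patterns above can be checked mechanically once successful and failed logins are merged into one CSV: a burst of failures followed by a success from the same IP, and one user logging in from different IPs within a short window. The script below is an added example, not part of any plugin mentioned here; the column names (time, user, ip, result), the thresholds, and the sample rows are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names and the fail/success values are
# assumptions, not the export format of any particular plugin.
SAMPLE_CSV = """time,user,ip,result
2024-05-01 02:58:10,admin,203.0.113.7,fail
2024-05-01 02:58:15,admin,203.0.113.7,fail
2024-05-01 02:58:21,admin,203.0.113.7,fail
2024-05-01 02:58:30,admin,203.0.113.7,success
2024-05-01 09:00:00,editor1,198.51.100.4,success
2024-05-01 09:40:00,editor1,192.0.2.55,success
2024-05-01 10:00:00,author2,198.51.100.9,fail
2024-05-01 10:00:30,author2,198.51.100.9,success
"""

def load_events(text):
    rows = csv.DictReader(text.strip().splitlines())
    events = [dict(r, time=datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")) for r in rows]
    return sorted(events, key=lambda e: e["time"])

def fail_burst_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Successes preceded by >= threshold failures from the same IP within window."""
    fails, hits = defaultdict(list), []  # fails: ip -> failure timestamps
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]].append(e["time"])
        elif e["result"] == "success":
            recent = [t for t in fails[e["ip"]] if e["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append((e["user"], e["ip"], len(recent)))
    return hits

def multi_ip_logins(events, window=timedelta(hours=1)):
    """Users whose consecutive successful logins come from different IPs within window."""
    last, hits = {}, []  # last: user -> (time, ip) of previous successful login
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev and prev[1] != e["ip"] and e["time"] - prev[0] <= window:
            hits.append((e["user"], prev[1], e["ip"]))
        last[e["user"]] = (e["time"], e["ip"])
    return hits

if __name__ == "__main__":
    ev = load_events(SAMPLE_CSV)
    print(fail_burst_then_success(ev), multi_ip_logins(ev))
```

A single mistyped password before a success (author2 in the sample) stays below the threshold and is not flagged; tune the threshold and windows to your site's normal behaviour.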
Responding to a Suspected Compromise
If you see a suspicious successful login:
- Immediately reset the affected user’s password from the Users screen.
- Go to Users, then the profile, and use the Log Out Everywhere Else button under the Sessions section to terminate all active sessions for that user.
- Review what the user accessed during the suspicious session — check post edits, plugin changes, and file modifications using an activity log plugin like WP Activity Log.
- If you suspect a broader compromise, run a malware scan with MalCare, Wordfence, or Sucuri.
- Change all admin passwords as a precaution.
Forcing Users to Use Two-Factor Authentication
Two-factor authentication makes compromised passwords much less useful to attackers. Plugins like WP 2FA let you require 2FA for specific user roles — typically all admin and editor roles. Even if a password is stolen, the attacker cannot log in without also controlling the user’s phone or authenticator app.
Login Log Retention
Keep login logs for at least 90 days. Shorter retention means you may not have data available when investigating an incident that started weeks ago. If your login log plugin lets you set a retention period, configure it. If not, periodically export the log to CSV for archival before clearing old records.
For complete WordPress security monitoring including login logging, activity auditing, and intrusion response planning, a WordPress security developer can set up a comprehensive monitoring stack.