ActivityPilot

Description

ActivityPilot is an activity log and audit-trail plugin for developers, agencies, and security-conscious site owners. Meaningful changes on your site — logins, content edits, plugin and theme operations, role changes, high-impact options, integrations, and more — are stored in a dedicated database table and shown in a modern admin timeline.

Privacy defaults

• External-service features are opt-in.
• Geolocation (ip-api.com) is disabled by default (enable_geo = 0).
• Outbound webhooks (Slack/Discord/Teams/custom URL) are disabled by default until you enable them and provide destination URLs.
• The plugin does not send data to third-party services unless you explicitly enable and configure those features.

Why use this plugin?

• Custom tables — logs live in {prefix}apwpm_activity_logs (not post meta) with indexes for fast queries.
• Modern admin UI — dashboard, timeline, filters, search, pagination, exports, dark mode, and keyboard shortcuts.
• Security-first — capability checks, REST nonces, prepared SQL, output escaping, and optional sudo mode for destructive actions.
• Break detection — spots error spikes and surfaces recent risky changes.
• Extensible — REST API (activitypilot/v1), hooks, custom event registry, and PSR-3 adapter.

Core features

• Activity logging for logins, posts, plugins, themes, users, roles, and important site options
• Timeline view with avatars, severity colors, and structured context
• Filters by user, action, object type, severity, date range, status, assignee, and search
• CSV and JSON exports; daily retention pruning via cron
• Email alerts when break detection finds unusual error activity
• Workflow: acknowledge, resolve, snooze, assign, and comment on events
• Smart insights: bursts, off-hours access, role escalation, and statistical spikes
• Optional rollback for supported change types (sudo-gated)
• Analytics heatmap, hour-of-day chart, and top users
• Scheduled HTML digest reports (daily, weekly, monthly)
• Multisite support with per-site tagging and network overview
• Hash-chain integrity verification (optional)
• File integrity monitoring, IP throttle, PII redaction, GDPR export/erase helpers
• Integrations: WooCommerce, ACF, popular form builders, SEO plugins, page builders
• Optional outbound webhooks (Slack, Discord, Microsoft Teams, generic URL)
• WP-CLI: wp apwpm list|count|verify|prune|purge|export|digest|scan-files

For developers

Log custom events from your code:

APWPM_Logger::log( array( 'action_type' => 'my_event', 'description' => 'Something happened' ) );

Filter hooks include apwpm_skip_log, apwpm_pre_insert_row, and apwpm_register_event_types. The shorter ap_* hook names from earlier builds are still fired for backward compatibility.

External services

This plugin can connect to third-party services only when you enable the related feature and, for webhooks, when you provide URLs.

IP geolocation (optional)

When Enable geolocation is on, the plugin may send the visitor IP address to ip-api.com to resolve country and city. No API key is required. Results are cached in WordPress transients (about 24 hours). See the ip-api privacy policy for their terms.

• Data sent: IP address (in the request URL).
• When: On log insert for events that include an IP, if geo is enabled and not already set.
• Purpose: Display country/city on timeline rows and detect logins from new countries.

Outbound webhooks (optional)

When webhooks are enabled and URLs are saved in settings, the plugin sends HTTP POST requests to your endpoints (for example Slack, Discord, Microsoft Teams, or a custom URL) when qualifying events occur.

• Data sent: Event title, description, severity, site name, and related metadata you configure to receive.
• When: After an event is logged that meets your minimum severity threshold.
• Purpose: Notify external chat or monitoring systems.
• Services/endpoints: Slack, Discord, Microsoft Teams, or any custom HTTPS endpoint that you explicitly configure.
• Terms/privacy (when using those services):
  Slack: https://slack.com/terms-of-service , https://slack.com/privacy-policy
  Discord: https://discord.com/terms , https://discord.com/privacy
  Microsoft Teams (Microsoft): https://www.microsoft.com/servicesagreement , https://privacy.microsoft.com/privacystatement

Webhook delivery is fully optional and disabled by default. No webhook requests are sent until you enable webhooks and provide at least one destination URL.

The plugin does not include bundled third-party API keys. Geolocation and webhooks are optional and disabled by default until configured by a site administrator.