WP Ghost Security Threats Log – Monitor Blocked WordPress Attacks
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Monitor every malicious request your WordPress site receives with WP Ghost’s (formerly Hide My WP Ghost) Security Threats Log. See what was targeted, from which IP and country, which firewall rule caught it, and whether WP Ghost blocked it. Respond directly from the log by whitelisting paths, whitelisting rules, or blacklisting IPs. This is a Premium feature.
WP Ghost blocks attacks silently in the background. The Security Threats Log shows you what is being blocked and why. Without this visibility, you are protected but blind. You cannot validate that your firewall is working, identify which countries generate the most hostile traffic, or spot a coordinated attack pattern across multiple IPs.
According to Patchstack’s 2026 report, attackers weaponize newly disclosed vulnerabilities within a median of just 5 hours. Over 51% of all web traffic is automated bots (Imperva). The Security Threats Log gives you real-time proof that these attacks are being stopped at your door.
This tutorial covers the full WP Ghost > Logs > Security Threats panel: activation, what gets logged, reading the report, responding to threats, CSV export, the GEO Threat Map, and GDPR compliance.
What Is the Security Threats Log?
The Security Threats Log records every malicious or suspicious request detected by WP Ghost. It focuses exclusively on external threats, not user activity. Each entry includes the threat type, targeted path, source IP and country, HTTP method, detection rule, timestamp, and block status. The log gives you visibility into hostile traffic that WP Ghost blocks silently in the background.
This is the companion to the User Events Log, which tracks internal dashboard activity from logged-in users. Together, they give you full visibility into both what is attacking you from outside and what is happening inside your site.
Why Monitoring Security Threats Matters
| Without threat logging | With WP Ghost Security Threats Log |
|---|---|
| You cannot verify your firewall is working | Every blocked attack is documented with rule and status |
| Attack patterns are invisible | Coordinated scans and brute force campaigns are visible |
| False positives break functionality silently | You see exactly which rule triggered and can whitelist it |
| No data for country blocking decisions | Country filter shows which regions generate the most attacks |
| No evidence for hosting providers | Export to CSV for compliance reporting and incident response |
The Threats Log validates that your protections are working. When you see “Prevented” status on exploit scans and injection attempts, your firewall and path security configuration are doing their job. When the same IP sends hundreds of requests targeting different plugin paths, that is a scanner. When multiple IPs from the same country probe your login page, that is a coordinated brute force campaign. The log makes these patterns visible so you can respond with IP blacklisting or country blocking.
How to Activate the Security Threats Log
Go to WP Ghost > Logs > Settings. Enable Log Security Threats. Set the Retention period (in days) to control how long logs are stored locally before automatic cleanup. Click Save.
Once enabled, WP Ghost starts recording detected threats automatically. No additional configuration is needed. The firewall, path security, and brute force protection all feed into the Threats Log.
What Gets Logged
The log records malicious or suspicious requests detected by WP Ghost’s protection layers. This includes probing for vulnerable or non-existent PHP files, exploit scanning against plugin, theme, and core file paths, requests targeting hidden or protected paths, malformed or suspicious HTTP requests, and repeated hostile traffic from the same IP. Each entry documents the attempt even when it is fully blocked.
Every log entry captures:
Threat type – the category of attack detected (script injection, SQL injection, path probe, etc.).
Targeted path or URL – the exact URL the attacker was trying to reach.
Source IP address and country – where the attack originated.
HTTP method and protocol – GET, POST, or other methods used in the request.
Detection rule and matched pattern – which specific firewall rule caught the request.
Date and time – when the attack occurred.
Block status – whether the request was blocked (e.g., “Prevented”).
Reading the Threats Report
View detected threats at WP Ghost > Logs > Security Threats.
The report shows all detected threats in chronological order. You can identify attack types and targeted paths, view source IPs and countries, confirm whether threats were blocked, and detect recurring or coordinated attack patterns.
Use the built-in filters to narrow results by threat type, status (Prevented, etc.), country, and time range. Search by keyword, path, or IP address. The country filter lets you isolate threats from a specific region, which is useful for assessing whether to enable country blocking for those countries.
Export to CSV
You can export the Security Threats Log to a CSV file for compliance reporting, sharing threat data with hosting providers or security consultants, or keeping offline records of security events. The export button is located below the log table at WP Ghost > Logs > Security Threats.
If you apply filters before exporting, the CSV file will contain only the filtered entries.
Responding to Threats
Each threat entry includes an action menu with four response options. You can take action directly from the log without navigating to other settings panels.
Threat Details – view the full request: path, source IP, HTTP status, detection rule and matched pattern, user agent, referrer, protocol, and unique request ID. This tells you exactly why the request was flagged.
Whitelist Path – if a legitimate request is being blocked, whitelist that specific URL or endpoint. The path is added to WP Ghost > Firewall > Whitelist.
Whitelist Rule – if a trusted integration triggers a specific detection rule, whitelist that rule. This is useful for custom applications or third-party services that send requests matching firewall patterns.
Blacklist IP – permanently block a malicious IP that repeatedly targets your site. The IP is added to WP Ghost > Firewall > Blacklist.
All whitelist and blacklist entries created from the Threats Log are centrally managed in the Firewall section: whitelisted paths and rules at Firewall > Whitelist, blocked IPs at Firewall > Blacklist.
GEO Threat Map
The WP Ghost Overview dashboard includes an interactive world map that visualizes where your blocked threats originate. The map displays the top 5 threat countries with proportional markers showing attack volume.
Clicking on any country circle on the map opens the Security Threats Log pre-filtered to show attacks from that specific country over the last 7 days. This makes it easy to investigate regional attack patterns and decide whether to enable Country Blocking for specific regions.
The GEO Threat Map is visible on the WP Ghost Overview dashboard and requires the Security Threats Log to be enabled.
GDPR and Data Storage
All threat data is stored locally in the WordPress database table hmwp_logs. Data is collected strictly for security monitoring and incident analysis. The retention period you set in Settings controls automatic cleanup.
For statistical and reporting purposes, WP Ghost sends aggregated, non-personal data to the WP Ghost Dashboard: only the date and total number of detected threats. No IP addresses, URLs, request details, or individual visitor data is transmitted to the cloud.
Troubleshooting
Legitimate Request Shows as a Threat
Open the threat details to see which rule was triggered and which path was blocked. Click Whitelist Path to allow that specific URL, or click Whitelist Rule to allow all requests matching that detection pattern. Both actions add the entry to WP Ghost > Firewall > Whitelist. If the false positive occurs on a page builder form submission or a WooCommerce checkout action, try a lower firewall level (Medium or Minimal) temporarily to confirm the cause.
No Threats Showing in the Log
Verify that Log Security Threats is enabled in WP Ghost > Logs > Settings. Check that the firewall is active at WP Ghost > Firewall. The Threats Log records events from the firewall, path security, and brute force protection. If none of these features are active, no threats will be detected or logged.
Log Table Growing Too Large
Reduce the retention period in WP Ghost > Logs > Settings. Shorter retention means fewer rows in the database. The auto-cleanup runs based on the retention period you set. For high-traffic sites under frequent attack, 7 to 14 days of retention is usually sufficient to identify patterns without database bloat.
Frequently Asked Questions
Is this a Premium feature?
Yes. The Security Threats Log is available in WP Ghost Premium. The free version includes the firewall, brute force protection, and all path-hiding features, but threat logging requires Premium. The free version does show the last 20 threat entries and the GEO Threat Map on the Overview dashboard.
Does logging affect site performance?
Minimally. Threat logging writes to the local database only when a malicious request is detected. Legitimate traffic is not logged. The retention setting automatically cleans up old entries to keep the database size manageable.
What if a legitimate request shows as a threat?
Open the threat details to see the triggered rule. Use Whitelist Path for that URL or Whitelist Rule for the detection pattern. Both are managed centrally at WP Ghost > Firewall > Whitelist.
Is this the same as the User Events Log?
No. The Security Threats Log records external threats from bots and attackers. The User Events Log tracks internal activity like admin logins, plugin changes, and settings modifications. They are complementary: threats show what is attacking you, events show what is happening inside.
Can I use the Threats Log to decide which countries to block?
Yes. Use the country filter to see which countries generate the most attacks. The GEO Threat Map on the Overview dashboard also shows the top 5 threat countries. If a specific country generates persistent attacks and you do not have legitimate visitors from that region, enable Country Blocking in the Firewall Geo Security settings.
Does WP Ghost modify WordPress core files?
No. Threat logging uses WP Ghost’s own database table (hmwp_logs) and WordPress hooks. No core files are modified. Disabling the feature stops logging instantly.
Related Tutorials
Use the Security Threats Log alongside these features:
User Events Log – track internal dashboard activity from logged-in users (the companion to the Threats Log).
Firewall and Geo Security – the firewall rules that generate threat log entries, plus country blocking.
The 8G Firewall Protection – the firewall ruleset that generates most threat detections.
Brute Force Attack Protection – login attacks that feed into the threats log.
Customize All WordPress Paths – path security that generates “hidden path probe” entries in the log.
Website Security Check – run a complete security audit.
