[WPMU DEV Dashboard] Realtime log viewing

1

In the custom plugin I use on my site, I’ve developed an admin panel that displays a Live Traffic panel that shows the access.log in real time. A js script fetches the tail of the access.log and displays a selectable number of lines in the panel.

It uses a REST call to retrieve log entries to show:
Time
IP
Location
Method
Path and referrer stacked on top of each other
Status
Bytes sent-Time it took to process the query
Browser/Bot information

Clicking on an IP in the list does a call to ipinfo.io and displays information about the IP such as org, hostname, city, region, country, and type (residential or datacenter).

On the client side, I have js that when a user interacts with a page, an invisible Cloudflare Turnstile token is minted and sent to the server where it is validated. If Cloudflare validates the token, I mark that ip as most likely human, and show log records of that ip as validated.

If the ip is that of a logged in user, I also show the user’s name in front of the ip.

Something like this could be used in the Hub’s Dashboard in place of the current log panel which is slow and you have to refresh to see the latest entries. I think many WPMUDev users would prefer to see an easy to read Live Traffic feed of the access.log instead of the limited raw static view that currently exists.

I’d be more than happy to share my code if you are interested. Another place to put this would be in the Admin WPMUDev Dashboard so users could see the Live Traffic in their site’s Admin.

  • Daniel Voran
    • Flash Drive

    The green lines are ones that are most likely human. The client browsers were able to mint a Cloudflare invisible Turnstile token, send it to my server which was able to verify the tokens with Cloudflare. It is very unlikely that a bot could do this.

  • Williams Valerio
    • Staff

    Hi Daniel Voran ,

    I hope you’re doing well, and thanks for the feature request

    We have something similar but only for hosted sites and using WP Cli – https://vvpmudev.com/docs/api-plugin-development/hosting-api-docs/#ssh

    With accesslog-view you have a live view of the accesslog including a lot of info like IPs, hostnames, URLs requested, 404s, browsers, and also with a summary:

    [attachments are only viewable by logged-in members]

    We also offer the accesslog-report that generates an HTML with traffic data and multiple filters.

    Is something like that what you would like to see in the Hub? Note that this is only available for Hosted sites.

    Best Regards,
    Williams Valerio

  • Daniel Voran
    • Flash Drive

    No, that seems too basic. Here is what I made for an admin panel in one of my sites hosted at WPMUDev:

    [attachments are only viewable by logged-in members]

    It’s a Live Tracker, updating every 5 seconds, with the latest access.log records. It shows the time, ip, location, method, path (both query path and referrer path below if there is one), status, bytes sent and the time it took to generate the response, and the browser/bot in a simplified format.

    Clicking on the ip queries ipinfo.io and displays information about the ip:

    [attachments are only viewable by logged-in members]

    I also have a client js that when a user scrolls, clicks, touches, or presses a key, mints a Cloudflare invisible Turnstile token, and sends the token to my server with a REST call. My plugin then validates the token with Cloudflare. If the token is valid, it marks that ip as validated (meaning it is most likely a human) and those records from that ip are in green. Browsers that can mint valid Turnstile tokens are most likely humans.

    Users can decide if they want to see static files or not which are defined as these filetypes:
    (jpe?g|webp|png|gif|svg|ico|bmp|tiff?|js|mjs|ftl|css|woff2?|ttf|eot|otf|map|txt|xml|pdf|zip|gz|tar|icc|wasm)

    I find this Live Traffic far more informative and easier to read than raw access log data.

    I’m more than happy to share my php and js code for this if WPMUDev is interested.

  • Daniel Voran
    • Flash Drive

    I put the code in the attached LiveTrafficCode.zip. It’s not a standalone library. The files are extractions of my custom plugin that display Live Traffic in a tab in my admin. So the code needs to be generalized. I also use invisible Cloudflare Turnstiles to mark ips as validated (most likely human) so if that is to be used, each site would need to create invisible Cloudflare Turnstiles and set constants to their site and secret key values.
    I use a lot of invisible Turnstiles on my WooCommerce site to guard all cart mutations. It’s impossible to add/delete/modify anything in my carts without creating a valid Turnstile token.

  • Jasper Alamares
    • Staff

    Hi Daniel Voran ,

    Thank you for providing the files. We have also forwarded this to our team to possibly help with its consideration and discussion. As of the moment, we can’t confirm anything yet and there is no available information with regards to if and when this may be implemented but rest assured this have been coordinated and will be discussed by the team.

    In the meantime, you can stay updated on the latest developments and upcoming features by subscribing to our Roadmaps page here: https://vvpmudev.com/roadmap/

    Best Regards,
    Jasper

  • Daniel Voran
    • Flash Drive

    Sure, I understand. It’s a feature I’ve found very helpful. But in many ways it is very tailored to my specific needs and may not be what others find useful. The features that I find most helpful are:

    1) Getting a good sense of human versus bot traffic. The use of Turnstile tokens gives me confidence that this distinction is pretty accurate.

    2) Being able to click on an ip and get whois info about it

    3) Having the queried path and the referring path on top of each other so I can see where people are coming from and how they are navigating through the site

    4) Seeing the bytes returned and the time it took to process the query. I try to make my site as fast as possible so the process time is meaningful to me.

    5) The abbreviated browser/bot user-agent display. Since browsers no longer return actual details in their user-agents, just seeing what browser/device is being used is easier to read.

    If anyone finds the code helpful, I will be satisfied.

  • Sajjad Rahat
    • Staff

    Hi Daniel Voran ,

    Thank you for sharing your inputs here. We have escalated this to our team, and they will check the codes and scope to see how we can integrate this with our exiting products.

    Also, since this thread is public, other WPMU DEV members can also use the code. Thank you very much, and please keep up the good work.

    Best Regards,
    Sajjad Rahat

  • Daniel Voran
    • Flash Drive

    I’ve expanded the Live Traffic module to show 403/404 queries, PHP Errors, PHP Slow, and the WAF Log in addition to the live traffic captured in access.log.

    [attachments are only viewable by logged-in members]

    [attachments are only viewable by logged-in members]

    The 403/404 queries are from the access.log.1.gz log file. I can see what 403 and 404s happened yesterday and make adjustments to my urls and rewrites if needed.

    [attachments are only viewable by logged-in members]

    The PHP Errors option show the latest PHP Errors in the php_errors.log. I find this helpful when I upload new versions of my plugin and can quickly see if the changes create any PHP errors in production. This came in handy when I recently uploaded a dev version of vendor/autoload.com instead of the production version. I could quickly identify the problem instead of needing to go to WPMUDev-Hub and looking at the php_errors.log there. Being able to see it in WordPress Admin helped a great deal.

    [attachments are only viewable by logged-in members]

    The PHP Slow option shows slow requests from the last 7 days. Usually empty, but helpful at times.

    The WAF Log shows the latest 200 parsed WAF events. This one I find particularly useful as the WAF entries display in an easy to read format. Reading the native WAF log can be difficult. This format shows exactly what WPMUDev WAF caught and the rule that triggered it. I monitor this daily to see if there are any WAF rules that would be worth adding to my custom Cloudflare WAF rules so Cloudflare can block these queries from reaching my WPMUDev server.

    Here is the current source code I am using. Again this code needs to be modified to work on other sites as there is custom code that is tailored to the site. class-dbtn-traffic-rest.php makes several calls to functions not in this code to get the ips, to do GeoIP lookups, and to determine if the ip is human validated or not. I do that with invisible Turnstile tokens. If anyone is interested in how I do that, I’m more than happy to show that code too. I rely on validating Turnstile tokens to determine if the client is a human or not.

    There is a README.md in the package that may be helpful tailoring it to your needs.

    LiveTrafficCode

  • Daniel Voran
    • Flash Drive

    I converted my Live Traffic module into a standalone plugin and tested it on two of my other WPMU Dev websites.

    In the plugin’s settings, you can enter a Cloudflare Turnstile Invisible Site Key and Secret Key. It will confirm those keys when you save them. Then the plugin will mint Turnstile tokens on front end pages in the background when someone interacts with the page. On the server, the ip will then be marked as a human verified ip. Queries from that ip will have a green background. Queries going directly to the domain’s tempurl.host have an orange background.

    The plugin shows up in the Admin side bar as Live Traffic.

    A handy feature for users watching the Live Traffic is checking the Bytes-Time column. It shows how many bytes were sent and the time it took to send them. It is a good way to monitor which pages are being served by cache, time is 0.000, and how long it takes other queries to generate.

    The WAV Log option shows entries in WPMU Dev’s WAF log in an easy to understand format.

    [attachments are only viewable by logged-in members]

    Instead of:

    {“transaction”:{“client_ip”:”149.88.103.93″,”time_stamp”:”Tue Jun 16 18:12:49 2026″,”server_id”:”039e78c5ae9691bd01f22acd188ed67947fed5c6″,”client_port”:37775,”host_ip”:”149.28.213.73″,”host_port”:443,”unique_id”:”178163356962.420883″,”is_interrupted”:true,”request”:{“method”:”GET”,”http_version”:”1.1″,”hostname”:”www.amanandhishoe.com”,”uri”:”/vendor/phpunit/phpunit/phpunit.xsd”,”headers”:{“Host”:”www.amanandhishoe.com”,”User-Agent”:”Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0″,”Accept-Encoding”:”gzip, deflate”,”Accept”:”*/*”,”Connection”:”close”,”Accept-Language”:”en-US,en;q=0.5″,”X-Requested-With”:”XMLHttpRequest”}},”response”:{“http_code”:403},”producer”:{“modsecurity”:”ModSecurity v3.0.15 (Linux)”,”connector”:”ModSecurity-nginx v1.0.4″,”secrules_engine”:”Enabled”,”components”:[“WAF_Apache””]},”messages”:[{“message”:” URL file extension is restricted by policy||www.amanandhishoe.com|F|2″,”details”:{“match”:”Matched “Operator PmFromFile' with parameteruserdata_wl_extensions’ against variable TX:EXTENSION' (Value:.xsd/’ )”,”reference”:”o7,4o8,3v28,11t:urlDecodeUni,t:lowercaseo0,5″,”ruleId”:”210730″,”file”:”/etc/nginx/modsec/waf/10_HTTP_HTTP.conf”,”lineNumber”:”26″,”data”:”.xsd”,”severity”:”2″,”ver”:””,”rev”:”5″,”tags”:[“WAF”,”HTTP”],”maturity”:”0″,”accuracy”:”0″}}]}}

    Live Traffic plugin

  • Luigi Di Benedetto
    • Staff

    Hey Daniel Voran

    Thank you for sharing the updates you’ve made so far, the features you implemented seems really nice and useful, I’ve shared this new information with our developers so they can take some inspiration on that to hopefully add a similar feature to Defender Pro.

    If you have any other improvements and/or feedbacks you’d like to share with us, please don’t hesitate to do so.

    Best regards,
    Luigi.

  • Daniel Voran
    • Flash Drive

    Hi,
    I went ahead and added a view into the wp-cron.log. I have found this useful to discover cron jobs still running for plugins I no longer use, and to see why some cron jobs were not running as expected.
    [attachments are only viewable by logged-in members]
    I also ran the php files through PHPCS to clean them up and confirmed that the plugin passes PHPStan level 8.
    The latest version of the Live Traffic plugin is here:
    https://www.dropbox.com/scl/fi/5kf5l00576jgn12wffpzn/dbtn-live-traffic-2026.06.23.zip?rlkey=jac9r7sldcxl6euj32r9i238z&dl=0

  • Jasper Alamares
    • Staff

    Hi Daniel Voran ,

    Totally appreciate the updates here.

    Though we can’t confirm anything yet with regards to if and when this may be implemented, we are further communicating this to the relevant team to let them know and possibly add value to the discussion as well as its consideration.

    Once more, thank you for sharing ideas on how to possibly improve our plugins more.

    Best Regards,
    Jasper

  • Daniel Voran
    • Flash Drive

    When I started adding these features to my site, my original goal was to duplicate the Live Traffic functionality I had used in Wordfence, because I wanted to remove Wordfence.

    Once I realized I could access access.log, access.log.1.gz through access.log.7.gz, php_errors.log, php_slow.log, waf.log, and wp-cron.log from inside my WordPress plugin, I used ChatGPT and Claude to help build Live Traffic panels inside my WordPress admin.

    Wordfence only shows traffic that reaches WordPress. These logs show everything nginx sees, which provides much more information and is much faster.

    Being able to watch Live Traffic at near real-time speed has been invaluable. So has having easy access to the other logs from inside my WordPress admin.

    Using Turnstile tokens to distinguish likely human requests from likely bot requests is much more authoritative than relying only on heuristics. Being able to quickly check PHP errors after making plugin changes is also extremely helpful. I use the WAF log view to see whether I need to add new blocks to my Cloudflare WAF rules. Finally, being able to view the wp-cron.log is a good way to understand what background actions are running and whether the site is in good health.

    If anyone else finds this helpful, that will make me happy.

  • Daniel Voran
    • Flash Drive

    Here is a revised version of the plugin that is WordPress PHPCS compliant and passes PHPStan level 8 checks.
    One new feature in this version appears when you click an IP address in Live Traffic. A card pops up with details about that IP address.
    [attachments are only viewable by logged-in members]
    The card now includes a “Show IP traffic” button. Click it, and the Live Traffic list will show up to 500 matching records for that IP address from the last 50,000 log lines.
    [attachments are only viewable by logged-in members]
    Here is a DropBox link: dbtn-live-traffic v1.0.5 2026.06.27.zip

  • Daniel Voran
    • Flash Drive

    I added the ability to screen queries by status: 200s, 300s, and 400s. And increased the number of lines that can be viewed up to 2,500.
    [attachments are only viewable by logged-in members]
    So if you select to only see queries with a status in the 400s, you can quickly see the 403 and 404 queries currently hitting your site:
    [attachments are only viewable by logged-in members]
    I’ve found it helpful to watch in real time the 403 and 404 queries hitting a site to know what rules I should add to my Cloudflare WAFs, as well as redirects that I might need.
    The latest code is here: Live Traffic 2026.06.30

  • Jair Jaramillo
    • Staff

    Hello Daniel Voran

    Just to let you know that I have shared your comment, including the information about the work you have done and the code, to our development team.

    We can’t provide an ETA of when a feature like this will be available on our hosting, but be assured that we are informing our development team about your feedback and request.

    Kind regards,
    Jair.