Every blocked WordPress REST API request is recorded with the endpoint, IP address, user agent, and UTC timestamp. Review access logs in the admin dashboard, filter by IP or endpoint, and export to CSV for compliance reporting, security audits, or offline analysis.

What It Does

When a request hits a blocked REST API endpoint, Endpoint Manager logs the event automatically. The Security Logs screen presents these entries in a sortable table with columns for the blocked route, requesting IP address, user agent string, and server-side UTC timestamp.

Click any IP address to filter the log to that source and see every request from a single origin. Click any endpoint to filter by route. When you need the data outside WordPress, export the current view — filtered or unfiltered — to a CSV file with a single click.

Key Capabilities

• Automatic logging of every blocked REST API request
• Log entries include endpoint, IP address, user agent, and UTC timestamp
• Click-to-filter by IP address for per-source investigation
• Click-to-filter by endpoint for per-route analysis
• One-click CSV export of full or filtered log data
• Server-side UTC timestamps for timezone-consistent records
• Automatic 30-day log cleanup via WP-Cron to prevent database bloat
• Manual clear with confirmation dialog
• Compatible with Excel, Google Sheets, and any CSV-capable application

How to Use It

Navigate to Endpoints > Security Logs in your WordPress admin. The log table loads automatically with the most recent entries. Click any IP address to filter by that source, or click any endpoint to filter by route. Click Export CSV to download the current view — the export respects any active filters, so you can export only the data you need.

Use the API Security Insights panel on the main Endpoints screen for a high-level overview, then drill into Security Logs when you need the full request-level detail.

Why It Matters

Blocking REST API endpoints without visibility into who is hitting them leaves you guessing. Security logs give you the evidence to identify automated scanners, credential-testing bots, and unexpected integrations that break when a route is disabled.

For agencies, freelancers, and businesses operating under compliance frameworks, CSV export turns your in-app security logs into a portable, shareable format. Use it to satisfy audit requirements, document security incidents for client reports, or maintain a permanent record outside WordPress.

Frequently Asked Questions

Are requests to enabled endpoints logged?

No. Only requests that hit a blocked endpoint are recorded. This keeps the log focused on security-relevant events and minimizes database storage.

How long are logs retained?

Logs are automatically cleaned up after 30 days via WP-Cron. You can also clear all logs manually at any time using the Clear Logs button with a confirmation dialog.

Can I export only a filtered subset of logs?

Yes. Apply any combination of IP and endpoint filters, then click Export CSV. The export includes only the entries that match your current filters.

Does logging affect site performance?

Logging adds a single lightweight database write per blocked request. The 30-day automatic cleanup prevents the log table from growing indefinitely. For most sites the performance impact is negligible.