proudcity / wp-proudcity

The ProudCity WordPress platform
https://proudcity.com

Add user action logging #2464

Open curtismchale opened 5 months ago

curtismchale commented 5 months ago

Source CM

Is your feature request related to a problem? Please describe.

We need to look at logging the actions of all signed in users. When I last looked into this, options that stored information in the WP database could cause site slowdowns. Some logging options store everything on external servers, but we need to make sure that we address any privacy concerns about that as we want to keep data in the US.

See internal notes: https://github.com/proudcity/developers/blob/main/Github%20Issue%20Notes/2464%20-%20User%20Action%20Logging.md

curtismchale commented 5 months ago

@kevindherman @lukefretwell

After investigating the option for creating logs in WP, I think that WP Activity Log is our best option. Out of the box it allows us tracking of users like many of the other plugins I looked at, but it will also let us push logs to Slack (paid version) or even better to a custom logging server or file that would be external to the site databases. In the event of a breach this should help preserve the logs from anyone. It also has an API so that we could write other custom items to the log.

Some of the features, like Slack or logfiles, are paid. The cost on their site is $499/25 sites which is just under $20/site. For more than 25 sites they say to get in touch. I have reached out for pricing.

You can see my full notes at the link in the initial comment.

kevindherman commented 5 months ago

Thank you @curtismchale. Keep us posted on the enterprise pricing.

curtismchale commented 5 months ago

@kevindherman @lukefretwell

100 site Business plan costs $699/year

100 site Enterprise plan costs $759/year

The only difference between Business and Enterprise is priority support.

They're launching new pricing in a few weeks that makes it $100 cheaper but offered us a coupon to take advantage of that pricing now. They don't have a specific date for that price decrease so we'd need to get in touch about the coupon if we want to make the move early.

There is a 30-day money back guarantee if we want to try it out and see first.

Another feature that is interesting is their user session management. That would let us restrict logged in users to a single session, stopping account sharing for users logged in at the same time. I've asked them if they have the ability to terminate any sessions from outside the US as well. This would stop any type of cookie hijacking if a malicious actor gets access to user cookies that contain a logged in session to a site. I already have it on my list to geo-restrict Auth0 to US only and then put an exception in for my IP address.

kevindherman commented 5 months ago

@curtismchale would any of this be covered in an upgraded Auth0 package?

cc @lukefretwell

curtismchale commented 5 months ago

@kevindherman the user session management may be covered by Auth0 but none of the logging of actions made by users on sites would be covered by Auth0.

curtismchale commented 4 months ago

@kevindherman @lukefretwell this can go into the backlog until/if you make a decision to add logging of users.