WordPress for iOS 10.6 Adds A Detailed Site Activity Log

In the past few months, the WordPress mobile application for iOS has quietly received a steady round of improvements. Version 10.5 increased its compatibility with Gutenberg. Earlier this year, Gutenberg and the iOS app didn’t get along particularly well.

About a month ago in 10.4, an activity log was added that allows users to see a detailed list of activities on their sites. In 10.6, the most recent version, the activity log is now available for free WordPress.com sites and those connected with Jetpack.

[Screenshot: WordPress for iOS Activity Log, showing the detailed activity log in the WordPress for iOS mobile application]

As you can see in the screenshot above, comment activity, post and page activity, and generally all site activity shows up in the log.

Selecting an activity displays detailed information such as who performed the action, their role, IP address, and other information depending on the activity. The log displays the last 20 activities performed on the site.

It’s unclear exactly what data the activity log monitors, where or if it’s saved, how it’s generated, and how users can turn it off. Browsing around the mobile app, I was unable to find a way to disable the activity log.

The WordPress Mobile Team is Quiet But Busy

If it weren’t for the change logs on the iTunes Store, it would be difficult for users to know what’s going on with the app. The project’s GitHub page is buzzing with activity, but its more public-facing channels of communication are not.

The WordPress for iOS app Twitter account has been dormant since May. The WordPress Mobile apps blog hasn’t published a new post since 2016 and some of the posts that highlight new features are on the official WordPress.com blog.

Sure, not every release requires a full-featured post, but the activity log is a feature that I think warrants one: an explanation of why it was created, how it works, and how users not interested in it can disable it.

The WordPress for iOS app is open source and available for free from the Apple iTunes App Store. You can also find links to the Android and Desktop apps on the WordPress.com Apps site.

*Update*

After this article was published, I was given a link to a support document on the Jetpack website that explains the activity log feature in more detail. The document links to a list of activities along with their retention periods which vary based on the plan attached to the user’s WordPress.com account.

Only the most recent 1,000 events are displayed in the log. As noted at the end of the article, once the retention period ends for activity data, it’s moved to long-term storage where it is retained indefinitely. Data held in long-term storage is removed from the activity log.

According to the document, there is no way to deactivate this feature.

8 Comments


  1. Is this really GDPR compliant?
    I really have my doubts on that!!!

    Are IP addresses saved?
    What data exactly is saved?
    Where exactly is data stored in the long term? – Country, City, Data Center – address?

    If such a feature is not opt-in it cannot be used. If the feature cannot be disabled at all – as per this article here – then the whole cannot be used for sites and users under GDPR.

    In my opinion the whole suite of Akismet, Jetpack and other Automattic/WordPress.com is not GDPR compliant.



    1. All websites record all activity made to them. That’s literally the default setting. Every hit you ever make to any site anywhere is recorded in a file called “activity.log”. It includes the request details, the IP, and generally enough info to track down problems.

      Now, these files are usually purged on some basis. 2 weeks rolling is pretty normal. But that’s the standard practice, period. Regardless of the law, anywhere, *all* websites do that. It’s practically a requirement of running a website, because problems occur, and logs are needed to track them down and fix them.



      1. @otto, this is like saying “everybody steals”, therefore stealing should just be lawful.

        If you cannot purge on request, or didn’t get consent, you are in violation of GDPR. Now good luck with purging something that is on your iPhone.



  2. Not only is it GDPR compliant, but utilities and plugins like this can help site administrators to meet the expected standard for taking reasonable technical and human security measures against data breaches and security concerns. In the event of a system event or a regulatory query, documented evidence that you monitor what is happening on your own systems will greatly support your case. Think of data breaches like the Carphone Warehouse hack – 10 million people’s data on a laughably duct-taped WP install – where the UK’s data protection regulator ruled that not knowing who was using the site, when, and at what level of access, was no excuse for an internal breach which became external.

    I see a lot of conflation of back-end system security, which does not require consent, with customer-facing data collection and behavioral monitoring, which does. People seem to think those two things are one and the same. They are not. Don’t throw out the baby with the bathwater.

    With this app, in any case, it merely shows you the information you would be seeing in a desktop WP dashboard anyway. The IP address of a commenter, while personal data, is an essential aspect of security monitoring – one need only think of the previous story on this site to see scenarios where that is necessary such as trolling, harassment, and sock puppeting. In this week’s core privacy group office hours, we discussed how long IP addresses of commenters should be retained in the database for technical and security purposes before being obfuscated. Anyone interested in this question, or other core privacy issues, is welcome to contribute.



    1. Wow, thank you Heather. This puts things in a different light.

      Two questions:
      1. For this to be really GDPR compliant users need to be informed of the processing, right?

      2. Under what GDPR-base would the preventing of trolling, harassment, and sock puppeting fall? The same as security?



    2. @Heather, what you say, which should be obvious to anyone that is not ten years old, is that the world is not black and white and things like GDPR need time to mature to identify and maybe even reduce the gray areas.

      For me at this stage it is more in the state of mind than concrete actions. Do you gather personal information that you do not actually need just because it is easy (as @otto hinted above), or do you ask yourself first if the information is actually useful in other ways than tracking users, and only then think about the legal aspects?

      Comments are a great example of where WordPress collects information because it is easy and no more. Right now the name can be spoofed, the email can be spoofed and even the IP address can be spoofed, or if you are behind things like Cloudflare it is useless info. So why do you collect that IP address information in the first place? So if some bad guy does some bad things you will be able to track him down? If he is not dumb it is unlikely to happen, and meanwhile you have the personal information of bystanders just ready to be picked by anyone who can get to it.



  3. On 1, use the Privacy Notice tool.
    On 2, GDPR does not define what adequate technical and security measures mean, or how you meet them – you do.
