wp_plugin_state_change

Severity: Info Signal: wp.state_change — plugin activated or deactivated

What this signal means

A WordPress plugin was activated or deactivated. This is an informational alert — it creates an audit trail of plugin lifecycle changes on your site.

What surprise this prevents

An unauthorized plugin activation going unnoticed — malicious code running on your site without any audit trail to trace it back to.

Why it matters

Plugin changes are the most common cause of site regressions. Having a timestamped record lets you quickly correlate other alerts (PHP errors, slow pages, security events) with plugin changes. It also helps catch unauthorized plugin activity.

Investigate

View entity alerts in Logystera →

Check:

payload.name — which plugin was changed?
payload.version — what version was activated?
payload.type — plugin_activated or plugin_deactivated?
labels.actor — who made the change?

What to check

This alert itself does not require action unless you did not expect the change. If you see a plugin being activated that you don't recognize:

Go to Plugins → Installed Plugins and check the plugin in question.
Check when it was installed — if it was installed recently without your knowledge, it could indicate unauthorized admin access.
Deactivate and investigate any plugin you don't recognize.

If the change was expected (you or a team member made it), no action needed.

When to safely ignore

If you made the change and the actor in the payload matches your session, no action is required. This is an informational alert designed to create an audit trail, not to indicate a problem.

Signal reference

{
  "event_type": "wp.state_change",
  "payload": {
    "type": "plugin_activated",
    "name": "akismet/akismet.php",
    "version": "5.3.1"
  }
}