wp_theme_switched
Severity: Info
Signal: wp.state_change — payload.type = theme_switched
What this signal means
The active WordPress theme was changed.
What surprise this prevents
An unauthorized theme change — either by an attacker with admin access or a plugin acting outside its scope — altering the site's appearance or injecting code without notice.
Why it matters
Theme switches immediately affect the appearance and behaviour of the entire site. An unexpected theme change could indicate unauthorized admin access or an automated process gone wrong.
Investigate
View entity alerts in Logystera →
Check:
- payload.name — what theme is now active?
- payload.version — which version?
- labels.actor — who made the change? Was there a logged-in admin?
If the change was made by you or your team, no action needed.
What to check for unexpected changes
- Go to Appearance → Themes and confirm the active theme is what you expect.
- Check admin accounts — who had access around the time of the change?
- Look for related plugin state changes in Logystera around the same timestamp — some plugins switch themes programmatically.
When to safely ignore
If you or a team member made the change deliberately, no action is required. Correlate the actor in the payload with your known admin accounts to confirm.
Signal reference
{
  "event_type": "wp.state_change",
  "payload": {
    "type": "theme_switched",
    "name": "Twenty Twenty-Four",
    "version": "1.2"
  }
}
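The checks above (correlate the actor with known admin accounts, then look for other state changes around the same timestamp) can be scripted over exported events. This is an added example, not Logystera's own code. It assumes a `timestamp` field, a top-level `labels` object holding `actor`, and a `plugin_activated` type value, none of which appear in the signal reference; the events and account names are constructed.

```python
from datetime import datetime, timedelta

# Assumption: accounts your team recognises as admins (constructed names).
KNOWN_ADMINS = {"alice", "bob"}
# Assumption: how close two events must be to count as "the same timestamp".
WINDOW = timedelta(minutes=5)

# Constructed sample events. event_type and payload follow the signal
# reference; "timestamp", the "labels" object and the "plugin_activated"
# type value are assumptions made for this illustration.
EVENTS = [
    {"timestamp": "2024-05-01T10:00:00+00:00", "event_type": "wp.state_change",
     "labels": {"actor": "alice"},
     "payload": {"type": "theme_switched", "name": "Twenty Twenty-Four", "version": "1.2"}},
    {"timestamp": "2024-05-01T23:58:40+00:00", "event_type": "wp.state_change",
     "labels": {"actor": "seo-helper"},
     "payload": {"type": "plugin_activated", "name": "Example Plugin", "version": "0.9"}},
    {"timestamp": "2024-05-02T00:01:10+00:00", "event_type": "wp.state_change",
     "labels": {},  # no actor recorded: nobody was logged in
     "payload": {"type": "theme_switched", "name": "Example Theme", "version": "3.0"}},
]


def _ts(event):
    return datetime.fromisoformat(event["timestamp"])


def triage(events, known_admins=KNOWN_ADMINS, window=WINDOW):
    """Return one finding per theme_switched event."""
    state = [e for e in events if e.get("event_type") == "wp.state_change"]
    findings = []
    for e in state:
        payload = e.get("payload", {})
        if payload.get("type") != "theme_switched":
            continue
        actor = (e.get("labels") or {}).get("actor")  # None when absent
        # Other state changes inside the window (handles midnight rollover).
        nearby = [o["payload"] for o in state
                  if o is not e
                  and o.get("payload", {}).get("type") != "theme_switched"
                  and abs(_ts(o) - _ts(e)) <= window]
        findings.append({
            "theme": payload.get("name"),
            "version": payload.get("version"),
            "actor": actor,
            "expected": actor in known_admins,
            "related_changes": [f'{p.get("type")}:{p.get("name")}' for p in nearby],
        })
    return findings
```

A finding with `expected` set to False and a non-empty `related_changes` list points to a plugin switching the theme programmatically; False with an empty list is the case to check against admin account access.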