Practical WordPress Security with WP Security Audit Log

January 17, 2017

One WordPress security best practice is to keep a record of every change that happens on your WordPress in an audit trail. All well and good; getting started is very easy. Simply install the WP Security Audit Log plugin and you are all set.

A WordPress audit trail alone won’t cut it, though, unless you stare at it 24/7. You need the right tools so that you are alerted to suspicious behavior as it is recorded in the log, before a potential attack happens. You also need to be able to search through the audit trail when doing forensic work.

And this is exactly what this article is about: how to use the WordPress audit trail effectively. This is not a typical plugin review that highlights all the features of the WP Security Audit Log plugin. Instead I am going to explain what you can do to take advantage of the WordPress audit trail and improve the security of your WordPress websites and blogs.

Why WP Security Audit Log?

When you are looking for such a critical solution for your WordPress, you need something that is reliable and that has already proven itself. That is why we chose WP Security Audit Log:

  1. It is the most widely installed WordPress audit trail plugin.
  2. It has a positive user rating of 4.7 out of 5, with 88 five star ratings.
  3. It has all the add-ons you need to build a solid audit trail solution.
  4. It is a mature plugin backed by professional support.

Without any further ado, let’s see what you can do with WP Security Audit Log to improve the security and monitoring of your WordPress websites and blogs.

1. Be Alerted of Suspicious Activity on Your WordPress

The earlier you are alerted about a possible malicious attack the better. Early notifications allow you to take evasive action, thwart attacks and limit possible damage. When you use the WP Security Audit Log plugin and the Email Notifications add-on you can be alerted of suspicious activity at an early stage. Below are some examples.

Detecting Requests to Non-Existing Pages (404 Errors)

When an attacker uses an automated scanner to scan your website, the scan activity generates a lot of 404 errors. These errors are recorded by the plugin. It uses Alert ID 6007 to record such errors as seen in the below screenshot.

alert_6007_404_errors

Therefore you can create a trigger that alerts you via email when someone requests non-existing pages, as shown in the below screenshot.

email_alert_404_errors

Detecting Failed Logins on Your WordPress Website

Brute force attacks generate a lot of failed logins, and these are also recorded by WP Security Audit Log. Should you worry about failed logins? I wouldn’t worry much but I’d keep an eye on the attack in case the attackers guess a username.

For example in the screenshot below we can see that the plugin uses Alert ID 1003 to record failed logins for non-existing usernames. This means that attackers are using random combinations of usernames and passwords. The plugin uses Alert ID 1002 for failed logins with existing WordPress usernames, which are caused when attackers guess the username and only need to guess the password.

failed_logins_wordpress_audit_trail

In such a case keep an eye on the activity of that particular username, or just to be on the safe side, change its password to a stronger one. You can also create an email notification rule to be alerted via email when there are failed logins for WordPress usernames, as shown in the below screenshot.

failed_logins_email_alert_user

You can also create an email notification rule for a specific username. For example if you notice that attackers guessed the username rubyrobin as per the above screenshot, you can create an email notification rule that alerts you ONLY when there are failed logins for that username, as shown in the below screenshot.

failed_logins_email_alert_user
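The triage logic described in this section, as an added example (not code from the plugin or from the article's author): it separates scanner-style bursts of Alert ID 6007 from single broken links, and failed logins against existing usernames (1002) from random guesses (1003). The tuple layout, the thresholds and the sample events are constructed assumptions, not the plugin's storage format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Alert IDs as given in the article.
ID_404, ID_FAIL_EXISTING, ID_FAIL_UNKNOWN = 6007, 1002, 1003

# Constructed sample events: (timestamp, alert_id, source_ip, username).
# This layout is an assumption for the example, not the plugin's own format.
SAMPLE = [
    ("2017-01-17 03:10:01", 6007, "203.0.113.9", ""),
    ("2017-01-17 03:10:02", 6007, "203.0.113.9", ""),
    ("2017-01-17 03:10:04", 6007, "203.0.113.9", ""),
    ("2017-01-17 03:10:05", 6007, "203.0.113.9", ""),
    ("2017-01-17 03:40:00", 6007, "198.51.100.7", ""),  # a lone broken link
    ("2017-01-17 04:00:10", 1003, "203.0.113.9", "admin1"),
    ("2017-01-17 04:00:12", 1003, "203.0.113.9", "root"),
    ("2017-01-17 04:00:15", 1002, "203.0.113.9", "rubyrobin"),
    ("2017-01-17 04:00:19", 1002, "203.0.113.9", "rubyrobin"),
]

def triage(events, max_404=3, window=timedelta(seconds=60)):
    """Return (scanner_ips, targeted_users, noise_count).

    scanner_ips:    IPs with more than max_404 404s inside one window
    targeted_users: existing usernames and their failed-login counts (1002)
    noise_count:    failed logins for usernames that do not exist (1003)
    """
    recent = defaultdict(deque)   # ip -> timestamps of 404s still in window
    scanners = set()
    targeted = defaultdict(int)
    noise = 0
    for ts, alert_id, ip, user in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if alert_id == ID_404:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # drop 404s older than the window
                q.popleft()
            if len(q) > max_404:
                scanners.add(ip)
        elif alert_id == ID_FAIL_EXISTING:
            targeted[user] += 1           # attacker has a valid username
        elif alert_id == ID_FAIL_UNKNOWN:
            noise += 1                    # random username guesses
    return scanners, dict(targeted), noise

if __name__ == "__main__":
    print(triage(SAMPLE))
```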

2. Ease WordPress Troubleshooting

You run a WordPress agency and one of your customers’ websites just stopped working. Sounds familiar, doesn’t it? Your customer just installed a plugin, changed a widget or simply changed the content of a blog post but they will never tell you it was them and you have to find out. Most probably they are not even aware that they made the change.

A WordPress audit trail is your savior in such scenarios. You can use it to trace back all the changes that your customers make on their website. You can even use the Search Add-on to do free-text searches in the WordPress audit trail, and use the built-in filters to fine-tune your searches.

3. Adhere to Strict Compliance Requirements

Online businesses need to adhere to today’s strict regulatory compliance rules. Which rules apply depends on your line of business, but when it comes to security, business owners are typically required to keep an accurate log of what is happening on their business WordPress website. In some cases they are also required to keep the WordPress audit log on a different database or server.

WP Security Audit Log has the External DB add-on that allows you to store the WordPress audit trail in a different database, which could also be on a remote server. You can also use it to mirror the WordPress audit trail to external solutions, such as a central syslog server or Papertrail. With the External DB add-on you are not just ensuring your website adheres to the compliance rules, but you are also boosting the security and performance of your WordPress website.

4. Catch Malicious Hackers Red Handed

There is no bullet-proof security solution, and even when you religiously follow the four principles of WordPress security, the unfortunate can still happen. When someone hacks a WordPress website, what do they typically do? They either hijack a WordPress user, or even worse, they manually create a WordPress user directly in the database should they be able to exploit an SQL injection.

You can use the Email Notifications add-on to be alerted should this happen. For example you can configure an email notification trigger that alerts you whenever someone logs in during the odd hours of the day, or from an unusual IP address. You can also be alerted via email the first time a newly created user logs in. Therefore if the attackers create a user directly in the WordPress database, you are alerted via email as soon as they use it to log in.
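The three login triggers described above (odd hours, unusual IP address, first login of a user), sketched as an added example that is not the add-on's own code. The record layout, the baseline of known users and addresses, the working hours and the sample logins are all constructed assumptions.

```python
from datetime import datetime

# Assumed baseline: usernames seen before and the IPs they normally use.
BASELINE = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"}}

# Constructed successful-login records: (timestamp, username, source_ip).
LOGINS = [
    ("2017-01-17 09:15:00", "alice", "192.0.2.10"),         # expected
    ("2017-01-17 14:30:00", "bob", "203.0.113.50"),         # new address
    ("2017-01-17 02:45:00", "svc_backup", "203.0.113.50"),  # unknown user, at night
    ("2017-01-17 10:00:00", "svc_backup", "203.0.113.50"),  # already reported
]

def review_logins(logins, baseline, work_hours=(7, 20)):
    """Return [(timestamp, user, ip, [reasons])] for logins worth an alert."""
    seen = {user: set(ips) for user, ips in baseline.items()}
    findings = []
    for ts, user, ip in sorted(logins):
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        reasons = []
        if user not in seen:
            # Covers accounts inserted straight into the database: the
            # first time they are used is the first time we see them.
            reasons.append("first login for this user")
        elif ip not in seen[user]:
            reasons.append("unusual IP")
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append("odd hours")
        if reasons:
            findings.append((ts, user, ip, reasons))
        seen.setdefault(user, set()).add(ip)  # learn, so we alert only once
    return findings

if __name__ == "__main__":
    for finding in review_logins(LOGINS, BASELINE):
        print(finding)
```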

5. Do the Forensic Work to Find & Close WordPress Security Holes

If your WordPress website is hacked, you cannot just restore a backup. If you do, it will be hacked again within just a few hours or days. In fact Google started blocking websites which are frequently re-infected for thirty days. When you restore a WordPress backup you are just removing the infection, but you are not closing the security hole the attackers exploited.

If you keep a record of changes that happen on your WordPress in an audit log you can easily track back the attackers’ activity, thus finding and closing the security hole they have exploited to hack into your WordPress website.

6. Create WordPress Users Activity Reports

The benefits of keeping a WordPress security audit trail are not just security related. For example you can use the Reports add-on to generate any type of WordPress report. You can generate a WordPress user activity report to track the progress of a specific user. You can also create a report to see which pages or posts a user, or a group of users, have been accessing.

The Reports add-on has a wide variety of filters allowing you to generate any type of report, including management reports.

7. See Who Is Logged In To Your WordPress

When I ask a WordPress website owner if they know who is logged in to their website, they stare blankly at me. WordPress does not have any built-in tools that allow you to see who is logged in. With WP Security Audit Log and its Users Sessions Management add-on you can see who is logged in to your WordPress and from where they are logged in, as seen in the below screenshot.

wordpress_logged_users

This add-on also allows you to block multiple sessions for the same username, or if you want to allow them, be notified about multiple sessions via email. This means that should an attacker guess the password of a WordPress user, he still cannot log in and you will be alerted via email about the attack.

Keep a Watchful Eye on Your WordPress with an Audit Trail

The benefits of keeping a record of changes that happen on your WordPress in an audit trail are multifold, and the above are just a few examples. Boost the security of your WordPress, keep an eye on everything that is happening, generate reports, adhere to regulatory compliance rules, keep track of user productivity, ease troubleshooting and much more with the WP Security Audit Log plugin and its add-ons. And in case the unfortunate happens, you can also catch hackers red handed. After all, being secure is not just about hardening, but also about actively monitoring.

 

Written by Robert Abela of WP White Security.
