The Missing Component in Your WordPress Security Strategy – Audit Logs
WordPress websites have become a popular malicious hacker target. We have all seen it in the news – thousands of WordPress websites get hacked overnight. In fact even though WordPress is really easy to use and powers around 20% of the internet sites, many businesses refuse to use it because they think it is insecure.
What Makes WordPress Insecure?
As such the WordPress core is very secure. As a matter of fact a default WordPress install is relatively secure and over the years we have seen only a handful of WordPress core vulnerabilities reported. Though since it is very easy to use, it allowed many non tech savvy people and businesses to host and manage their own websites and blogs, and this is where the problem lies.
Inexperienced people and businesses are able to build a WordPress blog or site, because it is indeed very easy to use but do not have the knowhow to maintain a WordPress website or blog, or any other website for that matter. Unfortunately there are many of such unmaintained WordPress installations which typically end up being target for malicious attacks, because they are an easy target.
Here is how it typically works; IT Joe is new to WordPress but can easily install WordPress and some plugins. Therefore he installs a good number of plugins, half of which are not needed read that they are must have plugins. A designer is hired to build a theme and once all is ready the new shiny website is launched. Guess what? Within a few days the website is hacked. How come? If a default WordPress install is secure, what went wrong in such scenario?
WordPress Security Gone Wrong
Since WordPress is free and easy to use, so should be securing it many would think, or better, expect. Many are being misled by the community itself because we do try to promote WordPress security as being something easy to achieve, though unfortunately it is not. Search the internet for WordPress Security and you will be swamped by thousands of How to Secure Your WordPress articles. Drill down through the results and you will notice that none of them recommend the same solutions, hence will confuse you.
Even though none of the articles are the same they all give the false impression that all you have to do is install a plugin or two from a selection of hundred, switch on or off some settings, and if you are a PHP guru do some coding magic and WordPress is secure. In all fairness this is a good start, but it is not enough. Security is not just a one-time project or procedure.
WordPress security and any other type of security should be thought for and included in all your procedures, applications and business operations. Security should evolve as your websites and all other applications evolve. There is a big difference between securing a WordPress installation and keeping it secure for two, five or ten years.
Monitor WordPress and Keep It Secure
There is one common shortcoming when it comes to WordPress security tutorials; they do explain how to secure your WordPress but do not explain what you should do to keep it secure for years to come. At this stage you might be thinking that it is easy to keep WordPress secure, subscribe to an online WordPress security and malware scanner. Online scanners are of no use when it comes to keeping WordPress secure. They alert you once your WordPress has been hacked, and do come in very handy in identifying the infection but at this stage your WordPress is already hacked and the damage has already been done.
Don’t get me wrong on this one, I am not saying do not use online scanners since they do come in handy, hence they should form part of your WordPress security strategy as well. Keep in mind that even if you host your WordPress at Fort Knox there are always chances that your website might be hacked. It happened to the big ones such as Google, Facebook, Amazon and E-bay, who have the top security people in the world, so it could happen to you as well.
But you need to look into something that can help you avoid having your WordPress hacked in the first place. One of the best security measures you can take to ensure the security of your WordPress is to monitor everything that is happening on it. In a normal network or web farm every operating system, device and network service, such as the web server itself has logging functionality, which is typically enabled.
So why not monitor WordPress as well? For example if you have a WordPress multisite installation, with tens of websites and hundreds of users, how do you ensure that all the users are playing by the rules, or that there is no one tampering around your WordPress websites and blogs?
Audit Logs and Log Files are a Goldmine
Log files and audit logs play a vital role in the security of a website, server, network service and any other type of device or software. They are not just there to consume hard disk space. Unfortunately I have seen too many experts setting up scheduled task, or cron jobs on their clients’ servers to automatically delete log files so they do not run out of hard disk space. Log files management at its best!
Log files and audit logs help security professionals and systems administrators monitor and upkeep their systems, software and websites. They also help them prevent an attack, and in the case of an attack identify the exploited security hole so they can close it down. Log files also come in handy when you need to find the wrong doing of the hacker so it could be repaired or restored in the shortest time possible.
Use WordPress Security Audit Logs to Prevent an Attack
There are many different ways how a hacker can hack into WordPress and execute a malicious attack or inject malware. From my experience I can come up with at least 101 different WordPress hack attacks. Though for the sake of explaining how WordPress audit logs help in case of hack attacks, we only need a short list of the most typical WordPress hack attack scenarios, which are listed below:
1. Hacker launches a brute force attack until the credentials of a WordPress account are guessed.
2. Hacker exploits a known vulnerability in an old version of WordPress, plugin or theme that you are running.
3. Hacker exploits zero-day vulnerability in WordPress, plugin or theme that you are running.
4. Hacker exploits a known vulnerability in a disabled plugin or theme you have disabled on your WordPress.
Depending on the privileges the hacker manages to gain after exploiting the vulnerability, or through a hacked WordPress user account, the attacker can:
- Modify a plugin or theme file to install a backdoor or trojan
- Modify the content of a blog post or page to inject malware
- Modify, or create a new widget with malware
- Reset the hacked user’s password to take control of the whole website
- Create a new user account to operate unnoticed
- Modify a theme’s file to inject malware
- And much more…
If you use a WordPress monitoring and logging plugin you can easily identify such type of attacks, or even prevent some of them from happening. For example if someone launched a brute force attack against your WordPress, an audit log plugin will keep a log of the activity to alert the administrator that a specific IP address, or a number of IP addresses are attacking the WordPress login page.
WordPress monitoring plugins will also alert you if a user’s password, email or role has changed, or if a new user has been created. Therefore if a malicious hacker manages to gain access to an administrative account and create a new user to operate unnoticed, you can identify such behaviour and take all the necessary steps to contain the malicious WordPress hack attack before any further damage is done.
Use WordPress Security Audit Logs to Close Security Holes
Security logs come in handy even once your WordPress website has been hacked, for example if malware has been injected on your WordPress or you have been alerted by your online WordPress security scanner.
At this stage you would typically try to remove the infection or hire a professional to remove it for you. Alternatively you would restore the most recent backup and you are up and running again within a few minutes, if your recent backup is recent enough. Keep in mind that backups are an important asset of your security strategy as well, so always do frequent backups. Restoring backups also saves you all the hassle of having to manually remove the infection.
Though removing the infection or restoring a backup is not enough because you still did not close the weakest link, i.e. the security hole the attacker exploited. In fact the probability of having your website hacked again is very high. As a matter of fact most WordPress sites that have been hacked once will keep on getting hacked again and again.
Therefore how do you ensure that your WordPress does not get hacked again? By closing down the security hole the attacker exploited. The good news are that if you have been running a WordPress security audit log plugin you can trace back all of the hacker’s activity and identify from where he or she managed to gain access to your WordPress, thus allowing you to close down any weak entry points on your WordPress.
WordPress Audit Log Plugins – What are your Options?
There are a number of WordPress audit log and monitoring plugins available on the WordPress repository, some of which are mentioned below.
WP Security Audit Log
As the name implies, this plugin was built with security in mind. Hence it is the most comprehensive WordPress audit log plugin in terms of monitoring the security of your WordPress. In fact WP Security Audit Log does not only monitor user activity but also monitors plugins, widgets, themes, WordPress settings, upgrades and much more.
WP Security Audit Log also has granular reporting. For example if a WordPress user’s password was changed, it reports that the password for that specific user account has changed and does not only report that the user’s profile was modified. WP Security Audit Log also has the easiest to read logs, thus making it a users’ favourite.
Note: WP Security Audit Log is developed by yours truly and of course I wholeheartedly recommend it. Having said that, every WordPress owner has his or her different requirements, so below are two other WordPress monitoring and logging plugins which I also like and have a different set of features.
Audit Trail mostly focuses on monitoring WordPress users activity such as logins, file, comments, posts and pages management etc. It also monitors theme switching and user page visits. Even though it does keep a log of all these actions, it only reports the action but not the details. For example if something changes in a user’s profile it reports that such profile was changed but does not include details on what changed.
The audit trail can be exported to a CVS file for easy distribution. Unfortunately this plugin hasn’t been updated in quite some time though many people are still using it.
Simple History reports more than just user activity. It also reports plugins activation and deactivation, failed user logins, widgets and BBPress activity. The monitoring of BBPress forum plugin is quite a unique feature and is a must have for anyone running BBPress forum. Another good feature Simple History has is that the audit log is available via an RSS feed, which can be accessed via a unique URL.
The RSS feed allows WordPress administrators to access the audit log from anywhere without the need to login to the WordPress dashboard. Similar to Audit Trail, Simple History does not report the details of specific actions, thus making it quite hard to track back specific actions.
Monitor WordPress and Keep It Secure
As we have seen by monitoring all of the activity on WordPress you can prevent an attack from happening, and if an attack happens you can track back the malicious activity to close down any security holes your WordPress has and remove any infection.
As a WordPress owner and administrator there are several other benefits you will enjoy when monitoring WordPress. Apart from keeping your WordPress secure, it will also help you keep an eye on your users’ activity, thus ensuring productivity remains at its best.
Therefore if you take all the necessary steps to harden the security of your WordPress and monitor it, you do not only ensure your WordPress is secure, but you keep it secure for years to come and ensure that all of your users are doing the job.
About The Author: Robert Abela
Robert Abela is a WordPress security professional and the creator of WP Security Audit Log, a WordPress security monitoring and auditing plugin. He is also the founder of WP White Security, a company that develops WordPress security plugins and provides WordPress security services and consultancy.