As a security company, we deal with a lot of compromised websites. Unfortunately, in most cases, we have limited access to customer logs, which is one of the reasons why we don’t offer forensic analysis.
Sucuri offers website monitoring, protection, and clean up, but sometimes we go that extra mile and investigate how websites become compromised in the first place. This usually happens when websites become reinfected after a cleanup.
The reinfection itself can be caused by something as simple as a compromised admin user. Resetting the password for all admin users would be a simple fix for this issue.
However, most of the infected websites we clean have no logs to tell us exactly what happened that led to the website compromise.
The Importance of Website Audit Logs (Activity Logs)
We recommend having a plugin to log activities on your blog or website. An activity log plugin can:
- be an early alert system to let you know if something has gone wrong;
- work as a tool to help you keep a close eye on what is happening on your website;
- help you investigate the attack vector afterwards.
Having audit logs on a website is mandatory for e-commerce websites to be PCI DSS compliant. Logs are also very helpful when you need to troubleshoot technical issues or ensure user accountability.
Many hosting providers keep web server logs. However, only a few of them keep extensive logs and are able to provide them to their customers on short notice.
Also, the Apache logs are not very user-friendly, especially if you are not familiar with the structure and what each section of the log entry means. In fact, these logs can be quite intimidating.
Even when they are available, the web server logs do not show exactly what happened. They give visibility into the HTTP GET and POST requests, that is, the requests visitors make to download a web page (GET) or submit content to the server (POST). These logs give you an idea of what was visited on the website, but they cannot tell you which action each user performed. That is why audit log plugins are very useful when investigating an infection or reinfection.
It is much easier to trace back what happened if a WordPress site has auditing plugins installed.
Some changes that auditing plugins can show are:
- website changes;
- blog post changes;
- plugin changes;
- theme changes;
- core file changes;
- successful logins.
Audit logs can also serve as an Intrusion Detection System (IDS). For example, when using a WordPress activity log plugin, you can set up alerts if there is unusual activity, like a login that happened outside your office hours or a login from an unusual IP address.
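As an added example (not code from the original post or from any plugin mentioned here), the script below applies the kind of rule described above to a constructed activity log: it flags successful logins that fall outside assumed office hours or come from an IP address outside an assumed trusted network. The log format, the office hours and the trusted network are all assumptions.

```python
"""Flag suspicious WordPress logins in a constructed activity log.

Added example: the log format, office hours and trusted network below are
assumptions, not those of any particular plugin.
"""
from datetime import datetime, time
import ipaddress

# Constructed sample entries: "timestamp<TAB>event<TAB>user<TAB>source IP"
SAMPLE_LOG = """\
2023-03-06T09:15:02\tlogin_success\talice\t203.0.113.10
2023-03-06T22:47:31\tlogin_success\tadmin\t203.0.113.10
2023-03-07T10:02:15\tlogin_success\tbob\t198.51.100.77
2023-03-07T11:30:00\tplugin_installed\tbob\t198.51.100.77
2023-03-05T14:00:00\tlogin_success\talice\t203.0.113.10
"""

# Assumed policy: office hours Mon-Fri 08:00-19:00, logins expected from the office network.
OFFICE_START, OFFICE_END = time(8, 0), time(19, 0)
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_log(text):
    """Split the tab-separated log into (datetime, event, user, ip) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split("\t")
        entries.append((datetime.fromisoformat(ts), event, user, ipaddress.ip_address(ip)))
    return entries


def login_alerts(entries):
    """Return (user, timestamp, reason) for each login outside office hours or from an untrusted IP."""
    alerts = []
    for ts, event, user, ip in entries:
        if event != "login_success":
            continue  # only logins are checked here; other events remain useful for forensics
        reasons = []
        if ts.weekday() >= 5 or not OFFICE_START <= ts.time() <= OFFICE_END:
            reasons.append("outside office hours")
        if not any(ip in net for net in TRUSTED_NETWORKS):
            reasons.append("untrusted IP %s" % ip)
        if reasons:
            alerts.append((user, ts.isoformat(), "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in login_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```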
WordPress Audit Logs Plugins
A log plugin activated on your website can help you identify the cause of a website compromise. We have our own free WordPress auditing plugin that was built to complement a website's security posture. Some of the Sucuri WordPress plugin features include:
- security activity auditing;
- file integrity monitoring;
- remote malware scanning;
- blacklist monitoring;
- effective security hardening;
- post-hack security actions;
- security notifications;
- website firewall (premium).
There are quite a few WordPress audit log plugins available on the WordPress plugin repository.
Like with any other software, which plugin you choose depends on your requirements. Here are some personal suggestions:
- The Simple Login Log plugin is great to keep a log of logins.
- Simple History or Stream are plugins that keep a log of more of the changes that logged-in users make on a website.
- The WP Activity Log plugin has a great number of resources and offers more visibility into the logs. Its Audit Log Viewer is very comprehensive: it keeps a log of when users try to reach a page that does not exist on the website (404 error), and it shows when there are file changes on the WordPress site. It can store the WordPress audit logs in an external database and configure email notifications for changes to the WordPress users, as well as for more granular changes, like a user deleting a file from the uploads directory. The comprehensive activity logs are free; however, advanced features, like configurable email notifications and reports, are only available in the WP Activity Log.
Another Tool in Your Website Security Toolbox
All these features help you monitor websites better. If something happens, you can check the logs to see whether the compromise came from a stolen password or from a more complex attack that would require a review of the Apache logs.
Audit logs also give you visibility over any changes made. If a website compromise occurred, you can revert those changes if needed. This is another useful way to use an audit plugin. And if you know your website has been compromised but do not know where to start, contact us and we will be happy to clean your website for you.