WordPress activity logs can be helpful when troubleshooting or trying to identify a hack. In this article, you’ll learn about the seven things you should monitor in your WordPress logs.
Over the years, WordPress has grown more complex. WordPress is used by people in a variety of environments, ranging from small shops to large enterprises. Its flexible nature allows for a lot of customization, although that inherently produces a lot of new areas to supervise once the site is in production.
More importantly, having logs of all these activities on a website is mandatory for ecommerce shops to be PCI DSS compliant. Feel free to reference this PCI requirements checklist.
Logs are also very helpful when you need to troubleshoot technical issues or ensure user accountability.
So what are these areas to monitor? Well, when it comes to WordPress, these are the core ones we can narrow the field down to:
1 – Website Changes
Integrity checks are important for auditing a WordPress installation and can provide an early warning of a potential website compromise.
If a file or DNS record is modified in any way, you’ll want to receive notification of these changes. When it comes to the website as a whole, this can be a broad brush to account for, but you’re mainly looking to identify things such as:
- Changes to your DNS;
- Security changes such as WAF deactivation;
- Changes in availability (downtime);
- Updates to the website settings in WordPress;
- Added or deleted sites;
- Added or deleted users from sites.
There are also other settings that can wreck the site if abused, such as changing your site’s permalinks, enabling or disabling comments, and several more.
2 – Blog Post Changes
Another area to monitor for email alerts is changes in the post status. We understand how difficult it can be to leave a post alone. You realize that you forgot a certain detail, or needed to make a correction, so it’s difficult to keep track of which published content was modified with legitimate intent. Therefore, make sure you’re tracking:
- Post and page creation;
- Post and page publishing;
- Modifications to published posts, pages and custom post types.
If you still allow edit access to posts that are published, then monitoring this type of activity can highlight unusual changes, so that no one goes back and edits a post at a later date without your knowledge.
We recommend checking out our friends at WP Security Audit Log – which tracks any changes to posts and several major plugins.
3 – WordPress Plugin Changes
There are tens of thousands of plugins that are active in the WordPress community and sometimes there are developers and website owners that don’t know when too many plugins are “too many”.
That lack of inventory restraint can lead to people forgetting that old plugins set up years ago still exist within their site. Implementing detection tools to maintain visibility over the activity of these plugins is critical. You should receive email alerts when:
- modifying a file with theme/plugin editor;
- installing a plugin;
- activating a plugin;
- deactivating a plugin;
- updating a plugin;
- deleting a plugin;
- changing any settings to the plugin.
When it comes to plugins, less is more. Storing dormant plugins in your WordPress environment increases the risk of an incident, even if they are disabled and not actively used.
We have hosted a webinar on how to know if you can trust a plugin.
4 – WordPress Theme Changes
To some of you, it may sound odd, but there is an ability to house multiple active themes within a WordPress installation. This is especially true when developing a WordPress Multisite instance in which different sites may require different themes. Therefore, keeping checks on these themes is just as critical as plugins. Make sure to receive email alerts when:
- modifying a file with theme/plugin editor;
- installing a theme;
- activating a theme;
- updating a theme;
- deleting a theme.
Tip: If you’re not expecting changes to your themes/plugins anytime soon, consider disabling edit access to your themes & plugins. Add this line of code to your wp-config.php file:
Note: Be careful because this can become a really easy avenue for hackers to exploit if not checked.
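WordPress's constant for turning off the built-in theme and plugin editor is DISALLOW_FILE_EDIT, set with define( 'DISALLOW_FILE_EDIT', true ); in wp-config.php. As an added example (not from the original article), this Python check reports whether a given wp-config.php really has the setting enabled; the sample file contents and function names are constructed for the demonstration.

```python
import re

# Constructed wp-config.php excerpts for the demonstration.
HARDENED = """<?php
define( 'DB_NAME', 'example' );
define( 'DISALLOW_FILE_EDIT', true );
"""
NOT_HARDENED = """<?php
// define( 'DISALLOW_FILE_EDIT', true );
/* define( 'DISALLOW_FILE_EDIT', true ); */
define( 'DISALLOW_FILE_EDIT', false );
"""

# Matches define( 'NAME', value ); and captures the name and the raw value.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")


def strip_comments(php_source):
    """Drop block comments and whole-line comments so disabled lines are ignored."""
    without_blocks = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", without_blocks)


def file_editor_disabled(php_source):
    """True only if the first live DISALLOW_FILE_EDIT define sets it to true."""
    for name, value in DEFINE_RE.findall(strip_comments(php_source)):
        if name == "DISALLOW_FILE_EDIT":
            # PHP keeps the first definition of a constant; later ones are ignored.
            return value.strip().lower() in ("true", "1")
    return False  # constant absent: the editor is available to administrators


if __name__ == "__main__":
    print("hardened sample:", file_editor_disabled(HARDENED))
    print("not hardened sample:", file_editor_disabled(NOT_HARDENED))
```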
5 – WordPress Core Integrity
Any changes to the core WordPress instance should raise a red flag if you didn’t authorize them. This can affect your site as a whole; in particular if you have some customized features that your client made upon request. When should you definitely receive alerts?
- Updates to WordPress versions.
- Alterations to directory permissions.
Alterations to WordPress core can also cause incompatibility with plugins and themes that may rely on a specific version structure.
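The integrity checks described in sections 1 and 5 can be pictured as a baseline comparison. The following is an added example, not code from the original article or from any plugin: it records a hash and permission bits for every path, then reports added, deleted, modified and re-permissioned entries. The directory contents, the file name cache.php and the version placeholder are constructed, and POSIX permissions are assumed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map every path under root to (sha256 of content or None, permission bits)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            digest = None  # directories and symlinks are tracked by mode only
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return state

def compare(baseline, current):
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in baseline:
            findings.append(("added", path))
        elif path not in current:
            findings.append(("deleted", path))
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[path], current[path]
            if old_hash != new_hash:
                findings.append(("modified", path))
            if old_mode != new_mode:
                findings.append(("permissions", path, oct(old_mode), oct(new_mode)))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed mini install
        inc = os.path.join(root, "wp-includes")
        os.mkdir(inc)
        os.chmod(inc, 0o755)
        version = os.path.join(inc, "version.php")
        with open(version, "w") as fh:
            fh.write("<?php $wp_version = 'X.Y';\n")  # placeholder version
        baseline = snapshot(root)
        with open(version, "a") as fh:  # simulate an unauthorized edit
            fh.write("// unexpected edit\n")
        os.chmod(inc, 0o777)  # simulate a loosened directory permission
        with open(os.path.join(inc, "cache.php"), "w") as fh:  # hypothetical new file
            fh.write("<?php\n")
        return compare(baseline, snapshot(root))
```

Store the baseline somewhere the web server user cannot write, otherwise whoever changes the files can change the baseline too.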
6 – User Login Activity
Logging and reviewing user activity will also help establish visibility into potential website impacts. These are the questions you should be asking when it comes to user activity:
- Who is logging in?
- Are there provisions for new user access?
- Should this user be logging in?
- Were those logins successful? Did they fail?
- Why are they changing that post/page?
- Why are they logging in when they should be sleeping?
- Who installed that plugin?
- Who installed that theme?
- Why does that user have administrative privileges to adjust other permissions?
WordPress allows users to attempt a login unlimited times by default, but this leaves a site vulnerable to brute force attacks. You can add an extra layer of security by limiting the number of login attempts against an account through a plugin, or by using a Web Application Firewall (WAF).
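Several of the questions above can be answered from the web server's access log alone. The following is an added example, not part of the original article: it scans log lines for POST requests to /wp-login.php and flags repeated failures from one address, a success that follows such a run, and logins outside expected hours. The log lines are constructed, and the threshold, the working hours and the 302/200 outcome heuristic are assumptions to adjust for your site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2024:02:14:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4512'
     for s in range(1, 6)]
    + ['203.0.113.7 - - [12/Mar/2024:02:14:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '198.51.100.20 - - [12/Mar/2024:09:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4512',
       '198.51.100.20 - - [12/Mar/2024:09:30:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '192.0.2.44 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512'])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

FAIL_THRESHOLD = 5          # assumed: failed attempts from one IP before alerting
WORK_HOURS = range(7, 20)   # assumed: hours (log time zone) when logins are expected


def analyse(log_text):
    """Return a list of (alert_type, ip, detail) tuples for login submissions."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/wp-login.php":
            continue  # only form submissions to the login page are of interest
        ip = m["ip"]
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "302":
            # Heuristic: WordPress redirects after a successful login.
            if failures[ip] >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", ip, failures[ip]))
            if when.hour not in WORK_HOURS:
                alerts.append(("off_hours_login", ip, when.hour))
            failures[ip] = 0
        else:
            # Heuristic: the login form is served again when the attempt fails.
            failures[ip] += 1
            if failures[ip] == FAIL_THRESHOLD:
                alerts.append(("brute_force_suspected", ip, failures[ip]))
    return alerts
```

An access log shows the source address and outcome but not the account name; an activity-log plugin is needed to tie a login to a specific user.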
7 – Website Security Changes
If you’re actively utilizing an in-depth website security solution, that’s great. However, if someone were to hijack access to your security configuration, that can spell more problems.
Ask yourself the following questions:
- Who logged in?
- Did the login succeed or fail?
- Were there changes to any settings?
- Were there any sites impacted by the change?
The settings to review can vary based on the type of security solution you have configured. You may have set up a “detection”-only plugin or a comprehensive WAF that may also include the ability to modify rule sets specific to your application.
To minimize the risk of someone accessing your security plugin, CAPTCHAs can be beneficial at stopping malicious bots from accessing it and your WordPress dashboard altogether. The free Sucuri Security plugin helps identify and address many of these questions. It’s also a useful way to centralize WordPress logs.
In this post, we explained the importance of keeping website logs and monitoring the WordPress activity.
Sucuri offers a complete website security platform that includes website monitoring, protection, and response in case of hacks for WordPress websites.