Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Hardening WordPress Security By Monitoring Malicious User Activities


WordPress has become the most popular content management system; it drives more than 20% of the websites on the internet. Such popularity has also made WordPress a very popular hacker target, and as a matter of fact one can find ample information about WordPress security. But although there is a lot of information about WordPress security, the WordPress security community is missing out on something very important: WordPress monitoring and logging!

Why Logging and Monitoring Are Important

Operating systems, network hardware and software log everything that is happening in a log file or some sort of auditing database. For example, Windows has the Event Viewer and Linux / Unix operating systems use syslog.

From time to time administrators analyse logs to ensure that everything is working properly and that everyone is playing by the rules, i.e. not trying to tamper with the system. In fact, analysing logs helps administrators identify any suspicious behaviour, hence preventing malicious attacks.

Even in case of an attack, logs come in handy. For example if a website or server is hacked, administrators analyse the logs to track back the attack and identify the security hole the malicious hacker exploited to hack the website or server. Once the security hole has been identified administrators can work with the development team or vendor to close down the security hole to ensure that it cannot be exploited again in the future.

Management also finds logs very handy because they allow it to track and monitor user activity and productivity. Monitoring of system and user activity is a must to ensure both user productivity and the security of the system.

Monitor WordPress Sites Activity

As with any other system, keeping an audit log of the activity on WordPress sites and blogs, especially WordPress multisite installations, is a must if you want to ensure the security of WordPress, and also user productivity.

WP Security Audit Log

WP Security Audit Log is a free WordPress monitoring plugin that tracks all activity on WordPress and WordPress multisite websites. It enables administrators and WordPress owners to keep track of everything that is happening on their WordPress, so they can identify any suspicious behaviour and prevent malicious hack attacks.

WP Security Audit Log logs an alert each time a user logs in or out and creates, modifies or deletes existing content such as blog posts, pages and custom post types. What makes WP Security Audit Log better than other monitoring and auditing plugins is its comprehensive WordPress alerts. For example, if some content is changed it does not simply issue a generic “content has been modified” alert, but specifically reports what has changed. It raises a different alert if a URL or category has changed, if the blog status or visibility has changed, if the author, date, page template or parent has changed, and much more.

Apart from content activity it also monitors the WordPress installation and system. Below is a list of some of the activity that WP Security Audit Log monitors:

  • User profile changes, such as email, role and password changes
  • Widget changes; for example, an alert is generated if a new widget is created, or existing widgets are moved, modified or deleted
  • Plugin changes; an alert is generated if a new plugin is installed or if an existing one has been updated or uninstalled
  • Theme monitoring; an alert is generated if a new theme is installed or activated
  • WordPress system changes; WP Security Audit Log also monitors WordPress updates, permalink changes, administrator notification email changes, default user role changes, etc.
  • Source code changes; an alert is raised if plugin or theme files are modified

Administrators can use the Audit Log Viewer, shown in the screenshot below, to view all the WordPress security alerts generated by the plugin while monitoring WordPress.

Detailed WordPress Alerts

As the screenshot below shows, each WordPress alert generated by the plugin includes information about the actual change being reported, the user’s WordPress username, avatar and role, the source IP, and the date and time.
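The alert details listed above (change, user, role, source IP, date and time) are enough to drive simple automated triage. The following is an added example, not code from the plugin or from the original post; the record layout, event names and sample alerts are constructed assumptions, since the post does not describe an export format.

```python
from datetime import datetime, timedelta

# Constructed sample alerts. The field and event names are assumptions modelled
# on what the article says each alert carries (change, user, role, IP, time).
SAMPLE_ALERTS = [
    ("2014-03-01 08:00:00", "admin", "administrator", "203.0.113.10", "login"),
    ("2014-03-01 09:00:12", "editor1", "editor", "198.51.100.7", "login"),
    ("2014-03-01 09:05:40", "editor1", "editor", "198.51.100.7", "post_modified"),
    ("2014-03-01 23:40:03", "admin", "administrator", "192.0.2.55", "login"),
    ("2014-03-01 23:43:19", "admin", "administrator", "192.0.2.55", "plugin_installed"),
    ("2014-03-02 10:00:00", "editor1", "editor", "198.51.100.7", "file_modified"),
    ("2014-03-04 11:00:00", "admin", "administrator", "203.0.113.10", "plugin_installed"),
]
FIELDS = ("time", "user", "role", "ip", "event")
HIGH_RISK = {"role_change", "password_change", "plugin_installed", "file_modified"}
WINDOW = timedelta(minutes=10)  # how soon after a new-IP login a change is suspect

def triage(rows):
    """Return (time, user, event, reasons) for high-risk changes worth a review."""
    known_ips, new_ip_login, findings = {}, {}, []
    for a in (dict(zip(FIELDS, r)) for r in sorted(rows)):
        ts = datetime.strptime(a["time"], "%Y-%m-%d %H:%M:%S")
        if a["event"] == "login":
            seen = known_ips.setdefault(a["user"], set())
            if seen and a["ip"] not in seen:   # first login is the baseline
                new_ip_login[a["user"]] = ts
            seen.add(a["ip"])
            continue
        if a["event"] not in HIGH_RISK:
            continue
        reasons = []
        if a["role"] != "administrator":
            reasons.append("high-risk change by non-administrator")
        recent = new_ip_login.get(a["user"])
        if recent is not None and ts - recent <= WINDOW:
            reasons.append("shortly after login from a new IP")
        if reasons:
            findings.append((a["time"], a["user"], a["event"], reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_ALERTS):
        print(finding)
```

Routine content edits and administrator changes from a known address are not reported, so the output stays short enough to review by hand.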

It is also possible to enable the Data Inspector from the plugin’s settings to get more details about the reported alert, such as the file triggering the alert, the user’s User Agent string, etc.

From the plugin settings administrators can also enable PHP alerts, so that the plugin reports any PHP errors and warnings. This lets administrators keep track of any PHP problems, which are typically created when a WordPress website is hacked.

It is also possible to disable any of the alerts if, for example, you do not want to be alerted each time a user logs in or out, as seen in the screenshot below.

Delegation of WordPress Security Monitoring

By default only administrators can view the alerts, switch alerts on or off, modify alert pruning, etc. However, it is also possible to allow specific users or roles to view the alerts or modify any of the plugin settings, as seen in the screenshot below.

WordPress Administrators Should Use WP Security Audit Log

It is impossible to track user activity and productivity, and to ensure the security of your WordPress, unless you have WP Security Audit Log. Such a plugin therefore comes in very handy, especially if you have hundreds of users on your WordPress, or if you have multiple websites and a large number of users on a WordPress multisite installation.

Download WP Security Audit Log from the official WordPress plugin repository and visit the official WP Security Audit Log plugin page for more information about the plugin.
