The Vital Role Of Logs In WordPress Security

The Vital Role Of Logs In WordPress Security

57 Comments

This is the third article in a 3 part series on the use of activity logs in WordPress.
Read the first article here.
Read the second article here.

This is the last part of the three article series about how activity logs can help WordPress site administrators. In the first article we have seen how, with a WordPress activity log, you can improve user accountability and tick some compliance check boxes on your WordPress site.

In the second article of this series we looked into the different types of logs WordPress site administrators and developers have at their disposal to help help them ease the troubleshooting of technical problems.

In this third and last article we will see how activity logs can help WordPress site administrators like you to:

  • Improve the security of your WordPress site
  • Track down the source and damage in a post-hack scenario (forensics)

To highlight how important logs are in WordPress security, I’d like to use a quote from the PCI DSS compliance document:

“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.”

Which Logs To Use And When?

The most important logs for detecting and preventing attacks, and to do forensic work on WordPress sites are:

Detecting & Preventing WordPress Hack Attacks With Logs

In an ideal world, site administrators have time to review the logs. This is most probably one of the most underrated site admin activities, and unfortunately many, including yours truly, are too busy to do it.

When you analyze the logs you can notice suspicious behaviour which could be a sign of an attack. You can also learn how attackers are trying to break into your WordPress site. Here are some examples of what to look out for in the logs.

The WordPress Audit Trail

WordPress Audit Trail

Failed login attempts: You should not alarm yourself if you notice a few failed login attempts every day. That is normal. However, if you notice hundreds or thousands of failed login attempts using random usernames, that means that someone launched an automated brute force attack against your site.

If you notice that a particular user has a high number of failed login attempts check with the owner of that username, because it could also be a sign of a targeted hack attack.

Requests to non-existing pages: Similar to failed login attempts, the few daily occurrences of website visitors requesting non-existing pages is nothing to be alarmed about. However if you see a lot of such requests to directories such as /wp-content/plugins/* or the uploads directory then it is something to worry about.

Abnormal user activity: As a website owner you get used to your users’ working patterns. You know roughly when they login, from where they login and what they typically do when logged in to your WordPress site. This knowledge allows you to spot a user login or a content/site setup change during odd hours, or from an unusual IP range. When this happens, double check with the actual user if the activity is legitimate.

Web Server Log Files

In the web server access and error log file you can see what type of scans attackers are launching against your website and what type of vulnerabilities they are trying to exploit.

The above is just an abstract from our site’s access logs. The first two requests are generated from the SiteLock spider, which means that someone is using Sitelock to scan our website. In the other two lines we can see that someone is trying to find the login page. Actually there are hundreds of requests from each of the above IP addresses in the logs, which means they are automated scans.

In some cases you might spot attackers that are trying to exploit a known vulnerabilities in a WordPress plugin that you might not be even running. Check the example below:

The above are abstracts from an access log file of a web server. We can see that someone is automatically scanning the web server, trying to exploit the notorious Revolution Slider vulnerability that was discovered years ago. You might notice such patterns in your logs even if you do not have the plugin installed. And that is expected, because most of these attacks are automated mass scans, i.e. non targeted WordPress attacks.

The Need To Setup A WordPress Intrusion System

Most probably you barely have time to generate enough content for your business’ WordPress site, let alone review the logs. The good news is that you can automate part of this process with a WordPress Intrusion Detection System. If you use the WP Security Audit Log plugin you can configure a number of email notifications so that, when there is suspicious activity, you are alerted instantly, enabling you to take the necessary evasive action.

What Can You Do Once You Spot Suspicious Behaviour?

It depends on the nature of the case, but here are a few things you can do:

  • Double check with the user if it was legitimate behaviour.
  • Block the IP range at website level, or ask the hosting provider to block it at their firewall level.
  • If you notice that someone was able to access some files they shouldn’t have accessed, or some section of the website they shouldn’t have access to, update the permissions at quickly as you can.

The above is just a high level idea of what you can do. As such it is very difficult to tell what remedial actions you can take to evade an attack because it always depend on the situation. Nevertheless, it is imperative to always double check things before changing the setup to ensure you do not block legitimate changes.

The Role of Logs in WordPress Forensics

In a post-WordPress-hack scenario you have to trace back the malicious users’ activity to find out what flaw they exploited and what damage they have done on your website. Sounds easy, right? It is not.

The purpose of analyzing the logs in a post-hack attack is primarily to find out how the users gained access to your website and close that security hole. Not doing this could result in your site being hacked again.

So how did it happen? Did they exploit a vulnerability in an outdated plugin, or did they guess a user’s weak password?

In forensics there are no blueprints that tell you what you need to do to trace back activity. Every case is unique. That is why it is a very tricky and difficult job. You should use all of the logs available to try and figure out how the malicious attackers gained access and what they did once they gained access. Use the:

  • WordPress activity logs to see what the attackers did once they gained access. Maybe you can also find out how they managed to get in, especially if they guessed a weak password.
  • Web server logs, including the error log to try to find out if they exploited a known issue in WordPress, a plugin or a theme. This might be possible if you are running out-dated software.
  • SFTP log files to see if they guessed a users’ FTP password.

If you have a dedicated/virtual server and are running other network services it could also be that the attackers gained access through another service, or a known issue in the operating system. In that case you have to dig deeper and analyse the syslog (system logs) and all the other available log files.

You Know Your Website and Setup, so You Know Best

Security professionals can give you a lot of tips on what to keep an eye on and what to lookout for when analyzing the logs. This will help you learn about possible attacks or do post-hack forensic work. However, you are the one who knows your WordPress site, how it’s set up, and the web server hosting setup the best.

It is vital that you learn as much as you can about your users’ behaviour and your setup, so you can easily spot and prevent any possible attacks, ease troubleshooting, and improve user accountability on your WordPress site.

Logs for WordPress Security

WP Mayor trusts in WP Security Audit Log for activity logs on our WordPress sites.

Get the Plugin

Disclosure: Some of the links used above are affiliate links, meaning that, at no extra cost to you, we may earn a commission if you click through and make a purchase.

About Robert Abela

Robert is the CEO and founder of WP White Security, a niche WordPress security plugin development company based in the Netherlands, Europe. Their flagship product is WP Security Audit Log, the most comprehensive and widely used activity log plugin for WordPress sites and multisite networks.

Related Articles

Let's block ads! (Why?)


SHARE

Unknown

  • Image
  • Image
  • Image
  • Image
  • Image
    Blogger Comment

57 comments:

  1. jospheneSeptember 23, 2019 at 4:40 AM

    This blog is really great. The information here will surely be of some help to me. Thanks!. clean wordpress site

    ReplyDelete
  2. Top SEOMay 3, 2020 at 10:25 PM

    Wow i can say that this is another great article as expected of this blog.Bookmarked this site.. security service

    ReplyDelete
  3. Top SEOMay 4, 2020 at 2:53 AM

    I think this is an informative post and it is very useful and knowledgeable. therefore, I would like to thank you for the efforts you have made in writing this article. security guard school

    ReplyDelete
  4. HarryMay 7, 2020 at 2:14 AM

    Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here. t shirts in Portugl

    ReplyDelete
  5. UnknownMay 13, 2020 at 11:08 AM

    Truly, this article is really one of the very best in the history of articles. I am a antique ’Article’ collector and I sometimes read some new articles if I find them interesting. And I found this one pretty fascinating and it should go into my collection. Very good work! top in ear headphones

    ReplyDelete
  6. HarryMay 13, 2020 at 12:52 PM

    This is exactly the information I'm looking for, I couldn't have asked for a simpler read with great tips like this... Thanks! best eliquid brand in uk

    ReplyDelete
  7. Robert HudsonMay 14, 2020 at 3:10 PM

    We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work red led light therapy before and after pictures

    ReplyDelete
  8. mAHAMay 15, 2020 at 8:45 AM

    This article gives the light in which we can observe the reality. This is very nice one and gives indepth information. Thanks for this nice article. spirulina juice

    ReplyDelete
  9. mAHAMay 23, 2020 at 1:20 PM

    This is a fantastic website , thanks for sharing. milk cosmetics

    ReplyDelete
  10. UnknownMay 23, 2020 at 2:41 PM

    Thank you for helping people get the information they need. Great stuff as usual. Keep up the great work!!! Bets

    ReplyDelete
  11. FairyJune 2, 2020 at 10:07 PM

    I read a article under the same title some time ago, but this articles quality is much, much better. How you do this.. custom aftermarket wheels

    ReplyDelete
  12. FairyJune 2, 2020 at 11:38 PM

    I will be interested in more similar topics. i see you got really very useful topics , i will be always checking your blog thanks עו"ד ביטוח לאומי

    ReplyDelete
  13. jospheneSeptember 15, 2020 at 10:31 AM

    Thanks for posting this info. I just want to let you know that I just check out your site and I find it very interesting and informative. I can't wait to read lots of your posts. custom writings

    ReplyDelete
  14. HarrySeptember 25, 2020 at 9:42 AM

    Excellent work done by you once again here. This is just the reason why I’ve always liked your work. You have amazing writing skills and you display them in every article. Keep it going! Click here where to buy xanax online

    ReplyDelete
  15. HarrySeptember 25, 2020 at 10:00 AM

    I think it could be more general if you get a football sports activity url shortner

    ReplyDelete
  16. mAHADecember 31, 2020 at 8:27 AM

    I’ve been searching for some decent stuff on the subject and haven't had any luck up until this point, You just got a new biggest fan!.. bottoms and leggings

    ReplyDelete
  17. UnknownJanuary 7, 2021 at 2:43 AM

    It was good experience to read about dangerous punctuation. Informative for everyone looking on the subject. Treasure at tampines condo

    ReplyDelete
  18. HarryJanuary 24, 2021 at 5:48 AM

    Always so interesting to visit your site.What a great info, thank you for sharing. this will help me so much in my learning computer repair

    ReplyDelete
  19. HarryJanuary 26, 2021 at 9:52 AM

    Very awesome!!! When I seek for this I found this website at the top of all blogs in search engine. Web Design Shoreline

    ReplyDelete
  20. CharlesdayJanuary 28, 2021 at 9:41 AM

    Really impressive post. I read it whole and going to share it with my social circules. I enjoyed your article and planning to rewrite it on my own blog. Ceremonial Cacao

    ReplyDelete
  21. PotterJanuary 29, 2021 at 11:37 AM

    I see the greatest contents on your blog and I extremely love reading them. Home Cleaning

    ReplyDelete
  22. HarryJanuary 31, 2021 at 8:51 AM

    I would like to say that this blog really convinced me to do it! Thanks, very good post. baby names

    ReplyDelete
  23. HarryFebruary 1, 2021 at 3:10 AM

    This is really a nice and informative, containing all information and also has a great impact on the new technology. Thanks for sharing it, podsystem

    ReplyDelete
  24. Robert HudsonFebruary 12, 2021 at 9:53 AM

    Cool stuff you have and you keep overhaul every one of us general election 2022 Bahamas

    ReplyDelete
  25. Robert HudsonMarch 15, 2021 at 11:31 PM

    i am for the first time here. I found this board and I in finding It truly helpful & it helped me out a lot. I hope to present something back and help others such as you helped me. Custom pop up cards

    ReplyDelete
  26. FairyMarch 17, 2021 at 3:08 AM

    I'm happy to see the considerable subtle element here!. spettacoli per bambini

    ReplyDelete
  27. FairyApril 12, 2021 at 1:16 AM

    Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Keep posting. Thanks for sharing. toys for black children

    ReplyDelete
  28. FairyApril 22, 2021 at 2:12 AM

    We are really grateful for your blog post. You will find a lot of approaches after visiting your post. Great work items to relax my self

    ReplyDelete
  29. FairyApril 22, 2021 at 2:26 AM

    A good blog always comes-up with new and exciting information and while reading I have feel that this blog is really have all those quality that qualify a blog to be a one Erklärungsvideo

    ReplyDelete
  30. UnknownApril 29, 2021 at 1:24 PM

    I have to search sites with relevant information on given topic and provide them to teacher our opinion and the article. best car shipping companies

    ReplyDelete
  31. UnknownApril 29, 2021 at 1:29 PM

    I have bookmarked your website because this site contains valuable information in it. I am really happy with articles quality and presentation. Thanks a lot for keeping great stuff. I am very much thankful for this site. the secrets book series

    ReplyDelete
  32. FairySeptember 28, 2021 at 2:32 AM

    Really impressed! Everything is very open and very clear clarification of issues. It contains truly facts. Your website is very valuable. Thanks for sharing. Läkarintyg

    ReplyDelete
  33. FairySeptember 28, 2021 at 2:36 AM

    Truly, this article is really one of the very best in the history of articles. I am a antique ’Article’ collector and I sometimes read some new articles if I find them interesting. And I found this one pretty fascinating and it should go into my collection. Very good work! singapore best baby clothing

    ReplyDelete
  34. HarryNovember 6, 2021 at 1:20 PM

    wow... what a great blog, this writter who wrote this article it's realy a great blogger, this article so inspiring me to be a better person go2college

    ReplyDelete
  35. FairyDecember 13, 2021 at 3:13 AM

    this is really nice to read..informative post is very good to read..thanks a lot! liquor home delivery near me

    ReplyDelete
  36. HarryDecember 14, 2021 at 11:44 PM

    Super site! I am Loving it!! Will return once more, Im taking your food likewise, Thanks. home builders in mississippi

    ReplyDelete
  37. HarryDecember 14, 2021 at 11:56 PM

    Admiring the time and effort you put into your blog and detailed information you offer!.. law firms in oxford

    ReplyDelete
  38. HarryDecember 16, 2021 at 10:41 PM

    It proved to be Very helpful to me and I am sure to all the commentators here! Affordable Local SEO

    ReplyDelete
  39. Robert HudsonDecember 17, 2021 at 3:45 AM

    It's really nice and meanful. it's really cool blog. Linking is very useful thing.you have really helped lots of people who visit blog and provide them usefull information. electronic textbooks

    ReplyDelete
  40. FairyDecember 19, 2021 at 8:57 PM

    I have been searching to find a comfort or effective procedure to complete this process and I think this is the most suitable way to do it effectively. digital marketing near me

    ReplyDelete
  41. Robert HudsonJanuary 17, 2022 at 12:55 AM

    Easily, the article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates. FPV Drohnen Pilot

    ReplyDelete
  42. HarryJanuary 23, 2022 at 11:04 PM

    With so many books and articles coming up to give gateway to make-money-online field and confusing reader even more on the actual way of earning money, website development company

    ReplyDelete
  43. FairyJanuary 25, 2022 at 1:25 AM

    If you don"t mind proceed with this extraordinary work and I anticipate a greater amount of your magnificent blog entries Liquor Store Mississippi

    ReplyDelete
  44. Robert HudsonJanuary 25, 2022 at 9:36 AM

    I wanted to leave a little comment to support you and wish you a good continuation. Wishing you the best of luck for all your blogging efforts. bottom

    ReplyDelete
  45. FairyFebruary 1, 2022 at 9:37 PM

    This is an awesome motivating article.I am practically satisfied with your great work.You put truly extremely supportive data. Keep it up. Continue blogging. Hoping to perusing your next post Tito's Distilled

    ReplyDelete
  46. UnknownFebruary 2, 2022 at 1:05 AM

    Thanks for posting this info. I just want to let you know that I just check out your site and I find it very interesting and informative. I can't wait to read lots of your posts. medical malpractice attorney

    ReplyDelete
  47. FairyFebruary 4, 2022 at 12:40 AM

    I feel really happy to have seen your webpage and look forward to so many more entertaining times reading here. Thanks once more for all the details. Commercial Roofers

    ReplyDelete
  48. mAHAFebruary 5, 2022 at 9:26 AM

    We are tied directly into the sate’s renewal database which allows us to process your request almost instantly. Health Insurance for Freelancers

    ReplyDelete
  49. FairyFebruary 15, 2022 at 10:47 PM

    This is a wonderful article, Given so much info in it, These type of articles keeps the users interest in the website, and keep on sharing more ... good luck. merchant cost consulting

    ReplyDelete
  50. HarryFebruary 16, 2022 at 1:42 AM

    Its a great pleasure reading your post.Its full of information I am looking for and I love to post a comment that "The content of your post is awesome" Great work. building contractors

    ReplyDelete
  51. HarryFebruary 22, 2022 at 12:01 AM

    Wonderful illustrated information. I thank you about that. No doubt it will be very useful for my future projects. Would like to see some other posts on the same subject! Oxford Liquor Store

    ReplyDelete
  52. mAHAMarch 9, 2022 at 7:59 AM

    Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here. Best real estate agent near me

    ReplyDelete
  53. Robert HudsonMarch 11, 2022 at 3:12 AM

    I was just browsing through the internet looking for some information and came across your blog. I am impressed by the information that you have on this blog. It shows how well you understand this subject. Bookmarked this page, will come back for more. shibari

    ReplyDelete
  54. Robert HudsonMarch 24, 2022 at 8:44 AM

    Easily, the article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates. Petros Paradise #519

    ReplyDelete
  55. FairyApril 3, 2022 at 11:55 PM

    The article posted was very informative and useful. You people are doing a great job. Keep going. mellow fellow delta 8

    ReplyDelete
  56. HarryApril 4, 2022 at 10:09 AM

    Hey There. I found your blog using msn. This is a very well written article. I’ll be sure to bookmark it and come back to read more of your useful info. Thanks for the post. I’ll definitely return. Joint pain supplements

    ReplyDelete
  57. HarryApril 9, 2022 at 10:55 AM

    You re in point of fact a just right webmaster. The website loading speed is amazing. It kind of feels that you're doing any distinctive trick. Moreover, The contents are masterpiece. you have done a fantastic activity on this subject! builder Oxford

    ReplyDelete

Subscribe to: Post Comments ( Atom )