The Vital Role Of Logs In WordPress Security

This is the third article in a 3 part series on the use of activity logs in WordPress.

This is the last part of the three-article series about how activity logs can help WordPress site administrators. In the first article we saw how, with a WordPress activity log, you can improve user accountability and tick some compliance check boxes on your WordPress site.

In the second article of this series we looked into the different types of logs WordPress site administrators and developers have at their disposal to help them troubleshoot technical problems.

In this third and last article we will see how activity logs can help WordPress site administrators like you to:

  • Improve the security of your WordPress site
  • Track down the source and damage in a post-hack scenario (forensics)

To highlight how important logs are in WordPress security, I’d like to use a quote from the PCI DSS compliance document:

“Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.”

Which Logs To Use And When?

The most important logs for detecting and preventing attacks, and to do forensic work on WordPress sites are:

Detecting & Preventing WordPress Hack Attacks With Logs

In an ideal world, site administrators have time to review the logs. This is most probably one of the most underrated site admin activities, and unfortunately many, including yours truly, are too busy to do it.

When you analyze the logs you can notice suspicious behaviour which could be a sign of an attack. You can also learn how attackers are trying to break into your WordPress site. Here are some examples of what to look out for in the logs.

The WordPress Audit Trail

Failed login attempts: You should not alarm yourself if you notice a few failed login attempts every day. That is normal. However, if you notice hundreds or thousands of failed login attempts using random usernames, that means that someone launched an automated brute force attack against your site.

If you notice that a particular user has a high number of failed login attempts, check with the owner of that username, because it could also be a sign of a targeted hack attack.

Requests to non-existing pages: As with failed login attempts, a few daily occurrences of website visitors requesting non-existing pages are nothing to be alarmed about. However, if you see a lot of such requests to directories such as /wp-content/plugins/* or the uploads directory, then it is something to worry about.

Abnormal user activity: As a website owner you get used to your users’ working patterns. You know roughly when they log in, from where they log in and what they typically do when logged in to your WordPress site. This knowledge allows you to spot a user login or a content/site setup change during odd hours, or from an unusual IP range. When this happens, double check with the actual user if the activity is legitimate.

Web Server Log Files

In the web server access and error log files you can see what type of scans attackers are launching against your website and what type of vulnerabilities they are trying to exploit.

The above is just an excerpt from our site’s access logs. The first two requests are generated by the SiteLock spider, which means that someone is using SiteLock to scan our website. In the other two lines we can see that someone is trying to find the login page. There are actually hundreds of requests from each of the above IP addresses in the logs, which means they are automated scans.

In some cases you might spot attackers trying to exploit a known vulnerability in a WordPress plugin that you might not even be running. Check the example below:

The above are excerpts from an access log file of a web server. We can see that someone is automatically scanning the web server, trying to exploit the notorious Revolution Slider vulnerability that was discovered years ago. You might notice such patterns in your logs even if you do not have the plugin installed. And that is expected, because most of these attacks are automated mass scans, i.e. non-targeted WordPress attacks.
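The review described in this section can be partly scripted. The following is an added example, not code from the original article or from any plugin: it reads access log lines in the common "combined" format and flags IP addresses with many failed-looking POSTs to /wp-login.php, or many 404s under the plugins and uploads directories. The log lines, IP addresses and thresholds are constructed, and the 200-versus-302 rule for wp-login.php is a heuristic that assumes a default WordPress login flow.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumed thresholds: set them above your site's normal daily noise.
LOGIN_FAIL_THRESHOLD = 5
PROBE_404_THRESHOLD = 3
PROBE_PREFIXES = ("/wp-content/plugins/", "/wp-content/uploads/")

def analyze(lines):
    """Return (sorted findings, number of unparsable lines)."""
    login_fail, login_ok = Counter(), Counter()
    probes = defaultdict(set)          # ip -> distinct missing paths requested
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1               # count odd lines instead of hiding them
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        if method == "POST" and path == "/wp-login.php":
            # Heuristic: WordPress answers a good login with a 302 redirect
            # and re-renders the form (200) after a bad one.
            if status == 302:
                login_ok[ip] += 1
            elif status == 200:
                login_fail[ip] += 1
        elif status == 404 and path.startswith(PROBE_PREFIXES):
            probes[ip].add(path)
    findings = []
    for ip, n in login_fail.items():
        if n >= LOGIN_FAIL_THRESHOLD:
            # Many failures plus a success from the same IP: review first.
            kind = "bruteforce-with-success" if login_ok[ip] else "bruteforce"
            findings.append((ip, kind, n))
    for ip, paths in probes.items():
        if len(paths) >= PROBE_404_THRESHOLD:
            findings.append((ip, "missing-path-scan", len(paths)))
    return sorted(findings), skipped

def _line(ip, method, path, status):
    # Builds one constructed log line; IPs are from documentation ranges.
    return (f'{ip} - - [12/Mar/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "constructed-agent"')

SAMPLE_LOG = (
    [_line("203.0.113.10", "POST", "/wp-login.php", 200)] * 6
    + [_line("203.0.113.10", "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.7", "GET", f"/wp-content/plugins/example-{c}/readme.txt", 404)
       for c in "abc"]
    + [_line("192.0.2.50", "POST", "/wp-login.php", 200),   # one typo, then success
       _line("192.0.2.50", "POST", "/wp-login.php", 302),
       _line("192.0.2.50", "GET", "/old-page", 404),
       "not an access log line"]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG)[0]:
        print(finding)
```

The user who mistyped a password once and the single request for a missing page stay below both thresholds, which matches the point above that a few such events every day are normal.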

The Need To Setup A WordPress Intrusion System

Most probably you barely have time to generate enough content for your business’ WordPress site, let alone review the logs. The good news is that you can automate part of this process with a WordPress Intrusion Detection System. If you use the WP Security Audit Log plugin you can configure a number of email notifications so that, when there is suspicious activity, you are alerted instantly, enabling you to take the necessary evasive action.

What Can You Do Once You Spot Suspicious Behaviour?

It depends on the nature of the case, but here are a few things you can do:

  • Double check with the user if it was legitimate behaviour.
  • Block the IP range at website level, or ask the hosting provider to block it at their firewall level.
  • If you notice that someone was able to access some files they shouldn’t have accessed, or some section of the website they shouldn’t have access to, update the permissions as quickly as you can.

The above is just a high-level idea of what you can do. It is very difficult to say in advance what remedial actions you can take to evade an attack, because it always depends on the situation. Nevertheless, it is imperative to always double check things before changing the setup to ensure you do not block legitimate changes.

The Role of Logs in WordPress Forensics

In a post-WordPress-hack scenario you have to trace back the malicious users’ activity to find out what flaw they exploited and what damage they have done on your website. Sounds easy, right? It is not.

The purpose of analyzing the logs in a post-hack attack is primarily to find out how the users gained access to your website and close that security hole. Not doing this could result in your site being hacked again.

So how did it happen? Did they exploit a vulnerability in an outdated plugin, or did they guess a user’s weak password?

In forensics there are no blueprints that tell you what you need to do to trace back activity. Every case is unique. That is why it is a very tricky and difficult job. You should use all of the logs available to try and figure out how the malicious attackers gained access and what they did once they gained access. Use the:

  • WordPress activity logs to see what the attackers did once they gained access. Maybe you can also find out how they managed to get in, especially if they guessed a weak password.
  • Web server logs, including the error log, to try to find out if they exploited a known issue in WordPress, a plugin or a theme. This might be possible if you are running outdated software.
  • SFTP log files to see if they guessed a user’s FTP password.

If you have a dedicated/virtual server and are running other network services it could also be that the attackers gained access through another service, or a known issue in the operating system. In that case you have to dig deeper and analyse the syslog (system logs) and all the other available log files.

You Know Your Website and Setup, so You Know Best

Security professionals can give you a lot of tips on what to keep an eye on and what to look out for when analyzing the logs. This will help you learn about possible attacks or do post-hack forensic work. However, you are the one who best knows your WordPress site, how it’s set up, and the web server hosting setup.

It is vital that you learn as much as you can about your users’ behaviour and your setup, so you can easily spot and prevent any possible attacks, ease troubleshooting, and improve user accountability on your WordPress site.

Logs for WordPress Security

WP Mayor trusts in WP Security Audit Log for activity logs on our WordPress sites.

Disclosure: Some of the links used above are affiliate links, meaning that, at no extra cost to you, we may earn a commission if you click through and make a purchase.

About Robert Abela

Robert is the CEO and founder of WP White Security, a niche WordPress security plugin development company based in the Netherlands, Europe. Their flagship product is WP Security Audit Log, the most comprehensive and widely used activity log plugin for WordPress sites and multisite networks.
