WordPress security is an ever-evolving process and not a one-time fix. As a WordPress administrator, you should first implement robust security measures on your website, then continuously monitor, test and improve from there.
Monitoring and understanding what is in the WordPress audit trail is one of the most critical process involved in securing your website, and the process on which all others depend. You test and implement new security solutions and improve the existing security measures based on what you learn from monitoring what’s already in place.
This article explains how to use a WordPress audit log viewer to spot possible malicious activity and continuously improve the security of your WordPress websites and blogs. But first, a quick word on how to get started.
Implementing a WordPress Monitoring (Audit Trail) Solution
Implementing an audit train that you can monitor your website is no sweat. Once you do that, you can even fully maintain your WordPress site yourself. You just need to install one of the audit trail plugins available on the WordPress plugin repository. Once you install the plugin, it will automatically start keeping a record of everything that is happening on your WordPress site.
Using the WordPress Audit Log to Spot Attacks & Protect Your Website Against Them
Abnormal User Logins Activity
Weak passwords are one of the most commonly exploited security issues in WordPress websites, so abnormal login activity from unknown systems is definitely something to keep a lookout for.
If your users typically login during office hours only, watch out for login activity outside of those hours in the audit trail. Another sign of suspicious activity could be the IP address from where users are logging in. If your authors have a fixed IP, or always login from the same region / country you can watch out for login activity originating from different IP addresses or different regions of the world.
It is also possible to spot suspicious activity even when your users do not have a fixed IP address. Every Internet Service Provider (ISP) uses a limited range of IP addresses, for example all IP addresses in the subnet 82.16.xxx.xxx. So if you notice user login activity that is not from a familiar subnet, you should definitely dig deeper into the logs and find out exactly what the user is doing.
Failed Login Attempts
A handful of failed login attempts on a daily basis are a normal occurrence on a WordPress website, so do not alarm yourself if you see any. You should worry if you notice hundreds or thousands of failed login attempts within a short time span from unknown systems or users.
If you do notice such activity it means that malicious hackers launched a brute force attack against your WordPress login page. At this stage you can either block the offending IP addresses at .htaccess level, or ask your hosting provider to block them for you.
Large Number of Requests to Non-Existing Pages (404 Errors)
HTTP 404 errors happen when visitors request a page that does not exist on your website. Typically 404 errors are generated because of broken links, or when users try to access a URL that no longer exists.
Similar to failed login attempts, do not alarm yourself if you see a handful of 404 errors in the WordPress audit trail. Though keep a lookout if you see hundreds or thousands of them within a short time span. A lot of 404 errors are typically generated when attackers scan your WordPress website using an automated scanner.
If you notice such activity block the offending IP address or advise the hosting provider about it so they can block it.
WordPress User Profile Changes
The more you know about what malicious hackers do when they exploit a vulnerability and successfully hack into a WordPress website, the more insight you can gain from your WordPress audit trail. The attackers’ actions depend on the type of vulnerability they exploit, and the privileges they have during the hack, but typically they:
- Create a new WordPress user to retain access to the hacked WordPress website,
- Change the password of an existing WordPress user,
- Change the email, role or other important properties of the WordPress user.
You should definitely be on the lookout for this type of activity on your WordPress. If you are the only administrator on the website (and you should be since there should only be one WordPress administrator account) and you did not create a new user, or you or the user himself did not change the passwords or email address, then you should dig deep in the WordPress audit trail and find out what is happening. All of these changes can be signs of a possible WordPress hack attack.
Troubleshooting WordPress Issues
So far we have looked at the WordPress audit trail as a security solution, though it can also be a great tool for troubleshooting WordPress issues as well. As WordPress professionals we have all been there; a customer’s website stopped working and they did not make any changes. Something changed and no one ever logged into the WordPress website. How is that even possible?
A WordPress audit trail plugin helps you trace back the change that a user did and affected the customer’s website.
Time to Install a WordPress Audit Trail Plugin
The advantages of keeping a WordPress audit trail are multifold, and it is really easy to get started. There are plenty of essential plugins you should install on your WordPress site, but this one is going to make all the difference. All you have to do is install the WordPress audit log plugin of your choice and it will automatically start logging all activity. So there are no excuses.
Which WordPress Audit Trail Plugin Should You Use?
There are quite a few WordPress audit logging plugins available on the repository. Some of them have very good coverage and keep a record of every minute little detail, such as what and who changed the content of a blog post, changed the properties of an item in WooCommerce, enabled, disabled or updated a plugin and much more. Some others just keep track of basic activity, such as logins and content posting activity.
If you are looking for a comprehensive audit log, because you need to know exactly what has changed in a blog post, rather than just knowing that it has changed, or because of some compliance requirements, I recommend WP Security Audit Log. This plugin is built as a security solution, so it is the most comprehensive audit log solution you’ll find for WordPress. WP Security Audit Log also has a number of premium add-ons which you can use to configure automated email alerts, generate reports etc.
If on the other hand you are looking for something simple, Simple History is the way to go. It is one of the first audit trail plugins for WordPress and is mostly well known for its simplicity, ease of use and the availability of the audit trail through a RSS feed. Two other WordPress audit trail plugins that have been around for quite some time and have a good number of downloads are Audit Trail and Activity Log.
Do you already use a WordPress audit trail plugin yourself? If not, knowing exactly what kind of activity is happening on your WordPress site will add another layer of security as well as give you vital information in case anything goes wrong.
Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.