Without a doubt, website security is (or should be) one of the greatest concerns for any WordPress administrator. While WordPress security continues to evolve, it is essential to keep monitoring and testing the security measures you've put in place to identify any loopholes or places that need improvement. With the right tools, you can continuously audit all activities on your site to nip any security threats in the bud. But how can you be aware of what's going on on your website? That's where the WP Security Audit Log plugin can play a major role in improving your site's security.
This review article will focus on the WP Security Audit Log plugin, a WordPress activity log plugin, and how we think it can continuously help you improve the security and robustness of your WordPress websites and multisite networks.
What is WP Security Audit Log?
WP Security Audit Log is a WordPress plugin that tracks and logs all activities that happen in your site's WordPress admin area (and beyond) to help you detect any odd or suspicious behavior before it can become a real security threat to your site.
Essentially, this plugin monitors and records all user activity such as changes made to content, themes, plugins, widgets, user accounts and their passwords and any WordPress settings.
In essence, it is a complete WordPress activity log or audit trail of what is happening on your site. Besides being able to track any suspicious behaviour (for example, a compromised user), you can also track any malicious employee behaviour.
For example, if you manage a large website with a large number of authors contributing to the site, you need to make sure you have a full track of what they are actually doing.
This is because, even though you may actually trust the users, they still might eventually turn malicious, performing unauthorized changes, whether with the specific intent to cause harm or even "by mistake".
WP Security Audit Log was developed by WP White Security, founded by Robert Abela. The plugin is available in two editions: free and Premium. All the logging functionality is available in the free version of the plugin, which can be downloaded from the official WordPress plugin repository.
The Premium edition has a number of useful and advanced features which help website owners and administrators build a complete WordPress activity log solution that enables them to remain on the ball. One such feature is email notifications, which immediately send an email if a specified event occurs on the website.
Such features are essential for websites which are monitored and managed by NOCs who typically need to be alerted of specific issues, so that they can take corrective action quickly.
How to set up the WP Security Audit Log plugin
The installation and set-up of the plugin is very straightforward: once you install the plugin, a new menu item with the name Audit Log appears on your WordPress dashboard.
The menu has a few options pages, but we'll focus mostly on the three main ones:
- Audit Log Viewer and
- Enable/Disable Alerts
The WP Security Audit Log Plugin Settings
The settings page allows you to modify and customize the plugin to fit your specific needs and preferences.
This is necessary since the plugin is able to keep a log of a lot of changes, and unless you want to be overwhelmed with events in the log, you’ll want to enable the logging of the events which interest you.
Let’s have a look at some of the customization options:
Enable / Disable Alerts
There are nearly 400 different types of events that the plugin can keep a log of, which are arranged in different categories for easier navigation. By default, all alerts but two are enabled: logging of 404 alerts and posting of comments. This particular page will let you pick the specific alerts you want to track.
This option allows you to add an alerts widget to your WordPress dashboard. The widget will show you the 5 latest security alerts. This is neat because if you do not monitor the log viewer all the time, you will immediately be alerted to any high-risk events which occurred when you log in to your website's admin.
User control (Can Manage Plugin)
You can determine who can view the WordPress security audit log and who can manage the plugin to ensure that no one can manipulate the logs and settings to hide malicious behavior.
Customize the Audit Log Columns section
You can select which information to display in the audit log viewer screen. By default the following columns can be shown:
- Alert ID
- Source IP
If you don't want anyone else logging into the site to know you're using a WordPress Audit Log Plugin, you can hide it from the plugin's page.
This is a very intelligent feature if you ask me. If you are suspecting that somebody in your company is acting maliciously and you want to catch them in the act, you can enable this option.
Other Noteworthy Settings
The WP Security Audit Log plugin also allows you to configure the activity log retention, the timezone used, support for web application firewalls and reverse proxies, the exclusion of users from the log and much more, allowing business website owners to really fine-tune their WordPress activity log solution.
Audit Log Viewer
This is the crux of the plugin and where the value of the plugin comes in.
All alerts arising out of activities on the site will appear on the Audit Log Viewer page. It is where you will spend most of your time.
For every generated alert, the exact time and date of when the activity took place are recorded, and also the user who performed the action together with their assigned role and source IP Address.
Every type of event in the WordPress activity log has a unique event ID assigned to it, which is useful for when you need to search for a specific change or create an email alert for it.
You’ll notice that the security logs contain vast data about activities on your WordPress website. But such data isn't helpful if you don't know what to look for (converting the data into information). The following are four key areas of focus to get valuable insights from the WordPress audit log.
1. Identifying unusual WordPress user login activity
Malicious hackers usually target weak passwords. They can take these easy pickings and use them for their own (nefarious) purposes (whether it's to build backlinks to their dodgy sites, or install malicious software on your site).
Therefore, you should look out for any abnormal login activity. Check whether anyone is logging in outside office hours. Also, check the IP Addresses that users are logging in with. If all users have a fixed IP Address, check for IP addresses originating from other regions or countries.
Even in cases where users don't have a fixed IP address, you can still check for inconsistencies by noting changes in the subnet. Each Internet Service Provider has a limited range of IP addresses, and they usually share the same subnet.
Any login which looks suspicious needs to be immediately investigated.
2. Failed login attempts
There are bound to be a few failed login attempts in a day. You shouldn't be alarmed when you spot a handful of them because, like we said above, you'll find that quite a lot of automated scripts (bots) will be hammering at your site to see whether they can find a weak password.
But if the login attempts are ranging in the hundreds or thousands, especially from different IP addresses, you could be experiencing an attack. If you lack the expertise to deal with it, alert your host for help. But you can also prevent the problem from your end by putting a cap on the number of times a user can unsuccessfully attempt to log in to the site, using plugins such as Limit Login Attempts.
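The login checks from points 1 and 2, as an added example that is not part of the original review and not code from the plugin: it flags successful logins outside office hours, logins from a subnet a user has not used before, and bursts of failed logins. The row layout, event names, office hours and threshold are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample rows: (timestamp, user, event, source IP). The layout and
# event names are assumptions for this example, not the plugin's export format.
ROWS = [
    ("2024-03-04 09:12:00", "alice", "login_ok", "198.51.100.23"),
    ("2024-03-05 10:01:00", "alice", "login_ok", "198.51.100.87"),
    ("2024-03-06 02:47:00", "alice", "login_ok", "203.0.113.9"),
    ("2024-03-06 14:30:00", "bob", "login_ok", "192.0.2.14"),
] + [("2024-03-06 03:00:%02d" % i, "admin", "login_failed", "203.0.113.%d" % (10 + i))
     for i in range(40)]

OFFICE_HOURS = range(8, 19)   # 08:00-18:59, assumed policy
FAILED_THRESHOLD = 20         # failed logins per hour before flagging, assumed

def subnet(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so addresses from one ISP range match."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def review_logins(rows):
    findings = []
    seen = defaultdict(set)       # user -> subnets of earlier successful logins
    failures = defaultdict(list)  # hour bucket -> source IPs of failed logins
    for ts, user, event, ip in sorted(rows):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event == "login_failed":
            failures[when.strftime("%Y-%m-%d %H")].append(ip)
            continue
        if when.hour not in OFFICE_HOURS:
            findings.append(("off_hours", user, ts, ip))
        net = subnet(ip)
        if seen[user] and net not in seen[user]:
            findings.append(("new_subnet", user, ts, ip))
        seen[user].add(net)
    for hour, ips in sorted(failures.items()):
        if len(ips) >= FAILED_THRESHOLD:
            # Report the total and how many distinct sources were involved.
            findings.append(("failed_burst", hour, len(ips), len(set(ips))))
    return findings

if __name__ == "__main__":
    for finding in review_logins(ROWS):
        print(finding)
```

A user's first recorded login only seeds their known subnets, so the baseline should be built from a period you already trust.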
3. A spike in the number of 404 errors
404 errors are quite common - especially if you regularly maintain your website and trim any content which you don’t need.
They usually occur when a visitor requests a page that doesn't exist on your site. Of course, it's best to actually 301 redirect old URLs to new or similar content, but if you don't have any alternatives, it is best to let the page 404 so that it will eventually be removed from Google and all other references.
They could be visiting a URL that doesn't exist or there could be broken links on your site. Whatever the case, a few 404 errors shouldn't concern you.
But if you notice the number of such errors rising in an unusual manner, you could be staring at an imminent attack from an automated system. It could also mean that a problem has occurred with the setup of your website and some URLs have been changed and not updated correctly.
Whatever the cause, a spike in 404 errors needs to be looked at.
4. Changes in user profiles
When a hacker gains access to your WordPress website, their aim is to create certain privileges for themselves to gain access and control. They might create new user accounts, or change the passwords, email addresses, settings and user roles of existing WordPress users.
They will also probably hide their tracks, for example by resetting passwords to old values, changing users' roles to privileged ones and then back to their previous role, and making other changes which wouldn't normally happen in the day-to-day running of a website.
Some of these changes may have been made by the users themselves and shouldn't be a point of concern. However, if you see changes which are unexpected and can only be made by a WordPress administrator, you should investigate.
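One way to spot the track-hiding pattern described above, as an added example that is not part of the original review and not code from the plugin: it pairs each elevation to a privileged role with a later change that puts the same account back to its earlier role shortly afterwards. The event layout, the set of privileged roles and the one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actor, target user, old role, new role).
# The layout is an assumption for this example, not the plugin's export format.
ROLE_CHANGES = [
    ("2024-03-06 03:05:10", "admin", "carol", "subscriber", "administrator"),
    ("2024-03-06 03:19:42", "admin", "carol", "administrator", "subscriber"),
    ("2024-03-07 11:00:00", "admin", "dave", "author", "editor"),
]
PRIVILEGED = {"administrator", "editor"}  # roles treated as privileged (assumed)
WINDOW = timedelta(hours=1)               # how soon a revert is suspicious (assumed)

def find_role_round_trips(events, window=WINDOW):
    """Return (target, elevated_at, reverted_at, actor) for every account that was
    raised to a privileged role and put back to its earlier role within `window`."""
    open_elevations = {}  # target -> (time, original role, elevated role)
    hits = []
    for ts, actor, target, old, new in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        pending = open_elevations.get(target)
        reverted = (pending is not None and old == pending[2]
                    and new == pending[1] and when - pending[0] <= window)
        if reverted:
            hits.append((target, pending[0].isoformat(sep=" "), ts, actor))
            del open_elevations[target]
        elif new in PRIVILEGED and old not in PRIVILEGED:
            # Remember the elevation until a matching revert shows up.
            open_elevations[target] = (when, old, new)
    return hits

if __name__ == "__main__":
    for hit in find_role_round_trips(ROLE_CHANGES):
        print(hit)
```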
Benefits of the WP Security Audit Log plugin
While it’s actually going to be difficult to mention all of the benefits of using this WordPress activity log plugin, we’re going to mention some of the highlights which we believe are worth noting:
- It will track nearly 400 different actions (and the list is ever growing)
- It supports both multisite and single WordPress installs
- It allows you to pick specific alerts that are important to you rather than letting you sift through a long list.
- It comes with free support offered through the WordPress.org support forums. The developer is quite active on the platform and support is also provided via email.
Different WP Security Audit Log Premium Editions
At this point, we’d like to mention a few of the highlights of the paid edition of the plugin. Besides the free version, there are three different paid versions of the premium plugin:
- Starter ($89)
- Professional ($99)
- Business ($199)
The Starter edition is the first upgrade from the free version of WP Security Audit Log. The two key features of this version are the Email Notifications and the Search and filters.
The WordPress Email notifications allow you to create specific filters which send you an email notification when any of the alerts happens. This means that anytime a high-risk activity happens you can get an email directly to your inbox.
The beauty of the plugin is that notifications can be built using the built-in wizard in the plugin.
You can also simply pick up a few of the recommended email notifications, which are the typically suspicious activities. Just tick the ones you want to be notified about and enter the email which needs to get notified.
Again, a beautiful setup which makes it easy to send specific alerts to, let's say, your blog editor and other alerts to your security administrator.
The Professional version is the one which gives you access to ALL features of the WordPress audit log plugin. Once again, there are a number of features which we have to take note of:
1. External database logging and integrations - this feature allows you to store your WordPress activity log in a database which is independent from the actual database of your website. If you are tracking all the activity of a fairly large multisite network, the Audit Security Log database can grow quite a bit.
For this reason, the PRO edition allows you to log all of the information into external databases. This is particularly important if you need to maintain the data generated by the Audit Log viewer for compliance purposes.
Besides logging to an external database, you can also Mirror data or archive data into other sources as per your needs. This is an excellent feature for those who need to ensure they have a backup of their data in case something goes wrong.
2. Users Sessions Management - this is another feature which is nice because it caters for a very particular scenario i.e. users sharing passwords.
Once again, this is a very suspicious activity. It could also be problematic if your website charges users for logging in to your website and users are splitting the cost by sharing the same username and password between different users.
This feature allows you to put a limit on the number of simultaneous users logging in to your website.
3. WordPress Reports - again, this is probably quite important for those users who are using the plugin either for compliance or for specific investigation purposes which involve third parties. The report feature will allow you to create a fully-parameterized report of the data which has been collected by the WordPress Audit Log Viewer.
The final paid edition of the WP Security Audit Log plugin is the Business edition. This contains all of the professional features of the plugin, but also comes with a 15-minute setup and consultation call, priority support and a Personal Success Manager.
Again, those who need to make sure their setup is right and need the plugin to really make a difference to their site should opt for this version.
The WP Security Audit Log plugin is an absolutely great addition to your WordPress blog, particularly if you run a website which is critical to the success of your business and which cannot afford any security lapses.
We have found the features of this WordPress activity log plugin to be very well thought-out and implemented for real business use-cases. It is clear that Robert and his team have years of experience in this field and have also taken a lot of user feedback on board to implement exactly what businesses need out of an activity log plugin. Really and truly, this plugin is clearly a leader in this niche.
Whether you are operating a single or a multi-user website, you should be using this plugin to keep a record and track all activities happening on your site to sniff out any suspicious behavior that could pose a security threat. It is immensely easy to install, set up and use, and contains the right combination of features that enable you to focus on specific alerts that are important to you.