How to decode your security logs to improve WordPress security

Review your logs

Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail.

An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.

You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to make the most of them) in order to secure your website.

An introduction to WordPress security logs (and what they record)

First, WordPress security logs record practically every action on your website (depending on the capabilities of the logging plugin). Some audit-trail plugins keep a record of just about every detail, such as who changed the content of a blog post, along with what they changed and when. Others simply concern themselves with tracking basic activity, such as logins and content posting.

It’s not a stretch to understand why security logs are so vital for peace of mind. If you’re encountering suspicious activity, a detailed log will easily help you narrow down the cause. Even if you’re not currently aware of malicious intent, a security log can clue you into anything suspicious, enabling you to quickly nip issues in the bud.

To actually solve the issues you uncover, you’ll want to consult with those well versed in WordPress security to make sure that malicious activity is severely minimized in the future — a win-win for both you and your users.

Which WordPress audit trail plugin should you use?

There are quite a few WordPress audit trail plugins to choose from, depending on your requirements. If you’re looking for a full-featured, comprehensive audit log — for example, when ascertaining the exact changes made to your site — take a look at WP Security Audit Log.

This solution was developed with security in mind, so it’s arguably the most comprehensive WordPress audit log you’ll find. What’s more, there are a number of premium add-ons that can help you configure automated email alerts, generate reports — and more.

However, if you’re looking for a basic log, Simple History is the way to go.

It was one of the first audit trail plugins for WordPress; it is very easy to use and lets you receive audit notifications through an RSS feed.

How to decode your security logs to improve WordPress security (4 key elements)

It goes without saying that without knowing what to look for, your logs are as good as useless. With this in mind, let’s take a look at four elements to focus on when poring over your security logs.

1. Weed out any abnormal login activity

Compromised logins can account for many security issues. A WordPress audit trail plugin typically keeps a record of all users’ logins, so you can spot abnormal activity. For example, if you believe users generally log in only during office hours, look out for activity outside of those times.

Another red flag could be the IP address of the logged-in user.

If you know a user has a fixed IP, a login originating from a different IP address signals potential danger. However, it’s also possible to spot suspicious activity for users without fixed IPs.

Every Internet Service Provider (ISP) has a range of IP addresses it can use (for example, all addresses of the form 82.16.xxx.xxx). So if you notice login activity from an unfamiliar address — such as one from a different country — it should set alarm bells ringing.

2. Investigate large numbers of failed login attempts

There will always be failed login attempts, so seeing them on a daily basis is not necessarily a cause for concern. However, if you’re seeing the daily number increase, you should be prepared to take action — especially if those failed logins originate from different IP addresses.

The likely cause here is a “brute force” attack against your WordPress website. At this stage, you’ll want to notify your host if you don’t have the expertise to resolve the situation adequately. To prevent these issues going forward, start by limiting the number of login attempts that can be made within a given period.

3. Look closer at any WordPress user profile changes

The better you understand what malicious hackers do when they exploit vulnerabilities, the more insight you can get out of a WordPress security audit. They typically aim to gain privileges for themselves, in ways such as:

  • Creating a new WordPress user to maintain access to the hacked website
  • Changing passwords for existing WordPress users
  • Changing the email, user role or settings for some WordPress users

Of course, in isolation none of these are a real cause for concern. However, if you’re the sole administrator for a website (something we recommend), and you haven’t amended these types of details, they could be signs of a possible WordPress attack.

4. Examine any increase in 404 errors

For the uninitiated, 404 errors occur when a visitor requests a page on your site that does not exist. Typically, they’re generated due to broken links, or by accessing a non-existent URL.

Much like other activity, 404 errors aren’t usually a cause for concern. However, if you notice an increase in them based on seemingly random URLs, potentially from a number of IP addresses, it’s a sign of attack — usually with an automated system.
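To show how the four checks above can be applied mechanically, here is an added example (not code from the original post, and not from either plugin mentioned) that runs them over a constructed audit trail. The line format, the office hours, the trusted ISP prefix and the event names are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample audit-trail lines ("<timestamp> <ip> <event> <detail>");
# this format is an assumption for the example, not any plugin's real output.
SAMPLE_LOG = """\
2024-05-02T09:12:44 82.16.10.5 login_ok alice
2024-05-02T02:40:11 198.51.100.9 login_ok alice
2024-05-02T02:41:00 198.51.100.9 user_role_changed bob
2024-05-02T02:41:30 198.51.100.9 user_created newadmin
2024-05-02T11:00:00 203.0.113.7 login_failed admin
2024-05-02T11:00:01 203.0.113.8 login_failed admin
2024-05-02T11:00:02 203.0.113.9 login_failed admin
2024-05-02T11:05:00 203.0.113.20 404 /abc123
2024-05-02T11:05:01 203.0.113.21 404 /old-shop
2024-05-02T11:05:02 203.0.113.22 404 /test-page
"""

OFFICE_HOURS = range(8, 19)   # assumption: staff log in between 08:00 and 18:59
TRUSTED_PREFIX = "82.16."     # assumption: the office ISP's address range
PROFILE_EVENTS = {"user_created", "password_changed", "email_changed", "user_role_changed"}

def parse(text):
    # Split each line into (timestamp, ip, event, detail).
    rows = []
    for line in text.splitlines():
        ts, ip, event, detail = line.split(" ", 3)
        rows.append((datetime.fromisoformat(ts), ip, event, detail))
    return rows

def find_alerts(rows, ip_threshold=3):
    """Apply the four checks; return (kind, subject, ip) tuples."""
    alerts, failed_ips, missing_ips = [], set(), set()
    for ts, ip, event, detail in rows:
        if event == "login_ok":          # check 1: abnormal login activity
            if ts.hour not in OFFICE_HOURS:
                alerts.append(("off_hours_login", detail, ip))
            if not ip.startswith(TRUSTED_PREFIX):
                alerts.append(("untrusted_ip_login", detail, ip))
        elif event == "login_failed":    # check 2: collect sources of failures
            failed_ips.add(ip)
        elif event in PROFILE_EVENTS:    # check 3: privilege-related changes
            alerts.append(("profile_change", f"{event}:{detail}", ip))
        elif event == "404":             # check 4: collect sources of 404s
            missing_ips.add(ip)
    if len(failed_ips) >= ip_threshold:  # failures spread over many IPs
        alerts.append(("failed_login_spike", str(len(failed_ips)), "multiple"))
    if len(missing_ips) >= ip_threshold: # 404s for random paths from many IPs
        alerts.append(("404_spike", str(len(missing_ips)), "multiple"))
    return alerts
```

Run `find_alerts(parse(SAMPLE_LOG))` to list the alerts; the thresholds are deliberately low so the sample trips every check.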

Conclusion

Decoding your WordPress security logs may sound like a hassle that isn’t worth the effort. However, a compromised website can be disastrous, so finding a method to quickly study how your site is being used is crucial for security.

In this post, we’ve shown you how to decode your WordPress security logs. Let’s recap the four elements to watch out for:

  1. Strange login activity.
  2. Failed login attempts.
  3. Any increase in user profile changes.
  4. Large numbers of 404 errors.

Editor’s note: Take your security to the next level with GoDaddy’s Website Security, powered by Sucuri. It’s a great way to keep any site malware-free.

Also published on Medium.