WP Security Audit Log: Keeping a watchful eye on your WordPress sites
WordPress is, without a doubt, the most popular website management system in use. The latest statistics put the number of websites running on WordPress at over 60 million, and those include many popular news/media, company/brand, and personal sites.
Attackers who seek to take over websites for a variety of malicious purposes couldn’t be happier about this: a zero-day or recently patched vulnerability in the CMS (or a popular WP plugin, extension, or theme) can open many sites to a quick compromise, as admins fail to update speedily enough or at all.
Often, the compromise goes unnoticed for quite a while. And while this might not be a critical problem for people running personal blogs, companies whose official sites rely on WordPress risk considerable monetary and reputational loss.
One way to prevent a compromise before it happens, or to spot it as soon as it happens, is to use a WordPress activity log plugin such as the WP Security Audit Log plugin.
The beginnings
The main man behind the WP Security Audit Log plugin is Robert Abela, a former lead systems engineer at GFI Software, and product manager at Acunetix.
He started the project five years ago and has been slowly building the product and the userbase ever since.
“I started developing WP Security Audit Log but after a few weeks I realized that even though I can read and write code, I am not a developer. I was much better at running the show, so I’ve paid other people to write the code while I did everything else,” he told Help Net Security.
When he started, security was something relatively new in the WordPress ecosystem, he says, and only a handful of people were making a living out of a WordPress security service or plugin. But five years later there are finally two full-time people working on the WP Security Audit Log plugin project, and they might be adding more members to the team very soon.
A comprehensive solution for the WP audit logging problem
Abela’s background in web security spurred him to create a solution that will help businesses not only to troubleshoot problems on their websites, but also to identify suspicious behavior, thwart attacks, and meet regulatory compliance requirements (GDPR, PCI DSS, ISO 27001, HIPAA and many regulatory compliance bodies require businesses to keep a detailed log of all the changes that happen on their websites).
“We’ve come a long way and I am proud to say that through the plugin we managed to raise awareness about the need for audit logs in the WordPress ecosystem. Since we’ve started, a few other audit log plugins have popped up, but WP Security Audit Log plugin is still the definitive solution for WordPress activity logs in terms of features, coverage and details,” he says.
There are several other things that make it stand out from the competition: comprehensiveness, an extensive list of features, great support, and sustainability.
“When you make a change in a blog post or a user profile, other plugins simply report ‘post was changed’ or ‘user profile was changed’. Some might report some details, but our plugin tells you if the post URL, date, category, content, status, custom fields, and so on have been changed. The same goes for user profiles: it will tell you if the email, password, first name, display name, role or anything else was changed,” he explains.
“We are also the first WordPress activity log plugin that keeps track of file changes on WordPress websites. This does not apply only to WordPress/plugins/themes, but to any type of file in the WordPress website.”
WP Security Audit Log offers reports, email alerts, search, archiving, user session management, mirroring (syslog, Papertrail), automated reports, etc. “We have such a complete list of features that you can actually build a WordPress Intrusion Detection System (IDS) with our plugin,” he adds.
The team is dedicated and the plugin is updated often. There is a free version that offers just comprehensive audit logging, but the other three versions (i.e., pricing tiers) offer more to novices, professionals and businesses.
“If you run a business website, you want to find a solution that will be around for a while, that will be updated, that will work with the next WP version, and a team that offers prompt support,” he notes.
“The plugin is our main income. If you look at our changelog, you’ll notice that we release an update nearly every month. It is also in our interest to solve our users’ problems as quickly as possible. Check out our support forums and you’ll notice that we always reply within a few hours – even if the user uses the free edition.”
Security is a process
The thing that all security employees must always keep in mind is that they cannot set up something and let it work on its own.
“Whether you’re a systems engineer, website owner or security professional, you need to check and test the systems from time to time, do scans, check the logs, set up alerts, and so on,” Abela advises.
“Also, whatever you know today and whatever you’ve done today is not enough. A new vulnerability or a new way to bypass your security system will constantly be discovered, and keeping your knowledge and your systems up to date is crucial.”
Finally, don’t be averse to automation.
“Today’s complex systems are constantly changing because of the customers’ requirements so, unless you have an army of people, it’s impossible to do everything manually. Automation is the key and it’s easy today when we have so many great solutions available,” he concludes.