iThemes Security Pro Feature Spotlight – User Logging

In the Feature Spotlight posts, we will highlight a feature in the iThemes Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature.

Today we cover the User Logging feature in iThemes Security Pro.

Why We Developed User Logging

The iThemes Security Pro plugin can prevent most attacks on your WordPress website from being successful, but it can’t guarantee that it will stop 100% of attacks. You won’t find a security tool or method that is 100% effective against all attacks. Unfortunately, even if you follow all of the WordPress security best practices, your website could get hacked. Because a full-proof security method doesn’t exist, we need to monitor and record security events on our website.

Logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days! That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. It is for those reasons that Insufficient Logging landed on the OWASP top 10 of web application security risks.

Most breach studies show that the time to detect a breach is over 200 days! That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data.

There are several different types of security events that you should monitoring and recording in your WordPress security logs, including brute force attacks, file changes, malware scans, and user activity. However, in this post, we are going to focus on recording user activity.

Keeping a record of user activity in your WordPress security logs can be your saving grace after a successful attack.

What is User Logging?

The User Logging feature automatically monitors and records specific user actions in the iThemes Security Pro security logs.

5 User Actions Recorded by iThemes Security Pro

1. Log In / Log Out

The first type of user activity logged is when users log in and log out of your website and from where. Monitoring time and location of the user’s logins can help you spot a user that is compromised. Did that user login at an unusual time or from a new place? If so, you may want to start your investigation with them.

2. User Creation / Registration

The next activity you should keep a record of is user creation, especially the creation of Administrator users. If a hacker can compromise a legitimate user, they may create there own admin user in an attempt to be covert. It is easy for you to notice something strange with your account, but it is much more difficult to identify malicious activity on another user.

Monitoring user registration is also essential. Some vulnerabilities allow hackers to change the default new user role from a Subscriber to an Administrator.

If you have User Logging set only to monitor the activity of Administrator users, only new Admin user registration will be recorded in the security logs. So, if you ever see a newly registered user in your security logs, something has gone wrong.

3. Adding and Removing Plugins

It is vital to make a record of who adds and removes plugins. Once your site has been hacked, it will easy for the attacker to add their custom plugin to inject malicious code into the website.

Even if a hacker doesn’t have access to your server or database, they may still be able to make changes to them from your WordPress dashboard. Using a plugin, they can add redirects to your site to use in their next spamvertizement campaign, or inject malware into your database. After their malicious code is executed, they can then delete the plugin to remove evidence of their crime. Lucky for us, we won’t miss any of it because it was all documented in our WordPress security logs.

4. Switching Themes

Another user activity monitored by iThemes Security Pro User Logging is when someone switches the website’s theme. If you ever find that your theme has unexpectedly changed, you can look in your WordPress security logs to find out who made the change.

5. Changes to Posts & Pages

Finally, you want to monitor any changes to your post and pages. Have any links been added to send your traffic to other sites? Monitoring posts and pages can help you find any embarrassing pages or malicious links added to your website after a breach.

To find out which post was modified, click the View Details links to find the post ID.

How to Use User Logging in iThemes Security Pro

To start logging user actions in iThemes Security Pro, navigate to the security settings’ Features menu and enable User Logging.

After enabling User Logging, click the User Groups link to decide whose activity you want to monitor.

Tip: When adding user logging, keep in mind you may only want to monitor users that can make changes to your site. Monitoring customer or subscriber activity could result in bloated logs, making the information more difficult to parse.

To view the recorded user activity, navigate to the security logs, and click the All Events link. Next, select User Logging from the dropdown menu and then click the Filter button.

Hover over the IP address or Username and click the Filter icon to only view activity from that IP or username.

Wrapping Up

Unfortunately, even if you follow 100% of the WordPress security best practices, there is still a chance that your website will get hacked. Keeping a record of user activity in your WordPress security logs can be your saving grace after a successful attack.

Monitoring the correct user activity can guide you through the timeline of a hack and show everything the hacker changed, from adding new users to adding unwanted pharma ads on your site.

Having a timeline of a compromise will drastically reduce the downtime experienced after a hack.