Solid Security Pro Feature Spotlight – WordPress Security Logs

In Feature Spotlight posts, we highlight a feature in the Solid Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today, we will cover the Solid Security Pro WordPress Security Logs. These logs keep track of security events on your website and can help you detect and mitigate threats proactively.

What are WordPress Security Logs?

WordPress Security Logs help you keep track of important security events on your website. These events are important to monitor since they may point out threats you can block and vulnerabilities you can protect or eliminate before they lead to a breach.

A security breach is when a cybercriminal can gain unauthorized access to your website or server. Security breaches can happen in many ways, as hackers exploit some of the most common WordPress security issues. From running outdated versions of plugins and themes to more complicated SQL injections, a security breach can happen to even the most vigilant site owners.

Your website’s security logs are a vital part of any security strategy. The information in these records can help you lock out bad actors, highlight an unwanted change on the site, and help identify and patch the point of entry of a successful attack.

Why You Need WordPress Security Logging

Website security logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring can lead to an undetected security breach that could have been prevented. That’s why “Insufficient Logging” landed on the OWASP top 10 of web application security risks.

WordPress security logs have several benefits in your overall security strategy. Used as a proactive defense, security logs help you identify and prevent malicious behavior. Logs can also help you uncover a security breach or serious hacking attempt before your site is compromised.

Every day, lots of activity is happening on your site. It’s too much to read through, Many of these activities can be directly related to the security of your site. That’s why logging is so important: activities are tracked so that you can know if a hack or breach has occurred.

Activities like unrecognized file changes or suspicious user activity may indicate your site has been compromised. That’s why it’s important to know when these activities have occurred so you can quickly determine if a breach happened.

Security Events Tracked and Logged by Solid Security

Here’s a look at some of the security events the Solid Security Pro plugin tracks.

Brute Force Attacks

Brute force attacks refer to the trial and error method to discover usernames and passwords to hack into a website. WordPress doesn’t track any user login activity, so there isn’t anything built into WordPress to protect you from a brute-force attack. It is up to you to monitor your login security to protect your WordPress site.

Luckily, a brute force attack isn’t very sophisticated, and it is pretty easy to identify in your logs. You must record the username and IP attempting to log in and whether the login was successful. If you see that a single username or IP has consecutive failed login attempts, the chances are you are under a brute-force attack.

The Solid Security Pro Local Brute Force Protection feature keeps track of invalid login attempts made by a host/IP address or a username. Once an IP or username has made too many consecutive failed login attempts, it will be locked out and prevented from making any more attempts for a period of time you can specify in the plugin settings.

It is important to remember that there is no way to prevent an attack from occurring on your website. But, monitoring invalid login attempts can prevent those attacks from being successful.

Solid Security Pro is great at locking out bad guys. However, if a bad guy used the username “Bob” in a brute force attack, and “Bob” is an actual user on the site, the real Bob would, unfortunately, be locked out along with the attacker.

Even though it feels great to stop bad guys from breaking into a site, we don’t like it when security affects our users’ experience. We created Magic Links to allow legitimate users to bypass the username lockout while the brute force attacker remains locked out.

User Activity

Monitoring suspicious user activity can help you detect or prevent a breach.

Solid Security Pro monitors five types of user activity:

Users Logging In and Out

The first type of user activity to be logged is when (and where) users log in and out of your website. Monitoring the time and location of the user’s logins can help you spot a user who is compromised. Did that user log in at an unusual time or from a new place? If so, you may want to start your investigation with them.

User Account Creation and Registration

The next activity you should keep an eye on is user creation, especially the creation of Administrator users. If a hacker can compromise a legitimate user, they may create their own admin user to be covert. It is easy to notice something strange with your account, but it is much more difficult to identify malicious activity on another user.

Monitoring user registration is also essential. Some vulnerabilities allow hackers to change the default new user role from a Subscriber to an Administrator.

If you have User Logging set only to monitor the activity of Administrator users, only new Admin user registration will be recorded in the security logs. So, if you ever see a newly registered user in your security logs, something has gone wrong.

Adding and Removing Plugins

Monitoring who adds and removes plugins on a WordPress site is vital. Once your site has been hacked, it will be easy for the attacker to add their custom plugin to inject malicious code into the website.

Even if a hacker doesn’t have access to your server or database, they may still be able to change them from your WordPress dashboard. Using a plugin, they can add redirects to your site to use in their next spamvertizement campaign or inject malware into your database. After their malicious code is executed, they can delete the plugin to remove evidence of their crime. Lucky for us, we won’t miss any of it because it was all documented in our WordPress security logs.

Switching Themes

Another user activity monitored by Solid Security Pro user logging is when someone switches the website’s theme. If you ever find that your theme has unexpectedly changed, you can look in your WordPress security logs to find out who made the change.

Changing Posts and Pages

Finally, you want to monitor any changes to your posts and pages. Have any links been added to send your traffic to other sites? Monitoring posts and pages can help you find any embarrassing pages or malicious links added to your website after a breach.

To find out which post was modified, click the View Details links to find the post ID.

How to Use WordPress Security Logs

Enable the following features in Solid Security Pro to get the most out of your security logs:

• Local Brute Force Protection
• Banned Users
• Database Backups
• File Change Detection
• Site Scan Scheduling
• User Logging
• Version Management
• CAPTCHA: reCAPTCHA, hCaptcha, or Turnstile
• Trusted Devices

To view your WordPress security logs, click the Logs link at the bottom of your Security menu.

Screen Options

Clicking the Screen Options button will display options that will let you customize your WordPress security logs.

Log Links

Clicking a log link will display events associated with the link’s log type. For example, clicking the All Events link will display all recorded security events.

Module Filter

The Module filter allows you to display events recorded by a specific security module. For example, selecting Brute Force from the dropdown menu and clicking the Filter button will show only recorded Brute Force events. Selecting User Logging will filter out only the security events logged as actions taken by users on the site.

Log Entry

A log entry displays important information about a recorded event.

1. Module – The security setting that recorded the log entry.
2. Type – The event type associated with the log entry.
3. Description – A simple description of the log entry.
4. Time – When the security logs recorded the event.
5. Host – The IP that triggered the event.
6. User – The User that triggered the event.
7. Details – Click the View Details link to view additional log details.

See Your Security Logs Visually: The WordPress Security Dashboard

If you are one of the people who feel a little over your head when trying to parse data stored in security logs, you aren’t alone. We heard from so many of you who thought digging through your security logs was time-consuming, and the information stored in the logs can be challenging to understand.

With all that in mind, we wanted to create an easy and fast way for Solid Security Pro users to see their WordPress website’s security activity and health without needing to dig through their logs.

Solid Security Pro also includes a real-time WordPress security dashboard to help pull the data from your security logs into graphs and charts from inside your WordPress admin dashboard.

The Solid Security Dashboard is a dynamic dashboard with all your WordPress website’s security activity stats in one place. The goal of the Security Dashboard is to give you the information you want in a way that makes sense to you. You can start with a blank canvas and add only the cards that are important to you.

To start using the Security Dashboard, ensure it is enabled on the main page of the security settings. Once enabled, you can create your first security dashboard from the Admin Dashboard menu and Security settings in your WordPress Admin menu.

Wrapping Up

Insufficient logging is one of the OWASP top 10 web application security risks. Monitoring the right behavior will help you identify and stop attacks, detect a breach, and access and repair the damage done to your website after a successful attack.

Solid Security Pro makes WordPress security logging easy by automatically monitoring and recording brute force attacks, user activity, malware scanning, file changes, and more.