In the Feature Spotlight posts, we will highlight a feature in the iThemes Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we will cover the iThemes Security Pro WordPress Security Logs, a great way to keep track of security events on your website.
Why We Developed the WordPress Security Logs
Logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days! That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. It is for those reasons that Insufficient Logging landed on the OWASP top 10 of web application security risks.
WordPress security logs have several benefits in your overall security strategy.
- Identify and stop malicious behavior.
- Spot activity that can alert you of a breach.
- Assess how much damage was done.
- Aid in the repair of a hacked site.
If your site does get hacked, you will want the best information available to aid in a quick investigation and recovery.
What are WordPress Security Logs?
WordPress Security Logs in iThemes Security Pro keep track of important security events that occur on your website. Monitoring these events tells you if, and when, a security breach occurs.
Your website’s security logs are a vital part of any security strategy. The information found in these records can be used to lock out bad actors, highlight an unwanted change on the site, and help to identify and patch the point of entry of a successful attack.
Security Events Tracked & Logged by iThemes Security
Here’s a look at the security events tracked by the iThemes Security Pro plugin.
1. WordPress Brute Force Attacks
Brute force attacks refer to the trial and error method used to discover usernames and passwords to hack into a website. WordPress doesn’t track any user login activity, so there isn’t anything built into WordPress to protect you from a brute force attack. It is up to you to monitor your login security to protect your WordPress site.
Luckily, a brute force attack isn’t very sophisticated, and it is pretty easy to identify in your logs. You will need to record the username and IP that is attempting to log in and whether the login was successful. If you see that a single username or IP has a run of consecutive failed login attempts, the chances are you are under a brute force attack. Tracking both counts matters: an attacker rotating through many IP addresses against one username shows up in the per-username count even though no single IP ever trips the per-IP threshold.
The iThemes Security Pro Local Brute Force Protection feature keeps track of invalid login attempts made by a host/IP address or a username. Once an IP or username has made too many consecutive failed login attempts, it gets locked out and is prevented from making any more attempts for a set period of time.
It is important to remember that you cannot stop an attacker from trying. But by monitoring invalid login attempts and locking out the source, you can prevent those attempts from succeeding.
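The following is an added example of the counting logic described above, written for this post; it is not the plugin’s own code. The log format, the thresholds (five consecutive failures) and the fifteen-minute lockout are assumptions chosen for illustration, and the sample log lines are constructed. The sample includes a single IP spraying several usernames and an attacker spreading failures for one username across five IPs, so it shows why both per-host and per-username counts are needed.

```python
"""Consecutive-failure lockout over constructed login log lines.

Added example, not iThemes Security Pro code. Format, thresholds and
lockout duration are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp ip username result"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin FAIL
2024-05-01T10:00:02 203.0.113.7 admin FAIL
2024-05-01T10:00:03 203.0.113.7 bob FAIL
2024-05-01T10:00:04 203.0.113.7 editor FAIL
2024-05-01T10:00:05 203.0.113.7 root FAIL
2024-05-01T10:00:06 198.51.100.9 bob FAIL
2024-05-01T10:00:07 198.51.100.9 bob OK
2024-05-01T10:00:08 192.0.2.33 bob FAIL
2024-05-01T10:00:09 192.0.2.34 bob FAIL
2024-05-01T10:00:10 192.0.2.35 bob FAIL
2024-05-01T10:00:11 192.0.2.36 bob FAIL
2024-05-01T10:00:12 192.0.2.37 bob FAIL
2024-05-01T10:00:13 203.0.113.7 admin FAIL
"""

HOST_THRESHOLD = 5          # assumed: consecutive failures per IP before lockout
USER_THRESHOLD = 5          # assumed: consecutive failures per username, any IP
LOCKOUT = timedelta(minutes=15)  # assumed lockout period


def parse(log_text):
    """Turn the constructed log lines into (time, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def analyze(events, host_threshold=HOST_THRESHOLD,
            user_threshold=USER_THRESHOLD, lockout=LOCKOUT):
    """Replay events in order; return (locked_hosts, locked_users, blocked).

    locked_hosts / locked_users map ip / username -> time the lockout ends.
    blocked lists attempts rejected because a lockout was already active.
    """
    fails_host = defaultdict(int)
    fails_user = defaultdict(int)
    locked_host, locked_user, blocked = {}, {}, []
    for ts, ip, user, ok in events:
        # Attempts during an active lockout are rejected without touching counters.
        if locked_host.get(ip, ts) > ts or locked_user.get(user, ts) > ts:
            blocked.append((ts, ip, user))
            continue
        if ok:
            # A success breaks the run of consecutive failures for both keys.
            fails_host[ip] = 0
            fails_user[user] = 0
            continue
        fails_host[ip] += 1
        fails_user[user] += 1
        if fails_host[ip] >= host_threshold:
            locked_host[ip] = ts + lockout
            fails_host[ip] = 0
        if fails_user[user] >= user_threshold:
            locked_user[user] = ts + lockout
            fails_user[user] = 0
    return locked_host, locked_user, blocked


if __name__ == "__main__":
    hosts, users, blocked = analyze(parse(SAMPLE_LOG))
    for ip, until in hosts.items():
        print(f"host {ip} locked until {until}")
    for name, until in users.items():
        print(f"username {name} locked until {until}")
    for ts, ip, user in blocked:
        print(f"rejected during lockout: {ts} {ip} {user}")
```

Replaying the sample locks out 203.0.113.7 after its fifth straight failure, locks out the username bob after five failures from five different IPs, and rejects the later attempt from the locked IP. Note that the username lockout also blocks the real Bob, which is the side effect the next paragraphs discuss.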
iThemes Security Pro is great at locking out bad guys. However, if a bad guy used the username Bob in a brute force attack, and Bob is an actual user on the site, Bob would, unfortunately, be locked out along with the attacker.
Even though it feels great to stop bad guys from breaking into a site, we don’t like it when security affects real users’ experience. We created Magic Links to allow legitimate users to bypass the username lockout, while the brute force attacker remains locked out.
2. File Changes
Even if you follow the WordPress security best practices, there is still a chance for your site to become compromised. A compromise means that a hacker breached your website and infected it with malware.
A security breach is when a cybercriminal can gain unauthorized access to your website or server. Security breaches can happen in many different ways, as hackers exploit some of the most common WordPress security issues. From running outdated versions of plugins and themes to more complicated SQL injections, a security breach can happen to even the most vigilant site owners.
The time to detect a security breach is a critical factor in cleaning an infected website. Unfortunately, the longer it takes you to notice a breach, the more damage a hacker can do to your website, your customers, and you. A piece of malware can cause a staggering amount of damage in 200 days. That’s why it’s so important to reduce the time it takes to spot a security breach.
While the type of damage malware causes on your website varies greatly, what it does can be boiled down to one or a combination of the following three things.
- Add Files – Malware could add a malicious file, for example a skimming script that captures your customers’ card details as they enter them at checkout.
- Remove Files – Some malware will remove a legitimate file and replace it with a malicious file of the same name.
- Modify Files – Malware will try to hide its malicious code by hiding it in an existing file that it modifies.
The key to quickly spotting a security breach is monitoring file changes on your website. The File Change Detection feature in iThemes Security Pro will scan your website’s files and alert you when changes occur on your website.
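The following is an added example of the baseline-and-compare approach file change detection relies on, written for this post; it is not the plugin’s File Change Detection code. It hashes a constructed directory tree, then reproduces the three behaviours listed above (a dropped file, a deleted file, and a modified theme file) and reports each under its category. File names and contents are constructed for illustration.

```python
"""Hash-based file change detection over a constructed directory tree.

Added example, not iThemes Security Pro code. Paths and contents are made up.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def diff(baseline, current):
    """Classify changes as the post does: added, removed, modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a clean tree, snapshot it, apply three changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)

        # Constructed "clean" site
        write("wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        write("wp-content/themes/t/functions.php", "<?php // theme functions\n")
        write("wp-content/uploads/2024/05/photo.jpg", "jpegdata")
        baseline = snapshot(root)

        # Simulate the three behaviours the post lists
        write("wp-content/uploads/2024/05/.cache.php",
              "<?php /* constructed: dropped file */\n")           # add
        os.remove(os.path.join(root, "wp-content/uploads/2024/05/photo.jpg"))  # remove
        write("wp-content/themes/t/functions.php",
              "<?php // theme functions\n/* constructed: injected line */\n")  # modify
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Two practical notes. A file that is deleted and replaced by a malicious file of the same name shows up here as modified, not removed, because only the content hash is compared; that is the right outcome, and it is also why comparing modification times alone is not enough. And the baseline must be stored somewhere the attacker cannot reach (outside the web root, or off the server), since anyone who can alter the site’s files can alter a baseline kept beside them.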
3. Malware Scans
Not only should you run malware scans, but you should also be recording the results of every malware scan in your WordPress security logs. Some security logs will only record scan results that found malware, but that isn’t enough. It is crucial to be alerted as quickly as possible of a breach to your website. The longer it takes for you to know about a hack, the more damage it will do.
While it feels good to see the history of a proactive approach to security paying off, that is just a bonus and not the reason to record every malware scan. If you aren’t documenting your scheduled scans, you will have no way of knowing if there are any scan failures. Not recording failed scans could result in you thinking that your site is being checked daily for malware, but, in reality, the scan is failing to complete.
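The following is an added example of the check the paragraph above argues for, written for this post and not taken from the plugin: given a log that records every scheduled scan, it audits a date range and reports not only the days a scan found malware or failed, but also the days with no entry at all. The scan log entries and statuses are constructed for illustration.

```python
"""Audit a daily scan schedule from constructed scan log entries.

Added example, not iThemes Security Pro code. Entries and statuses are made up.
"""
from datetime import date, timedelta

# Constructed entries: (date, status, detail). 2024-05-04 has no entry at all,
# which is the case a log of "malware found" events only would never reveal.
SCAN_LOG = [
    ("2024-05-01", "clean", ""),
    ("2024-05-02", "clean", ""),
    ("2024-05-03", "error", "scan timed out"),
    ("2024-05-05", "malware", "wp-content/uploads/x.php flagged"),
    ("2024-05-06", "clean", ""),
    ("2024-05-07", "clean", ""),
]


def audit_scans(entries, start, end):
    """Return {iso_date: status} for every day in [start, end].

    Days with no recorded scan are reported as "missing"; if a day has several
    entries the last one wins.
    """
    by_day = {date.fromisoformat(d): status for d, status, _ in entries}
    report = {}
    day = start
    while day <= end:
        report[day.isoformat()] = by_day.get(day, "missing")
        day += timedelta(days=1)
    return report


def needs_attention(report):
    """Days whose status is anything other than a completed clean scan."""
    return sorted(d for d, status in report.items() if status != "clean")


if __name__ == "__main__":
    report = audit_scans(SCAN_LOG, date(2024, 5, 1), date(2024, 5, 7))
    for day, status in report.items():
        print(day, status)
    print("needs attention:", needs_attention(report))
```

The point of the example is the third status: without an entry for every completed scan, a silent failure (here, the day the scheduled job never ran) is indistinguishable from a clean result.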
4. User Activity
Keeping a record of user activity in your WordPress security logs can be your saving grace after a successful attack.
If you monitor the correct user activity, it can guide you through the timeline of a hack and show everything the hacker changed, from adding new users to adding unwanted pharma ads on your site.
iThemes Security Pro monitors 5 types of user activity:
1. Log In / Log Out
The first type of user activity logged is when users log in and log out of your website and from where. Monitoring time and location of the user’s logins can help you spot a user that is compromised. Did that user login at an unusual time or from a new place? If so, you may want to start your investigation with them.
2. User Creation / Registration
The next activity you should keep a record of is user creation, especially the creation of Administrator users. If a hacker can compromise a legitimate user, they may create their own admin user in an attempt to stay covert. It is easy for you to notice something strange with your own account, but it is much more difficult to identify malicious activity on another user’s account.
Monitoring user registration is also essential. Some vulnerabilities allow hackers to change the default new user role from a Subscriber to an Administrator.
If you have User Logging set only to monitor the activity of Administrator users, only new Admin user registration will be recorded in the security logs. So, if you ever see a newly registered user in your security logs, something has gone wrong.
3. Adding and Removing Plugins
It is vital to make a record of who adds and removes plugins. Once your site has been hacked, it will be easy for the attacker to add a custom plugin to inject malicious code into the website.
Even if a hacker doesn’t have direct access to your server or database, they may still be able to make changes to them from your WordPress dashboard. Using a plugin, they can add redirects to your site for their next spam campaign, or inject malware into your database. After their malicious code has executed, they can delete the plugin to remove the evidence. Lucky for us, we won’t miss any of it, because it was all documented in our WordPress security logs.
4. Switching Themes
Another user activity monitored by iThemes Security Pro User Logging is when someone switches the website’s theme. If you ever find that your theme has unexpectedly changed, you can look in your WordPress security logs to find out who made the change.
5. Changes to Posts & Pages
Finally, you want to monitor any changes to your post and pages. Have any links been added to send your traffic to other sites? Monitoring posts and pages can help you find any embarrassing pages or malicious links added to your website after a breach.
To find out which post was modified, click the View Details link to find the post ID.
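The following is an added example that reviews a constructed user-activity log for the patterns the five categories above describe: a login from a new IP at an unusual hour, a new Administrator account, actions taken by that freshly created account, and a plugin that is installed and then deleted in the same session. It is written for this post and is not the plugin’s User Logging code; the event names, the “business hours” window and the log entries are all assumptions.

```python
"""Review constructed user-activity events for the patterns the post describes.

Added example, not iThemes Security Pro code. Event names, the business-hours
window and every log entry are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed activity log: (timestamp, acting user, ip, event, detail)
ACTIVITY = [
    ("2024-05-01T09:05:00", "alice", "198.51.100.9", "login", ""),
    ("2024-05-02T09:10:00", "alice", "198.51.100.9", "login", ""),
    ("2024-05-03T03:12:00", "alice", "203.0.113.7", "login", ""),
    ("2024-05-03T03:14:00", "alice", "203.0.113.7", "user_created", "wp_sup3r role=administrator"),
    ("2024-05-03T03:16:00", "wp_sup3r", "203.0.113.7", "plugin_installed", "seo-helper"),
    ("2024-05-03T03:17:00", "wp_sup3r", "203.0.113.7", "plugin_activated", "seo-helper"),
    ("2024-05-03T03:20:00", "wp_sup3r", "203.0.113.7", "post_updated", "id=42"),
    ("2024-05-03T03:25:00", "wp_sup3r", "203.0.113.7", "plugin_deleted", "seo-helper"),
    ("2024-05-03T09:00:00", "alice", "198.51.100.9", "login", ""),
]

BUSINESS_HOURS = range(7, 20)   # assumed: 07:00 to 19:59 is "normal"
WATCHED_ACTIONS = ("plugin_activated", "post_updated", "theme_switched")


def review(events):
    """Return a list of (timestamp, user, finding) worth a closer look."""
    findings = []
    known_ips = defaultdict(set)   # IPs each user has logged in from so far
    created_users = set()          # accounts created within this log window
    plugin_installs = {}           # plugin slug -> when it was installed

    for ts_s, user, ip, event, detail in events:
        ts = datetime.fromisoformat(ts_s)
        if event == "login":
            # Only flag a "new" IP once the user has a history to compare against.
            if known_ips[user] and ip not in known_ips[user]:
                findings.append((ts_s, user, f"login from new IP {ip}"))
            if ts.hour not in BUSINESS_HOURS:
                findings.append((ts_s, user, f"login outside business hours ({ts.hour:02d}:00)"))
            known_ips[user].add(ip)
        elif event == "user_created":
            new_name = detail.split()[0]
            created_users.add(new_name)
            if "role=administrator" in detail:
                findings.append((ts_s, user, f"new administrator created: {new_name}"))
        elif event == "plugin_installed":
            plugin_installs[detail] = ts_s
        elif event == "plugin_deleted" and detail in plugin_installs:
            findings.append((ts_s, user,
                             f"plugin {detail} installed at {plugin_installs[detail]} and deleted"))

        # Anything a just-created account does is worth reviewing on its own.
        if user in created_users and event in WATCHED_ACTIONS:
            findings.append((ts_s, user, f"{event} by account created in this window ({detail})"))
    return findings


if __name__ == "__main__":
    for ts, user, note in review(ACTIVITY):
        print(f"{ts} {user}: {note}")
```

Run against the constructed log, the review yields six findings that together read as a timeline: alice’s account is used at 03:12 from an address never seen before, creates an administrator two minutes later, and that account installs a plugin, edits a post, and removes the plugin again. The install-then-delete pairing is only visible because both events were recorded, which is the point made above about logs surviving the attacker’s cleanup.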
How to Use WordPress Security Logs
Enable the following features in iThemes Security Pro to get the most out of your security logs:
- Local Brute Force Protection
- Banned Users
- Database Backups
- File Change Detection
- Malware Scan Scheduling
- User Logging
- Version Management
- 404 Detection
- Trusted Devices
To view your WordPress security logs, click the View Logs button at the top of your security settings.
Now let’s take a closer look at the iThemes Security Pro logs page.
1. Screen Options
Clicking the Screen Options button will display options that will let you customize your WordPress security logs.
2. Log Links
Clicking a log link will display events associated with the link’s log type. For example, clicking the All Events link will display all recorded security events.
3. Module Filter
The Module filter allows you to display events recorded by a specific security module. For example, selecting Brute Force from the dropdown menu and clicking the Filter button will show only recorded Brute Force events.
4. Log Entry
A log entry displays important information about a recorded event.
- Module – The security setting that recorded the log entry.
- Type – The event type associated with the log entry.
- Description – A simple description of the log entry.
- Time – When the security logs recorded the event.
- Host – The IP that triggered the event.
- User – The User that triggered the event.
- Details – Click the View Details link to view additional log details.
See Your Security Logs Visually: The WordPress Security Dashboard
If you are one of the people who feel a little in over your head when trying to parse data stored in security logs, you aren’t alone. We heard from so many of you who thought digging through your security logs was time-consuming, and at times the information stored in the logs can be challenging to understand.
With all of that in mind, we wanted to create an easy and fast way for iThemes Security Pro users to see the security activity and health of their WordPress website, without needing to dig through their logs.
iThemes Security Pro also includes a real-time WordPress security dashboard to help pull the data from your security logs into graphs and charts, right from inside your WordPress admin dashboard.
The iThemes Security Dashboard is a dynamic dashboard with all your WordPress website’s security activity stats in one place. The goal of the Security Dashboard is to give you the information you want in a way that makes sense to you. You can start with a blank canvas and add only the cards that are important to you.
To start using the Security Dashboard, make sure it is enabled on the main page of the security settings. Once enabled, you can create your first security dashboard from both the Admin Dashboard menu and Security settings in your WordPress Admin menu.
Insufficient logging is one of the OWASP top 10 web application security risks. Monitoring the right behavior will help you identify and stop attacks, detect a breach, and assess and repair the damage done to your website after a successful attack.
iThemes Security Pro makes WordPress security logging easy by automatically monitoring and recording brute force attacks, user activity, malware scanning, file changes and a whole lot more.