The value of logs for WordPress Security and Audit
What is a Server Log?
A server log is a log file (or several files) automatically created and maintained by a server consisting of a list of activities it performed. More recent entries are typically appended to the end of the file. Information about the request, including client IP address, request date/time, the page requested, HTTP code, bytes served, user agent, and referrer are typically added. This data can be combined into a single file, or separated into distinct logs, such as an access log, error log, or referrer log. However, server logs do not collect user-specific information. (from Wikipedia)
As a WordPress Services company, we often deal with compromised websites. Unfortunately, in most cases we have limited access to customer logs (they are written by the web server, outside WordPress itself), which is one of the reasons why we don't offer a forensic audit by default.
We offer real-time WordPress Security, WordPress Services, monitoring and protection to recurring customers. For those who are not recurring customers, we offer on-demand WordPress clean-up after a hack or an adware, malware or cryptoware infection. For these customers we sometimes need to investigate how the website was compromised in the first place, usually when it becomes reinfected after a clean-up (covered by our 30-day free-services policy). Most of the infected websites we clean log nothing useful, or nothing at all, that could give us a glimpse of the events that led to the compromise.
To better understand logs, consider an analogy: log entries are footsteps and the log file is sand. Each time something is added to the log file, a new footprint appears on the surface of the sand. After a few days, weeks or months of uptime, your logs look as if a marathon had been run on the beach.
Yes, there are a gazillion footprints on the sand, and there are still people on the beach. This is normal: when you audit a live website, there is live traffic and there are live visitors. You download the log file and start eliminating the footsteps that are not related to the issue you are investigating (static assets, crawlers, ordinary visitors). Once you have identified the culprit, the sand suddenly looks like this:
A single path of footprints, leaving a clear trail on the surface of the sand. In reality this translates into a list of actions that did harm inside your WordPress installation. But at least you can backtrack and prevent the next one, and you can identify other actions you had not noticed (such as something being deleted that is not immediately visible).
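The elimination step above, as an added example rather than code from the original post or from the company's own tooling: it parses an Apache/Nginx "combined" format access log, drops the footprints that are never part of an attack trail (static assets), flags clients worth a closer look, and prints each suspect's requests in time order. The log lines are constructed for this example, not from any real site; the choice of what counts as suspicious (three or more POSTs to wp-login.php, or a request for a .php file under wp-content/uploads, which should only ever hold media) is an assumption you would tune for your own site.

```python
"""Trim a WordPress access log down to one client's trail (example code).

The log lines below are CONSTRUCTED for this example and are not from any real site.
They follow the common Apache/Nginx "combined" log format.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 800 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "python-requests/2.31"
203.0.113.9 - - [12/Mar/2024:10:01:12 +0000] "GET /about/ HTTP/1.1" 200 4300 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:01:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:01:14 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "python-requests/2.31"
203.0.113.9 - - [12/Mar/2024:10:01:15 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 51000 "https://example.test/about/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1200 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:10:01:50 +0000] "GET /wp-content/uploads/2024/03/x.php?cmd=id HTTP/1.1" 200 60 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:10:02:00 +0000] "GET /contact/ HTTP/1.1" 200 3900 "https://example.test/" "Mozilla/5.0"
this line is deliberately broken and must be skipped, not crash the parser
"""

# ip ident user [timestamp] "METHOD target PROTO" status size "referrer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Requests for these never change state; they are the footprints we wipe away first.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2")


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["target"].split("?", 1)[0]   # path without the query string
    return d


def parse_log(text):
    """All parseable entries, in file order; unparseable lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def is_footprint(e):
    """Keep requests that can change or reveal state; drop static assets."""
    return not e["path"].lower().endswith(STATIC_EXT)


def suspect_ips(entries, login_posts=3):
    """Clients that ran PHP from wp-content/uploads (it should only hold media),
    or that POSTed to wp-login.php at least `login_posts` times (assumed threshold)."""
    posts = Counter(e["ip"] for e in entries
                    if e["method"] == "POST" and e["path"] == "/wp-login.php")
    suspects = {ip for ip, n in posts.items() if n >= login_posts}
    for e in entries:
        if e["path"].startswith("/wp-content/uploads/") and e["path"].lower().endswith(".php"):
            suspects.add(e["ip"])
    return suspects


def trail(entries, ip):
    """The single path of footprints: one client's kept requests, in time order."""
    return sorted((e for e in entries if e["ip"] == ip and is_footprint(e)),
                  key=lambda e: e["ts"])


def report(text):
    """Map each suspect IP to its trail as (time, method, target, status) tuples."""
    entries = parse_log(text)
    return {ip: [(e["ts"].strftime("%H:%M:%S"), e["method"], e["target"], e["status"])
                 for e in trail(entries, ip)]
            for ip in suspect_ips(entries)}


if __name__ == "__main__":
    for ip, steps in report(SAMPLE_LOG).items():
        print(f"== trail for {ip} ==")
        for ts, method, target, status in steps:
            print(f"{ts} {method} {target} -> {status}")
```

Run against the constructed sample, the only suspect is 198.51.100.7, and its trail reads like the list of actions described above: login guessing until a 302, entry into wp-admin, a plugin upload, then a request for a PHP file that should not exist under uploads. On a real log you would also filter out your own office IP, your uptime monitor and known crawlers before looking at what is left; the rule set in `suspect_ips` is a starting point, not a detector.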
How can you protect yourself? It is a good question, and we are asked it a lot. Being prepared always helps, so keep logs. Being prepared by a professional helps more, so keep relevant logs (access and error logs with client IP, timestamp, full request line, status code, user agent and referrer, retained long enough to cover the time between an infection and its discovery). Best of all is real-time WordPress Security, simply because of what the footprints look like with it in place.
The importance of Logs + what they reveal + advice on how to use them.