The value of logs for WordPress Security and Audit
What is a Server LOG?
A server log is a log file (or several files) automatically created and maintained by a server consisting of a list of activities it performed. More recent entries are typically appended to the end of the file. Information about the request, including client IP address, request date/time, the page requested, HTTP code, bytes served, user agent, and referrer are typically added. This data can be combined into a single file, or separated into distinct logs, such as an access log, error log, or referrer log. However, server logs do not collect user-specific information. (from Wikipedia)
As a WordPress services company, we often deal with compromised websites. Unfortunately, in most cases we have limited access to customer logs (server logs are kept outside of WordPress), which is one of the reasons why we do not offer a forensic audit by default.
We offer real-time WordPress security and WordPress services, monitoring and protection for recurring customers, and on-demand WordPress clean-up services after a hack, adware, malware or cryptoware infection for those who are not recurring customers. For these customers we sometimes need to investigate how the website became compromised in the first place. This usually happens when a website is reinfected after a clean-up (which our 30-day free-services policy covers). Most of the infected websites we clean either log useless information or have no logs at all, so there is nothing to give us a glimpse of what led to the compromise.
To better understand logs, consider an analogy: log entries are footsteps and the log file is sand. Each time something is added to the log file, a new footprint appears on the surface of the sand. After a few days, weeks or months of uptime, your logs look as if a marathon had been run on the beach. Something like this:
Yes, there are a gazillion footprints in the sand, and there are still people on the beach. This is normal: when you audit a live website there is live traffic and there are live visitors present. You must download the log file and start eliminating the steps that are not related to the issue you are investigating. Once you have identified the culprit, this is suddenly how your sand looks:
A single path of footprints, leaving a clear trail on the surface of the sand. In reality this translates into the list of actions that did harm and damage within your WordPress. But at least you can backtrack and prevent the next one, and you can identify other unseen actions (like something being deleted that is not immediately visible).
How can you protect yourself? It is a good question, and the safe approach for a better and safer tomorrow. We are asked this question a lot. Well, being prepared ALWAYS helps, so keep logs. Being prepared by a professional helps more, so keep relevant logs. The best option, however, is having real-time WordPress security. That is much better, simply because this is how the footprints would look:
The importance of Logs + what they reveal + advice on how to use them.
We advise having a plugin that logs activities on your WordPress. This is a major step for your WordPress security. Having an audit log on a website is necessary for e-commerce sites to be PCI DSS certified. Logs are likewise extremely handy when you need to fix technical problems or ensure user accountability. An activity log plugin can:
- be an early alert system to let you know if something has actually gone wrong;
- work as a tool to help you keep a close eye on what is occurring on your site;
- help you examine the attack vector after the fact.
Nonetheless, the web server logs do not show exactly what happened. They record the HTTP GET and POST requests, the requests made by visitors to download a web page (GET) or submit content to the server (POST). These logs give you an idea of what was visited on the site, but you cannot tell which action each user carried out. That is why audit log plugins are very useful when examining an infection or reinfection.
It is a lot easier to trace back what happened if a WordPress site has an auditing plugin installed. Some changes that auditing plugins can show are:
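The "eliminate the unrelated footprints" step described above, and the limitation that a web server log shows requests but not which action each user carried out, can both be seen on a small constructed access log. The script below is an added example written for this article, not code from the original post: it parses Apache/Nginx combined-format lines, drops static-asset noise, keeps only requests that could have changed the site (login and XML-RPC endpoints, the admin area, POSTs, and PHP files served from the uploads directory, which should only hold media), and prints one client's trail. The log lines, IP addresses (documentation ranges) and host are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log in Apache/Nginx "combined" format. The IPs are
# documentation ranges and the host is invented; nothing here is real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2021:09:12:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:09:12:03 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:09:13:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2211 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:09:13:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2211 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:09:13:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:09:13:15 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9920 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:09:13:20 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2021:09:13:25 +0000] "GET /wp-content/uploads/2021/03/image.php HTTP/1.1" 200 140 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:09:14:00 +0000] "GET /about/ HTTP/1.1" 200 4410 "http://example.test/" "Mozilla/5.0"
"""

# One regex for the combined format: client IP, timestamp, request line,
# status, bytes, referrer and user agent (the fields listed at the top of the article).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2", ".ico")


def parse_combined(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def footprint_reason(e):
    """Why a request is worth keeping, or None if it is ordinary visitor noise."""
    path = e["path"].split("?", 1)[0]
    if path.endswith(STATIC_EXT):
        return None
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        return "php-in-uploads"        # PHP executed from a directory that should hold only media
    if path in ("/wp-login.php", "/xmlrpc.php"):
        return "auth-endpoint"
    if path.startswith("/wp-admin/"):
        return "admin-area"
    if e["method"] == "POST":
        return "state-changing-post"
    return None


def keep_footprints(entries):
    """Drop the marathon: keep only requests that could have changed the site."""
    kept = []
    for e in entries:
        reason = footprint_reason(e)
        if reason:
            kept.append({**e, "reason": reason})
    return kept


def suspects(entries):
    """Rank client IPs by how many interesting requests they made."""
    return Counter(e["ip"] for e in keep_footprints(entries)).most_common()


def trail_for(entries, ip):
    """The single path of footprints: one client's interesting requests, in log order."""
    return [(e["time"].isoformat(), e["method"], e["path"], e["status"], e["reason"])
            for e in keep_footprints(entries) if e["ip"] == ip]


if __name__ == "__main__":
    entries = parse_combined(SAMPLE_ACCESS_LOG)
    top_ip, count = suspects(entries)[0]
    print(f"{top_ip} made {count} interesting requests:")
    for step in trail_for(entries, top_ip):
        print("  ", *step)
```

Note what the trail does and does not tell you: two `POST /wp-login.php` responses with status 200 followed by a 302 suggest a login that eventually succeeded, but the server log cannot say which user account was used or whether the later `POST` to `update.php` installed a plugin. That is exactly the gap an activity log plugin fills.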
- core files changes;
- setting changes;
- post or page changes;
- plugin changes;
- theme changes;
- successful logins.
Audit logs can also serve as an Intrusion Detection System (IDS). For example, when using a WordPress activity log plugin, you can set up alerts if there is unusual activity, like a successful login that happened outside your office hours or successful logins from an unusual IP address (from other countries or continents).
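The alerting rules just described can be expressed as a few lines of detection logic run over an activity log. The script below is an added example for this article, not the output or code of any particular activity log plugin: it reads constructed JSON-lines audit entries and flags successful logins outside office hours, logins from outside the trusted office network or home country, and sensitive changes (plugin installs and the like) made from an untrusted network. The office timezone, hours, trusted network, home country and the tiny GeoIP table are all assumptions chosen for the example; a real deployment would use `zoneinfo` for DST and a proper GeoIP database.

```python
import ipaddress
import json
from datetime import datetime, time, timedelta, timezone

# Constructed audit-log lines in a simple JSON-lines shape (not the format of any
# particular activity-log plugin). IPs are documentation ranges.
SAMPLE_AUDIT_LOG = """\
{"ts": "2021-03-10T09:13:12+00:00", "event": "user_login_success", "user": "admin", "ip": "203.0.113.7"}
{"ts": "2021-03-10T23:41:05+00:00", "event": "user_login_success", "user": "admin", "ip": "203.0.113.7"}
{"ts": "2021-03-10T10:02:44+00:00", "event": "user_login_success", "user": "editor", "ip": "198.51.100.9"}
{"ts": "2021-03-10T10:03:10+00:00", "event": "plugin_installed", "user": "editor", "ip": "198.51.100.9", "object": "unknown-plugin"}
{"ts": "2021-03-10T10:05:00+00:00", "event": "user_login_failed", "user": "admin", "ip": "198.51.100.9"}
"""

# Policy assumptions for the example: office in UTC+2 (fixed offset here; use zoneinfo
# in production so DST is handled), Mon-Fri 08:00-18:00, one trusted office network.
OFFICE_TZ = timezone(timedelta(hours=2))
OFFICE_DAYS = {0, 1, 2, 3, 4}
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HOME_COUNTRY = "RO"
# Constructed stand-in for a GeoIP database lookup: network -> ISO country code.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "RO",
    ipaddress.ip_network("198.51.100.0/24"): "ZZ",
}
# Event names are assumed; map them to whatever your plugin emits.
SENSITIVE_EVENTS = {"plugin_installed", "plugin_activated", "theme_changed",
                    "core_file_modified", "user_role_changed", "setting_changed"}


def country_of(ip):
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"


def within_office_hours(ts):
    local = ts.astimezone(OFFICE_TZ)
    return local.weekday() in OFFICE_DAYS and OFFICE_START <= local.time() < OFFICE_END


def evaluate(entry):
    """Return the list of rule names one audit entry triggers (empty if none)."""
    ts = datetime.fromisoformat(entry["ts"])
    ip = ipaddress.ip_address(entry["ip"])
    trusted = any(ip in net for net in TRUSTED_NETWORKS)
    reasons = []
    if entry["event"] == "user_login_success":
        if not within_office_hours(ts):
            reasons.append("login-outside-office-hours")
        if not trusted:
            reasons.append("login-from-untrusted-network")
        if country_of(ip) != HOME_COUNTRY:
            reasons.append("login-from-foreign-country")
    elif entry["event"] in SENSITIVE_EVENTS and not trusted:
        reasons.append("sensitive-change-from-untrusted-network")
    return reasons


def detect(text):
    """Run every rule over JSON-lines audit entries; return only the entries that alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        reasons = evaluate(entry)
        if reasons:
            alerts.append({**entry, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(a["ts"], a["event"], a["user"], a["ip"], ", ".join(a["reasons"]))
```

On the sample data the 23:41 UTC login lands at 01:41 local time and is flagged even though it comes from the office network, the editor's login from 198.51.100.9 is flagged twice (untrusted network and foreign country), and the plugin install that follows it is flagged as a sensitive change; the single failed login is recorded but not alerted on its own.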
Another option is to rely on your website security expertise. All these features help you keep your websites safer. If something happens, you can check the logs to see whether there was a compromise through a stolen password or perhaps a more complex attack that would require a review of the Apache/Nginx logs.
Audit logs also give you visibility over any changes made. If a website compromise occurred, you can revert those changes if needed. This is another useful way to use an audit plugin. And if you know your website has been compromised but do not know where to start, contact us and we will be happy to clean your website for you.