The importance of WordPress audit logging


Overview

Anyone who’s worked on the backend of systems, worked in IT security, been a developer or been a system administrator will tell you about the importance of having logs. WordPress is no exception to this rule. While some errors will be logged and you can increase debug logging for developer issues, WordPress doesn’t have any audit logs built in.

What are Audit Logs?

Audit logs are a collection of events and records which give you the ability to trace what occurred on a system in chronological order. In the context of WordPress, this includes (but is not limited to) events such as:

  • Logins
  • User modification (creation, password updates, profile updates, addition and deletion)
  • Post / Page modification (create / edit / delete)
  • Plugin events (installation, disabling, updates and removal)
  • Theme events (installation, editing, disabling, updates and removal)
  • Core WordPress (updates and similar events)
  • Media file changes
  • Changes to menus, tags, categories, settings and more

For each of these events, we get the exact time it occurred, the IP address the change was requested by and the user who made the change.

Why are audit logs critical?

Think of audit logs like the “black box” flight recorder in an aircraft. You don’t ever want to have to use them, but when things go wrong you want to know exactly what was going on at the time or before it.

For WordPress, these become critical when there’s been a change to your website which you didn’t request or worse, when malicious content has been uploaded. In the case of a malicious change, it can be very difficult to trace the root cause if it’s been properly masked.

As an example case, we recently had a site compromised where all of the themes, core and plugins were up-to-date. There was no existing compromised code within the site and the files were verified as being authentic.

A basic scan of the logs showed that there was a successful login (but no specific user), then a plugin uploaded (but no indication as to which one).

With the audit logs, we were then able to determine:

  • Which user logged in
  • What plugin was uploaded
  • What other changes were made to the site at the same time

Are these built in to WordPress?

Sadly, no. This means you need to use a third party plugin to achieve this. We’d love to see it implemented so that it was there by default but given the complexity of WordPress these sorts of changes probably aren’t going to occur anytime soon.

This means, if you don’t have anything installed and a failure occurs then you’ve got no ability to audit actions taken on your website.

What plugins are available to offer this?

There are a number of third party plugins which do provide this. We recommend you test them to see which suits your needs the best. Some of the plugins are free while others have the basics for free and additional features available to purchase.

WP Activity Log

Cost: Free (with premium features available for a cost)
Website: https://melapress.com/wordpress-activity-log/

Stream

Cost: Free
Website: https://wp-stream.com/

Activity Log

Cost: Free
Website: https://wordpress.org/plugins/aryo-activity-log/

As is the case with most WordPress plugins and options, there are probably a dozen others out there to try as well. We recommend testing these three first and if none suit your requirements then look further.

Is there anything else which should be done?

Of course, a counterpoint here is that someone who has access to your website can also potentially scrub your audit logs and hide their trail. Someone could also accidentally disable or delete your audit plugin, in which case you’ll of course lose the records of who did this.

The solution here is to push or mirror these records off to an external service or storage point. For our Managed WordPress customers, we do this automatically to ensure we have a full audit history available even if they try to delete anything internal to WordPress.
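
One way to make use of an off-site mirror, as an added example rather than code from this article or from any of the plugins above: the Python below compares the records held externally with what WordPress still holds and reports events that were deleted or edited on the site. The field names, event names and sample records are assumptions constructed for illustration.

```python
import hashlib
import json

# Assumed field names for this example; map them to your plugin's export format.
FIELDS = ("id", "time", "user", "ip", "event", "object")


def ev(*values):
    return dict(zip(FIELDS, values))  # one record, values in FIELDS order


def fingerprint(record):
    """Hash the audited fields so any later edit to a record changes the digest."""
    canonical = json.dumps([record.get(f) for f in FIELDS], separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(mirror, local):
    """Classify differences between the mirror and what WordPress still holds."""
    mirror_by_id = {r["id"]: r for r in mirror}
    local_by_id = {r["id"]: r for r in local}
    report = {"scrubbed": [], "altered": [], "unmirrored": []}
    for event_id in sorted(mirror_by_id):
        if event_id not in local_by_id:
            report["scrubbed"].append(mirror_by_id[event_id])  # deleted on site
        elif fingerprint(mirror_by_id[event_id]) != fingerprint(local_by_id[event_id]):
            report["altered"].append(mirror_by_id[event_id])  # edited on site
    for event_id in sorted(local_by_id):
        if event_id not in mirror_by_id:
            report["unmirrored"].append(local_by_id[event_id])  # shipping gap
    return report

# Constructed sample data: what the external store received as events happened.
MIRROR = [
    ev(101, "2024-05-01T02:14:07Z", "editor2", "203.0.113.45", "login", ""),
    ev(102, "2024-05-01T02:15:41Z", "editor2", "203.0.113.45", "plugin_installed", "example-plugin"),
    ev(103, "2024-05-01T02:15:59Z", "editor2", "203.0.113.45", "plugin_activated", "example-plugin"),
    ev(104, "2024-05-01T02:17:12Z", "editor2", "203.0.113.45", "post_updated", "post:12"),
]
# Constructed: the log left inside WordPress after someone tried to hide the trail.
LOCAL = [
    ev(101, "2024-05-01T02:14:07Z", "editor2", "198.51.100.10", "login", ""),
    MIRROR[3],
    ev(105, "2024-05-01T03:02:00Z", "admin", "198.51.100.10", "login", ""),
]

if __name__ == "__main__":
    for kind, events in reconcile(MIRROR, LOCAL).items():
        print(kind, [(e["id"], e["event"], e["object"]) for e in events])
```

Events listed as unmirrored exist only inside WordPress, which points to a gap in shipping records off-site rather than to tampering.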

Tim Butler

With over 20 years experience in IT, I have worked with systems scaling to tens of thousands of simultaneous users. My current role involves providing highly available, high performance web and infrastructure solutions for small businesses through to government departments. NGINX Cookbook author.
