How to Monitor Your WordPress Site

To monitor your WordPress site for various types of activities, I recommend a few plugins to assist you so that you don’t have to do it manually.

For monitoring the activity of a logged in user, you can use one of the following plugins. They both provide detailed user activity logs such as when they logged in, what did they change, what did they install, etc.

  • Stream – Track and monitor every change made on your WordPress site in beautifully organized detail.
  • WP Security Audit Log – Identify WordPress security issues before they become a problem. Keep an audit log of everything that happens on WordPress including WordPress user activity.

For keeping track of file changes, one plugin stands out to help with this activity.

  • WordPress File Monitor Plus – Monitor files under your WP installation for changes. When a change occurs, be notified via email. This plugin is a fork of WordPress File Monitor.

What Should I Monitor on my System?

Hopefully I convinced you why you should monitor your system activity so the next question becomes, what should I monitor?

Here are a couple common areas to monitor regardless of system function. From webservers to desktops, this list can get you started:

  • What a user did on your system. If you have a system that have multiple users on it, they will likely fall into some sort of typical usage pattern. If it goes beyond that, then you might want to investigate the activity some more.
  • Identifying new files on your system. If you weren’t the one that created those files, then who did? Are those new files malicious at all?
  • Checking for indicators of compromise. Attackers use exploit toolkits and they typically have signatures that you can scan for to identify if you have already been hacked.

Why Should I Monitor My System Activity?

Like many important things in life, security is one of those items that you shouldn’t just “set it and forget it”. Part of having a holistic security system is to monitor your systems for various indicators. You will want to monitor for system activity because you want to be proactive and understand the changes on your system. Don’t put your head in the sand and hope everything will be okay.

Here are some reasons for why you should monitor your systems:

  • What if an attacker was trying to brute force login into your system and you didn’t have a control in place to block them. How would you know if they succeeded or not?
  • What if there was a vulnerability on your site and an attacker uploaded code to have a backdoor in your system. If you didn’t have a system to alert you to changes, how would you know anything changed?
  • What if you were just trying to change a setting and your whole website broke because of a couple changes you did, but you couldn’t remember what you exactly did? If these actions weren’t logged, then you wouldn’t have the ability to go back and review what happened.



How to Restrict WordPress Access

Here is some tactical advice for you to implement in your WordPress site so that you can restrict access and put better controls on your system.

  1. Create an author or editor role for yourself and use this account for all your posting.
  2. Don’t use the admin role for posting content. Only use the admin role for specific administrative functions such as upgrades.
  3. Only allow your WordPress web server to access the WordPress database. Don’t allow everyone on the internet to even be able to get to the front door of your database and attempt a login.
  4. Restrict login attempts and protect your site against brute force attacks with a plugin. Limit Login Attempts works well for this.

Three Additional Access Control Strategies

Below are some some additional access control strategies that are commonly in use.

  1. Limit access to networked systems by IP. Example would be if you have a database server online, does all of the internet have a need to access that system? Or does really only your webserver(s) need access to it?
  2. In the case you don’t limit access by IP, you should at least have a system to block brute force attacks. If you have a system online and don’t restrict access after x attempts, then an attacker can spend an unlimited amount of time trying to break into your system by brute force guessing an account.
  3. Log out of the system when you are done and don’t just close the browser window. If an attacker had access to your machine for whatever reason, they would be able to instantly gain access to those same systems without even knowing your password because you were still logged into it!

What is Least Privilege?

Best practice when using a system that has multiple levels of permissions or roles, is to use the account with the least amount of privileges to perform the action required.

You see this in Windows and Apple OSX machines by default now where you have a regular user account, and then when you want to perform an administrative function, you will get prompted for a password to temporarily gain higher privileges to perform that action.

For systems that you are building that don’t have this model built in, you will want to replicate it. Most of the times I will see the application be installed as an admin, and that is all. You should create a lower level user account that gives you most of the function you need outside of administrative functions, and use this account the majority of the time.