The case for WordPress activity logs

So, you are in business, your WordPress site is up and running, and your killer content attracts new visitors, resulting in more quality leads and increased sales. You have built a valuable asset, and it is working out well for you.

WordPress is now a vital part of your business success.

But what are you doing to protect that asset and to mitigate the genuine risks of reputational harm and regulatory non-compliance that follow from data breaches, external and internal threats, human error, and more? These risks are real.

A late 2019 CNBC report by Scott Steinberg, which makes for sobering reading, is headlined "Cyberattacks now cost companies $200,000 on average, putting many out of business". Its other key findings include:

  • 43% of cyberattacks targeted small businesses
  • More than half of all small businesses suffered a breach within the last year
  • 60% of those victimized go out of business within six months
  • Digital threats go an average of 101 days before being detected

How do you know, and how do you monitor, what changes are being made on your WordPress website, when, and by whom? This is where a WordPress activity log proves invaluable: a must-have in your website security toolbox.

So why do I need a WordPress activity log?

First, WordPress has no built-in activity log. Yet the information an activity log provides is crucial to your business and to the security of your website.

Information forms the basis of making informed decisions, identifying potential weaknesses, user mistakes, and threats, and ensuring that everything is going to plan.

After all, just like any business, you use specific metrics to check that your business is performing to plan and to keep track of its health. Such key metrics would include: is revenue trending up or down? Profitability, up or down? Sales order values, up or down? Returning customers, new customer acquisition, what is selling and what is not, among a host of other metrics you may use.

These metrics are no-brainers. You use them to make the right decisions and keep driving your business in the right direction; otherwise, you would not be in business for very long.

Well, the WP Activity Log plugin does this for your WordPress site. An activity log provides you with critical information on what is happening, in real-time, on your website or e-commerce solution, enabling you to make the right decisions to manage your team and secure your vital commercial asset. This introduction to WordPress activity logs is a useful primer.

WP Activity Log continually monitors and reports on all activity on your WordPress sites, including system settings updates and file changes, and it can notify you with real-time alerts by SMS and e-mail so that you can take whatever remedial action is necessary.

Where can an activity log help me out?

If you:

  • Store or process any personal information, such as e-mail addresses for mailings, newsletters, etc.
  • Engage in e-commerce activities, processing and storing of credit card information,
  • Have a team of people managing your e-commerce store, products, sales, and orders,
  • Are in an industry that has regulatory compliance requirements, such as health, finance, and insurance.

Then it is a requirement to keep a log of the changes made to your WordPress website. It is not just a nice to have, but mandatory! Logs will help you out in many ways, but in this article, we will focus on three key topics:

  • Human errors, and how to mitigate against them
  • Compliance obligations, and how logging helps you meet them
  • and finally, security threats, both external and internal

To err is human - and to blame it on a computer is even more so! (Robert Orben)

Mistakes can and do happen to each and every one of us. They can happen at any time; it is just human nature.

Some mistakes may cause embarrassment and annoyance but little consequential loss, such as errors in posting, content changes, or changes to categories, tags, status, URLs, and custom fields. But some errors can result in a substantial consequential loss to your business. Imagine the damage that erroneous changes to your e-commerce store, WooCommerce for example, could cause.

Mistakes made in updating product pricing, tax, stock quantity, and shipping rates can significantly impact your bottom line. WP Activity Log provides you with a full audit trail of all such changes through its dedicated WooCommerce activity log module.

The bottom line here is that human errors will always happen; with a comprehensive activity log, however, you can quickly identify the changes made, when, and by whom, so you can roll those changes back.

Now, remind me again of my compliance responsibilities.

Do you process and store personal information of any kind? Almost certainly you do: an e-mail address is personal information. In that case, you have compliance obligations.

If you are working within regulated industries such as health, financial, and insurance, you will know the stringent regulatory record-keeping compliance obligations you must meet.

And even if you use a third-party payment gateway to store and process credit card payments, your WooCommerce and WordPress powered store must still comply with the Payment Card Industry Data Security Standard (PCI DSS); outsourcing card handling to a hosted gateway reduces your scope, and the self-assessment questionnaire you fill in, but it does not exempt you. For example, PCI DSS requirement 10, "Track and monitor all access to network resources and cardholder data", stipulates:

"Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise"

Your specific industry regulatory bodies will have different requirements. What they have in common, however, is an obligation for you to keep records and logs of the activity on your website.

You must also be able to produce comprehensive audit trail reports, on demand, detailing the changes made, when, and by whom.

Finally, no discussion on compliance is complete without looking into GDPR. 

If you process personal data of anyone located in the EU, whatever their citizenship, GDPR applies to you; it is the data subject's location, not their passport, that matters.

What is the GDPR? "The General Data Protection Regulation (GDPR) sets out detailed requirements for companies and organizations collecting, storing, and managing personal data. It applies to European organizations that process personal data of individuals in the EU, and to organizations outside the EU that target people living in the EU."

The GDPR applies if:

  • your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
  • your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behavior of individuals within the EU.

Therefore, under GDPR, organizations collecting and processing data must ensure they create and document technical and security measures. A key aspect of this is monitoring and logging for security issues and attacks. Read Enhancing your GDPR toolkit with the WordPress activity log for further information.

And failure to comply can result in significant fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious breaches.

WordPress, the world’s #1 CMS . . . and consequently the #1 attack target

WordPress, being the world's most successful Content Management System (CMS) with an estimated market share of 35.2%, of course, gets more than its fair share of attention from the bad actors out there. That is the price of success, and the rich pickings that potentially await them.

According to our good friends at Sucuri, in their 2019 Website Threat Research Report, WordPress accounted for no less than 94% of the infected websites they cleaned in 2019.

Now, this is not to say that WordPress core is particularly vulnerable or more susceptible to hacking attempts. It is a consequence of its success and flexibility: thousands of plugins and themes are available to extend it, and an outdated or poorly written plugin or theme is, in practice, a far more common way in than core itself.

However, it must be stated, and commended, that the WordPress community has identified this issue and tackled it head-on. The automatic background update process introduced in version 3.7 patches security issues in core in a timely and automated manner, by default for minor and security releases. Version 5.5 added automatic updates for plugins and themes, but these are opt-in: you must enable them per plugin and per theme, so check that you actually have.

WordPress security plugins such as Sucuri, MalCare, and Wordfence do a great job of protecting your WordPress site from external threats. What they do not do is provide an extensive activity log. An activity log really does complement your security plugins.

We discussed how logging is essential for compliance. In terms of the website's security, logging is just as crucial, so crucial, in fact, that the OWASP Top 10 list of the most critical web application security risks includes insufficient logging and monitoring as a category of its own (A10:2017 Insufficient Logging & Monitoring).

WP Activity Log continually collates an audit trail of all activities and changes on the system, whether informational events such as user logins and post creation and editing, or higher-impact events such as plugin updates and theme changes.

Critical core updates or file changes can directly affect your website's security, performance, and functionality. WP Activity Log can notify you of these events directly by SMS and e-mail, so you can review each change immediately and decide whether it was legitimate and authorized.
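To make the "when, by whom, and was it authorized" question concrete, here is an added example, not code from WP Activity Log or from the original article, of the triage rules a practitioner would run over an activity log export. It serves both the WooCommerce price-change scenario above and the login, plugin and file-change events just described. It assumes a JSON-lines log in which each event has the fields ts (ISO 8601, UTC), user, role, ip, event and an optional data object; that format is an assumption for illustration, and the plugin's own export differs. The sample log embedded in the script is constructed, not real traffic.

```python
"""Triage rules over a WordPress activity log export (added example).

Assumed log format (not WP Activity Log's own): one JSON object per line with
'ts' (ISO 8601, UTC), 'user', 'role', 'ip', 'event' and optional 'data'.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Events that change what code runs on the site; these deserve a change window.
CHANGE_EVENTS = {"plugin_installed", "plugin_activated", "plugin_updated",
                 "theme_installed", "theme_activated", "core_updated"}
CHANGE_WINDOW_HOURS = (8, 18)               # approved change hours, UTC, Mon-Fri
FAILED_LOGIN_LIMIT = 5                      # failures from one IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window = a burst
PRICE_DROP_THRESHOLD = 0.5                  # flag price cuts of more than 50%

# Constructed sample log (not real data); 2020-11-02 is a Monday.
SAMPLE_LOG = """\
{"ts":"2020-11-02T09:12:03Z","user":"alice","role":"administrator","ip":"203.0.113.10","event":"user_login"}
{"ts":"2020-11-02T09:15:41Z","user":"alice","role":"administrator","ip":"203.0.113.10","event":"post_updated","data":{"post_id":118}}
{"ts":"2020-11-02T10:02:15Z","user":"bob","role":"shop_manager","ip":"203.0.113.22","event":"product_price_changed","data":{"product_id":501,"old":49.0,"new":4.9}}
{"ts":"2020-11-02T10:30:00Z","user":"alice","role":"administrator","ip":"203.0.113.10","event":"plugin_updated","data":{"plugin":"woocommerce/woocommerce.php"}}
{"ts":"2020-11-02T22:40:07Z","user":"","role":"","ip":"198.51.100.7","event":"login_failed","data":{"username":"admin"}}
{"ts":"2020-11-02T22:40:19Z","user":"","role":"","ip":"198.51.100.7","event":"login_failed","data":{"username":"admin"}}
{"ts":"2020-11-02T22:40:31Z","user":"","role":"","ip":"198.51.100.7","event":"login_failed","data":{"username":"admin"}}
{"ts":"2020-11-02T22:40:44Z","user":"","role":"","ip":"198.51.100.7","event":"login_failed","data":{"username":"admin"}}
{"ts":"2020-11-02T22:41:02Z","user":"","role":"","ip":"198.51.100.7","event":"login_failed","data":{"username":"admin"}}
{"ts":"2020-11-02T22:45:09Z","user":"admin","role":"administrator","ip":"198.51.100.7","event":"user_login"}
{"ts":"2020-11-02T22:46:30Z","user":"admin","role":"administrator","ip":"198.51.100.7","event":"plugin_activated","data":{"plugin":"wp-helper/wp-helper.php"}}
{"ts":"2020-11-02T22:47:02Z","user":"admin","role":"administrator","ip":"198.51.100.7","event":"file_modified","data":{"path":"wp-content/plugins/wp-helper/loader.php"}}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev.setdefault("data", {})
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def in_change_window(ts):
    start, end = CHANGE_WINDOW_HOURS
    return ts.weekday() < 5 and start <= ts.hour < end


def triage(text):
    """Return findings: dicts with rule, severity, ts, user, ip and detail."""
    findings = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    burst_seen_at = {}             # ip -> time its failed-login burst completed

    def flag(ev, rule, severity, detail):
        findings.append({"rule": rule, "severity": severity, "ts": ev["ts"],
                         "user": ev["user"], "ip": ev["ip"], "detail": detail})

    for ev in parse_events(text):
        ts, ip, kind, data = ev["ts"], ev["ip"], ev["event"], ev["data"]
        # Human error or fraud: a large price cut on a WooCommerce product.
        if kind == "product_price_changed":
            old, new = float(data["old"]), float(data["new"])
            if old > 0 and (old - new) / old > PRICE_DROP_THRESHOLD:
                flag(ev, "large_price_drop", "medium",
                     f"product {data['product_id']}: {old:.2f} -> {new:.2f}")
        # Brute force: N failures from one IP inside a sliding window.
        elif kind == "login_failed":
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()
            if len(recent) >= FAILED_LOGIN_LIMIT and ip not in burst_seen_at:
                burst_seen_at[ip] = ts
                flag(ev, "failed_login_burst", "medium",
                     f"{len(recent)} failures for '{data.get('username')}'")
        # A login shortly after a burst from the same IP: a guessed password.
        elif kind == "user_login" and ip in burst_seen_at \
                and ts - burst_seen_at[ip] <= FAILED_LOGIN_WINDOW:
            flag(ev, "login_after_burst", "high",
                 "successful login following a failed-login burst")
        # Code changes outside the approved window need a human to confirm.
        elif kind in CHANGE_EVENTS and not in_change_window(ts):
            flag(ev, "change_outside_window", "high",
                 f"{kind} {data.get('plugin') or data.get('theme') or ''}".strip())
        # Any edit to PHP or JavaScript under wp-content is how skimmers arrive.
        elif kind == "file_modified":
            path = data.get("path", "")
            if path.startswith("wp-content/") and path.endswith((".php", ".js")):
                flag(ev, "file_modified", "high", path)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M}Z {f['severity']:<6} {f['rule']:<22} "
              f"user={f['user'] or '-'} ip={f['ip']} {f['detail']}")
```

Each rule is deliberately conservative: a burst of failed logins on its own is only medium, because real users mistype passwords, but a successful login from the same address within the window is high, as is any code-changing event outside the agreed change window or any edit to a script under wp-content. Tune CHANGE_WINDOW_HOURS and the thresholds to your team's working pattern, and route the findings into the same SMS or e-mail channel the article recommends so that someone actually looks at them.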

Take the recent WooCommerce card-skimming incident documented by our friends at Sucuri in Analysis of a WordPress Credit Card Swiper: WP Activity Log would have alerted you to the underlying changes with a real-time notification. Armed with that information, you can ask yourself: What is this change? Why was it made? Was it authorized?

Gain total visibility with a WordPress activity log

An activity log is fundamental to good business and security practices. It gives you a view, and the information, on what is going on within your key business asset. It complements your existing security plugins by adding another layer of security, further hardening your website against attack.

It will highlight user errors, assist with regulatory compliance reporting, and form the basis of proper security planning and monitoring. Indeed, a proactive logging solution will help you to:

  • Improve user accountability and productivity
  • Get a detailed overview of exactly what is happening on your WordPress website
  • Spot reconnaissance and brute-force attempts early, before they succeed
  • Catch attackers red-handed and limit the damage
  • Identify the exploited flaw in a post-hack scenario

To see how an activity log fits into your business, get a free 14-day trial of WP Activity Log, the #1 user-rated WordPress activity log plugin.

More articles by Robert Abela
