127 – The importance of keeping logs from your WordPress websites with Robert Abela

In this episode:

Interview – The importance of keeping logs from your WordPress websites with Robert Abela

WP Builds is brought to you by...



GoDaddy Pro

DEAL ALERT: Get 20% off WP Security Audit Log – use the offer code “WPBUILDS20

In this episode of the WP Builds WordPress podcast we speak to Robert Abela who has a great ‘security’ plugin which you could use on your client’s websites.

If you have ever had a problem with a site you know that tracking down the problem can be a little hard. Maybe the site just had a white screen of death, or there appears to be a user who is editing content that they really have no business editing.

In an ideal world the software that you use will keep comprehensive logs of all of the things that have been happening with it, but sadly WordPress does not do a great job of this. I’d go further and say that it’s probably a good thing that it does not, because WordPress core is trying to be as lean as possible; trying to do the job of publishing content as effectively as possible and so logging all of the things that happen becomes the domain of 3rd party solutions like WP Security Audit Log.

Want to get your product or service on our 'viewed quite a lot' Black Friday Page? Fill out the form...

Robert has a long history working in internet security and he saw a need for adding this functionality into the world’s most popular CMS… WordPress… and so he built it.

It all started out with a need to track who was logging in, but quickly the plugin evolved into a much more complex tool. It keeps a log if pretty much anything and everything that is done by anyone interacting with your WordPress site.

It’s not a security plugin in the sense that it does not block attacks or implement a firewall. The idea here is more about keeping track of what happened. Think of it like this, most security plugins try to build walls to stop things from happening and this can certainly be effective. WP Security Audit Log is more like installing a set of cameras around a building; the camera don’t directly stop a thief from getting in, but they are sure useful to work who did break in and how they went about doing it!

As the plugin is all about keeping logs, it does that in a really comprehensive way. There might be more in the plugin than you really need, but Robert makes no apologies about this. You can turn on the things that you think you’re going to need and switch off those logs that you don’t think are required in your unique set up. Commonly people who install the plugin use the following features:

  • 404 request logs with IP addresses attached
  • what IP’s are trying to log in
  • were there any failed logins and which usernames were commonly being hit
  • what users are doing on your site, what did they update, what did they install, what did they delete
  • are any custom fields updated or altered
  • are menus altered (including settings)
  • widgets amendments
  • any of the WordPress settings updated
  • if any files are added / amended to your WordPress installation – not limited to WordPress, anything outside of WordPress is also covered

This is a very robust plugin and might be really suitable for agencies who want a reliable solution for all their WordPress installs. Go check it out.

Mentioned in this episode:

Get 20% off WP Security Audit Log – use the offer code “WPBUILDS20

The WP Builds podcast is brought to you this week by…


Omnisend is the top-rated email and SMS marketing platform for WordPress. More than a hundred thousand merchants use Omnisend every day to grow their audience and sales. Ready to start building campaigns that really sell? Find out more at www.omnisend.com

GoDaddy Pro

The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.

The WP Builds Deals Page

It’s like Black Friday, but everyday of the year! Search and Filter WordPress Deals! Check out the deals now

Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.

Read Full Transcript

00:02 Welcome to the WP podcast bringing you the latest news from the WordPress community. Now welcome your host, David Waumsley, Nathan Wrigley.

00:21 Hello there, and welcome to the WP builds podcast once more. This is number 127 and titled the importance of keeping logs from your WordPress websites with Robert Abela. It was published on Thursday the 9th of May, 2019 my name's Nathan Wrigley from picture and word .co. uk, a small web development agency based in the north of England and there's no David Waumsley today because it's not a discussion episode. It's an interview episode with Robert. He's got a WordPress plugin called WP security audit log, but we'll come onto that a little bit later. For now, if you wouldn't mind going over to the WP builds.com websites. There's a whole bunch of links at the top there. For example, the subscribe link will allow you to get onto all of our mailing lists. If you'd like to hear about what we do and you know you can go to iTunes and subscribe to the podcast there, the Google podcasts app, and so on, and leave some reviews and all that good stuff.

01:18 Anyway, it's all over at wpbuilds.com forward slash subscribe. We've got a whole bunch of deals including today's plugin, WP security audit log on the deals page at WP builds.com forward slash deals, whole bunch of plugins over there, so go and check them out. If you're minded to buy some plugins, WP Builds .com forward slash contribute if you'd like to come on and do an episode with me about something that you've specifically think is really cool. We've done quite a few of those recently and last, but by no means least WP Builds .com forward slash advertise. If you would like to have your product or service promoted on the WP builds podcast, we'll happily do that for you. We've got banner ads and audio ads and the audio ads sound a bit like this.

02:06 The WP builds podcast was brought to you today by the page builder framework. Do you use a page builder to create your websites? Well, the page builder framework is a mobile responsive and lightening fast WordPress theme. It works with beaver builder, elemental brizy, and other page builders with its endless customization options in the WordPress customizer. It's the perfect fit for you. We are agency go to WP dash page builder, framework.com today

02:35 and WP admin pages pro. Have you ever needed to add custom admin pages to your client's WordPress dashboard, but you couldn't find the right tool to do it? Wp admin pages pro is here for you. Create beautiful admin pages using your favorite page builders such as beaver builder, elemental, brizy and more. Check it out to WP admin pro.com and we do thank all of our sponsors for their support of the WP Builds podcast because it certainly does help us keep putting this content out. Okay. Today's episode is with Robert Abela. He's from the WP security audit log plugin.

03:18 It's a fabulous plug in which you may not have come across before. Indeed, you may not have taken logging seriously before. The whole point really is, I suppose it's a bit like an insurance policy. It's a whole load of data about, well in the case of this particular plugin about anything at all on your WordPress website. So you can go in and see exactly what's been happening and if regrettably something has gone wrong, you should be able to track down what the problem was and get it patched up. So wonderful episode, really interesting and we've never talked about this subject before so I highly commend it to you. I hope you enjoy it. Hello there. Welcome to the WP builds podcast interview section. Today we have on the line, all the way from Edinburgh, although originally not from Edinburgh. We'll learn about that in a moment. We've got Robert Abela. Hello Robert.

04:08 Hello Nathan. Thanks for having me on this podcast.

04:10 You're very, very welcome. So you're living in Edinburgh, but you're not from Edinburgh. Where, where are you from Robert?

04:16 I'm originally from Malta. And for those who do not know, I mean it's, it's a very small island in the center of the Med. It's just, it's literally 21 miles by, by 14. [inaudible]

04:29 so you've, you've, you've, you've swapped sunshine for rain.

04:34 Correct. In fact, I'm, um, when I speak to my friends, I've moved from the most sunny place in Europe to the darkest place.

04:43 No regrets. It's a nice place. Edinburgh. We've got Robert on the call today because he, um, he's a, he's a WordPress professional about, in this particular case, we're going to be talking about a plugin, which he has got on offer, um, and it's called WP security audit log. You can find it over. It's www dot WP security audit, log.com. No spaces and so on. So that's what we're going to discuss today. So although it's got the title of security at the beginning, we're going to discover the, yeah, it's not your typical security thing. It's something quite different. And the bit, the bit entitled audit log is perhaps where the conversation is going to go. So, first of all, um, Robert, what's your background in this space? What gives you the credentials to flog a security audit log plugin?

05:35 Okay. Um, I started, I started to working in it around 17 years ago and I've always worked for security software companies. So, uh, I've always kind of like been dealing with it security, web security etc. Um, I said to the software tester and that was a systems engineer. I moved a lot. I was an r and d. Um, I've done some basic development QA, security researcher etc. Um, so basically I have, I have a strong background working with software startups and also insecurity. Um, around six, six, seven years ago when I was working with a software company and we tried to build a security solution for WordPress back then I remember Securi was so I think that's, well our solution was a failure. We know exactly why. So at least we've learned from it. And that's where I kind of like discovered WordPress. And when I started freelancing because I was like, I've, I was working like for 14, 15 years and uh, and the in the corporate places.

06:40 I wanted to kind of like start my own thing. So I started freelancing and like almost any other WordPress security person, I started playing around with cleaning some hacked websites, ecetera. Um, because I have always wasn't security. And one thing I've noticed and WordPress is constantly get some multi user set up. I was quite surprised that it had no sort of logging solution, you know, like what users are doing when they are logged in etc. I've seen some back then I've seen like some, some plugins, but they were still like very smart plugins, nothing major. So yeah. So um, considering I have a security background, I was doing these cleanups, I wanted to know like what's happening, why these websites are getting hacked or what people are doing. I, I sort of automatically started developing the plugin. I'm not a developer myself as in I've written some codes I can write, I can write, read and write code, but I'm not a developer. So basically around six years ago, I started the plugin with some help of friends or um, paying other people to develop what I've been kind of managing the project.

07:49 Hmm. Yeah. Great. Okay. So a history in it security strikes me that in this day and age, security is kind of more important than ever and also more troublesome than ever because everybody's carrying a small, um, either, um, unix or Linux machine around in their back pocket. Everybody's getting hacked. The stories in the press all the time. It seems like a really hot topic. Um, so you say that there's absolutely no security log of any description in WordPress. So what kind of things, if we were to install, um, your plugin, so WP security audit log, what, what would we, what would we notice if we first opened it up? What kind of things is it starting to login? We should probably tell anybody who has not used any kind of looking before that. Logging is essentially, it's how to describe it. It's almost like a spreadsheet of things that have happened on the website. So at that point I'll, I'll hand it over to you. What would we see in your plugin?

08:53 Okay, good question. So first of all, you mentioned in the beginning the whole thing started from security point of view. That's why it's called WP security audit log. So basically in very simple terms, as you said, it keeps a record of what people are doing. So once you open up the plugin, it's almost like a spreadsheet. You'll see like if someone logs in, you'll see the date and time and it was our logged in do use our name and that he logged in order to change the post. So yes, it's basically like a record of what people are doing. I started, as I said, I have a background in security. It's the whole, the plugin started as a security plugin, has that security logging plugin again. So I was like mostly focused on keeping a log of, of, for example, when someone is scanning your website so the plugin would detect it, tell you like someone is generating a lot of for request, for example, a or someone is strength to login.

09:46 And so that's how it started. Um, but yes, um, as as time passed, it became more than a security audit log. It's not actually a complete activity lock solution. Basically, we still call it security because of course security has, I'm sorry, logs have a lot of practices on our website now. One of them is security of course. It's like, of course keeping a record of what happened. So basically if my keeping our guts of what's happening, there are a lot of advantages from a security point of view because you can actually see if someone is trying to attack your website. So we can say, okay, this Ip is generating a lot of suspicious activity. So you can block it using something that's a, and it's also used unfortunately in forensics. So when a website is hacked, uh, it's not just enough to restore it. You need to know exactly what happened because if you restore it, the security whole is still there and an attacker might use it.

10:42 So you can use an activity log to see exactly what the attacker it is, maybe, uh, he exploit the vulnerability. Then he hijacked the user accounts, changed its role. You also an activity log helps you see all these things. Um, but as I say, it's, it's definitely, it's been six years now. It's moved. It's still a security plugin. It's not the traditional security plugin. It's, it's uh, I would say a security focus plugin, but it's not the typical firewall type of plugging protects your website. So it's purely Alex, but compared to where they're active developed plugins, since we have a security background, our logs are much more comprehensive. So of course they're, um, they're really useful to people who have like, who are more like security oriented, you know, it's, for example, if you have a flower shop, let's say website, you know, like one, two users only.

11:38 Most probably there are like kind of like simpler plugins. So ours. In fact, even if you look at our websites, some of our clients are like universities, uh, finance institutions. It's, the logs are much more detailed, are much more comprehensive. So basically you'll find it to be everything. You're fine. For example, add another activity log plugin would just tell you, for example, there's a blog post was updated. In our case, we'll tell you what was updated in the blog post, the title content. It's what actually even tell you. Like if custom fields are changed or things are changed directly in the database. So the looks are definitely much, much more comprehensive law coverage of the plugin. It's much more extensive than other plugins. So infact if, if you're not really kind of like into logs and into security, people might find all that information a bit overwhelming. But then of course we have solutions. I mean you can literally diable and reenable any type of of logging.

12:39 Okay. So, um, if we were to, you know, you've been doing this for six years. If we were to ask you what are the common things that people, uh, that you've noticed in your time looking through the security logs that your, your plugin has, um, has found, if you like, what are the common things that are, that a user should be looking for? What are the, what are the common rows or columns that people should be checking out?

13:07 Yes, so basically the most common off course, most common, especially before, and I think I to just to gain access or whatever they typically try to scan your website so they will generate a lot of 404 requests and find the plugin sees that another specific Ip. Is there anything, a lot of 404 requests, um, then it will, it will, it will show a log entry. Like this Ip address has generated so much requests that usually is a sign. It's a scan. So that's already there, like a sign that someone is trying to attack you, someone is strength with take your login page. So basically if you see an IP address in the log files that it's constantly generating a failed to login. Again, that's most probably some sort of brute force attack. And then there are other types of attacks or for example, if a user account is hijacked, which is very common unfortunately because of weak passwords.

13:56 Typically they tried to change the extra content by injecting malware. They tried to install, for example, that Plugin or old plugin or change, even like Abbott's more hidden, let's see, they tried to change some text widgets rather than the actual content. So yeah, so basically if you look at the logs, um, typically when running our website on a day to day, but you don't install plugins every day, you know, like the first few months you kind of like setting up the website, but then it's just typically blogging maybe some content updates and that's it. So you have to keep an eye off, especially if you're a small number of users, uh, as, as, uh, and especially if you're use roles, you know, for example, or cannot install plugins or, so if you see any activity that is typically not associated with that user, then of course that the threat is some suspicious. So you have like faild logins, lots of 404 errors, maybe a change of user role that's not very common. Um, installing of plugins and changes of things like widgets, content. It depends because I mean people change quantity, it's all about content, but changes of quantitative widgets and our or costume feeds or direct changes to the database, those are definitely things that are suspicion.

15:09 Okay, that's great. That was really interesting. The, the next thing I'm going to ask is about the options in the, in the back end. I don't know if it's possible for you to list all of them. Um, I'm wondering if you could tell us what the, what the possible rows or sorry columns that we could see in this audit log. Ah, so if you could tell us everything that it's possible to log. So for example, you mentioned, um, that, you know, if somebody changes their user role, that will be logged. If somebody updates content that could be logged, if somebody's a updates or adds a widget that can be logged. Could you, although it might take a little while, are you able to go through a list of the things that the plugin is able to log for us? Because our listeners are fairly technical and they'll probably get it

15:56 good. It's a very extensive list. That's why I said in terms of coverage or plugin is very extensive. And I have a complete list available on the website, which can give you the words later, but in general in a nutshell. So basically it logs all type of user activity. So logins, logouts, failed login's, um, uh, if it was or has been blocked, uh, uh, have been blocked from, from logging in again. Uh, and then when it comes to posts, it's, it's really, I mean it's, it's less, you know, like when a user published a post or modify to post, uh, change the category URL, order status, visibility dates, you know, if I did, if they added a custom posts, sorry, by the way, when I talk about posts, we're talking about any type of any page, custom post et. Um, it also monitors the custom fields in posts. So if someone adds a custom fields, removes a custom feed or modifies the title or the actual content of the custom field, and it also monitors the themes and plugins. So any theme install, uninstall deletion updates and changes in plugins, it will alert you as well. Uh, it, it's monetary widgets, the WordPress menus. So if you add the menu, remove menu, change the order of things in the menu or change any of the settings in the menu, uh, it will also keep a log of comments. Um, so basically if a user posts comments deleted the comment approved mark as spam etc, the WordPress I think so you have to think like the WordPress time zone, the admin email address, the fair Malik's and all these things. It keeps a log. So whenever someone does these changes as well, it's good to keep it all goes well.

17:43 And one of the user profiles, so they user changes the name. He may have Sarah name display name the passwords for users and just his roll or another user or he says the passwords if for another user it all, it's all reports it. And one thing which is really kind of really happy about, like something that sets us apart from all the rest from all the other activity logs is we also have a file integrity scanner. So basically if a file changes on the website, if a new file at that a file is deleted or changed on the website, it's real. It's real allergy when they're in the activity log as well. So you can see the activity log, for example, file Xyz that was added to your website or file index. Dot. PHP was modified. Um, the, the, the good, the good thing about it is it's not limited to WordPress. So basically any file the WordPress root. So even if you have like some custom software or custom plugin, whatever, if something is modified in those files, it's alert you. So it's not limited to WP is, it's just a file integrated scanner for all the files in your work.

18:49 Wow. That's absolutely fascinating. That wasn't one of my later questions is kind of handled outside of WordPress. That's really cool. Yeah, I'd like to get onto that in a, in a little bit so we can, so all of that sounds to me in effect, it monitors everything. Um, could be a good way to sum it up. That's going to be a bit overwhelming for me if I was to see all of that displayed. Um, presumably I can switch certain things on. So for example, um, you know, uh, I don't want to see about changing changes of widgets. I can turn that off and I don't want to see about it. Is, is it possible to filter that giant spreadsheet because even the most, um, even a site with not a lot of interaction on the backend probably is still going to be generating a huge amount of logs with page views and things like that. Um, is it possible to sort of filter down to these things? So show me, show me user things, show me widget things, show me amendments to content things. Can you do all of that? That

19:48 yes. Yes. First of all, I agree. Yes. To be honest, uh, until version three until early on this year, kind of like since version three, we started improving the plugin to make it kind of like more user friendly because the plugin, as I said originally, it was built from security point of view. And I always, it's a mistake I've done, but I always expected that anyone who is using the plugin is familiar with these things. Exactly. What's that big mistake. So, so basically, um, I understand that, what is that? Sometimes you install the plugin as you said, you're a hobbyist. You have someone who's a hobbyist, they installed the plugin. It's like Whoa, all of a sudden all this information and they uninstall it. That was something very common. So what we're doing, and I was a bit different, first of all, we really improving the plugin from the usability point of view.

20:35 We have when you saw the plug and we have a startup wizard that will tell you like we have two levels of luck. So let's see. We have the basic log level and the Geeks, the basic, um, doesn't support like all the, I would say under the hood activities like custom field changes, direct database changes, et cetera. And the geek of course is the fully blown. But apart from those two levers whenever you want. Um, if you see us a particular log event ids, if you don't want to be informed about if you just hovered the mouse over them and tidy, you get the option to disable that. So you're no longer that event about, I don't know for example you don't want no, every time I use user changes, his surname, you know you can disable those type of events. So in the future, whenever a user changes his surname, you don't get to the event though we have an entry in the settings and users can go in this entry it was called is able to events and they can literally skim through all the events there are enabled or disabled and that they like.

21:33 So if there are, I don't know, roughly I think about there are hundreds of different events. Users can see them all like user changes, name, user login and can enable or disable any of them. So which is good cause users. In fact, what I personally recommend, if someone is new, I was recommended disabled everything and only enabled like 10 or 20, like the most important for you, like a user login, user change the password, failed login, you know, like the most critical. And once you kind of like comfortable with that and you'd like to see more detail, then start that. Sometimes it's easier to switch off everything and start slowly rather than have everything. And sometimes like all those laws and trying to disable disabled one by one, it can become a bit. Yeah,

22:16 yeah. Start simple and, and, and work up. So presumably the, because because it's not a traditional security plugging in the sense that it's not a, it's not a web application firewall. It's not trying to block connections. It's not trying to figure out this Ip addresses malicious, just disallow it for 30 seconds or something like that. It's just trying to give you data on everything that's gone on in the backend. Um, now I guess that that requires a certain degree of manual interactions. Let's say each week, um, you go in and you, you troll through the logs, give it a certain amount of time. Is there a recommendation that you have for a typical website owners such as myself? Is there a recommendation of what, what the protocol is that you should set up, you know, a weekly quick scan, a monthly deep dive. Is there a, is there a suggested way of, of keeping on top of these logs and kind of purging them after a certain amount of time so that they're not using up space on your hard disk?

23:14 Yes, unfortunately in most cases, um, logs are kind of like an insurance. You only refer to them when you need them when something bad happens. I was like 15 years ago I was a systems engineer myself and one of the best practices for systems engineers which, unfortunately not to much to do. I didn't use to do it cause I don't have time. I didn't use to have them go through the logs and see if you can support something suspicious, you know, want to spend half an hour once a week or whatever and see if you can spot some suspicious. Um, but of course logs give you all the information you need if you know what you're looking for because if you don't know what we're looking for, we have like this long list of records like, okay, what does it mean to me? So, um, it's really the fence, the plugin is as such, it's, it's, it's quite bare I would say in terms of features.

24:06 Then of course you can add on the features and the premium edition. For example, once you get used to like what's the normal, what's users typically do on your website after a week or two, you can get an idea of like, okay, so typically there are these type of logins in the morning. Typically, there's, I don't like 20 posts and it's at a, you know, you, you need to kind of like start learning. Start learning, was is the big activity? And then of course once a week, if we can do the get half an hour, can see if you can spot something suspicious. How do you spot something suspicious? Um, every type of events or for example, a user login always has the same id id 1000 so whenever you see id 1000 that means there's a login. And of course everybody use your name, role, password, the Ip address from where the date, but 1000 means a login always.

24:56 Uh, so about 1000 and three for example. It means afraid, look at it. So whenever we see a 1003, you can just take a look. You know, again, it's, it's about learning about the behavior of your websites, learning a bit more, something a bit the logs and, and trying to understand the more, you still have those, the free edition is purely logging and we do not limit in any way the log. So the free edition is, is, is, is purely locks and you can see all the looks. Of course, there are tools which we can talk about faith in the premium edition, which kind of help you kind of make more sense and automate much more of these processes, you know, without having to, to look for the week.

25:33 Yeah. The, I guess it's one of those things where with the benefit of hindsight, if you, if your website regrettably has been hacked, it'll be, it'll be your constant regret that you didn't make your security logs your constant study or you know, you'll be thinking, I wish I'd spend the time every day looking through the logs because good Lord, it would have been what has saved me a load of effort on this end. That's kind of what, where my question was coming really, you know, is that the idea of going through it once a week, just a quick scan or something, and with the best will in the world, you're just not going to do it. And imagining that, you know, somebody's a typical WordPress website user of the however many millions of installs they are, they're not going to do this. So it sounds like the job for a kind of WordPress professional, somebody that's built the site maybe could take this on as a task, may be part of a care plan or something you could throw in.

26:25 Well we'll, we'll inspect your logs once a month for an extra little fee. That kind of thing might be, might be quite useful. Um, yeah, really, really interesting. Now the, although it doesn't sort of do sort of security detection, is there anything that it does do, so example to alert you that something is going on. Can you set up triggers? So for example, somebody is repeatedly logging in, getting this 1003 and it's failing. Does it, does it have anything to, to make you come back in and look through the logs? Something to force your hand a bit to, there's something fishy going on here. Please come and inspect the logs before it's too late.

27:06 Yup. Good question. In fact, that's kind of like, yeah, this is kind of like where we were, where I was going into the premium features. So when the premium features, quite a few, um, one of them, which is something which you mentioned already, like triggers and the, so basically you get one of the premium features, it's what's called email notifications. So you can literally build a trigger and say if there is a login. I don't know, after this time of the day or not from this Ip address, I can build like any type of criteria. Uh, and Dan sent me an email. So you can say like, if there is a login and it's not from user Robert and it's nuts from this IP and it's not, and it's after 5:30 PM, then send me an email. Because typically, you know, typically you know that maybe Robert Sometimes logs in after 5:30.

27:53 But if it's not Roberts, then just, it's not someone legit. So send me an email so we can build literally any type of triggers you can say, for example, because the plugin even keeps, uh, keeps a log of changes done direct to a database, a database. For example, if the plugin notices that some something to WordPress changed at table structure for example, or hazards in data directly to the table, it's will alert you as well. So you can create like these type of notifications which don't typically hope happen everyday. You know, like if a tabling database modified, send him an email because then it's something I should definitely worry about. Yeah. We also have a daily email notification. There's, so the premium edition you get a daily notification, which can be disabled as well. But most people leave. It's on a force. Like it gives you like a daily roundup, like how many log ins there were, um, how many failed logins there where and from which Ip addresses if there were any plugin changes, someone updates the the plugin, you know, like the most crucial things.

28:55 Yeah. What we also have reports, so for example, apart from generating the reports, you can configure the plugin to send you a daily, weekly, monthly or quarterly reports. So, for example, uh, you can configure a report to say, listen, send me a report of all the plugin installed. It's once every week. Maybe you have, I don't know, every active website of plugging intalls, uninstalls and changes. So once a week at least to get that report. So once we get the report you go quickly over it and say, okay, I approve this bug and I approve this plugin. I don't know about this plugin. So that raises a flag. So it's all these automations and triggers. At least you don't have to go and do that extra half an hour during the logs manually. And also by automating all of these, again it's something you can, you don't build overnight.

29:38 It's something you can always build up. Yeah, you get to to what type of logging there is, what type of user behavior we have on that website. And of course you build your own email alerts reports etc and of course hopefully within a few weeks or months you have kind of like a very stable system. Or if something hot, something out of place happens, something suspicious within an email alert or within a report, you can quickly say, listen, okay, that's wrong. You know, because imagine of course ideally should have like half an hour every week literally going into the login and say, okay, okay, no, no, but most people in real life, they don't have this thing. So I think if we get a weekly report of plugins and so as for example, or off database changes, you can quickly go through it and say, listen, okay, this is true. Just not true as I approve it.

30:26 And you can get every quick overview. Always kept up to date, especially with email alerts because emails, even if you're outside, everyone nowadays has an email. So yeah, that someone looked at tonight. No, not so much within it. You know, at least you got, you got and the future. We are so working rights now. In fact, we're also working on a some integrations and other stuff. So yeah, hopefully the idea is we keep the logs and we're trying to automate as much of that half an hour a week you should do for you. You know, we're just trying to keep you updated, bombarding you with information. We need to find that fine balance, right? Kind of like how much information

31:07 I suppose in a sense that's the, that's the goal that most people would be seeking for when they purchase a plugin. Like this is a kind of set it, configure it, forget it.

31:18 Yes. But unfortunately that,

31:20 so that's kind of not, not what, not what it's purpose is really is it, um, in a way. But if you can figure it cleverly enough, maybe it is.

31:28 Yeah. It's, it's a comprehensive solution and it depends also on your website. So, but yes, hopefully within a few months after learning about the behavior on your website and learning about the features on the website, you should find some sort of right balance maybe. And maybe at least only you need to check it, the plugin to meet once a month or every two months just to maybe edit trigger first. What's the whole picture should be coverage.

31:54 Now you mentioned earlier that it was able to, for example, um, check the contents of a, of a, of a post, say, um, does a lot of the settings are kind of binary, you know, somebody logged in or they didn't log in, somebody was using this administrator account or they weren't. Whereas the, the, the post content is a bit more difficult isn't it? Let's say somebody has decided to hydrate your website simply to deface it and put some links in. Is there a process where like you can carry out a diff, a differential, you can look at what it was and what it is so you can figure out, oh, there's the, there's the little line which shouldn't be there.

32:31 Yes. Um, in terms of content, when we talk specifically about content, WordPress has it's own built in system and we use that system. So basically when there is an actual content change, you, you get this event in the activity log and it says, Robert, it's changed the content of blog posts A click here to see differences. And once you click there, you can actually see at def of of the changes,

32:57 it's the normal, the normal WordPress stuff.

32:59 Yes, we were making it accessible. Yeah, we talked about within our own diff system because I'm a, WordPress doesn't have it for custom posts, although you can do it, kind of, you can enable this way, a few tweaks here and there. Um, but still at this stage we've never had so much demand for it. So I mean, because most of the people who use the posts and pages so, so, so far we might do it in the future. Yes. But we're still kind of like seeing how, how important is, but, um, apart from content, so yes, we do show a diff of content, but also apart from the typical user login. But whenever a user changes, just like a status of a post, the URL, um, can I take over east whatever. We always report the old and the new. So if you change the URL was x and now it's Y. The status was private and what's public as public, you know, we always report where it's, where it's even like the paramedics, the permalinks were category dash, post name, and now they're date dash category. So what we can, we always post the old and the new and that's again, that's what really kind of like sets us apart from,

34:06 I'm pretty sure. So going back to a thing that you mentioned a moment ago, the fact that it can scan through the coal WordPress files. So anything within route if you like. Um, how does it do that? In other words, is it looking in the WordPress repository and doing a diff on? There's what, there's what WordPress, the vanilla WordPress should be, here's what your WordPress is. Um, and config dot PHP has got this extra line in it that's a bit weird. And can it learn to ignore things? Like I've fiddled with my config dot PHP file. Just leave it alone. I'm happy with those changes. Don't keep alerting me that there's something different. How does it do that? Is it looking in the repo and, and whatnot?

34:50 No,

34:50 we, we don't look at the reef off. The simple reason that if I encountered, especially when dealing with bigger websites, a lot of people actually really customize WordPress. Yeah. So if you had to compare it to the report, you get a lot of alerts and false positives. Um, so we don't compare to the repo. What we do is this one, the first time you install the plugin department takes a snapshot. Perfect. Yep. And whatever change there is from the snapshot, then it's familiarity. You got, the thing is this, if, if, if it takes a snapshot today and later on today, you change the ads and new line in the WP conflict, for example, tomorrow it will alert you on the next scan would tell you, listen, we found this new line, but then there's the new snapshot. So if, if if did thereafter it's cancer again, there's, there are no further changes.

35:35 So it's kind like updates keep the latest snapshot, you know, because otherwise it would keep alerting, I you every time that the, um, the WP conflict photos was wonderful. Right? That's one of the reasons why we didn't use the word Drupal because, um, we've seen other solutions. Some of them work well, but you get a lot of the false false positives. Yes, I know about this change. I know bodies change. So we're keeping an image, especially if a user has customized their website, we can really say, okay, this is the image of your website and we're going to work on this one. So basically if there is a change between scans, it'll report this change, you'll file a deleted file or modified and it's not a, it's not restricted. It's actually kind of scan as long as it's under the root of WordPress. If you have even like a custom PHP script or whatever, uh, uh, it was kind of, it, it's fully configurable. So if you go to the plugin settings, you can exclude directories, you can exclude files, flies by extension, you know, do stuff.

36:40 Can I change the, the period of time in which it's scanning. So for example, if it creates a snapshot today and I'm, I'm, I'm on the week, it's the weekend, I'm not going to look. Um, and for at least two days. So that snapshot will now be the correct one. But it, you know, the attack took place Friday afternoon, I missed it, that one of my files got changed. But by Monday, what I'm going to be looking at it again, the snapshots now saying this is all legit. Could I say do this monthly, do this weekly or can I do weekly and monthly?

37:12 Yeah, it's so configurable. You can configure the frequency if it's daily, weekly or monthly, and you can configure it. So at the time I think, I'm not sure, but I think by default the Plugin Scans, I'm sure it's cans once a week, but I think it scans it on Sunday at its way or something like that. Um, but yeah, you got comfortable that you can say, listen, it's kind of daily and 8pm for this article for the, um, the, the thing is, it's when people do worry about performance, again, it depends on the size of the website, but by default most images and not executable files on a student from the scan. And those were typically, people have a lot of files. So you shouldn't worry. I'm going to just give you an idea. We've done some tests whenever a small server, a test server, it's not even a life saver. And on average, the plugin enough list to cans around 17,000 files and their own five seconds. So it's, it shouldn't be a big issue. Wow.

38:13 Impressive. What you can do these days, isn't it? How's it? One of the things that struck me when I was thinking about this was obviously it kind of feels a bit like an insurance policy. You know, you've got this log, something's gone wrong, you've spotted that there's an error. Um, maybe you can go in and clean it up yourself. Maybe you're going to hand it over to a third party service to fix it up, in which case the security log would be at Manna from heaven. They would love it. You're wow, great. Somebody bothered, we can find out what went wrong. Um, you know, easily as opposed to trying to figure out one file at a time. Um, but what if my site is taken offline? Um, they change every conceivable username and password, maybe even delete the thing. God help us. How on earth did we get to the log?

38:59 Good, very good question. Uh, I, I've seen cases where it's happened in the past. Um, the logs by default, our stored and two tables, in the WordPress database. So yes, if the website is hacked, uh, the chances of the locks being tempered over high or as you said, if they deleted the database, there are no locks. But in the, in the premium edition of the plugin, we have what we call the database too and integrations feature. So basically you have quite a few options. Um, you can, uh, you can configure the login to store the activity log and an external database which is not very pressed. So you can start the activity log on a different database on the same server or on the fringe database on a different server. So you're kind of like taking it far away, segregate, segregating it from. But apart from that you can also configure mirroring.

39:53 So Nice. Then when, when the logs, whenever the logs database is updated, there's also a Sys, lock the paper through it right now with also working on a slack integration. So yes, you can mirror your luck somewhere else. So basically if, if the database, the origin of the database where the, WordPress audit logs are stored is destroyed, then you always have, um, a mirror, which you can refer to. Ideally of course the mirror should be a different solution like slick sis log or even on an extended the database, you know, like what, it's not on the same server, if there WordPress server is, do you still have something which is intact?

40:33 So it, it mirrors just the tables that create this audit log. It's not remembering the WordPress database on maen. Just the just, so how do you then go about viewing those? Would you need to install a, you know, a typical WordPress user? Um, would they just install WordPress again and uh, you know, somewhere else and view those, download it from the, the mirrored site and so on?

40:59 Yes, at the moment, to be honest, there is no, we don't provide an, uh, an automated easy to use solution to be honest. And we are thinking of developing, sorry, as of utility that can help you automate that and, and, and uh, if, if that had to happen at the moment, all you have to do as in solid WordPress again, um, and important dialogues and the same representative base and once installed the plugin, you can actually read those logs. So the process a bit manuel. Yeah,

41:30 I guess, I guess, you know, if, if it's mission, um, and you really need that log, then being able to install WordPress and download into that, it's not that troublesome in my view. You know, if you need your website back, you're going to go through those hoops. But you're right. I think having some kind of um, viewing system that you can just look at the, the mirrored log, um, independently without having to set WordPress back up. That would be good. So I'm, I'm on www.wpsecurityauditlog.com and I've actually navigated over to the pricing page, which is forward slash pricing. And I noticed that you've got three offerings. You've got a starter offering, you've got a professional offering and you've got a business offering or with different prices and different options. Do you want to just quickly talk us through those?

42:16 Sure. This starter edition is basically only has to premium features, which are the email notifications and the search, which are quite frankly the most, he was full for most bloggers. Hobbyists are small businesses. Um, the professional edition is the full blown edition. We have email notifications, search report, the external database support, integration tools, and such. A management session management is something I didn't mention before. So basically once you install the premium edition, you can see in real time who is logged into your website and what is their last change that then they decided, yeah, and you can also control like simultaneous connections. That's something quite advanced. So yes, the professional edition is the full blown the business edition, which costs $40 more, um, as basically it's exactly the same as professional, but you get priority support. So typically, um, we support business edition people within two to three hours maximum.

43:21 Um, all of the other ambitions you will always get support. Um, typically we have quite a, a quick response response rates, but you are guaranteed a response within 24 hours and they end the business edition. You are guaranteed a response within four hours. So, okay. So especially if you have like we got to customers who are like in the finance industry, etc. Typically they go for the business. Of course it depends on the criticality of the website. But yeah, if you have finance industry and your website is your business, then off course it's something very critical. So if something, if you need some logs or something goes wrong, you know, you need, you need assistance asap.

43:58 I notice in the, um, I think it was the video that I saw on your website. I can't remember where I saw it, but I notice that you support multisite and um, and a few of the communities that I'm in, the whole multisite thing is kind of taking off again strangely. Um, I was wondering how the pricing worked for multisite. So for example, could you get away with a single site license on a multisite network?

44:21 Not there, not there enough. First of all. Yeah, we do support is completely, in fact, we also have events in the activity to look specifically for MultiSite. So if, if, if an ad's been, creates a site on the multi site that this report it, if a user is added or removed from a website, all of that is reported in terms of licensing. Ah, you have to buy a license which cover the number of, of MultiSites. So if you have a MultiSite with 50 sites, you have to buy after to that. The simple reason why we've done it, because we've been asked about this a couple of times. To be honest, it's is very simple. I think it's, it's to me, I think it's very unfair for someone who has one website to pay $99 and someone has a, MultiSite decide to 50 sites, which most probably if you have that amount of sites, it's something much more uh, successful I would say or something. It's only fair to pay a bit more also because typically if you have a MultiSite of 50 sites, you generate a bit more support. That's who has one. So I think it's only fair even for that user has one website that the other user base.

45:23 Yeah. Um, so the pricing page typically just shows up to 25 licenses per account here. Presumably there's a, there's a contact us now button for agencies. If they've got a requirement to go over 25, you can reach out and see what, see what's what

45:41 Correct yes. In fact we do have different pricing. So the, the, the um, the pricing page, as you said, it shows up to 25 sites. If you have an enterprise or an agency, there are like contact us now buttons, you can contact us and we can discuss different price in terms of pricing. We typically give a, we have a fairly good volume volume discounts.

46:00 Okay. That's all. Sounds great. I have asked all the questions that I wanted to ask, so as is typical at the end of the podcast, I'm going to hand it over to you. You got 'em however much time you want to tell us about where we can find you. Email addresses, Twitter handles, Facebook pages and all of that sort of stuff. So over to you.

46:19 Sure. Thank you very much. Um, so basically as you say, the um, the plugins website is www dot WP security audit log dot com and there you can also find the icons for the, uh, social media channels, which we have, which are basically it's Twitter, linkedin and Facebook. My Twitter handle is Robert Abela. Abela is my surname. Um, I'm also on Facebook and my email is robert @ wpsecurityauditlog.com. Great. Apart from the plugin. I'm also, I also have our website's called a WP white security .com? It's basically like the mother company. I would say like the mother company of the plugin because apart from WP security or the flock, we just launched a new plugin towards two months ago. It's a password policy plugin. If you have time, check it out and give us any feedback.

47:12 Yeah, cool. But very much in line with what you're doing here. You know it's all security related for sure.

47:17 Yes. In fact the, the blog on WP, white security is that vendor neutral blog where we write about security in general. So yes, even if you'd like to read something about WordPress security in general, you know like boss where it's logs or anything guys actually an eye patch management that Jethro, you can go to the WP white security block. Nice. Nice. Nice. Hey, thank you for coming on the podcast today. Much appreciate this and it's an interesting topic and not one. We definitely haven't talked on anything like this before. We've touched on security but not on this specific aspect. So my advice would be if you're, you know, if, if you've ever experienced a hack or your site going down for reasons unknown, something like this probably in your back pocket would have been really useful if you've never had it. You know, it's the reason you go out and buy car insurance. You, you don't want to have an accident. But when it happens, good lord, it's useful. Um, yeah, so you know, have, have a think, especially if you've just, if you've just got the one site, they've got licenses for that and as you, as you go up, you know, if you've got a business where you've got some critical websites, this might be very useful indeed.

48:22 So thank you. Thanks Robert for coming on and telling you to tell us, tell us telling couldn't speak. They're telling us all about it. Thank you. And Nathan, thank you very much.

48:32 Well, I hope you enjoyed that episode. It was a bit of an eyeopener for me recording that was all sorts of useful and interesting information in there about all sorts of things that I didn't really know about. I didn't understand quite how much security logging information could be done and also how it could prevent things from happening to you and I suppose if you've got an agency and you're dealing with many, many multiple sites, information like this could get you back up and running much more speedily and stop. You're wasting time trying to track down what the problem was. The WP builds podcast was sponsored today by WP&UP one in four of us will be directly affected by mental health related illness.

49:14 WP&UP supports and promotes positive mental health within the WordPress community. This is achieved through mentorship events, training and counseling. Please help enable WP&UP by visiting wpandup.org forward slash give and we thank WP&UP for sponsoring our podcast and keeping the lights on. Okay, that's it for today's episode. I hope you enjoyed it. I hope you'll come back next week. Next Thursday. Join us once more for the podcast. If not, we've got a weekly roundup of the news, which comes out on a Monday morning, and we've also started doing a weekly live roundup of the news with some notable people in the WordPress community that goes out in our Facebook group live. Usually it's going to be on a Monday, um, might not be on a Monday every week depending on schedules and things, but the idea is that it'll be around panel discussion about some of the things going on in the WordPress world for that week. Okay. That's it. I'm going to fade in some cheesy music and say bye bye for now.

Support WP Builds

We put out this content as often as we can, and we hope that you like! If you do and feel like keeping the WP Builds podcast going then...

Donate to WP Builds

Thank you!

Nathan Wrigley
Nathan Wrigley

Nathan writes posts and creates audio about WordPress on WP Builds and WP Tavern. He can also be found in the WP Builds Facebook group, and on Mastodon at wpbuilds.social. Feel free to donate to WP Builds to keep the lights on as well!

Articles: 884

Please leave a comment...

Filter Deals

Filter Deals


  • Plugin (23)
  • WordPress (13)
  • Lifetime Deal (5)
  • eCommerce (4)
  • SaaS (4)
  • Admin (3)
  • Hosting (2)
  • Other (2)
  • Security (2)
  • Theme (2)
  • Blocks (1)
  • Design (1)
  • Training (1)

% discounted

% discounted

Filter Deals

Filter Deals


  • WordPress (39)
  • Plugin (33)
  • Admin (30)
  • Content (18)
  • Design (11)
  • Blocks (6)
  • Maintenance (6)
  • Security (5)
  • Hosting (4)
  • Theme (3)
  • WooCommerce (3)
  • SaaS app (2)
  • Lifetime Deal (1)
  • Not WordPress (1)
  • Training (1)

% discounted

% discounted



WP Builds WordPress Podcast



WP Builds WordPress Podcast