Change Reporting for WordPress With Enhanced Activity Logging

Perhaps the hardest part of keeping a WordPress site secure is knowing exactly what is happening on it.

Without any sort of activity logging, a WordPress site is a black box and there are few ways to know what’s happening, or what might have happened.

Without activity logging, the only way to get a sense of what’s happened, is to look at the current state of the site and try to work backwards from there.

We recently wrote about how to perform a WordPress Security Audit and why it’s so important. This inspired us to take a fresh look at how easy Shield Security makes this for our members.

And to be honest, we found gaps and places in much need of improvement.

In this article we’ll talk about some of what we found and outline how we’ve made improvements to Shield in our upcoming release.

Shield Lacked Activity Logging In Certain Areas

When we first built Shield, we recognised that being able to clearly see what has happened on a site is critical to understanding the current state of the site.

But in our review we discovered that there were some areas that we just couldn’t see clearly enough. And there were a number of reasons of that, some of which were:

• The Activity Log is one of Shield’s oldest features. Tracking for certain events wasn’t added because the WordPress API didn’t allow for it at the time.
• Setting up reliable logging for events is a large body of work, so decisions are made to balance what to track vs investment required to track it
• Certain things can never be tracked directly from within WordPress (we’ll get to that later)

With our upcoming release, we’ve done a lot of work to ensure Shield shines a brighter light into these darker areas of WordPress activity.

To illustrate this, the list below outlines the newly added activity logging for many events on WordPress sites:

WordPress Core

• Site title updated
• Site tagline updated
• Site home URL updated
• Site WP URL updated
• Site admin email address updated
• Site option “Anyone can register” updated
• Site option “Default User Role” updated

Users

• User promoted to administrator
• User demoted from administrator
• User email address updated
• User password updated
• User roles updated

Post & Pages

• New Page/Post created
• Page/Post content updated
• Page/Post title updated
• Page/Post slug updated

Database

• DB tables added
• DB tables removed

Plugins

• Plugin manually installed (e.g. via FTP)
• Plugin manually upgraded (e.g. via FTP)
• Plugin uninstalled
• Plugin manually uninstalled (e.g. via FTP)
• Plugin manually downgraded (e.g. via FTP)

Themes

• Theme manually installed (e.g. via FTP)
• Theme manually upgraded (e.g. via FTP)
• Theme uninstalled
• Theme manually uninstalled (e.g. via FTP)
• Theme manually downgraded (e.g. via FTP)

Comments

• Comment created
• Comment deleted
• Comment status updated

NEW: Activity Logging That Captures Changes Made Outside Of WordPress

To-date Shield’s Activity Logging features has relied soley on the native WordPress API to track changes on a site. For any developers, this means hooking into WordPress’ array for action hooks and filters.

If you’re not familiar with this, you can think of it like an “events” system built directly into WordPress, that allow plugins like Shield to integrate.

For example, imagine you activate a plugin. WordPress will perform the task and then fire out an announcment to say “To anyone listening, plugin XYZ has just been activated“.

Developers can “listen” for those events and take any actions it needs to. Shield will write an entry to the Activity Log to say “Plugin XYZ was activated by Jim, at 3:05pm“, for example.

This is the standard approach to WordPress activity logging.

But many things can happen on a WordPress site without loading WordPress itself.

This can cause a problem for activity logging, since if WordPress isn’t running, then WordPress won’t fire an event, and Shield won’t create the activity log for what happened.

So what sort of WordPress-related activity am I referring to here? There are many possibilities, and here are some of them:

• Activating or Deactivating a plugin directly via the WordPress Database
• Installing plugins/themes via FTP (or similar, e.g. cPanel File Manager)
• Deleting plugins/themes via FTP (or simlar)
• Deleting/creating WordPress database tables using a database manager
• Updating WordPress database records using a database manager
• Creating/deleting/updating users directly on the database using a database manager

The most critical of these are the final few which involve directly accessing the WordPress database and making modifications without WordPress itself “knowing” about it.

Sometimes there is legitimate reason to do this, particularly if something has gone wrong and you’re making repairs.

However, there are more nefarious cases where malicious changes can be made. This might happen if a site has been hacked and a backdoor has been added that provides direct access to the site and the database.

Some time ago there was a vulnerability in the Elementor platform that allowed certain users to make changes directly to the database. Since it bypassed the WordPress load, there’s no way you could have known that this had happened unless you were checking all your WordPress settings.

So what does all this mean and how does it help with your WordPress security?

New: Shield’s Change Report Feature

As I mentioned earlier, having a clear view what exactly is happening on a site is crucial to keeping a site secure. The more we can see, the more we know, and the sooner we can take action to correct issues.

To make this easier, we’re introducing Shield’s first major reporting feature: Change Reporting

A WordPress Change Report does 1 job – it displays an easy-to-read report on all changes made to a WordPress site between 2 specific dates. The changes are broken up into “Zones”, namely:

• WordPress
• Plugins
• Themes
• Users
• Posts
• Pages
• Database
• Comments

We will add more zones in the future, and even provide support for integrating with popular platforms, such as WooCommerce and Yoast SEO.

How Does The Change Report Differ To The Activity Log?

The purpose of the activity log is to be able to view all the details of activity on the site.

If you want to dig into the activity from a specific IP address, or instances of particular events and see who did what and when, then the activity log is the tool to use.

If you want to see what has “changed” on a site, the Change Report is what you need. It’ll not tell you when a user logged-in, but it’ll tell you that they changed their password, updated their email address, or were promoted to administrator.

How Can You Get Access To Shield’s Change Report Feature?

The Change Report feature and all the new activity logging features will be available with ShieldPRO 18.2, due for release in a couple of weeks.

Questions or Suggestions?

As always, we encourage our members to offer feedback and new and changing features. We’d love to hear what you think and whether you feel you’d find all these additions useful.