
Interview with Robert Abela > WP Security Audit Log plugin


WhatIsMyIPAddress.com founder Chris Parker talks with WP Security Audit Log plugin author Robert Abela about the importance of audit logging on WordPress sites.

Robert Abela is the founder and CEO of the WP Security Audit Log plugin. He is based in the EU and has more than two decades of experience in systems engineering and security. After working for companies such as GFI Software and Acunetix, Robert spent some years helping software startups grow their products and markets. When time allows, Robert writes about WordPress security on his blog WP White Security.

CHRIS: What are the most missed security practices for WordPress?

ROBERT: There are two types of WordPress users - those who have a website but do not have any knowledge of what it takes to manage a website, and experienced systems administrators. So you have two extremes, mainly because WordPress is very easy to use, so people with no prior experience can set up a website within minutes.

The former typically do nothing in terms of security. They miss the most basic security practices, such as using strong passwords and keeping software up to date. In fact, weak passwords and outdated software (plugins and WordPress core mostly) are the main reason behind the majority of WordPress hacks.

Those who know about WordPress security typically implement a solution for hardening and protection, but very few implement a WordPress activity log solution. Audit logs are relatively new in the WordPress ecosystem.


CHRIS: What is the difference between security plugins and audit logging?

ROBERT: The typical WordPress security plugins protect and harden your WordPress website installation. An audit log plugin keeps a record of all the changes that happen on your WordPress website. It is important to run both a WordPress activity log plugin and a security one because they complement each other.

CHRIS: Why is audit logging important?

ROBERT: WordPress security is a continuous process based on four principles and not a one-time fix. The principles are harden > monitor > test > improve and then repeat. So WordPress administrators should:

  1. harden their WordPress website,
  2. keep an eye on what users are doing, how the website is working and what type of attacks it is being targeted with,
  3. test the hardening,
  4. improve the security based on what they learnt from steps 2 and 3.

It is a continuous process because there is no perfect WordPress security solution and hack attacks are continuously evolving. As a matter of fact, even the big corporations have had their share of bypasses and hacks. Imagine having a high-security building without CCTV. You cannot know if someone is trying to break in or out, or if someone is already inside and trying to tamper with the systems, unless you notice something that is broken.

Hence it is critical to also keep a record of what is happening on your WordPress website in an audit log. The benefits of keeping an audit log are many, such as:

  1. Identify suspicious behaviour and potential WordPress hack attacks early, thus giving you the chance to take all the necessary actions to thwart them,
  2. Ease WordPress troubleshooting - trying to troubleshoot a problem on a WordPress website without any type of logs is guesswork. If you have a record of what happened you can get to the source of the problem much faster,
  3. Keep track of users' activity and their productivity,
  4. If your website is a business / e-commerce website, ensure it meets today's strict regulatory compliance rules businesses have to adhere to.

CHRIS: What are the current options users have for keeping activity logs on a WordPress website?

ROBERT: There are quite a few WordPress activity log plugins nowadays, though the majority of them are not built with security in mind and do not have a lot of functionality apart from the logging capabilities. Also, they do not have good coverage and the activity log is not detailed. There is nothing wrong with them. They might be the ideal solution for a small three-user WordPress website.

Though if you have a business and need a comprehensive and reliable WordPress activity log solution, our plugin WP Security Audit Log is by far the leading solution on the market, thanks to our experience in the security and systems engineering industries.

In the past there have also been online services but they failed. I am not surprised they failed. Audit logs contain very sensitive and confidential data, so no business would want to share that, especially nowadays with GDPR and other strict regulatory compliance requirements.

CHRIS: What makes WP Security Audit Log stand out from others?

ROBERT: There are quite a few things that make the WP Security Audit Log plugin unique:

The comprehensive audit log

The WP Security Audit Log plugin has the most comprehensive WordPress activity log / audit log. For example when a user makes a change in a blog post or a user profile, all of the other plugins just report that "a post was changed" or "a user profile was changed". The WP Security Audit Log plugin keeps a record of what changed, for example it will report if the post URL, date, category, content, status, custom fields or any other object was changed. The same applies for user profiles - it will report if the role, email, first or last name, password or anything else was changed in the WordPress activity log.

A complete WordPress activity log solution

The WP Security Audit Log plugin is a complete WordPress activity log plugin solution. Some of the other plugins might offer a feature such as email alerts for free, or search, but the features are very limited.

There is no other WordPress activity log plugin that is as complete as WP Security Audit Log. It has a full-blown reports module, configurable email notifications, text-based search & filters, user sessions management, and archiving, mirroring and integration options for the activity log. So if you have a business website and are looking for a solid logging solution, WP Security Audit Log is the only plugin that meets your requirements.

World-Class Support

Support for free plugins is only available via forums, and response time is very slow. Some of the plugins have tickets that have been open for years, most probably not being maintained anymore. In a way I understand why this happens - such projects are maintained as a hobby / side project, and the developers do not always have time and resources to maintain the project because they need to focus on their full time job. Rightly so.

In our case, the premium edition of the WP Security Audit Log plugin allows us to run a proper support team, so you are guaranteed great support, even when using the free version. In fact, the majority of our plugin's ratings highlight how good the support was.

So basically we are focusing on providing a complete solution and service, not just a simple WordPress plugin.

CHRIS: With all the news about GDPR, how does that factor into logging and what needs to be done to stay compliant with GDPR?

ROBERT: Good thing you are asking about GDPR, because there is a lot of misunderstanding about it, which is what always happens when new compliance regulations are launched.

One of the requirements for GDPR is to know what your users or employees are doing, and who is accessing the data and what data. So WordPress activity logs should be part of your GDPR toolkit. The WP Security Audit Log plugin enables you to keep a record of, and know who is accessing which pages or records etc.

To help users we have written a post explaining how the WP Security Audit Log plugin can be used on GDPR compliant websites.

CHRIS: What three other WordPress plugins are a must have?

ROBERT: Apart from an audit log plugin I think every WordPress website should have the following plugins:

Backup plugin / service - there are many plugins available, some of which allow you to back up your website to your own cloud. Others have a centralized solution or connect you to an online service. Whatever you use, make sure your data can be recovered. So from time to time download your backups and do a test restore on a staging server.

Security plugin / service - similar to backup options, there are many different services and plugins available on the market. None of them are perfect (like any other solution) but the majority of them do a very good job at protecting your WordPress website.

Two-factor authentication plugin - if your security service / plugin does not have 2FA, install a plugin to harden your WordPress login. There are many good and free 2FA plugins. If you do not know where to start, read my best two-factor authentication plugins for WordPress post. All plugins featured in the post are free.

CHRIS: Where can people go to learn more about the WP Security Audit Log plugin?

ROBERT: The best place is the WP Security Audit Log website. We also have a knowledge base for users who'd like to learn more about the plugin and WordPress activity logs in general. The plugin can be downloaded for free from the WordPress plugins repository.

CHRIS: Why did you choose to use WhatIsMyIPAddress.com for your IP address lookup?

ROBERT: There are quite a few reasons why we chose to work with them. Just to mention a few:

  • They are a genuine business. This was very important for us because we always look for partners who have the same values as us and invest and make an effort to provide a superior service.
  • They could show our plugin users more information on an IP address, which is exactly what we needed.
  • They report the IP address lookup in detail including a map, the ISP, region and other information.
  • It is a security focused website and not just a website that shows you an IP address. In fact they also have a lot of good articles from where one can learn more about staying safe online.
  • They have a variety of IP tools which are helpful for most of our plugin users.
  • They host a free forum where people can ask questions and discuss issues related to IP addresses.