Announcing The Wordfence Audit Log

Announcing The Wordfence Audit Log: Off-Site Real-Time Security Event Logging for WordPress

Today the Wordfence team is proud to announce an exciting new feature: The Wordfence Audit Log, included in the Wordfence 8.0 release. The audit log captures and stores security-related events on your website as they happen, and sends them securely to an off-site location to protect them from tampering, and to store them for your analysis.

Let’s dive straight into the details. The events we are logging are based on over a decade of forensic analysis on compromised WordPress websites and analysis of billions of attacks targeting WordPress.

Some of the events logged off-site by the Wordfence Audit Log:

  • User events:
    • New user registration
    • Two factor authentication activation or deactivation
    • Role changes
    • Edits to users including which field was changed
    • Successful login attempts
    • Password resets
    • Changes to role capabilities
  • Application passwords
    • We log if a user creates or deletes an application password and if the application password is authenticated
  • Plugin changes
    • Plugin installation
    • Plugin deletion
    • Plugin activation
    • Plugin updates
  • WordPress Core changes
    • WordPress Core updates or downgrades
  • Settings changes
    • Changes to the default role that users register as (a common pattern in malware)
    • Changes to registration being open or not
    • Changes to the site URL
    • Change to the admin email
  • Theme changes
    • Installing, updating or deleting a theme
    • Customizing a theme

If a security incident happens, it is a powerful advantage to have a full history of exactly what happened, when it happened, and who was involved. And with the Wordfence Audit Log, that history cannot be tampered with by attackers.

The Wordfence Audit Log gives you full visibility into how your website is being used and changed by all users, plugins, and themes, and it’s presented in a simple and easy-to-use display in Wordfence Central.

If you are a user of Wordfence Free, you will have access to preview mode – a handy overview of some of the most recent security events on your site. If you want to unlock the full capabilities of the audit log, you can upgrade to Wordfence Premium, Wordfence Care, or Wordfence Response to track as many security events on your site as you would like for up to 30 Days (Premium) , 60 Days (Care) or 90 days (Response).

Upgrade To Wordfence Premium, Care, or Response to enjoy the full power of the audit log today to take your security visibility to a whole new level.


Audit Log Preview

Upgrade Your Plan To Get Started With The Full Wordfence Audit Log Experience


What You’ll Get When You Enable The Audit Log

We’ve built the Wordfence audit log after over a decade of experience combating billions of cybersecurity attacks on WordPress websites, and analyzing more real-world security threats and actual attacks than anyone in the WordPress security community.

The Wordfence security team has hand-picked the most relevant events happening on your website behind the scenes that every site administrator should be aware of, and which could indicate a potential security risk.

Audit Log Preview Mode

Audit Log Preview Mode


Those events are stored securely off-site in Wordfence Central to protect against hackers who would compromise access to your website. Even if your site is compromised, an attacker cannot modify the audit log, stored safely on our servers. This gives you a forensic evidence trail showing exactly what happened.

This log is so effective that we enable the feature by default for our Wordfence Care and Response customers so that our own security analysts have that data in the event of an incident, to provide a more effective and faster response.


Getting Started with the Wordfence Audit Log

Find The New “Audit Log” Menu Item In The Wordfence Plugin Menu Or Dashboard

Setting up the audit log on your site is easy.

The fastest way to get started with the audit log is to log into your WordPress website and find a link in the Wordfence plugin menu called “Audit Log”.

Audit Log Menu Item


Open The “Audit Log” Tab Of The Wordfence Dashboard

Once you click on the Audit Log link, you’ll see a new dashboard under the “Audit Log” tab focused on configuring and customizing the audit log experience.

  • If your website is using Wordfence Free – you will have access to “Preview” mode by default. This will show you summaries of some important events on the site. Upgrade to one of our premium plans to enable the full features of the audit log. 
  • If your website has Wordfence Premium enabled, you already have access to the full features of the audit log, and it will be set to “Preview” mode by default. 
  • If you are using Wordfence Care or Wordfence Response the full audit log features will be enabled by default. 

 

Wordfence Audit Log Tab

Wordfence Audit Log Tab


Connect to Wordfence Central

Connect your WordPress site to Wordfence Central.

This can be done from the Audit Log page on the Wordfence dashboard.

Wordfence Central is a totally free service for Wordfence users with any license type that allows you to manage security for all your Wordfence-enabled websites from one central location, and streamline your security operations with templates.

You can easily connect your site to Wordfence Central from the audit log tab in your Wordfence dashboard.

Note: If you are a Wordfence Free user, you can connect your site to Central as always, but the audit log will not upload events on your site to Central unless you have a Premium, Care, or Response license for that site.

Connect To Wordfence Central

Connect Your Website To Wordfence Central

Connect Your Website To Wordfence Central


Choose Your Logging Mode: 

In the plugin settings, go to the Audit Log section and select how much detail you want to capture.

You can log “Significant Events” or “All Events”.

Wordfence Audit Log Logging Mode

Choose Your Logging Mode Preference

There are four possible modes for the audit log:

  • Disabled: Disables the audit log, including the preview of recent events.
  • Preview: Events will not be sent to the log on Wordfence Central. Only a limited list of events will appear in the Recent Event Summary table at the bottom of the page, but details such as IP addresses, users, and post IDs are not saved.
  • Significant Events: This includes events related to users, settings, plugins, updates, logins, and more.
  • All Events: This includes all “significant events”, plus more content-focused events such as editing or deleting posts, adding attachments, or sending email. These event records do not include the content itself, but rather metadata and which user made the change. Similarly, email content and recipients are not stored, but subject lines and the number of recipients and number of attachments are recorded.

The “Significant Events” option is recommended for most sites, since logging all events may record a large number of events on some sites.

Be aware that content-related events recorded with the “All Events” option can include custom post types from some plugins, including forum plugins, which may log an event for every new forum post and reply.


That’s it. The Audit Log Is Now Monitoring Your Site For Suspicious Activity

Save your settings.

The Wordfence Audit Log starts recording and sends data securely off-site to Wordfence Central.

Wordfence Audit Log Preview Mode

Wordfence Audit Log Preview Mode

 

Wordfence Audit Log Wordfence Central Dashboard

The Wordfence Audit Log In Wordfence Central

Viewing your log is simple. The links to audit log events in the Wordfence plugin take you to Wordfence Central, where your security audit log is kept off your server, and kept safe from potential attackers.

From here you can filter through the collected data to find the information that may apply to a forensic investigation, or simply understanding what is changing on your site.


The Wordfence Audit Log Helps Protect Your Website, Your Users, and Your Data From Security Breaches

The Wordfence Audit Log not only allows you to proactively monitor your sites for suspicious activity, but it also tells the full story of exactly what happens on your WordPress website, with incredible detail.

In cybersecurity, we call this process of collecting and investigating evidence “digital forensics” and it is essential to recovering from, understanding, and preventing future cyber attacks.

The Wordfence Audit Log provides a clear forensic path to trace events that may include unauthorized access or accounts exceeding the level of access they’ve been given.

Whether you have a small blog, an e-commerce store, or run an agency serving hundreds of clients, the Wordfence Audit Log adds a powerful new layer to your security posture, helping to keep your WordPress investment safe from attackers.


 

Did you enjoy this post? Share it!

Comments

No Comments