If you chose to build your site on WordPress, you likely did your research and know it’s a secure, well-developed CMS. But nothing is perfect. No matter how hard WordPress developers work to keep the platform secure, there’s a lot that is out of their control.
Before we dive into the specifics of OWASP A09 – where is some of that control lost?
Mainly via plugins and or themes that may have been secure at one point, but for whatever reason they’re no longer developed, and some were poorly coded in the first place. Whatever the reason, Colorlib estimates that about 13,000 WordPress sites got hacked every day—in 2021—and 92.81% of them came through plugins while 6.61% came via themes. A tiny 0.58% came via core files.
One more interesting stat. Again, as of 2021, 42% of all WordPress sites had at least one vulnerable component installed.
The OWASP Foundation
Chances of your WordPress site getting hacked are high but fortunately, administrators aren’t left in the dark.
The OWASP Foundation has a mission to improve software security. It comprises tens of thousands of global members who have developed the OWASP Top 10, the 10 most critical security risks to web applications.
The most recent list is from 2021, and a few highlights—especially important to WordPress sites—are:
Let’s dig a little deeper into one of those.
OWASP A09:2021 – Security Logging and Monitoring Failures
Breaking down OWASP A09-2021.
First of all, this category was previously called Insufficient Logging & Monitoring. Now renamed, it’s also moved from the 10th position in the Top 10 to #9 in 2021. Hence the name OWASP A09.
Back in 2017, the date of the previous list, the category didn’t include the additional types of failures it does today. The team also states that security and logging failures impact incident alerting and forensics.
Do you know what else impacts alerting? Failing to log and monitor at all.
So the problem OWASP is identifying is, in part, the need for creating and maintaining event logs—also called audits. Without this functionality, errors and hacks could go unnoticed, with catastrophic consequences to your site.
So what does this vulnerability cover? Potentially, any or all of the following:
- No log of either single or multiple failed login attempts
- No log of successful logins
- No backup of logs
- Improper or incoherent logs that make sourcing valuable information difficult, if not impossible
- Monitors that don’t detect suspicious activity or provide alert notifications when they do
- Unprotected logs
Logging and monitoring need to be prioritized as essential components of your WordPress site. Logging and analysis ensure that all suspicious activity is detected in near real-time.
The absence of sufficient records can—and most likely will—lead to slower incident responses which will only compound the potential damage of a breach.
The bad news is that this has made it into the top 10 because the lack of logging and monitoring is a common issue. And unfortunately, it often doesn’t come to the attention of an administrator until they are facing an incident and unable to diagnose it.
So what can you do? Pay attention to the warning! The OWASP Top 10 is provided to generate awareness of security risks. The issue OWASP A09 describes, the lack of logging and monitoring, is a widespread problem, but there’s a fairly easy fix for your WordPress site.
Install a WordPress Plugin to Log and Monitor Your Site
Fortunately, there are a variety of WordPress plugins to track and log all user activity on your site. They can provide you with a variety of functionality, including the following.
WordPress sites have the capability of creating and managing multiple user accounts. And they also often involve collaborations and interactions with a team or teams of users.
Event logging and monitoring provides administrators with detailed records of all user activity, meaning they can monitor changes made to the site’s content, settings, or themes. And while the primary objective is a security focus—looking for unauthorized actions or changes that signify malicious intent—this level of oversight ensures accountability amongst users.
An additional benefit is that administrators can act quickly to mitigate risks associated with user errors or deliberate unauthorized modifications.
So what kind of data is tracked and monitored? Expanding a bit on the mention above about your site’s content, settings, or themes, the following is a list of some of the changes logged.
Within content. Since content is often dynamic, it’s not unusual to have users busy updating, so a logger will keep track of:
- New pages, posts, media, and comments
- Changes to any of the above
- When any of the above content is deleted
- Changes to taxonomy, including categories, tags, and more
Login attempts. Legitimate logins will be tracked along with suspicious. Including:
- Individual user accounts that attempt to log in from multiple IPs
- A high number of failed login attempts using unique usernames and passwords, but all coming from the same IP address
- Multiple failed logins that come from the same IP address in a short period of time
Changes to Core Files and Plugins. At this level, additions and changes will be done by users with administrator access, however, they’re still logged. These changes include:
- Manual or automatic updates
- Any changes to settings and status on comments and permalinks
- Modifications to themes and settings
As mentioned above, sometimes user errors are an issue. These are innocent mistakes that have the potential to cause problems.
Issues that arise could include but are not limited to plugin conflicts or coding errors. So an event logging plugin is a valuable troubleshooting tool.
With the help of captured data that includes…
- The type, time, and date of the event
- The user and IP address
- Where the action took place
…administrators can analyze and track user activity and identify the root causes of issues more efficiently and can reach a resolution quicker.
Wouldn’t it be nice if more websites added security logging and monitoring as another layer of security? In that case, security logging and monitoring failures might drop off of the OWASP Top 10 list entirely.
If reading this article on OWASP A09:2021 has convinced you that you need to start monitoring user activity on your own WordPress website, why not check out WP Admin Audit? It’s a powerful monitoring plugin that has the ability to do everything mentioned above and more.