Stream: A Black Box for WordPress Security

You’re searching your blog for spam for the fourth time in the last few days. Not only can’t you figure out how the spammer keeps getting in, you also can’t figure out what they’re trying to sell with the mangled English in their posts… hand bags? sports drinks? Something with too many consonants and not enough vowels?

If only your web site had some kind of “black box” so that you could find out what they’re doing to post the spam. Figuring out what happened when something goes wrong is an important part of security and operations of web-based services. While our top priority is to avoid break-ins, if someone does get in we really want to know how.

Airplanes carry black boxes to help us understand what went wrong when something catastrophic happens. Your WordPress-based web site can as well.

Simple History

I used to recommend the Simple History plugin for WordPress - it keeps an easy-to-read record of interesting events on a WordPress site, recording events like logins, log outs, password resets, article revisions, plugin installations and activations.

“Simple History” isn’t a bad choice but it suffers from the same problem that airplane black boxes have - you may not be able to recover the black box to access the information it holds. Since “Simple History” is stored in the WordPress database it’s vulnerable to destruction - a cracker may intentionally or accidentally obliterate the history. (There is an add-on to “Simple History” which helps with this, which I’ll cover in another post.)

Stream

The Stream plugin is very similar to “Simple History” - it records interesting events and provides a simple interface for browsing them. It also has the same vulnerability - its data may easily be altered or destroyed. Fortunately, “Stream” makes it easy to copy events off-site, and has two extensions which help with this.

Stream to Slack

If your team uses Slack, you’ll want to check out Stream to Slack. To use it:

  1. Create a dedicated logging channel on Slack
  2. Get a Slack webhook to access that channel
  3. Install the "Stream" and "Stream to Slack" plugins
  4. Configure "Stream to Slack" to use the webhook

After this is done you should see interesting WordPress events logged to Slack, safe from tampering by intruders.

Stream to Papertrail

You can also log Stream events to Papertrail with the Stream to Papertrail plugin. Papertrail is an excellent “remote syslog” service. It even offers a free tier, so small organizations can use it at no cost.

To use it:

  1. Create a Papertrail account if you don't already have one
  2. Install the "Stream" and "Stream to Papertrail" plugins
  3. Configure "Stream to Papertrail" to use the URL and port number for your Papertrail account.

After this is done you’ll see interesting WordPress events logged to Papertrail as JSON (“JavaScript Object Notation”), which is easy to read for both humans and programs.
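Because the events arrive as JSON, a short script can sift an exported log for the entries worth looking at first. This is an added example, not code from the Stream or Papertrail plugins; the sample lines are constructed, and the field names (created, user_id, ip, connector, action, summary) and connector/action values are assumptions to check against your own log lines.

```python
import json
from collections import defaultdict

# Constructed sample: syslog-style prefix, then the event as JSON. The field
# names and connector/action values are assumptions, not taken from the post.
SAMPLE_LINES = [
    'Jan 15 09:14:02 blog wp: {"created": "2024-01-15 09:14:02", "user_id": 1, "ip": "198.51.100.7", "connector": "users", "action": "login", "summary": "alice logged in"}',
    'Jan 15 09:20:41 blog wp: {"created": "2024-01-15 09:20:41", "user_id": 1, "ip": "198.51.100.7", "connector": "posts", "action": "updated", "summary": "post updated"}',
    'Jan 16 03:02:10 blog wp: {"created": "2024-01-16 03:02:10", "user_id": 1, "ip": "203.0.113.45", "connector": "users", "action": "login", "summary": "alice logged in"}',
    'Jan 16 03:05:57 blog wp: {"created": "2024-01-16 03:05:57", "user_id": 1, "ip": "203.0.113.45", "connector": "installer", "action": "activated", "summary": "plugin activated"}',
    'Jan 16 03:06:30 blog wp: {"created": "2024-01-16 03:06:30", "user_',  # truncated
]

# (connector, action) pairs worth a second look when tracing a break-in.
WATCHED = {("installer", "installed"), ("installer", "activated"), ("users", "created")}


def parse_line(line):
    """Return the JSON object carried by one log line, or None."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def triage(lines):
    """Return (flagged events with reasons, number of unparseable lines)."""
    seen_ips = defaultdict(set)  # user_id -> IPs already seen for that user
    flagged, skipped = [], 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1  # count these: gaps in the record matter too
            continue
        user, ip = event.get("user_id"), event.get("ip")
        reasons = []
        if (event.get("connector"), event.get("action")) in WATCHED:
            reasons.append("watched action")
        if seen_ips[user] and ip not in seen_ips[user]:
            reasons.append("new IP for user")
        seen_ips[user].add(ip)
        if reasons:
            flagged.append((event.get("created"), event.get("summary"), reasons))
    return flagged, skipped
```

On the sample it flags the login from a second IP address and the plugin activation that follows it, and counts the truncated line as unparseable.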

Once “Stream” is reporting events to a service outside of your site, the record will be resilient against database corruption, server failure and break-ins, giving you the chance to gain some insight into what happened.
