Stream: A Black Box for WordPress Security

You’re searching your blog for spam for the fourth time in the last few days. Not only can’t you figure out how the spammer keeps getting in, you also can’t figure out what they’re trying to sell with the mangled English in their posts… hand bags? sports drinks? Something with too many consonants and not enough vowels?

If only your web site had some kind of “black box” so that you could find out what they’re doing to post the spam.

Figuring out what happened when something goes wrong is an important part of the security and operation of web-based services. While our top priority is to avoid break-ins, if someone does get in we really want to know how.

Airplanes carry black boxes to help us understand what went wrong when something catastrophic happens. Your WordPress-based web site can as well.

Simple History

WordPress security: Simple History

I used to recommend the Simple History plugin for WordPress – it keeps an easy-to-read record of interesting events on a WordPress site, recording events like logins, logouts, password resets, article revisions, plugin installations and activations.

“Simple History” isn’t a bad choice but it suffers from the same problems that airplane black boxes have – you may not be able to recover the black box to access the information it holds. Since “Simple History” is stored in the WordPress database it’s vulnerable to destruction – a cracker may intentionally or accidentally obliterate the history. (There is an add-on to “Simple History” which helps with this which I’ll cover in another post.)

Stream

The Stream plugin is very similar to “Simple History” – it records interesting events and provides a simple interface for browsing them. It also has the same vulnerability – its data may easily be altered or destroyed. Fortunately, “Stream” makes it easy to copy events off-site, and has two extensions which help with this.

Stream to Slack

If your team uses Slack, you’ll want to check out Stream to Slack. To use it:

  1. Create a dedicated logging channel on Slack

    WordPress security: Stream to Slack
  2. Get a Slack webhook to access that channel
  3. Install the “Stream” and “Stream to Slack” plugins
  4. Configure “Stream to Slack” to use the webhook

After this is done you should see interesting WordPress events logged to Slack, safe from tampering by intruders.

Stream to Papertrail

You can also log Stream events to Papertrail with the Stream to Papertrail plugin. Papertrail is an excellent “remote syslog” service. It even offers a free tier, so small organizations can use it at no cost.

WordPress security: Stream to Papertrail

To use it:

  1. Create a Papertrail account if you don’t already have one
  2. Install the “Stream” and “Stream to Papertrail” plugins
  3. Configure “Stream to Papertrail” to use the URL and port number for your Papertrail account.

After this is done you’ll see interesting WordPress events logged to Papertrail as JSON (“JavaScript Object Notation”), which is easy to read for both humans and programs.
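The general idea of off-site logging as an added example (not code from Stream, its extensions or Papertrail): one event is serialized as JSON and sent as a syslog datagram to a host outside the site. The host, port and event field names are placeholders constructed for illustration, and `wp_login` is WordPress's own login hook, not part of Stream's API.

```php
<?php
// Added example, not code from Stream or Papertrail. Field names are constructed.
const LOG_HOST = 'logs.example.com'; // placeholder: host from your log service
const LOG_PORT = 514;                // placeholder: port from your log service

// Build one RFC 5424 syslog line whose message body is the event as JSON.
function build_syslog_line(array $event, string $app = 'wordpress'): string
{
    $pri = 1 * 8 + 6; // facility "user" (1), severity "informational" (6)
    // json_encode escapes control characters, so a newline in an
    // attacker-controlled field cannot start a second, forged log line.
    $json = json_encode($event, JSON_UNESCAPED_SLASHES);
    if ($json === false) {
        $json = '{"error":"event could not be encoded"}';
    }
    $host = gethostname() ?: '-';
    return sprintf('<%d>1 %s %s %s - - - %s', $pri, gmdate('Y-m-d\TH:i:s\Z'), $host, $app, $json);
}

// Send the line as a single UDP datagram. UDP is unencrypted and gives no
// delivery acknowledgement; use a TLS syslog endpoint where one is offered.
function send_event(array $event, string $host = LOG_HOST, int $port = LOG_PORT): bool
{
    $sock = @fsockopen("udp://{$host}", $port, $errno, $errstr, 2);
    if ($sock === false) {
        return false; // never let a logging failure break the page request
    }
    $ok = fwrite($sock, build_syslog_line($event)) !== false;
    fclose($sock);
    return $ok;
}

if (function_exists('add_action')) {
    // Inside WordPress: ship every successful login off-site as it happens.
    add_action('wp_login', function ($login, $user) {
        send_event(['action' => 'login', 'user' => $login, 'ip' => $_SERVER['REMOTE_ADDR'] ?? '-']);
    }, 10, 2);
} else {
    // Stand-alone run with a constructed event; the embedded newline is deliberate.
    $event = ['action' => 'login', 'user' => "admin\n<14>1 forged", 'ip' => '203.0.113.7'];
    echo build_syslog_line($event), PHP_EOL;
    var_dump(send_event($event, '127.0.0.1', LOG_PORT));
}
```

Because the event leaves the server in the same request that produced it, a later wipe of the WordPress database cannot remove it from the remote log.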

Once “Stream” is reporting events to a service outside of your site, the record will be resilient against database corruption, server failure and break-ins, giving you the chance to gain some insight into what happened.

  • Hey and thanks for an interesting post.

    I’m the author of Simple History btw.

    I never actually thought much about this problem, I must admit. You mention the Developer loggers for Simple History, which actually have a “post to slack” function and a post to syslog-function (which.. err.. I’m not sure if it’s really working). Anyway, this is something I will think a bit more about and hopefully come up with a solution :) Haven’t used Papertrail, but I know about other similar solutions.

    • Hey, thanks for the reply and the excellent plugin!

      I’ve recommended Simple History for many sites :)

      I’m checking on the “post to slack” function and am planning on writing up another post dedicated to Simple History. Probably will be another couple of weeks. And if you make changes to Simple History I’ll be happy to mention them.

      If you want to check out Papertrail, you can create a free account there so it won’t cost anything. And the protocol for posting to it is very easy – here’s their page on posting from PHP:

      http://help.papertrailapp.com/kb/configuration/configuring-centralized-logging-from-php-apps/

      Thanks!
      – john
