Configuring the WordPress File Changes Warnings in the Activity Log

You are here:
Back

The WP Security Audit Log plugin has a WordPress file integrity scanner. The scanner is used to keep a record of file changes on a website in the WordPress activity log. The file integrity scans are not limited to WordPress core, plugins and theme files only. So you can get WordPress files changes warnings whenever any file, including non WordPress files are changed on your WordPress website.

The plugin uses three different event IDs to keep a lot of WordPress file changes in the activity log. These are:

  • Event ID 6029 – New file has been created on the website
  • Event ID 6028 – A file on the website has been modified
  • Event ID 6030 – A file was deleted from your website

Refer to the complete list of WordPress activity log event IDs for more information on all the WordPress website changes the WP Security Audit Log plugin can keep a log of.

This article explains how the WordPress website file changes scanning technology (also known as WordPress file integrity scanner) in the WP Security Audit Log plugin works and how you can can configure it.

Default file integrity checks & WordPress file changes warnings in the Activity Log

By default, the WordPress file changes scanner in the WP Security Audit Log plugin is configured to:

  • Scan the website or multisite network once a week, on Monday at 4:00AM.
  • Exclude files with the following extensions from the scan – png, jpg, jpeg, bmp, pdf, log, mo, po, mp3, wav, txt

Why are files with specific extensions excluded from the scan?

Media files are omitted from the default scan because even though some media file types can be tampered and injected with malware, considering the way WordPress works it is much easier for attackers to inject malware in PHP / JavaScript files, hence it is more important to scan those files.

Configuring the WordPress File Changes Scanner Settings

You can change the default configuration of the WordPress file integrity scans from the File Integrity Checks & Warnings tab in the plugin’s settings, as shown in the below screenshot.

Enabling or Disabling File WordPress Changes Scanning

The scanning of WordPress file changes can be enabled or disabled from the File Integrity Scan settings tab in the plugin settings. By default the option Keep a Log of File Changes is set to Yes.

Settings to enable or disable the WordPress file integrity scanner

Configuring which WordPress file changes to keep a log of

You can enable or disable any of the file changes events by clicking the Configure Events link of the Which file changes events do you want to keep a log of in the activity log? option. Once you click on it you are redirected to the file changes events section in the Enable / Disable Events as seen in the below screenshot.

Enabling and disabling WordPress file changes events

If you disable all the events the file changes scanner will be automatically disabled. If for example you disable event ID 6030, the plugin will keep a log when a file is added or modified on your website, but not when a file is deleted.

Click the Save button at the bottom of the settings page to save your changes.

Configuring the WordPress file changes scan schedule

Configuring the schedule for the WordPress file changes scans

These two settings allow you to configure how often and when the plugin runs the WordPress file integrity checks to check for file changes.

Use the Scan Frequency setting to specify how often a scan should run. The options are:

  • Daily
  • Weekly
  • Monthly

Use the Scan Time setting to specify when the scan should run. When configuring weekly or monthly scans you have to configure both the time the scan starts and also on which day it should run.

When you configure a new frequency and time, click the Save button at the bottom of the settings page to save your changes.

How often should you scan your WordPress website for file changes?

The WP Security Audit Log file integrity checker is well optimized and can run on any type of server – it can scan up to 21,000 files in just a minute on a low spec’d server. Though it also depends on how big your website is and how many resources you have available on the server.

Ideally you should run daily scans although weekly scans are good enough. Only do monthly scans if you have very limited available resources.

Configuring which WordPress directories to scan on a website

Select the directories to scan for file changes

Use the checkboxes in the Directories to scan setting to specify which directories should be scanned on your WordPress website and multisite network.

When the plugin is installed on a WordPress multisite network the plugin will automatically scan all the uploads directories of all the sites on the network. So if you have three sites, the plugin will also scan the content in the following directories:

/wp-content/uploads/sites/2/

/wp-content/uploads/sites/3/

/wp-content/uploads/sites/4/

If you do any changes to the directory selection setting, click the Save button at the bottom of the settings page to save your changes.

Configuring the maximum file size for the scanner

By default the plugin will not scan any file that is bigger than 5MB. If it encounters a file that is bigger than 5MB, it will exclude it from the scan and report event ID 6031 in the WordPress activity log. However you can configure the maxium file size from the File Size Limit setting shown in the below screenshot.

Configuring the maximum file size for the WordPress file integrity scanner

Excluding directories, files & file types from File Integrity (changes) Scan

Settings to exclude directories, files and files of specific type from the WordPress file integrity scan

You can exclude directories and files from a WordPress files integrity scan. Files can be excluded by their name or type.

If you have some custom code, or files in a specific directory that you do not want to scan, you can exclude all the files in that directory from the scan by excluding the directory. To exclude a directory and its path in the Exclude all files in these directories setting.

If you want to exclude a specific file from a scan add it to the Exclude These Files list. This setting does not support wildcards so an actual filename and its extension has to be specified for it to be excluded from a scan.

If you want to exclude files by their file type, for example Excel files (xls, xlsx etc), specify the extension of that file type in the Exclude File Types setting.

Click the Save button at the bottom of the settings page to save your changes.

WordPress file changes scanner protection limit

The scan engine will only scan up to one million (1,000,000) files during the WordPress file changes scan. If your website has more than one million files the plugin will report event ID 6032 in the activity log. This limit is to protect the plugin from going into an infinite loop and wasting server resources. If you get these alerts contact us for assistance.

Get WordPress File Changes Warning Emails

You can get notified via email when a file is added, modified or deleted from your WordPress website or multisite network with the WordPress email notifications feature. All you have to do is enable the built-in email notification and specify the email addresses which should be notified, as shown in the below screenshot.

WordPress file changes email notifications

You can also create a file change email notification by creating a trigger. Below is an example of the trigger that you can create to be notified whenever there is any type of file change on your website:

(EVENT ID = 6028) OR (EVENT ID = 6029) OR (EVENT ID = 6030)

Below is a screenshot of the configured email notification trigger:

A WordPress email notification for when files are changed on the website