On 25th of May 2018 the General Data Protection Regulation (GDPR) becomes enforceable across Europe and any business that deals with either a EU citizen or anyone who lives within the EU. In advance of the deadline, we have been getting our own systems and business processes in order. We’ve also taken the time to explain what you need to explain about the WP Security Audit Log plugin to your own site users.
Today we’re going to explain how the WP Security Audit Log plugin can become a vital part of your data protection toolkit, and can help you to document the technical and security measures that healthy compliance requires.
New responsibilities for web site administrators
When Europe’s first data protection rules were drawn up in 1995, web site administration was an obscure job for university IT departments. Now, in a world where anyone can have a business web site up and running in a day, we are all web site administrators – whether we realise it or not!
With great power, however, comes great responsibility. GDPR requires web site owners and administrators to become more attentive about the ways that their systems are set up, protected, and, unfortunately, misused.
Under GDPR, organisations collecting and processing data, whether that is the largest corporation or a one-man-band business, must ensure they create and document technical and security measures. A key aspect of this is monitoring and logging for security issues and attacks.
Tools like WP Security Audit Log can do this job for you.
The plugin logs the changes made by internal users to both content (including posts, pages, tags, categories, custom post types, comments, widgets, and menus), and functionality (user accounts, plugins, themes, databases, and universal settings.) If you use WooCommerce, BBPress, or Paid Membership Pro, the plugin also logs events and changes related to these services.
These events are logged in three categories of severity: Notice, Warning, and High. It’s easy to see how these categories span everything from harmless user actions which should nevertheless be logged all the way to active threats. You can configure email alerts for these actions; you may, for example, wish to be immediately alerted to High warnings such as a user deactivating a plugin. Here is a full list of actions which will be recorded by the plugin.
Preparing for data breaches
GDPR requires site administrators to prepare for data breaches, and to take preventive security measures to prevent them from taking place. A data breach does not just mean data which leaks to the outside; it can mean, for example, data being visible to staff members without the appropriate authorisation, or equally, the company giving excessive access to data that an employee does not explicitly require to see.
The sad truth about most data breaches is that not only are they preventable, they happen internally. Sometimes they are accidental, such as an employee using an insecure WiFi connection to access corporate data. Sometimes it is down to carelessness, for example, an intern’s login is left active after they leave the company. And sometimes, as we know, it is malicious: a disgruntled employee leaks data or disables a plugin.
In the event of a data breach, the WP Security Audit Log plugin will help you identify who was using the site at the exact time that a breach took place. It will also show you the IP address they were logged in from. This information will help to inform any internal investigation you do, and can also provide vital clues as to whether a breach was accidental, careless, or malicious. That WordPress audit log data will also provide the information that a regulator (such as the ICO) would require as part of their own inquiry; having that data to hand will show that you are serious about putting things right.
A WordPress Plugin for GDPR?
No plugin alone can provide you GDPR compliance. You need a collection of plugins instead and each of them will help address one aspect of your compliance journey. You can start by installing and activating the WP Security Audit Log plugin, which will provide you with a robust component of the security precautions you need to take as a responsible business WordPress website administrator.