Building a WordPress Intrusion Detection System (IDS)

Identify suspicious hacker activity on your WordPress at an early stage with an Intrusion Detection System

What is an Intrusion Detection System?

An Intrusion Detection System is software that monitors a host, in this case your WordPress website, and notifies you of suspicious activity. Such activity can be a sign that attackers are probing your WordPress website for a security hole to exploit, or that they have already hacked into it.

It is of utmost importance to be notified as early as possible about possible attacks, so you can take the necessary countermeasures to thwart the attack, or to limit the damage in case of a successful hack. This article explains how you can build an intrusion detection system for your WordPress websites and WordPress multisite networks with the WP Security Audit Log plugin, WordPress’ most comprehensive audit trail solution.

Detecting And Getting Notified of WordPress Hack Attempts

Prevention is better than cure, so let’s start with prevention. What do malicious hackers typically do to find vulnerabilities or security weaknesses on your WordPress websites? They:

  1. Use automated scanners (such as WPScan) and scripts to scan your website and detect outdated and vulnerable plugins, themes or WordPress core.
  2. Use automated software to launch a dictionary / brute force attack against your WordPress login page and try to guess weak credentials.

With WP Security Audit Log you can create rules to get alerted via email when your website is scanned or is the target of a brute force attack. Here is how:

Detecting Automated WordPress Security Scans

During an automated scan the scanner sends thousands of HTTP requests, trying to find and exploit known vulnerabilities in WordPress core, a plugin or a theme. Most of these requests are for files that do not exist on your website, so the activity generates a lot of HTTP 404 errors, and the WP Security Audit Log plugin keeps track of all requests to non-existing pages with two alerts:

  • Alert 6007 for 404 errors generated by logged in users,
  • Alert 6023 for 404 errors generated by anonymous users.

So you can easily identify automated scans in the WordPress audit trail, as shown in the screenshot below.

Records of 404 requests in the WordPress Audit Trail

The plugin can also write all HTTP 404 errors to a log file. By analysing these log files you can learn which types of attacks and vulnerabilities attackers are looking for on your WordPress website, which allows you to protect it accordingly.

Get Notified Instantly When Your WordPress is Scanned for Vulnerabilities

The WP Security Audit Log plugin can alert you via email when your WordPress is being scanned for vulnerabilities. To receive such alerts, enable the 404 HTTP errors alert from the Recommended Email Security Notifications tab in the Email Notifications menu node, as shown in the screenshot below.

Enabling email notifications to get notified when there are 404 errors

Detecting Brute Force Attacks On Your WordPress Login Page

During a WordPress brute force attack, automated software tries to guess a valid username and password combination to log in to your WordPress. For example, it tries to log in to your WordPress using the following username/password combinations:

  • admin/admin
  • admin/password
  • admin/qwerty
  • admin/administrator
  • administrator/administrator
  • administrator/password
  • administrator/qwerty
  • administrator/12345678

WordPress Security Tip: Here are some tips on how you can secure your WordPress administrator user.

This means that a brute force attack on WordPress generates a lot of failed login attempts, which the WP Security Audit Log plugin records using these two types of alerts:

  1. Alert 1003 for when someone tries to log in to WordPress with a non-existing username.
  2. Alert 1002 for when someone tries to log in with an existing username.

Therefore it is very easy to configure email notifications in WP Security Audit Log so that you are alerted to such activity, as explained below:

Get Notified Instantly of a WordPress Brute Force Attack

Similar to what we did to get notified of automated scans, you can use the Email Notifications add-on to be alerted instantly via email when there are failed login attempts on your WordPress. As shown in the screenshot below, you can enable either one of the rules, or both.

Email alerts for WordPress bruteforce attacks

Personally I wouldn’t be really bothered about failed login attempts of non-existing usernames, but I would keep an eye on failed login attempts using existing usernames, as explained in Dealing with Failed WordPress Logins.
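The two detections described above, automated scans showing up as bursts of 404 errors and brute force attacks showing up as bursts of failed logins, share the same shape: many events of one kind from one client IP in a short time. The Python script below is an added example, not code from the article or from the WP Security Audit Log plugin. It reads a constructed list of audit-trail events carrying the alert ids the article names (6007 and 6023 for 404 errors, 1002 and 1003 for failed logins), keeps a sliding time window per client IP, and emits one finding when a burst crosses a threshold; brute force findings are marked when an existing username (Alert 1002) was tried, which is the case the author says deserves attention. The event layout, the thresholds and the window length are assumptions for the example, and the IPs and paths are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Alert ids named in the article.
SCAN_ALERTS = {6007, 6023}    # HTTP 404 by a logged-in / an anonymous user
BRUTE_ALERTS = {1002, 1003}   # failed login with an existing / a non-existing username

# Thresholds and window are assumptions for this example; tune them to your site's traffic.
SCAN_THRESHOLD = 5            # 404s from one IP inside the window
BRUTE_THRESHOLD = 4           # failed logins from one IP inside the window
WINDOW_SECONDS = 300

# Constructed sample audit-trail events, in chronological order:
# (timestamp, alert id, client IP, username, requested path).
# The field layout is an assumption for the example, not the plugin's export format.
SAMPLE_EVENTS = [
    ("2024-03-01 02:14:00", 6023, "203.0.113.7", None, "/wp-content/plugins/plugin-a/readme.txt"),
    ("2024-03-01 02:14:01", 6023, "203.0.113.7", None, "/wp-content/plugins/plugin-b/readme.txt"),
    ("2024-03-01 02:14:01", 6023, "203.0.113.7", None, "/wp-content/plugins/plugin-c/readme.txt"),
    ("2024-03-01 02:14:02", 6023, "203.0.113.7", None, "/wp-content/themes/theme-d/style.css"),
    ("2024-03-01 02:14:03", 6023, "203.0.113.7", None, "/wp-content/themes/theme-e/style.css"),
    ("2024-03-01 02:14:03", 6023, "203.0.113.7", None, "/wp-content/plugins/plugin-f/readme.txt"),
    ("2024-03-01 09:05:10", 6007, "198.51.100.2", "editor", "/old-page/"),        # a real user's typo
    ("2024-03-01 11:30:00", 1003, "192.0.2.9", "administrator", "/wp-login.php"),
    ("2024-03-01 11:30:02", 1003, "192.0.2.9", "test", "/wp-login.php"),
    ("2024-03-01 11:30:04", 1002, "192.0.2.9", "admin", "/wp-login.php"),
    ("2024-03-01 11:30:05", 1002, "192.0.2.9", "admin", "/wp-login.php"),
    ("2024-03-01 11:30:07", 1002, "192.0.2.9", "admin", "/wp-login.php"),
    ("2024-03-01 14:00:00", 1002, "198.51.100.2", "editor", "/wp-login.php"),    # one mistyped password
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def detect_bursts(events, scan_threshold=SCAN_THRESHOLD,
                  brute_threshold=BRUTE_THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Flag IPs whose 404s or failed logins cross a threshold inside a sliding window.

    One finding is emitted per burst, at the moment the count reaches the
    threshold, so a long scan yields one alert rather than one per request.
    Events must be in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # (kind, ip) -> timestamps still inside the window
    seen = defaultdict(set)        # (kind, ip) -> paths probed or usernames tried
    existing_user_hit = set()      # (kind, ip) pairs where an existing username was tried
    findings = []

    for ts_str, alert_id, ip, username, path in events:
        if alert_id in SCAN_ALERTS:
            kind, threshold, detail = "scan", scan_threshold, path
        elif alert_id in BRUTE_ALERTS:
            kind, threshold, detail = "brute_force", brute_threshold, username
        else:
            continue   # other alert types are not scored by this detector

        key = (kind, ip)
        ts = parse_ts(ts_str)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) == 1:            # the window restarted: forget the previous burst
            seen[key].clear()
            existing_user_hit.discard(key)
        seen[key].add(detail)
        if alert_id == 1002:
            existing_user_hit.add(key)

        if len(q) == threshold:
            findings.append({
                "kind": kind,
                "ip": ip,
                "count": len(q),
                "first_seen": q[0].strftime("%Y-%m-%d %H:%M:%S"),
                "last_seen": ts_str,
                "details": sorted(seen[key]),
                # Failed logins against an existing username deserve closer attention.
                "existing_user_targeted": key in existing_user_hit,
            })
    return findings


if __name__ == "__main__":
    for f in detect_bursts(SAMPLE_EVENTS):
        print(f"{f['kind']:<12} {f['ip']:<14} {f['count']} events "
              f"{f['first_seen']} .. {f['last_seen']} "
              f"existing user targeted: {f['existing_user_targeted']}")
        for d in f["details"]:
            print("   ", d)
```

Run as-is, the script reports two bursts: the six 404s from 203.0.113.7 (reported once, when the fifth arrives) and the five failed logins from 192.0.2.9, while the single 404 and the single mistyped password from 198.51.100.2 stay below the thresholds. Shrinking the window to a couple of seconds makes the brute force burst disappear and shifts the scan finding to a later start, which is the trade-off to keep in mind when tuning: a short window misses slow attacks, a long one is noisier.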

Detecting and Being Alerted of a Successful WordPress Hack

There is no bullet-proof WordPress security solution. You can have the best WordPress firewall and security plugin, and your WordPress website can still get hacked. Therefore it is imperative that you also plan to be notified should the worst happen and your WordPress is hacked. The earlier you find out about a hack, the easier the recovery process will be.

First things first: to be able to configure a good IDS we need to understand what hackers typically do once they have hacked a WordPress website. For example they:

  • Create a new username and use it to retain backdoor access,
  • Install their own plugins,
  • Modify content, widgets etc.

Let’s look into how we can use the Email Notifications in WP Security Audit Log to be alerted of any of the above changes, so we can catch hackers red-handed and limit the possible damage.

Get Notified When a Hacker Creates a New User & Logs In To Your WordPress

The WP Security Audit Log plugin uses Alert 4001 to record the creation of a new WordPress user. So by creating the trigger below you will be alerted via email whenever a new user is created on your WordPress website:

ALERT ID IS EQUAL 4001

Below is a screenshot of the configured email notification trigger.

WordPress Email Notification for newly created user

Get Notified When a User Logs In For The First Time

A hacker can also create a new WordPress user directly in the database, for example by exploiting an SQL injection vulnerability, or by gaining access to the database via other means, such as phpMyAdmin. A user created this way never triggers Alert 4001, but you can still be notified of such activity by enabling the “Alert me the first time a user logs in” notification in the WP Security Audit Log Email Notifications. Below is a screenshot of an email notification alerting the WordPress administrator that a user has logged in to the WordPress website for the first time.

Email alert for first time a WordPress user logs in.

Get Notified of Suspicious Login Activity on Your WordPress

When using the Email Notifications option in the WP Security Audit Log plugin you can also build more complex email notification rules by using the AND and OR operators, and by using groups. For example, if you and your team always log in to the WordPress website from the office, which has the IP address 66.65.55.44, you can create an email notification rule to be alerted when there is a login that is not from the office’s IP address. Here is the rule:

ALERT ID IS EQUAL 1000 AND IP ADDRESS IS NOT EQUAL 66.65.55.44

Below is a screenshot of the configured email notification rule:

Email notification trigger for suspicious WordPress logins

You can also create a notification to be alerted when someone logs in outside office hours, if you and your team always log in to the WordPress website during the same hours. For example, the trigger below sends an email when someone logs in to WordPress outside office hours (9AM – 5:30PM):

Alert ID Is Equal 1000 AND (TIME is before 9am OR TIME is after 5:30pm)

Notice the brackets, which group the conditions. They are configured with the grouping drop-down menu, as shown in the screenshot below:

Configure more complex email notifications rules to monitor suspicious WordPress login activity
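The two rules above can also be evaluated outside the plugin, which is a useful way to check that a grouped rule does what you expect before relying on it. The Python script below is an added example, not the plugin's code or its rule syntax: it represents each rule as a small tree of conditions joined by AND and OR groups (the plugin's brackets), runs the office-IP rule and the office-hours rule over a constructed list of login events, and reports which rules fired for each event. The event layout and the operator names are assumptions for the example; Alert 1000 (user logged in), the office IP 66.65.55.44 and the 9AM to 5:30PM office hours are the article's.

```python
from datetime import datetime

OFFICE_IP = "66.65.55.44"   # the office address used in the article's example rule


def _field(event, name):
    """Read a rule field from an event; 'time' is compared as a time of day."""
    if name == "time":
        return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S").time()
    return event[name]


def _parse_clock(value):
    return datetime.strptime(value, "%H:%M").time()


def evaluate(rule, event):
    """Evaluate a rule tree against one event.

    A rule is either a leaf ("field", "operator", value) or a group
    ("AND" | "OR", [rule, ...]). Groups are the bracketed parts of the
    article's rules; nesting them gives any precedence you need.
    """
    if rule[0] in ("AND", "OR"):
        op, children = rule
        results = (evaluate(child, event) for child in children)
        return all(results) if op == "AND" else any(results)
    field, operator, value = rule
    actual = _field(event, field)
    if operator == "equals":
        return actual == value
    if operator == "not_equals":
        return actual != value
    if operator == "before":
        return actual < _parse_clock(value)
    if operator == "after":
        return actual > _parse_clock(value)
    raise ValueError(f"unknown operator {operator!r}")


# The two rules from the article, written as trees.
# ALERT ID IS EQUAL 1000 AND IP ADDRESS IS NOT EQUAL 66.65.55.44
LOGIN_NOT_FROM_OFFICE = ("AND", [
    ("alert_id", "equals", 1000),
    ("ip", "not_equals", OFFICE_IP),
])

# Alert ID Is Equal 1000 AND (TIME is before 9am OR TIME is after 5:30pm)
LOGIN_OUTSIDE_HOURS = ("AND", [
    ("alert_id", "equals", 1000),
    ("OR", [
        ("time", "before", "09:00"),
        ("time", "after", "17:30"),
    ]),
])

RULES = {
    "login not from office IP": LOGIN_NOT_FROM_OFFICE,
    "login outside office hours": LOGIN_OUTSIDE_HOURS,
}

# Constructed sample events; alert 1000 = user logged in, 1002 = failed login.
SAMPLE_EVENTS = [
    {"alert_id": 1000, "user": "alice", "ip": "66.65.55.44", "time": "2024-03-04 09:15:00"},   # normal
    {"alert_id": 1000, "user": "alice", "ip": "66.65.55.44", "time": "2024-03-04 23:40:00"},   # odd hour
    {"alert_id": 1000, "user": "bob", "ip": "203.0.113.50", "time": "2024-03-04 14:00:00"},    # not office
    {"alert_id": 1000, "user": "bob", "ip": "203.0.113.50", "time": "2024-03-05 03:12:00"},    # both
    {"alert_id": 1002, "user": "admin", "ip": "203.0.113.50", "time": "2024-03-05 03:13:00"},  # not a login
    {"alert_id": 1000, "user": "carol", "ip": "66.65.55.44", "time": "2024-03-05 17:30:00"},   # boundary
]


def matching_rules(event, rules=RULES):
    return [name for name, rule in rules.items() if evaluate(rule, event)]


def run(events=SAMPLE_EVENTS, rules=RULES):
    """Return {event index: [names of rules that fired]} for events that matched at least one rule."""
    hits = {}
    for i, event in enumerate(events):
        fired = matching_rules(event, rules)
        if fired:
            hits[i] = fired
    return hits


if __name__ == "__main__":
    for i, names in run().items():
        e = SAMPLE_EVENTS[i]
        print(f"{e['time']} user={e['user']} ip={e['ip']}: {', '.join(names)}")
```

Two details are worth noticing when you build the real rule: the failed login at 03:13 does not fire either rule because both start with the Alert 1000 condition, and the 17:30:00 login is not "after 5:30pm", so a login at exactly the boundary stays silent; pick the boundary times with that in mind.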

Get Notified of Other Suspicious WordPress User Activities

You can use the Email Notifications in WP Security Audit Log to be alerted of virtually any change that happens on your WordPress. The options are endless, because WP Security Audit Log keeps a record of all such changes on your WordPress website. From a security point of view, I would recommend configuring the following email notifications when using WP Security Audit Log:

  • A WordPress user changes the password of another user,
  • A WordPress user logs in from a different IP address (if they always log in from the same IP address),
  • A WordPress user logs in at odd hours,
  • A WordPress user installs or activates a plugin.

Browse through the list of changes the plugin can record for more ideas on which email notifications to configure so you are alerted of possible suspicious activity.

It’s Simple! Configure Your Own WordPress Intrusion Detection System

By investing some time in understanding how your WordPress website is used, you will be able to configure a solid WordPress Intrusion Detection System that can help you prevent possible attacks and save you on a rainy day. Take all the other necessary security precautions, as explained in the WordPress security wheel, and you should be able to tighten the security of your WordPress website, thwart possible hack attacks before they happen, and in an unfortunate event, act as soon as possible to limit the damage.
