Import WordPress Events to OSSEC

WordPress is very popular in the enterprise world, but a common issue for security administrators is visibility into platform events. System administrators want to know what is happening inside WordPress and how those events can be incorporated into their log management and log-based intrusion detection plan.

WordPress Security Audit Log Trail

A great way to help address this issue can be found in our Free WordPress Security plugin, which is available in the WordPress repository and is also open-source. Our plugin focuses on providing the desired visibility within the WordPress platform. The plugin will hook into multiple WordPress actions and log sensitive actions, such as:

  • Successful logins
  • Failed logins
  • Post or Pages being published
  • Plugins or themes being installed or removed
  • Files being modified
  • Categories being created

These and many other CMS-specific activities would just be lost without the audit trail.

Install the WordPress Plugin

Installing the plugin is easy. We’ve put together a quick guide here that will help you through the process of using it.

  1. Log into your WordPress dashboard (or wp-admin).
  2. Navigate to Plugins and click Add New.
  3. Search for “sucuri-scanner” in the search box.
  4. Find the plugin and click Install Now on Sucuri Security – Auditing, Malware Scanner and Security Hardening.

The name of the plugin is a bit unrelated, as it used to be a front-end for our free malware scanner, SiteCheck. The audit trail is what provides us the visibility we’ll be focusing on in this article.

Once installed, the audit logs will populate within the Sucuri dashboard in your WordPress installation.

Audit logs in WordPress via Plugin

Integrating OSSEC with WordPress

Having basic visibility is not enough though. Most system administrators have existing log management tools and systems in place that are designed to aggregate information. Until now, this capability has been limited.

In our latest release, however, we have introduced a new way to export all those event activities so that you can transfer that visibility from within your WordPress dashboard into your OSSEC installation (or other log management tool). For the first time, you get visibility into WordPress itself and can export the data to a log file that OSSEC or any other log management tool can read.

How to Export WordPress Logs to OSSEC

Navigate to the plugin Settings -> Log Exporter page and provide a path to export the audit trails as they happen.

WordPress security Log Exporter

In the example above, the location /var/log/wordpress.log was set, which means all events will be captured at that location on the server.

From there, add the log file to OSSEC to be monitored in real time and restart OSSEC:

# /var/ossec/bin/util.sh addfile /var/log/wordpress.log
# /var/ossec/bin/ossec-control restart

That’s it. Now all WordPress-related activity will start populating the log file and being consumed by OSSEC. For example, on the Sucuri blog, I can see when I am logging in:

** Alert 1453833644.78336: - syslog,wordpress,authentication_success,
2016 Jan 26 13:40:41 (blog.sucuri.net) HIDDEN->/var/log/wordpress.log
Rule: 9502 (level 3) -> 'WordPress authentication succeeded.'
Src IP: HIDDEN / USA
2016-01-26 13:40:41 WordPressAudit blog.sucuri.net HIDDEN : Notice: 1.2.3.4; User authentication succeeded: danielcid

I can also see when someone is failing at entering their password or editing anything inside WordPress.
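To show what a log management tool has to work with once the export is in place, here is an added example (not code from the plugin or from OSSEC) that parses the exported WordPressAudit line format seen in the alert above and counts failed logins per source IP. The field layout is taken from the single line in the alert; the wording "User authentication failed" and the sample lines, which use the 203.0.113.0/24 documentation range, are constructed assumptions.

```python
import re
from collections import Counter

# Field layout taken from the exported line in the OSSEC alert above. The third
# field ("HIDDEN" in the redacted sample) is treated as an opaque token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WordPressAudit "
    r"(?P<site>\S+) (?P<remote>\S+) : (?P<level>[A-Za-z]+): "
    r"(?P<ip>[0-9A-Fa-f.:]+); (?P<msg>.+)$"
)

def parse_line(line):
    """Return the fields of one exported WordPressAudit line, or None when the
    line does not match the format (so unrelated lines cannot skew the counts)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_logins_by_ip(lines, threshold=3):
    """Count 'User authentication failed' events per source IP and return the
    IPs at or above the threshold. The failure wording is an assumption; only
    the success wording appears in the post."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["msg"].startswith("User authentication failed"):
            counts[ev["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample log: the success line from the post, plus made-up failures
# from the documentation range 203.0.113.0/24 (not real data).
SAMPLE_LOG = [
    "2016-01-26 13:40:41 WordPressAudit blog.sucuri.net HIDDEN : Notice: 1.2.3.4; User authentication succeeded: danielcid",
    "2016-01-26 13:41:02 WordPressAudit blog.sucuri.net HIDDEN : Warning: 203.0.113.7; User authentication failed: admin",
    "2016-01-26 13:41:05 WordPressAudit blog.sucuri.net HIDDEN : Warning: 203.0.113.7; User authentication failed: admin",
    "2016-01-26 13:41:09 WordPressAudit blog.sucuri.net HIDDEN : Warning: 203.0.113.7; User authentication failed: administrator",
    "2016-01-26 13:42:30 WordPressAudit blog.sucuri.net HIDDEN : Warning: 203.0.113.9; User authentication failed: editor",
    "this line is not a WordPressAudit record and must be ignored",
]

if __name__ == "__main__":
    print(parse_line(SAMPLE_LOG[0]))
    print("IPs over threshold:", failed_logins_by_ip(SAMPLE_LOG))
```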

If you leverage Slack or PagerDuty, be sure to update your OSSEC install with the latest integrator daemon, which pushes all alerts to either service according to your configuration:

User authentication error log from WordPress in OSSEC
Exported user authentication error log from WordPress to Slack or Pagerduty

Need Help with OSSEC?

We leverage OSSEC extensively across all our products to help monitor and protect our servers. If you are not familiar with OSSEC, it is an open source host-based intrusion detection system (HIDS) with a powerful correlation and analysis engine that integrates log analysis, file integrity monitoring, rootkit detection, real-time alerting, and active response.

It provides complete coverage if you are looking for an endpoint (server) security solution.

Note that OSSEC requires root access to your servers and is meant for network / server administrators with Linux skills.
