Please note: this post is incomplete & pending review.
A10 – Insufficient Logging & Monitoring
The title is self-explanatory, but the gist is this: if you are not watching, monitoring, or getting updates about your WordPress installation or the server it runs on, something is likely to happen that could have been prevented. This includes notifications or logs of:
- failed login attempts
- updates available
- vulnerable components
- brute force attempts
- penetration testing or vulnerability scanning activity against the site
To combat this, design the application to anticipate abuse, and have a notification system in place to alert you. For example: after x failed login attempts from one client, send yourself an email and automatically block that IP address. Keep the block temporary and the threshold realistic, since legitimate users behind a shared NAT address can trip it, and a determined attacker will simply rotate IP addresses.
Keep all your server and application logs readily available, and have a plan for slowing down an attack while it is in progress and for recovering from one afterwards.
How Does This Apply To WordPress?
A typical WordPress install notifies you of available updates and may automatically apply WordPress core releases, but it does not notify you of attacks, brute force attempts, server errors, and so on. It is up to you as the developer to configure the server properly and harden the WordPress install.
For your WordPress install, consider the following:
- Installing a third-party security plugin such as Wordfence
- Installing Login LockDown and turning on its notifications
- Ensuring "new user" registration emails are on, so you are alerted whenever an account is created
For your server, you should:
- Ensure automatic updates are on for the OS, any cPanel/Plesk-type control panel, and WordPress itself
- Have an easy-to-access way to read and monitor error and system logs
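To make the "after x failed login attempts, alert and block the IP" idea above concrete, and to show what reading the server logs actually buys you, here is an added example (written for this post, not WordPress core or any plugin's code). It runs a sliding-window brute-force detector over web-server access-log lines in the Apache/Nginx "combined" format. The log lines are constructed for the example. It relies on one heuristic, stated as an assumption: WordPress answers a failed login by re-rendering the form with HTTP 200, while a successful login redirects (302) to wp-admin, so a POST to wp-login.php that returns 200 is counted as a failure. The threshold of 5 attempts in 10 minutes is an arbitrary choice for illustration.

```python
"""Sliding-window brute-force detector for WordPress login attempts.

Added example for this post (not WordPress core or any plugin's code). It
reads access-log lines in Apache/Nginx "combined" format and flags client
IPs that POST to wp-login.php too many times within a short window.

Assumed heuristic: WordPress re-renders the login form with HTTP 200 on a
failed login and redirects (302) on success, so "POST /wp-login.php -> 200"
is treated as one failed attempt.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: a slow client that never exceeds the window,
# an attacker hammering the form, a user who mistypes twice then logs in,
# and one corrupt line that must be skipped rather than crash the run.
SAMPLE_LOG = [
    '192.0.2.9 - - [10/Mar/2019:13:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2019:13:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2019:13:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2019:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2019:14:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "python-requests/2.21"',
    '203.0.113.7 - - [10/Mar/2019:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "python-requests/2.21"',
    '203.0.113.7 - - [10/Mar/2019:14:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "python-requests/2.21"',
    '203.0.113.7 - - [10/Mar/2019:14:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "python-requests/2.21"',
    '203.0.113.7 - - [10/Mar/2019:14:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "python-requests/2.21"',
    '203.0.113.7 - - [10/Mar/2019:14:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "python-requests/2.21"',
    '198.51.100.4 - - [10/Mar/2019:14:00:55 +0000] "GET /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2019:14:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2019:14:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2019:14:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2019:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"',
    'this line is corrupt and does not match the log format',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_failed_login(method, path, status):
    """Apply the assumed heuristic: POST to wp-login.php answered with 200 = failed attempt."""
    # Drop any query string so "?redirect_to=..." variants still match.
    return method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php") and status == 200


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (blocked_ips, alerts).

    Each IP keeps a deque of recent failure timestamps; entries older than
    `window` are dropped before the count is compared with `threshold`.
    In production the alert would be emailed and the block pushed to a
    firewall or .htaccess rule; here both are just returned to the caller.
    """
    recent = defaultdict(deque)
    blocked = []
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it, never let it abort monitoring
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked.append(ip)
            alerts.append(f"{ts.isoformat()} blocked {ip}: {len(q)} failed logins in {window}")
    return blocked, alerts


def scan_sample():
    """Run the detector over the constructed sample log with the default policy."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    blocked_ips, alert_lines = scan_sample()
    for msg in alert_lines:
        print(msg)
    print("blocked:", blocked_ips)
```

Only the scripted client is blocked: the slow client never has more than two failures inside any 10-minute window, and the user who mistyped a password twice and then got a 302 is left alone. Note what the detector cannot see from the access log alone: which username was targeted, and whether the 200 was really a wrong password or, say, a CAPTCHA page. If you need that, hook WordPress itself (the wp_login_failed action fires with the attempted username) and log from there instead of inferring from status codes.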