Working with enterprise WordPress installs comes with a set of unique requirements. Security, performance, analytics, design and even development are typically all taken into consideration. Corporate websites have different needs, and one I commonly see is the need for a change detection, logging and recording system.
Large businesses using WordPress will often have specific legal and IT requirements. For example, a publicly traded company will often need a timestamped log of any content change made to the website to comply with SEC regulations. IT departments are often focused on monitoring security threats in real time. They need to know about any changes made that could be a malicious takeover attempt. In both cases, a real-time push and email notification system is needed to notify the relevant teams at a business when a website change occurs.
Where Change Can Happen
Changes to a website can occur in a few different places:
- Server file system
- DNS or registrar (domain level)
I’ll cover what systems I typically recommend for an enterprise WordPress implementation. Each implementation needs to meet the specific needs of the enterprise, so you should consider this to be a source of methods that can be implemented depending on the requirements of the business.
File System Changes
Many of the ways that WordPress sites are hacked involve issues at the file system level. File Integrity Monitoring systems monitor changes to your file system. If you do get hacked, you can often use these tools to identify the files that were targeted, helping you enhance security to stop future attacks.
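What a file integrity monitor does underneath, as an added example (not code from any tool named in this article): hash every file into a baseline manifest, then report what was added, modified or removed since. The function names and the excluded wp-content/cache path are assumptions.

```shell
#!/bin/sh
# Added example: baseline-and-compare file integrity check for a WordPress tree.
# Assumption: wp-content/cache holds generated files and is excluded as noise.
# Limitation: file names containing backslashes or newlines are not handled.

# Print "<sha256>  <relative path>" for every file under the given root.
fim_manifest() {   # fim_manifest WORDPRESS_ROOT
    ( cd "$1" &&
      find . -type f ! -path './wp-content/cache/*' -exec sha256sum {} + |
      sort -k 2 )
}

# Compare two manifests (two different files) and list the differences.
fim_compare() {    # fim_compare BASELINE_MANIFEST CURRENT_MANIFEST
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        {
            seen[path] = 1
            if (!(path in base))         print "ADDED    " path
            else if (base[path] != hash) print "MODIFIED " path
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | sort
}

# Typical use (paths are placeholders):
#   fim_manifest /var/www/html > /var/lib/fim/baseline      # once, on a known-good site
#   fim_manifest /var/www/html > /tmp/now
#   fim_compare /var/lib/fim/baseline /tmp/now               # empty output = no change
```

Keep the baseline somewhere the web server user cannot write to, otherwise whoever changes the files can also rewrite the manifest.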
Website File Changes Monitor
The simplest way to track your WordPress file system is using a minimal plugin called the Website File Changes Monitor. If you need a basic way to monitor changes to files within WordPress, and you don’t have the access or the skills to work with server-level software packages, then this is most likely your best option.
OSSEC is the world’s most widely used server intrusion detection system. It’s free and open source, and provides a robust way to detect file system changes for a WordPress website and notify you about them. It can also be configured to detect and automatically block threats as they happen based on user-defined rules. If you’re working on a high-volume website, or a heavily targeted WordPress website with strict security requirements, then this system is a great option to explore. You will need access to install and configure server-level software in order to set this up. Common WordPress hosts like WPEngine or Kinsta won’t provide you with the ability to do this; you’ll need to be working with a self-managed server. For more information about configuring and working with OSSEC for WordPress, I highly recommend Defending WordPress with OSSEC.
Changes made through the WordPress admin area are stored in your site’s database. To track content management changes made through the admin UI, you’ll need a way to track changes to the database. The database changes frequently without user input though, so you’ll need a system that allows you to selectively determine what you want to track and notify team members about.
Stream is a great minimal plugin option for WordPress that’s easy to use, and flexible enough to be configured for the demands of an enterprise or large business working with WordPress.
Activity Log is a great option if your use case goes beyond security monitoring. If you’re a public company and need to know who changed what and when, then this may be an ideal choice for monitoring CMS changes. It logs every activity at the user level in WordPress, allowing you to see exactly what people are changing and where.
SiteGuard Security is a lesser-known security plugin for WordPress, but it is high quality from what I’ve seen. It includes an activity monitor that allows you to monitor detailed activity of known and unknown visitors. If your site is being hacked, or a user or a plugin was compromised, you can always use the quick tools to block their future actions.
Domain registrars and DNS managers are another place where malicious or unintended changes can happen. Monitoring changes to all DNS records isn’t an option, because you’ll end up with tons of false-positive notifications. Instead, I’ve found that it works well to monitor changes to your domain’s SOA record.
An SOA record contains the following information that we can monitor to identify DNS level changes in real-time:
- Primary name server for the domain, which is ns1.dnsimple.com or the first name server in the vanity name server list.
- Responsible party for the domain: admin.dnsimple.com.
- Timestamp that changes whenever you update your domain.
- Seconds before the zone should be refreshed.
- Seconds before a failed refresh should be retried.
- Upper limit in seconds before a zone is considered no longer authoritative.
- Negative result TTL (for example, how long a resolver should consider a negative result for a subdomain to be valid before retrying).
It’s not too difficult to create a system that does this. If you’re up to the task I’d recommend reading Tracking Unexpected DNS Changes, which provides a great explanation of how to handle this with routines and bash scripts.
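One way to build such a check, as an added example (not taken from this article or from the post it recommends): store the last SOA record seen and report which of the seven fields listed above changed. The function names and the state-file path are assumptions; `dig +short SOA` prints the fields on one line in that order.

```shell
#!/bin/sh
# Added example: SOA change detection against a stored baseline.

# Ask one authoritative server directly so resolver caches cannot hide a change.
soa_fetch() {   # soa_fetch DOMAIN NAMESERVER
    dig +short SOA "$1" @"$2"
}

# Print each SOA field that differs. Returns 0 = same, 1 = changed, 2 = malformed.
soa_diff() {    # soa_diff OLD_RECORD NEW_RECORD
    printf '%s\n%s\n' "$1" "$2" | awk '
        BEGIN { split("mname rname serial refresh retry expire minimum", name, " ") }
        NR == 1 { nf = NF; for (i = 1; i <= 7; i++) old[i] = $i }
        NR == 2 {
            if (nf != 7 || NF != 7) { print "malformed SOA record"; exit 2 }
            for (i = 1; i <= 7; i++)
                if ($i != old[i]) { printf "%s: %s -> %s\n", name[i], old[i], $i; rc = 1 }
            exit rc + 0
        }'
}

# Compare against the stored baseline; a failed lookup never overwrites it.
soa_check() {   # soa_check STATE_FILE CURRENT_RECORD
    state=$1 current=$2
    if ! soa_diff "$current" "$current" >/dev/null; then
        echo "lookup failed or malformed SOA; baseline kept"; return 2
    fi
    if [ ! -f "$state" ]; then
        printf '%s\n' "$current" > "$state"; echo "baseline recorded"; return 0
    fi
    if report=$(soa_diff "$(cat "$state")" "$current"); then
        echo "no change"; return 0
    fi
    printf '%s\n' "$current" > "$state"
    printf 'SOA changed:\n%s\n' "$report"; return 1
}

# From cron (state path is a placeholder); a non-zero exit is the alert condition:
#   soa_check /var/lib/soa/example.com "$(soa_fetch example.com ns1.dnsimple.com)"
```

A change in the serial alone means the zone was edited; a change in the primary name server or responsible party means the zone is now served from somewhere else and deserves immediate attention.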
If you’re looking for an out-of-the-box system, then DNSCheck provides SOA Record Monitoring as a feature in its software. It will monitor changes to your domain’s SOA record and notify you of anything detected.
Changes happen all the time in WordPress. If you’re working with WordPress in a corporate environment or with a publicly traded company, then you’ll need to implement systems to track and log those changes. This list provides an overview of some of the tools I’ve found useful within enterprise WordPress environments.