WPAuditor Product Documentation

Learn how to deploy WPAuditor, understand its SOC-grade monitoring features, and tune Active Defense, file integrity checks, alerts, and hardening options for your WordPress site.

WPAuditor v1.0.0 · Last updated: 24 Nov 2025

Overview

Menu: WPAuditor → SIEM Dashboard (home entry point)

WPAuditor continuously secures your WordPress site by turning your installation into a lightweight SOC (Security Operations Center). It combines deep event logging, a SIEM-style dashboard, Active Defense (ADS), global rate limiting, file integrity tools, quarantine, and alert routing — all designed to run efficiently on typical hosting.

Getting Started

Requirements

  • WordPress 5.8 or later.
  • PHP 7.4+ recommended.
  • Write access to wp-content/logs/ for the SIEM log file.
  • Optional: cron support (for ADS scans, auto-clean, scheduled backups).
  • Optional: outbound HTTPS to use Cloudflare API and WordPress.org checksum APIs.

Installation

  1. Upload the WPAuditor plugin folder or install the ZIP from Plugins → Add New → Upload Plugin.
  2. Activate the plugin. WPAuditor will create (or reuse) a log file in wp-content/logs/.
  3. Visit WPAuditor → SIEM Dashboard to confirm that the log file path is valid.
  4. Follow any on-screen onboarding prompts (timezone, basic options).

Quick Start Checklist

  • Verify logging is working in the SIEM Dashboard by generating a test login and viewing the event.
  • Open WPAuditor → Alert Center and set:
    • Default recipients for security alerts.
    • Minimum severity for email notifications.
  • Enable Active Defense (ADS) in Dry Run first and watch what it would block.
  • Review File Activity Monitoring, Obfuscated PHP Files, and File Permission Scanner for immediate issues. Quarantine anything suspicious.
  • Configure Backup & Restore to create AES-256 encrypted backups of your database and filesystem.
  • Optionally enable Global Rate Limiting and Custom Login URL for extra hardening.

Monitoring & SIEM

Event Logger & Log File

Used by: SIEM Dashboard, ADS, Threat Simulator, Timeline, Alert Center

The core event logger runs globally and records structured events into a log file under wp-content/logs/. The logger captures:

  • HTTP details: method, URI, query string, IP address, user agent.
  • WordPress activity: logins, login failures, password resets, plugin/theme changes, post/media edits, and more.
  • Web application attacks: XSS, SQL injection, LFI/RFI, path traversal, suspicious uploads, unusual HTTP requests.
  • Enriched context: category, severity, session identifiers, and MITRE ATT&CK mapping for many patterns.

If the log file is missing or not writable, WPAuditor shows a clear warning in the SIEM dashboard. Fix the path and permissions, then reload.

SIEM Dashboard

Menu: WPAuditor → SIEM Dashboard

  • KPI cards summarising events by severity, category, and time range.
  • Interactive charts (Chart.js) visualising attack and event trends.
  • Filters by date range, severity, category, and search terms (IP, URI, username, etc.).
  • Paginated log table (100 rows per page) with mobile-friendly layout and no horizontal scroll.
  • Per-row Expand / Collapse to show full URI and extended details safely.
  • Copy-to-clipboard actions for IPs, URIs, and other common fields.
  • Inline Block IP action with a confirmation dialog that integrates with the blocklist and ADS.
  • Optional auto-refresh mode during live investigations.

Timeline & Session Correlator

Menu: WPAuditor → Timeline

  • Groups log entries into sessions by IP, user agent, and (when available) logged-in user.
  • Expandable session rows show the full sequence of requests, logins, configuration changes, and blocks.
  • Time-based Chart.js visualisation to see attack bursts and dwell time.
  • Pagination and filters to stay responsive on busy sites.

Detection & Active Response

Web App Attack Detection Engine

Feeds: WEB_APP_ATTACK, UNUSUAL_HTTP and related categories

  • Regex signatures for OWASP Top 10 style attacks (XSS, SQLi, command injection, LFI/RFI, path traversal, etc.).
  • Inspection of query strings, request bodies, file uploads, and selected headers.
  • Events categorised and mapped to MITRE ATT&CK tactics/techniques.
  • All detections logged and surfaced in both SIEM Dashboard and Timeline.

Active Defense System (ADS)

Menu: WPAuditor → Active Defense

  • Per-IP risk scoring based on severity and type of recent events within a configurable look-back window.
  • Separate thresholds for temporary block and permanent block.
  • Configurable temporary block duration and per-IP cooldown to avoid thrashing.
  • Automatically excludes loopback and server IPs to avoid self-blocking.
  • Supports local blocklist and optional Cloudflare API integration for remote firewall rules.
  • Recent actions ledger (last ~30 actions) to show what ADS did and why.
  • Dry Run mode logs would-be actions without enforcing them — ideal for tuning.

Tip: Start in Dry Run, observe 24–48 hours of traffic, adjust thresholds, then enable blocking.
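
The scoring and decision flow sketched above, as an added illustration that is not WPAuditor's own code: the severity weights, look-back window, thresholds, cooldown and sample events are all assumptions standing in for whatever you configure in the Active Defense screen.

```php
<?php
// Added illustration of ADS-style per-IP scoring; not WPAuditor's own code.
// Weights, window, thresholds and cooldown are assumed values, not the plugin's defaults.
const ADS_WEIGHTS = ['INFO' => 0, 'NOTICE' => 1, 'WARNING' => 3, 'HIGH' => 8, 'CRITICAL' => 20];

/** Sum severity weights of one IP's events that fall inside the look-back window. */
function ads_score_ip(string $ip, array $events, int $now, int $lookbackSec): int {
    $score = 0;
    foreach ($events as $e) {
        if ($e['ip'] !== $ip || $e['ts'] < $now - $lookbackSec) {
            continue;                                   // other IP, or too old to count
        }
        $score += ADS_WEIGHTS[$e['severity']] ?? 0;     // unknown severity scores nothing
    }
    return $score;
}

/** Map a score to 'none', 'temp_block' or 'perm_block', honouring exclusions and cooldown. */
function ads_decide(string $ip, int $score, array $cfg, array $lastAction, int $now): string {
    if (in_array($ip, ['127.0.0.1', '::1', $cfg['server_ip']], true)) {
        return 'none';                                  // never block loopback or the server itself
    }
    if (isset($lastAction[$ip]) && $now - $lastAction[$ip] < $cfg['cooldown_sec']) {
        return 'none';                                  // acted on recently: avoid thrashing
    }
    if ($score >= $cfg['perm_threshold']) return 'perm_block';
    if ($score >= $cfg['temp_threshold']) return 'temp_block';
    return 'none';
}

// Constructed sample events: one noisy source, one benign visitor, one stale event.
$now = 1700000000;
$events = [
    ['ip' => '203.0.113.7',  'severity' => 'WARNING', 'ts' => $now - 540],
    ['ip' => '203.0.113.7',  'severity' => 'HIGH',    'ts' => $now - 300],
    ['ip' => '203.0.113.7',  'severity' => 'HIGH',    'ts' => $now - 60],
    ['ip' => '203.0.113.7',  'severity' => 'HIGH',    'ts' => $now - 7200],  // outside 1h window
    ['ip' => '198.51.100.2', 'severity' => 'NOTICE',  'ts' => $now - 10],
];
$cfg = ['lookback_sec' => 3600, 'temp_threshold' => 15, 'perm_threshold' => 40,
        'cooldown_sec' => 600, 'server_ip' => '192.0.2.10', 'dry_run' => true];

foreach (['203.0.113.7', '198.51.100.2'] as $ip) {
    $score  = ads_score_ip($ip, $events, $now, $cfg['lookback_sec']);
    $action = ads_decide($ip, $score, $cfg, [], $now);
    // In Dry Run the decision is written to the ledger only; nothing is enforced.
    printf("%s score=%d action=%s%s\n", $ip, $score, $action,
        $cfg['dry_run'] ? ' (dry run)' : '');
}
```

Raising the look-back window or lowering the temporary threshold is what turns a "none" into a block, which is why the Tip above recommends watching a day or two of Dry Run output before enforcing.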

Global Rate Limiting

Menu: WPAuditor → Global Rate Limiting

  • Limits total requests per IP within a sliding time window (seconds).
  • Enforces temporary bans (seconds) once the limit is exceeded.
  • Supports IPv4 and IPv6 addresses, plus CIDR ranges in the whitelist.
  • Whitelist parser accepts commas, spaces, and newlines, stored in normalised form.
  • Proxy and Cloudflare-aware IP resolution using X-Forwarded-For where appropriate.
  • Panic constant (WPAUDITOR_DISABLE_GLOBAL_RATELIMIT) to hard-disable from wp-config.php.
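
An added example of the whitelist parsing and CIDR matching the list above describes; it is not the plugin's code, and the helper names and sample addresses are mine. Using inet_pton() lets the same byte-wise comparison handle IPv4 and IPv6 entries.

```php
<?php
// Added illustration of whitelist parsing and CIDR matching; not WPAuditor's own code.
/** Split on commas, spaces or newlines and return canonical "addr/bits" entries. */
function rl_parse_whitelist(string $raw): array {
    $out = [];
    foreach (preg_split('/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY) as $entry) {
        [$addr, $bits] = array_pad(explode('/', $entry, 2), 2, null);
        $bin = inet_pton($addr);
        if ($bin === false || ($bits !== null && !ctype_digit($bits))) {
            continue;                                    // malformed entry: drop it, do not fail open
        }
        $max  = strlen($bin) * 8;                        // 32 for IPv4, 128 for IPv6
        $bits = $bits === null ? $max : (int) $bits;
        if ($bits > $max) continue;                      // prefix longer than the address
        $out[] = inet_ntop($bin) . '/' . $bits;          // normalised form, e.g. "::1/128"
    }
    return array_values(array_unique($out));
}

/** True if $ip lies inside any entry produced by rl_parse_whitelist(). */
function rl_is_whitelisted(string $ip, array $whitelist): bool {
    $ipBin = inet_pton($ip);
    if ($ipBin === false) return false;
    foreach ($whitelist as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $netBin = inet_pton($net);
        if (strlen($netBin) !== strlen($ipBin)) continue; // an IPv4 entry never matches an IPv6 client
        $bytes = intdiv((int) $bits, 8);                 // whole bytes that must match exactly
        $rem   = ((int) $bits) % 8;                      // leftover bits in the next byte
        if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
            continue;
        }
        $mask = $rem === 0 ? 0 : (0xFF << (8 - $rem)) & 0xFF;
        if ($rem === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed whitelist mixing separators, IPv4, IPv6, CIDR ranges and one junk token.
$wl = rl_parse_whitelist("192.0.2.10, 10.0.0.0/8\n2001:db8::/32 ::1 not-an-ip");
var_dump($wl);
var_dump(rl_is_whitelisted('10.42.1.9', $wl), rl_is_whitelisted('2001:db8:1::5', $wl),
         rl_is_whitelisted('203.0.113.7', $wl));
```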

Threat Simulator (Dry Run)

Menu: WPAuditor → Threat Simulator (Dry Run)

  • Simulates common threats such as brute-force attacks, SQL injection attempts, and generic scanners.
  • Generated events enter the log pipeline exactly like real traffic.
  • Use it to confirm SIEM charts, alert emails, and ADS scoring work as expected.
  • Designed as a safe tool – does not actually damage or alter site content.

File & Core Integrity

Recently Modified / Edited Files

Menu: WPAuditor → File Activity Monitoring

This view lists files that changed in your site and uploads folders during the last N days (for example, 90 days), based on file modification time. Many changes are legitimate (plugin/theme updates or your own edits); this view surfaces them so unexpected changes stand out.

  • Scans key paths (site root, wp-content/, uploads, themes, plugins).
  • Shows file path, last modification time, and an age badge (Most Recent, Recent, Past Week, Older).
  • Helps you quickly spot edits you don’t recognise.
  • Suspicious items can be moved into Quarantine; no direct delete from this page.

Obfuscated PHP Files Scanner

Menu: WPAuditor → Obfuscated PHP Files

  • Finds PHP files with suspicious or heavily encoded content (e.g. base64_decode, eval, nested encoders, XOR loops, high-entropy blobs).
  • Uses api.wordpress.org/core/checksums to automatically verify WordPress core files.
  • Verified core files are whitelisted and hidden from this view to avoid confusion.
  • Focuses your attention on custom or third-party PHP files that look obfuscated.
  • Supports Quarantine actions for suspicious files (no direct delete).

File Permission Scanner

Menu: WPAuditor → File Permission Scanner

  • Scans for files and directories with insecure permission modes (e.g. 0777, 0666).
  • Displays current and recommended permissions.
  • Offers a Fix permissions action where the server allows it.
  • Shows clear error messages when permission fixes fail due to environment limits.

WordPress Core File Integrity

Menu: WPAuditor → WordPress Core File Integrity

  • Fetches official WordPress checksums for your version + locale.
  • Compares each core file (root, wp-admin, wp-includes) with the expected hash.
  • Flags missing, modified, and extra/unexpected files.
  • Supports re-scan and exporting or filtering results.
  • Pairs well with Quarantine for handling unexpected PHP files inside core folders.
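
The checksum comparison described above as an added stand-alone illustration, not WPAuditor's own implementation. It calls the public WordPress.org checksum API the page names; the version string and install path are assumptions, and inside WordPress you would use get_bloginfo('version'), ABSPATH and wp_remote_get() instead.

```php
<?php
// Added illustration of a core integrity check; not WPAuditor's code.

/** Fetch the official "relative path => md5" map for a version/locale, or null on any failure. */
function core_fetch_checksums(string $version, string $locale = 'en_US'): ?array {
    $url  = 'https://api.wordpress.org/core/checksums/1.0/?' . http_build_query(['version' => $version, 'locale' => $locale]);
    $json = @file_get_contents($url);
    $data = $json === false ? null : json_decode($json, true);
    $sums = $data['checksums'] ?? null;                 // the API returns false for unknown versions
    return is_array($sums) ? $sums : null;
}

/**
 * Classify files as missing, modified or extra. Extra files are looked for only in
 * wp-admin/ and wp-includes/, which should hold nothing but core; the root carries
 * wp-config.php and wp-content/ is user-owned, so neither is a reliable "extra" source.
 */
function core_verify(string $root, array $checksums): array {
    $result = ['missing' => [], 'modified' => [], 'extra' => []];
    foreach ($checksums as $rel => $md5) {
        $path = "$root/$rel";
        if (!is_file($path)) {
            $result['missing'][] = $rel;
        } elseif (md5_file($path) !== $md5) {
            $result['modified'][] = $rel;                 // edited core file: review or Quarantine
        }
    }
    foreach (['wp-admin', 'wp-includes'] as $dir) {
        if (!is_dir("$root/$dir")) continue;              // already reported as missing above
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator("$root/$dir", FilesystemIterator::SKIP_DOTS));
        foreach ($it as $file) {
            $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
            if (!isset($checksums[$rel])) {
                $result['extra'][] = $rel;                // not in the official manifest
            }
        }
    }
    return $result;
}

$checksums = core_fetch_checksums('6.4.2');           // assumed version
if ($checksums === null) {
    fwrite(STDERR, "Checksum fetch failed; treat the scan as inconclusive, not clean.\n");
    exit(1);
}
$report = core_verify('/var/www/html', $checksums);   // assumed install path
foreach ($report as $kind => $files) {
    printf("%-8s %d\n", $kind, count($files));
}
```

A failed checksum fetch must never be reported as a clean site, which is why the script exits non-zero instead of verifying against an empty map.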

Quarantine Manager

Menu: WPAuditor → Quarantine Manager

  • Central view of all quarantined files, including original path, source scanner, and date.
  • Quarantined files are moved to a protected directory under wp-content/ and made non-executable.
  • Restore action puts files back to their original location when you confirm they’re safe.
  • Supports permanent deletion once investigations are complete.
  • Designed to be reversible by default — safer than direct deletion from scanners.

Backup & Restore

Menu: WPAuditor → Backup & Restore

  • Creates full backups (database + filesystem) in AES-256 encrypted ZIP archives.
  • Stores backup files in non-public locations where possible.
  • Supports on-demand backup runs and scheduled backups via WP-Cron.
  • Restore tools assist in recovering the site after compromise or accidental changes.

Hardening & Access Control

Custom Login URL

Menu: WPAuditor → Hardening → Custom Login URL

  • Hides the default /wp-login.php and moves your login page to a custom slug.
  • Once enabled, your login is set to kitchen-key/ by default (e.g. https://example.com/kitchen-key/).
  • You can change the slug to a custom value at any time.
  • Provides a secret bypass query parameter so you can still log in if caching or WAF rules misbehave.
  • Supports a hard disable constant (WPAUDITOR_DISABLE_LOGIN_RENAME) in wp-config.php.
  • Displays a clear status notice: feature ENABLED or DISABLED and your current login URL.

Disable XML-RPC

Menu: WPAuditor → Hardening → Disable XML-RPC

  • Blocks or restricts xmlrpc.php to reduce attack surface for brute-force and XML-RPC amplified attacks.
  • Recommended if you do not rely on XML-RPC (some mobile apps, Jetpack features, etc.).
  • Toggle on/off from the WPAuditor UI when you need to re-enable it temporarily.

REST API Hardening

Menu: WPAuditor → Hardening → Disable REST API

  • Limits anonymous / unauthenticated access to the WordPress REST API.
  • Reduces fingerprinting and data exposure while keeping admin/editor flows functional.
  • Blocked REST API attempts are logged so you can see them in the SIEM Dashboard.

Alerts & Maintenance

Alert Center & Email Routing

Menu: WPAuditor → Alert Center

  • Configures when and how security alerts are emailed.
  • Minimum Severity: only events at or above this level generate email alerts.
  • Default Recipients for all alerts plus optional per-severity routing (e.g. CRITICAL → on-call address).
  • Built-in SMTP settings via PHPMailer (host, port, encryption, auth), as an alternative to default wp_mail().
  • Throttling / cooldown settings to avoid alert storms during large attacks.
  • Diagnostic tools: DNS lookup, TCP connection, banner, STARTTLS, and SMTP auth checks.
  • Status strip summarising whether alerts are ENABLED or DISABLED.

Log Retention & Auto-Clean

Menu: WPAuditor → Settings / Logs (exact label may vary)

  • Manual Clean Logs operation to remove entries older than a selected date.
  • Automatic clean-up via WP-Cron (e.g. delete logs older than 15 days).
  • Respects the WordPress timezone for all time comparisons.
  • JavaScript confirmation prompts before permanent clean-up.

Reference

Severity Levels

WPAuditor normalises severities into the following levels (lowest to highest). Many modules (Alert Center, ADS scoring) rely on these values.

  • INFO — Routine information and low-risk events.
  • NOTICE — Noteworthy events (for example, a login from a new IP) that may be benign.
  • WARNING — Suspicious activity or misconfiguration that should be reviewed.
  • HIGH — Clearly malicious or high-risk events, likely requiring investigation.
  • CRITICAL — Severe incidents or high-confidence indicators of compromise.

Common Event Types

Below are some event categories you will frequently see in the SIEM Dashboard:

  • WEB_APP_ATTACK — Detected web application attack patterns (XSS, SQLi, etc.).
  • UNUSUAL_HTTP — Non-standard requests, scanners, or noisy probing activity.
  • AUTH_LOGIN / AUTH_FAIL — Successful and failed login events.
  • PLUGIN_CHANGE / THEME_CHANGE — Plugin/theme installs, updates, or removals.
  • POST_UPDATE / MEDIA_ACTION — Content and media changes relevant during incident review.
  • IP_BLOCKED / IP_UNBLOCKED — Automated or manual IP blocking/unblocking actions.
  • BACKUP_RUN / RESTORE — Backup and restore operations initiated via WPAuditor.
  • WEB_APP_ATTACK (simulated) — Events generated by the Threat Simulator for testing.

All event lines are designed to be both human-readable and machine-parsable, so you can build external reports, forward logs to other SIEMs, or write your own automation around them.