My sites were hacked this week and I’m not sure I’ll ever get to the bottom of it. Hundreds of new users were added as Admins with email addresses like “@trashmail.com” and ones ending in “.ru” for Russia. “owstopper owstopper” also invaded 8 of my newer sites.

    I’ve changed my passwords and hopefully ended this hack, but I’d like to know how it happened in the first place. Unfortunately, there’s no log telling me when a user was created and by whom. Several of my users may have been downgraded from authors to subscribers, although that might be unrelated. I wish I could look at a log and see a timestamp on all of these actions to help narrow down the possibilities.

    I don’t know if someone hacked my WordPress accounts or my Jetpack account or another plugin. Keeping track of this information the way you are able to look back at edits to posts and compare would be immensely helpful in situations like these and other situations as well.

    So my request is to start keeping track of activity on the site, so if someone I’ve appointed as an admin does something stupid, I can trace it back to them. Or if someone hacks my account, I can pinpoint the exact time it happens.

    Thanks for your consideration.
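A minimal way to get the per-user timestamps this post asks for, as an added example that is not code from the thread or from either plugin mentioned later in it: a must-use plugin that appends one JSON line per account change (creation, role change, deletion) to a flat file, recording which logged-in account performed the action and through which entry point. The `UAL_LOG_FILE` constant and the `ual_` function names are my own assumptions.

```php
<?php
/**
 * Plugin Name: User Audit Log (constructed example)
 * Place in wp-content/mu-plugins/ so it loads on every request and
 * cannot be deactivated from the dashboard.
 */
defined( 'ABSPATH' ) || exit;

// Assumption: a log path outside the web root; adjust for your host.
if ( ! defined( 'UAL_LOG_FILE' ) ) {
    define( 'UAL_LOG_FILE', dirname( ABSPATH ) . '/user-audit.log' );
}

/** Which front door handled the request: CLI, XML-RPC, REST, cron, admin or front end. */
function ual_entry_point() {
    if ( defined( 'WP_CLI' ) && WP_CLI )                 return 'wp-cli';
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) return 'xmlrpc';
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST )     return 'rest';
    if ( defined( 'DOING_CRON' ) && DOING_CRON )         return 'cron';
    return is_admin() ? 'admin' : 'front';
}

/** Append one JSON line: when, what, to whom, by whom, from where, via which path. */
function ual_record( $event, $target_user_id, array $extra = array() ) {
    $entry = array(
        'time'   => current_time( 'mysql', true ),   // UTC timestamp
        'event'  => $event,
        'target' => (int) $target_user_id,
        'actor'  => get_current_user_id(),           // 0 = no logged-in user (open registration, cron)
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'via'    => ual_entry_point(),
        'uri'    => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
    ) + $extra;
    // A flat file keeps the write load off the database.
    file_put_contents( UAL_LOG_FILE, wp_json_encode( $entry ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// New account created (the bulk admin additions described above would show up here).
add_action( 'user_register', function ( $user_id ) {
    $u = get_userdata( $user_id );
    ual_record( 'user_register', $user_id, array(
        'login' => $u ? $u->user_login : '',
        'email' => $u ? $u->user_email : '',
        'roles' => $u ? $u->roles : array(),
    ) );
}, 10, 1 );

// Role changed, e.g. author downgraded to subscriber or anyone promoted to administrator.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    ual_record( 'set_user_role', $user_id, array( 'old_roles' => $old_roles, 'new_role' => $role ) );
}, 10, 3 );

add_action( 'delete_user', function ( $user_id ) { ual_record( 'delete_user', $user_id ); }, 10, 1 );
```

An `actor` of 0 together with `via` of `rest` or `xmlrpc` on a `user_register` line points at an unauthenticated entry point rather than a stolen dashboard login, which is the distinction the post is trying to make.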

Viewing 9 replies - 1 through 9 (of 9 total)
    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Logs can be very heavy depending on the type and popularity of the site, slowing down databases and sometimes getting you past your hosting account’s limits in a matter of days.

    I don’t know if this is definitely the reason why the developers have decided not to implement this feature, but it certainly seems plausible.

    The good news is, there are lots of plugins like https://wordpress.org/plugins/aryo-activity-log/ and https://wordpress.org/plugins/wp-security-audit-log/

    Thread Starter wordpress_Port

    (@wordpress_port)

    Thanks for the response. I appreciate those links.

    I’ve been told by our web developer that keeping plugins to a minimum is the smartest route security-wise. Since these are not official WordPress plugins and don’t have very many ratings, would it increase or decrease the security of my websites to install one of them?

    Sorry if that’s a silly question. I’ve been trying to eliminate plugins recently, not add them. But an audit log seems beneficial.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Are you going to keep the plugins up to date? They are actively being developed. Updating is a standard security measure.

    Thread Starter wordpress_Port

    (@wordpress_port)

    Yes, I update everything regularly. That’s all it takes to ease your mind about the security of plugins?

    Are there any other red flags to watch out for before installing other plugins?

    Having just dealt with a hack, I’m being extra cautious.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    All plugins at https://wordpress.org/plugins/ go through very intense security screening by real human volunteers, so you generally have nothing to worry about.

    With that said, no one is psychic. Some enterprising hacker may find a new never-before-seen exploit that one of these plugins is vulnerable to. That’s true for all web software, even WordPress itself. When that happens, the developers are notified, and they generally react quickly to release an update with a fix.

    Some more reading for peace of mind:

    https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/

    https://wordpress.org/about/security/

    Since we deal with plugin vulnerabilities on a daily basis, we thought it important to chime in here, since some of the information provided here doesn’t seem to be accurate.

    Your web developer is right that you are introducing a security risk with each plugin you add, so limiting the number you have installed can be helpful in protecting your website (some vulnerabilities in plugins are still exploitable even if the plugin is deactivated). But if a plugin provides something useful to you, then the potential security risk alone shouldn’t dissuade you from using it.

    In the case of both of the logging plugins mentioned earlier in this thread, we recently found minor security vulnerabilities in them and in each case they were easy to spot. Both of the vulnerabilities were fixed within a couple of weeks of us notifying the developers.

    If there is security screening done on plugins, it seems to be limited, as we recently found a pair of plugins that had a vulnerability that hackers would exploit and that had existed in the plugins since the first version was released on the Plugin Directory several months ago. This was not a “never-before-seen exploit”, but quite easy to spot, and considering what the plugins did, it should have been something that would have been checked during even a less than intense security screening.

    In our experience the response time by developers fixing vulnerabilities after they have been notified of them varies widely from developer to developer. We have seen minor vulnerabilities that have been fixed within hours of us reporting them to the developer, but we have also seen vulnerabilities that are already being exploited when we contact the developer, that take weeks to get fixed and others of that kind that never get fixed.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    @whitefirdesign, if you are referring to plugins distributed on WordPress.org that never get fixed (for security issues), please report it to plugins@wordpress.org. The plugins team can escalate this. @wordpress_port, it’s the same advice for you.

    @Andrew Nevins

    We already do report them to that address, but all that does is cause the plugin to be removed from the Plugin Directory and the developer notified again. While having the plugin removed from the Plugin Directory does cause many developers to finally get around to fixing the vulnerabilities, when we were referring to plugins that never get fixed, all of those plugins have been reported to that address.

The topic ‘general WordPress question – why not keep logs of activity?’ is closed to new replies.