One of the most common techniques malicious hackers use to retain access to a hacked WordPress website is to create an obscure WordPress user with administrator privileges. They create it to retain access, so they can log back in to the hacked WordPress anytime they want.
Unfortunately many WordPress administrators and users will not notice such user because most use WordPress to write content, and maybe to change the looks of the website (here are some tips how to find out if your WordPress was hacked). It is even more difficult to identify the user the attackers created when the WordPress website is a large one, or a multisite network that has tens or hundreds of users.
In this article we will explain how you can use the WP Activity Log plugin and the Email Notifications Add-On to get instantly alerted via email when a new WordPress user is created, or logs in for the first time. By doing so you can catch hackers red handed and stop them from doing any further damage on your WordPress websites and blogs.
Get Alerted via Email When A New User is Created on WordPress
When a new user is created on a single or WordPress multisite installation, WP Activity Log plugin logs a security alert in the WordPress audit trail. The security alert with ID 4001 includes all the details, such as the user who did the change, the user created, the role and several other details as shown in the screenshot below.
Therefore if you configure a trigger in the Email Notifications Add-On for alert 4001, when a new user is created on your WordPress you will get alerted via email.
Get Alerted via Email When the Password of a WordPress User Changes
If instead of creating a new user the attackers change the password of an existing user, you can also be alerted via email. The WP Activity Log plugin logs a security alert with ID 4004 when a user changes the password of another user, or alert with ID 4003 when a user changes its own password.
In this case, as shown in the screenshot below you can configure a trigger in the Email Notifications Add-On so when one or the other happens, you are alerted via email.
Getting an Email Alert When a User Logs in the First Time on WordPress
The above examples only apply if the attackers use the normal means to create a WordPress user or change its password. Though in most cases things are not so straight forward. As seen in this interesting WordPress hack attackers are exploiting another vulnerability that allows them to upload a PHP file in the WordPress website. Then they execute the PHP file which creates a new WordPress user directly in the WordPress database. In such case the plugin won’t log a security alert in the WordPress audit trail, but WP Activity Log plugin still has a solution for such cases.
Built-in WordPress Email Alerts
The Emails Notifications add-on has a built-in WordPress email alert that alerts you the first time a WordPress user logs in to your WordPress. So even if as explained in the case above the attackers create the user manually in the database, the first time they login with such username you will be alerted via email, thus allowing you to take action as soon as possible to thwart their attack.
Email Alerts for WordPress Audit Trail
The above examples highlight the importance of keeping an audit log of everything that is happening on your WordPress. This also shows that logs are not there just to record what happened, but can also be used to instantly notify us of changes that we need to take action on. There are also several other benefits you can take advantage of when keeping a WordPress audit trail.
Extend the Functionally and Scope of your WordPress Audit Log
The WP Activity Log plugin has several other add-ons that allow you to extend the functionality and scope of the WordPress audit log. For example you can use the Search add-on to do free-text based searches in the audit log or the Reports add-on which allows you to generate user and regulatory compliance reports.