If you keep an eye on the WordPress security scene (as I do), you’ll know that we discover plugin vulnerabilities all the time. Even plugins that are consistently well-maintained can develop unexpected problems that need to be patched. Worse still is when unmaintained plugins suddenly show signs of activity, which can often fly under the radar. I’ve written about new plugin authors sneaking in malicious code when they take over abandoned plugins. So if you aren’t already constantly monitoring WordPress security issues, start doing so now!
However, most of the exploits in WordPress involve someone with login privileges and access to the dashboard. Very rarely can random people mess with a well-configured and hardened WordPress installation. So if you’re the only user of your site, your site is much more secure than one with dozens of backend users. For example, my site WP-Tweaks has just one user – me. I write all my articles and perform all the maintenance by myself. So I limit my exposure to bad actors.
But for sites that do have lots of users, it’s useful to constantly monitor what they’re up to so you can quickly detect suspicious activity. This especially applies to employees who are no longer with you, and might be disgruntled, but who still have access to your backend. Doing so can be hard, though. There’s no centralized location for actions taken by all users, so there’s no efficient way to audit your site at regular intervals. Which is where the new Nashaat plugin comes in.
Monitoring User Activity with the Nashaat Plugin
This plugin recently caught my eye as I was browsing the WordPress plugin repository to see what’s new. I immediately realized that it could be an invaluable tool for large teams. You can download and install it from WordPress.org. Once you install it, you can open the Nashaat activity log from the menu item that appears on the left-hand side of the dashboard like this:
As you can see, I’ve done some stuff like deleting posts and comments, and modifying some user data. If you have other users on your site, then this plugin will log their activity as well. It categorizes each item into levels, so you can quickly get a visual indicator of the things that you might want to keep track of. You can also filter each of the headings to only view data of that type – so if you want to check for malicious plugin activity, just click the “Context” heading and filter the results by plugin.
In the Nashaat settings screen, you can also choose the duration for how long you want to keep the logs, as well as the option to purge them.
Finally, you can choose whether or not you want to record admin actions.
Expanding the List of Logged Activities
The plugin author says that they want to include logged activities from popular plugins like Yoast, Gravity Forms and others. They also plan to implement a system to enable/disable certain types of notifications. All of these would be useful for sites whose activity log quickly gets overwhelming with the sheer number of events, particularly if a site has a full-time spam monitoring person whose activity fills up the log with one type of entry.
But even as it is, I find the plugin to be extremely useful for a site with multiple users. Really, if you have even one other person on your site’s backend, you should have some way to monitor their activity. Or at least set up a notification system so that you know what they’re up to. For that purpose, this is a great plugin that you should definitely consider adding to your site!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!