Logging and reporting

WAF: Logging and reporting

In the Logging and reporting section you can change the way Admin Tools logs and reports various activity items and security exceptions happening on your site.

Save user sign-up IP in the user profile

When enabled, the IP from which new users signed up will be stored as a note in the user profile.

Important

This feature is guaranteed to work only when a user registers on your site using the public user registration form provided by WordPress. Users created through the Users page of the administration interface will not have their IP saved as a note because it makes no sense to do so (it's an administrator registering the user account on their behalf). Third-party plugins creating new user accounts may also not trigger the hook we are using to be notified of user account creation.

Log security exceptions

It is suggested to keep this option enabled. When enabled, all potential security issues blocked by Admin Tools will be logged in the database and made available under the Security Exceptions Log tool.

Turning on this option will also create a file named admintools_security_issues.log in your site's wp-content/plugins/admintoolspw/app/log directory. This contains all the debugging details of what Admin Tools detected whenever it issues a 403 error. When asking for support, please include this log or at least the portion relevant to the 403 error page you are receiving in order for us to better serve you. Do note that your logs directory MUST be writeable for the log file to be produced.

Important

When this option is turned off the automatic IP blocking of repeat offenders, automatic blacklisting of IPs and most email notification features will be deactivated.

Important

By default we are using an .htaccess file to prevent direct web access to the log file. This works on Apache and LiteSpeed web servers. If you are using a different server, such as NGINX or IIS, you need to prevent direct web access to this directory yourself. If you are not sure how to do that, please ask your host.
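One way to confirm that the log directory really is closed to web requests, whichever server you run. This is an added example, not part of Admin Tools; the directory and file name are the ones given above, while the script name, the function names and the assumption that WordPress lives at the base URL you pass in are ours.

```python
"""Check that the Admin Tools log directory is not served over the web."""
import sys
import urllib.error
import urllib.request

# Path and file name as given in the documentation above.
LOG_DIR = "wp-content/plugins/admintoolspw/app/log/"
LOG_FILE = LOG_DIR + "admintools_security_issues.log"


def http_status(url, timeout=10):
    """Return the final HTTP status of a GET request, or None on a network error."""
    request = urllib.request.Request(url, headers={"User-Agent": "log-exposure-check"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx responses arrive as exceptions
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Map a status code to a verdict for a path that must not be public."""
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "EXPOSED"       # the server handed out content
    if status in (401, 403, 404, 410):
        return "blocked"       # denied or hidden, which is what we want
    return "inconclusive"      # e.g. 5xx: inspect the server configuration by hand


def check_site(base_url, fetch=http_status):
    """Return {url: verdict} for the log directory and the log file under base_url."""
    base = base_url.rstrip("/") + "/"
    return {base + path: classify(fetch(base + path)) for path in (LOG_DIR, LOG_FILE)}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_log_exposure.py https://your-site.example/")
    results = check_site(sys.argv[1])
    for url, verdict in results.items():
        print(f"{verdict:12} {url}")
    sys.exit(1 if "EXPOSED" in results.values() else 0)
```

A 404 on the log file can also mean that the file has not been created yet, so run the check after at least one security exception has been logged.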

IP Lookup Service

Admin Tools will provide you with a link to look up the owner of an IP address in the emails it sends you, as well as the Security Exceptions Log and Auto IP Blocking Administrator pages. By default, it uses the ip-lookup.net service. This option allows you to use a different IP lookup service if you so wish.

Enter the URL of the IP lookup service you want to use in this text box. The {ip} part of the URL will be replaced with the IP address to look up. For example, the default URL (for ip-lookup.net) is http://ip-lookup.net/index.php?ip={ip}

Email this address on security exceptions

Enter one or more email addresses (separated by commas) which will get notified whenever a security exception happens on your site. For example [email protected] for one recipient only or [email protected], [email protected], [email protected] for multiple recipients. The email addresses need not be in the same domain name and don't even need to be users of the site itself. Any email address will do.

A "security exception" is anything which triggers the Web Application Firewall. This is useful to get advance warning in the event of a bot trying to perform a series of attacks on your site.

The contents of the e-mails can be configured using the Email Templates feature in the Web Application Firewall page.

Email this address on successful administration login

Enter an email address which will get notified whenever someone successfully logs in to your site's administration area (wp-admin). If you do not wish to use this feature, leave this field blank. If you enter an email address, every time someone logs in to the administration area an email will be sent out to this email address stating the username and site name. If you want to send a notification to multiple email addresses separate them with commas, e.g. [email protected], [email protected]. The email addresses do not need to be in the same domain and they don't even have to be linked to users of your site.

This allows you to get instant notification of unexpected administrator area logins, which are a tell-tale sign of a hacked site. In that unlikely event, immediately log in to your site's back-end area, go to Admin Tools and click on the Emergency Off-Line Mode button. This will cut off the attacker's access to the entirety of your site and give you ample time to upgrade your site and its extensions, as well as change the password (and maybe the username) of the compromised administrator account. For maximum security, after taking your site back on-line, log out, clear your browser's cookies and cache and log in again.

The contents of the e-mails can be configured using the Email Templates feature in the Web Application Firewall page.

Do not log these reasons

Security exceptions caused by these blocking reasons will not be logged. As a result, IPs triggering this exception repeatedly will not be automatically banned from your site. Moreover, as there is no log, it will be impossible to tell why someone is being blocked from accessing your site when they trigger one of those reasons.

For a list of what each reason means, please consult the list of WAF log reasons. You can start typing or click on the field to show the list of reasons.

Do not send email notifications for these reasons

Security exceptions caused by these blocking reasons will not result in an email being sent to the email address specified in "Email this address on security exceptions".

For a list of what each reason means, please consult the list of WAF log reasons. You can start typing or click on the field to show the list of reasons.

Important

Keeping this setting empty is only advisable when you are first configuring Admin Tools on your site, or when you are troubleshooting an issue.

During normal operation you are advised to put at least the following: Spammer (via HTTP:BL), Bad Words Filtering, Site IP Disallow List, Admin Exclusive Allow IP List, SessionShield, and WAF Deny List. These are the features which don't cause “false positives” since they are either explicit blocking reasons, or IP-based blocking.

For best performance of your site we strongly recommend that during normal operation of your site you put all available options in this setting except for Monitor Super User list, Backend Edit Admin User, Frontend Edit Admin User.

Why you should follow these instructions. When your site is under heavy attack, your web server is struggling to provide the necessary resources to process the concurrent requests. Sending e-mails will use even more resources for each blocked request. As a result, it will take much longer for the various concurrently processed requests to reach the execution point where Admin Tools can “see” the blocked requests from a single IP and block it. This may result in you receiving hundreds of emails over the course of several minutes even if you have told Admin Tools to block an IP after 3 blocked requests in one minute; all these emails were sent by requests blocked within seconds of each other, but due to how busy the server was they were only sent with a big delay. Disabling email sending alleviates this congestion during a very heavy concurrent attack, and attackers' IP addresses are blocked much faster – it takes about 3 to 20 more requests than you've configured.

Enable security exception email throttling

When this feature is set to Yes, the email throttling options in the Email Templates feature in the Web Application Firewall page will be taken into account before sending an email to the email address specified in "Email this address on security exceptions". By default, Admin Tools will not send more than 5 emails in 1 hour. When this option is set to No, there will be no limit on the number of emails Admin Tools will send you. Disabling this can be a bad idea because it will slow down your server and fill up your inbox in the case of a bot performing a massive attack against your site.