Latest TweetsVery honored to be included with such amazing #WordPress influencers. Thanks to @wpblogdottcom for including me www.wpblog.com/top-wordpress-i…
Perishable Press

How to Monitor the WordPress Login Page

[ Monitor WordPress Login Page ] There are all sorts of plugins that you can use to monitor and protect the WordPress Login Page. That’s not what this post is about. This post is aimed at developers and DIY site admins, who like to keep a close eye on site activity. Talking hands-on with code.

How familiar are you with the traffic hitting your WP Login Page? Do you know the difference between a brute-force attack and legitimate login requests? The WP Login Page (wp-login.php) is arguably THE most heavily attacked part of any WordPress-powered site. Understanding how it works is key, and that is what this tutorial is about.

Get Detailed Login Information

If you follow through this tutorial, you will learn how to hook into the WordPress core functionality with a custom function. The custom function listens for any login requests, and sends an email alert for each one. Each email alert includes the following information:

  • Site name and Login URL
  • All GET variables
  • All POST variables
  • All COOKIE variables
  • User IP address
  • Referrer URL

So the email notification really gives you a detailed look at all the variables that are sent with each login request. It also includes the visitor IP address and referrer URL. Basically a focused look at everything involved with each login request, all rolled up tight in a simple plain-text email alert. You rule with this information, seriously. Check out the example email alerts later in the post.

How it Works

In the next section, you will find three functions that all work together. You copy and paste those functions into your theme’s functions.php file, or add via simple plugin. Up to you. Once uploaded to the server, the code taps into WordPress via the login_init filter hook. That hook fires every time the login form is initialized. So it’s perfect for grabbing Request variables and sending email alerts. Or doing other tasks; whatever fits the bill.

Once the code is added to your site, it will send a simple email alert anytime something accesses your Login Page, logs in or out, resets their password, or makes any other type of request for wp-login.php. Thanks to the login_init hook, you will see it all. Like the Eye of Sauron. Or Google.

The Code

To monitor your Login Page via email alerts, add the following code to your WordPress site, either via functions.php or simple plugin. Boom:

/*
	
	Monitor WordPress Login Page
	https://perishablepress.com/monitor-wordpress-login-page/
	
	The following three functions work to send an email alert
	each time something requests or submits the WP Login Page.
	
*/
function shapeSpace_monitor_login_page() {
	
	$email = get_bloginfo('admin_email');
	$site  = get_bloginfo('name');
	$url   = wp_login_url();
	
	$subject = 'Login Page Alert for '. $site .' @ '. $url;
	
	$message = '';
	
	if (isset($_GET) && !empty($_GET)) {
		
		$message .= 'GET Vars'. "\n\n";
		$message .= shapeSpace_write_message($_GET) ."\n\n";
		
	}
	
	if (isset($_POST) && !empty($_POST)) {
		
		$message .= 'POST Vars'. "\n\n";
		$message .= shapeSpace_write_message($_POST) ."\n\n";
		
	}
	
	if (isset($_COOKIE) && !empty($_COOKIE)) {
		
		$message .= 'COOKIE Vars'. "\n\n";
		$message .= shapeSpace_write_message($_COOKIE) ."\n\n";
		
	}
	
	if ($info = shapeSpace_request_info()) {
		
		$message .= 'Request Info'. "\n\n";
		$message .= $info ."\n\n";
		
	}
	
	mail($email, $subject, $message);
	
}
add_filter('login_init', 'shapeSpace_monitor_login_page');

function shapeSpace_write_message($vars) {
	
	$message = '';
	
	foreach ($vars as $key => $value) {
		
		if ($key === 'pwd') continue; // do not send password via email!
		
		$message .= esc_html($key) .' = '. esc_html($value) . "\n";
		
	}
	
	return $message;
	
}

function shapeSpace_request_info() {
	
	$info = '';
	
	$info .= isset($_SERVER['REMOTE_ADDR'])  ? 'IP Address: '. esc_html($_SERVER['REMOTE_ADDR'])  . "\n" : '';
	$info .= isset($_SERVER['HTTP_REFERER']) ? 'Referrer: '  . esc_html($_SERVER['HTTP_REFERER']) . "\n" : '';
	
	return $info;
	
}

No changes are required for this to work, it’s entirely plug-&-play. Everything is kept as simple and straightforward as possible for the sake of understanding, etc. So you may want to go in and tweak a few things, add more variables to the alerts, change the email address, and so forth. Much is possible, so use your imagination and have fun. Also make sure to check the important notes, below.

Code Explanation

So there are three functions to this “monitor login” technique:

  • shapeSpace_monitor_login_page() — main function, fires via login_init filter hook
  • shapeSpace_write_message() — auxiliary function, adds variables to alert message
  • shapeSpace_request_info() — auxiliary function, adds request information to alert message

The main function, shapeSpace_monitor_login_page(), is responsible for grabbing all of the GET and POST variables, request details, and other pertinent information. It then combines the information into a single string, which is sent as the $message along with the email alert. The two auxiliary functions are used to streamline and simplify the code. They basically add variables to the $message string, like helper functions. Hit the important notes below for further details.

shapeSpace_? Wondering what’s up with the shapeSpace_ prefix used for each function name? It’s the namespace for my free WordPress starter theme.

Important Notes

The MAIN thing to be mindful of with this technique is that it sends potentially sensitive information via email. To help emphasize security, the code includes the following line to exclude any passwords from email alerts:

if ($key === 'pwd') continue; // do not send password via email!

This line ensures that passwords aren’t sent plain-text over the wire. Sending the other login and request information is fairly innocuous without the password. But either way, be aware of the security aspects of this technique. Very important.

Another note is that, by default email alerts are sent to the registered admin’s email address. To change this, you can adjust this line in the main function:

$email = get_bloginfo('admin_email');

So you can send alerts wherever is necessary, without having to change the admin email address.

Also note that you may want replace the current technique for getting the IP address with something more accurate. This tutorial at WP-Mix.com provides a more robust technique for getting the actual IP address.

Lastly, if you want to add more request details to the alert, like for Host Name, User Agent, and so forth, check out my post on WordPress 404 email alerts. There you can find numerous variables that may be included in the alert.

Email Alert Examples

To give you an example of what the email alerts look like, here are some examples showing what the message part of the notification looks like.

Something requests the WP Login Page directly:

COOKIE Vars

wordpress_test_cookie = WP Cookie check
PHPSESSID = suatqlpug7os3rnr0sqsmpc7c90

Request Info

IP Address: 123.123.123

Someone logs into WordPress successfully:

POST Vars

log = Example User
wp-submit = Log In
redirect_to = https://example.com/wp-admin/
testcookie = 1

COOKIE Vars

wordpress_test_cookie = WP Cookie check
PHPSESSID = suatqlpug7os3rnr0sqsmpc7c90

Request Info

IP Address: 123.123.123
Referrer: https://example.com/wp-login.php

Someone logs out of WordPress:

GET Vars

action = logout
_wpnonce = 397fdfe4e6

COOKIE Vars

wordpress_test_cookie = WP Cookie check
wordpress_logged_in_051cf9e2e7f51c2e47c7d96c25231b5b = Example User|1536130369|xZjNcs8ik...
wp-settings-1 = editor=html&libraryContent=browse&post_dfw=off&hidetb=1&editor_expand=off&ed_size=206&unfold=1&mfold=o&urlbutton=none&imgsize=full&posts_list_mode=list
wp-settings-time-1 = 1536130369
PHPSESSID = suatqlpug7os3rnr0sqsmpc7c90

Request Info

IP Address: 123.123.123
Referrer: https://example.com/wp-admin/

Note that alerts for failed login requests, password changes, etc., will look similar to the above examples, only some of the information will be slightly different, depending on your setup, etc.

That’s all for now, I hope it helps! Happy Login Monitoring :)

Jeff Starr
About the Author Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
Archives
Drop a Comment  ]
RSS