Are new admin accounts a sign of website intrusion?

Published by Vic Drover on


Web and digital agencies are always on the lookout for any sign of website intrusion. That’s why we built the Early Warning Audit. The audit monitors sensitive items on your site up to 8 times each day and notifies you when unexpected changes occur.

Today we add admin user monitoring to the early warning audit. This is a new feature that will help keep your site safe from intruders.

Why are you monitoring admin accounts?

For many users, adding new admin accounts is rare and never happens without prior approval and planning. So we added a new notification to the Early Warning Audit to detect when admin accounts are created. If you receive an unexpected new admin user notification from Watchful, you’ll probably want to investigate right away to see if an intruder has started creating new admin accounts on your site.

However, this new feature is not just limited to creating new admin accounts. It also detects when an existing user is granted admin privileges. This is important because some types of website attacks start with basic user accounts which are then escalated to admin users. This type of attack is called vertical privilege escalation. Once an existing user is an admin, all sorts of havoc can result.

At Watchful, we use the term User Admin Change to mean one of these two events.

What roles and usergroups are considered to have admin privileges?

In WordPress, the only role considered to have admin privileges is the Administrator role.

In Joomla, the Manager, Administrator and Super User usergroups are monitored.
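
The two User Admin Change events can be told apart by comparing the user list from one audit with the list from the next. The sketch below is an added example, not Watchful's code. The snapshot format, the function names and the sample users are assumptions; the monitored role and usergroup names are the ones listed above.

```python
# Added illustration: the snapshot layout and all function names are
# assumptions made for this example, not Watchful's implementation.
ADMIN_ROLES = {
    "wordpress": {"administrator"},
    "joomla": {"manager", "administrator", "super user"},
}

def is_admin(cms, roles):
    """True if any of the user's roles/usergroups is in the monitored set."""
    monitored = ADMIN_ROLES[cms]
    return any(r.strip().lower() in monitored for r in roles)

def admin_user_changes(cms, previous, current):
    """Compare two audit snapshots ({user_id: {"login": str, "roles": [str]}}).

    Returns (event, user_id, login) tuples sorted by user_id:
      "new_admin_account"    - user absent from the previous audit, admin now
      "privilege_escalation" - user existed without admin rights, admin now
    """
    events = []
    for uid, user in current.items():
        if not is_admin(cms, user["roles"]):
            continue  # non-admin users are not reported
        before = previous.get(uid)
        if before is None:
            events.append(("new_admin_account", uid, user["login"]))
        elif not is_admin(cms, before["roles"]):
            events.append(("privilege_escalation", uid, user["login"]))
        # else: already an admin at the last audit, nothing changed
    return sorted(events, key=lambda e: e[1])

# Constructed sample snapshots (not real data).
PREVIOUS = {
    1: {"login": "owner", "roles": ["Super User"]},
    7: {"login": "editor7", "roles": ["Editor"]},
    9: {"login": "author9", "roles": ["Author"]},
}
CURRENT = {
    1: {"login": "owner", "roles": ["Super User"]},
    7: {"login": "editor7", "roles": ["Editor", "Manager"]},  # gained Manager
    9: {"login": "author9", "roles": ["Author"]},
    12: {"login": "support", "roles": ["Administrator"]},     # brand-new admin
    13: {"login": "guest13", "roles": ["Registered"]},        # new, not admin
}

if __name__ == "__main__":
    for event in admin_user_changes("joomla", PREVIOUS, CURRENT):
        print(event)
```

Keying the comparison on the user ID rather than the login name means a renamed account is still matched to its earlier entry.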

What happens when an admin account change is detected?

When a change is detected in an admin account, a log entry is made and a notification email is sent immediately. Here’s what the log entry will look like:

Admin User Change log entry.

Because an unexpected admin change is a potential sign of website intrusion, receiving the email notice right away is critical to a fast response.

If you have used the Refresh Data button to manually perform the Early Warning Audit, you will also see a notification in your dashboard.

Dashboard notification of an Admin User Change.

How to enable or disable this feature

Admin User Change monitoring is enabled by default on all accounts. However, you must be running the following versions of the Watchful Client:

It is not possible to disable this feature. However, you may disable the email notifications related to this feature. To do this, select Admin Users Changes when personalizing email notifications.

What are some other signs of website intrusion?

On a well-maintained website, most of the critical files, services and add-ons are quite stable. This includes critical files like .htaccess and the template index.php, the version information for services like Apache and MySQL, the installed plugins and extensions, and properly configured backups.

All these items and more are continuously monitored by our Early Warning Audit, along with the admin user changes introduced today. The full list of items monitored by the audit can be reviewed in our documentation. Changes in any of the items, when not expected, could be the sign of a website intrusion.

Importantly, the Early Warning Audit runs automatically about every 3 hours (or once per day for Free accounts). Watchful users can also trigger a manual audit by selecting the Refresh Data button for any site in their dashboard.

You can also run our recently updated vulnerability scan to probe for additional signs of intrusion.

8 audits per day

If you’re on a Forever Free account, the Early Warning Audit is performed once per day. Please consider upgrading. Sites in Premium accounts are scanned 8 times per day for admin user changes and other signs of website intrusion.
