Suspicious site activity?

Auto-drafts are automatically deleted after 7 days of going unused. They’re self-cleaning, basically. No need to worry about them. [1]

WordPress automatically saves your post while you are editing it, an action that they call “auto-draft”. If you don’t hit the publish or update button, then the post will be saved as an “auto-draft” and any modification to your will not be visible in your public site. Once you publish the post WordPress automatically deletes the “auto-draft” entries from the database, since this is an operation performed by your website itself it makes sense that the IP address is the same as the one used by your web server.

If you don’t want your website to create drafts automatically while you edit a post you can add this code [2] to your configuration file to increase the interval of the automatic saves. However, some people suggest that you should keep the auto-draft function enabled:

Auto-drafts exist because of the fact that multiple users can create new posts at the same time. If two people enter post-new at roughly the same moment, then have their first autosaves occur nearly simultaneously, then there is a race condition that can cause one of them to get back the wrong post ID, which will cause a post to be overwritten/lost when they then continue editing the post.

The auto-draft creates the post and gets the ID of the new post before the editing screen is displayed, thus preventing two simultaneous authors from accidentally having the same post ID in the data in their browser. [3]

[1] https://wordpress-hackers.1065353.n5.nabble.com/a-tp914p923.html
[2] define('AUTOSAVE_INTERVAL', 3600);
[3] https://wordpress-hackers.1065353.n5.nabble.com/a-td914.html#a917

Hey,

Thanks for your clearing the situation. I also have similar logs: https://imgur.com/a/qAcYv

Can you confirm me that the first line (Post status has been changed (details) is also not suspicifous ?
It’s my IP but I did nothing on the website.

Thanks

The log in the screenshot [1] is suspicious, that’s why the plugin has included it in there. It is up to the administrator of the website to determine if the event was triggered via a legitimate action or by a person/system trying to exploit a vulnerability.

Considering what I previously mentioned about WordPress deleting drafts automatically, if you agree with my statement there, we could assume that this log is referring to one of those automatic cleanups performed by the website via a scheduled task. A good way to be sure that this is true is to reverse the IP address that you marked as “Unknown IP” and check if the host corresponds to the network that you are using to serve the website.

Here are two tools [2][3] that you can use to execute an IP Lookup.

Here is an example, if you reverse this IP address [4] you will get something like [5] and so you will know that the IP corresponds to Google’s network. The majority of big hosting providers have their own network, others outsource the infrastructure. If you are lucky, you will be able to find enough information using one of these tools to determine the origin of that post deletion action.

Let me know if you need more information.

[1] https://i.imgur.com/Lc0IXXn.jpg
[2] https://mxtoolbox.com/ReverseLookup.aspx
[3] https://remote.12dt.com
[4] 8.8.8.8 — OR — 8.8.4.4
[5] google-public-dns-a.google.com

Hi Yorman,

Thanks for clarifying that up.
As I can see you have good knowledge and you give great support to your plugin.

I checked the unkown IP and it match up with the IP address of my site so you’re 100% right.

I recently added your plugin (about one month) and this is the first time it happened so I was a little stressed about this.

Thanks again

@ohute — I am glad you were able to verify the origin of the IP address. Don’t hesitate to open a new ticket if you have additional questions and/or have suggestions about the plugin. Merry Christmas (???)