
WordPress security monitoring and diagnosis

11
responses

The three components of information security are confidentiality, integrity and availability (CIA). If you’ve followed the steps in my previous tutorial, you’ll have come a long way towards ensuring all three. But you’ll always need to keep an eye on things – remember, no site is hack-proof. Here are some tools to verify the integrity of your data. These plugins will not protect your site from attacks; they will only help you monitor your site and diagnose problems.

I have not tested any of these with the latest WordPress 3.0 beta.

Monitoring

In my first article on WordPress security I mentioned Open Source Tripwire as an option for monitoring your WordPress install for unexpected changes. A reader pointed out that it wasn’t the best solution since it’s no longer maintained and suggested a couple of other alternatives. Since then, I’ve discovered a much easier way of monitoring your WP install: WordPress File Monitor.

What it does: monitors all the files in your WordPress directory (except the ones you tell it not to) and e-mails you whenever something changes. This means nothing changes without you knowing about it. If someone edits your theme files to include spam links or uploads weird PHP scripts, you’ll know right away.

WordPress File Monitor Screenshot

Above is a screenshot of the settings I use.

Dashboard Alert: I had this set to yes for a while, but having to clear the notification pretty much every time I made a post (because I upload images, and the sitemap.xml changes) got tedious. Just keep up with the e-mail alerts if you turn this off.

Scan Interval: 30 minutes might be a little too often, I should probably cut this back to something more sane like 2 hours.

Detection Method: My main site is quite large and performance is a big concern for me, so I keep it set to Modification Date. If you’re really paranoid and have a small site, change this to Hash.

E-mail address fields: self explanatory.

Notification format: Detailed. Why would you want anything less?

Site Root: Theoretically, you shouldn’t have to change this.

Exclude paths: I exclude my cache folder (if you don’t use WP Supercache or something similar, you don’t need to worry about this) and error_logs that get a lot of errors. I do have it monitor my Uploads folder in case someone tries to slip an exploit disguised as an image in there somewhere.
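The same idea can be reproduced with a few shell commands. As an added example (my own script, not the WordPress File Monitor plugin’s code), this builds a hash baseline of a site root, prunes an excluded cache folder the way the Exclude paths setting does, and reports what was added, changed or removed; hashing also catches an edit whose modification time was put back, which the Modification Date method cannot see. The WordPress tree it scans is constructed inside the script.

```shell
#!/bin/sh
# Added example: hash-based integrity check, not the WordPress File Monitor
# plugin's code. Function names are my own; the site tree is constructed.

hash_file() { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; }

# wp_baseline SITE_ROOT OUT_FILE [EXCLUDE_DIR ...]
# Writes "hash  ./relative/path" for every file under SITE_ROOT, pruning
# the excluded directories (relative to SITE_ROOT, e.g. wp-content/cache).
wp_baseline() {
  root=$1; out=$2; shift 2
  prune=""
  for d in "$@"; do prune="$prune -path ./$d -prune -o"; done
  ( cd "$root" || exit 1
    # $prune is deliberately unquoted so find receives separate arguments
    find . $prune -type f -print | sort | while read -r f; do hash_file "$f"; done
  ) > "$out"
}

# wp_compare OLD_BASELINE NEW_BASELINE
# Prints one ADDED / CHANGED / REMOVED line per difference, sorted.
wp_compare() {
  awk 'NR==FNR { old[$2]=$1; next }
       { seen[$2]=1
         if (!($2 in old))       print "ADDED " $2
         else if (old[$2] != $1) print "CHANGED " $2 }
       END { for (p in old) if (!(p in seen)) print "REMOVED " p }' "$1" "$2" | sort
}

# Constructed demo: take a baseline, then tamper the way the post describes.
demo() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/themes/demo" "$site/wp-content/cache" "$site/wp-content/uploads"
  echo '<?php // core file' > "$site/index.php"
  echo '<?php // theme header' > "$site/wp-content/themes/demo/header.php"
  echo 'cached page' > "$site/wp-content/cache/page.html"
  wp_baseline "$site" "$site.base" wp-content/cache
  echo '<a href="http://example.invalid">spam</a>' >> "$site/wp-content/themes/demo/header.php"
  echo '<?php // unexpected script' > "$site/wp-content/uploads/image.php"
  echo 'rebuilt cached page' > "$site/wp-content/cache/page.html"   # excluded: no alert
  wp_baseline "$site" "$site.now" wp-content/cache
  wp_compare "$site.base" "$site.now"
  rm -rf "$site" "$site.base" "$site.now"
}

demo
```

Keep the baseline file outside the web root (and ideally off the server) so that whoever edits your files cannot edit the record of what they looked like.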

AntiVirus for WordPress

I learned about this one from the plugin author in the comments on my original post. As far as I can tell, it scans the core WordPress files and template files for exploits.

You can also have it do a daily scan and send you the results. I don’t do this since I’m constantly monitoring my site for changes with WordPress File Monitor. If you don’t want to monitor every single change in your WP directory, this could be a good alternative.

WordPress Exploit scanner

This seems to do a more thorough scan than AntiVirus for WordPress, but I always run into memory problems if I try to run it with the “Files” option checked.

What to do if you’ve been hacked

Detailed instructions will have to wait for a future post. For right now, see the WordPress Codex entry for what to do.

Bonus: grepping for great justice

grep is a UNIX command for searching the full text of a file or set of files on a computer. If you know the exploit you’re looking for, it’s extremely useful. To do this you’ll need SSH access to your web server, and you’ll need to be comfortable using it.

I had a nightmare of an exploit a while back that I eventually figured out: somehow someone had uploaded a copy of webadmin.php (with a different name so it would be harder to spot) to a few places on my server. They could then navigate straight to that file and change any file on my server whenever they wanted. I found one instance of it and deleted it, and thought that would be that. But I was still finding that my template files were getting edited. Here’s what I did:

1. Logged into my web server by SSH
2. Changed directory to my public directory (you may need to ask your web host where this is)
3. Ran the following command: grep -r 'webadmin' *

Even though the file had been renamed, it still contained the text “webadmin”, so grep located it and I was able to delete it.
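As an added example (not code from the post), here is the search from step 3 wrapped in a function and run against a constructed site tree holding two renamed copies of the script: a search by file name finds nothing, the search by content finds both, and the cache folder is excluded so it cannot bury the result in noise.

```shell
#!/bin/sh
# Added example: content search as in step 3 above, not code from the post.
# Function names are my own; the site tree and marker string are constructed.

# wp_grep_indicator SITE_ROOT STRING [EXCLUDE_DIRNAME ...]
# Lists every file under SITE_ROOT containing STRING (fixed string, not a
# regex). Excludes are directory base names, which is how grep matches them.
wp_grep_indicator() {
  root=$1; needle=$2; shift 2
  excl=""
  for d in "$@"; do excl="$excl --exclude-dir=$d"; done
  # $excl deliberately unquoted: each --exclude-dir must be its own argument
  ( cd "$root" && grep -rlF $excl -- "$needle" . ) | sort
}

# Builds a throwaway site tree with two renamed copies of a script whose
# contents still say "webadmin", plus a cache hit that should be ignored.
make_demo_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2010" "$site/wp-includes" "$site/wp-content/cache"
  printf '<?php // legitimate core file\n' > "$site/wp-includes/functions.php"
  printf '<?php /* webadmin */\n' > "$site/wp-content/uploads/2010/thumb.php"
  printf '<?php /* webadmin */\n' > "$site/wp-includes/helper.php"
  printf 'webadmin\n' > "$site/wp-content/cache/page.html"
  echo "$site"
}

demo() {
  site=$(make_demo_site)
  echo "by name (misses the renamed copies):"
  ( cd "$site" && find . -name '*webadmin*' )
  echo "by content:"
  wp_grep_indicator "$site" webadmin cache
  rm -rf "$site"
}

demo
```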


Comments

  1. quicoto (39 comments.) says:

    How many WordPress (self-hosted) sites have been hacked?

    I mean… Maybe WordPress is quite safe by default.

    Regards

    • Klint Finley says:

      WordPress is quite safe by default, and yet many self-hosted WordPress sites have been hacked. All software has vulnerabilities. I don’t have any specific information, but I would guess the vast majority of cases of a hacked WordPress site are the result of having an outdated version of WordPress. So staying up-to-date is the most critical thing you can do.

      However, there’s always a chance you’ll get hit by some sort of exploit before WordPress has patched it, or that you’ll be out of town or away from your computer for a few days and miss an update. It pays to have some extra protection.

      The plugins I mention in this article won’t protect you from attacks, they will only help you know if your site has already been hacked.

      My previous articles on security have some plugins you can install and steps you can take to make WordPress even more secure than it already is.

  2. Andrew@BloggingGuide (90 comments.) says:

    I am using AntiVirus for WordPress but I guess I would have to try WordPress File Monitor and maybe WordPress Exploit Scanner too since you said it does a more thorough scan. Then I’ll see which will work best for me.

  3. Mihai Secasiu (12 comments.) says:

    If someone can break WordPress security it’s very likely that they will be able to check for the plugins and deactivate them.
    They might stop some stupid bots/worms but they won’t protect you against a custom attack.

    • Klint Finley says:

      I should point out that none of the plugins above will protect you against any sort of attack – they will only let you know that your site has been hacked.

      If you want to protect your site, you should install the plugins from my previous posts.

      Most of us will never have to contend with a custom attack because it’s much easier and more effective for hackers to use generic attacks that target large swaths of blogs. That said, some of the plugins I recommended before (particularly Login Lockdown and Chap Secure Login) will help protect against even a custom attack (so will changing your default admin username).

      Of course, nothing is 100% secure, which is why you should always have good backups.

  4. Alex Sysoef (8 comments.) says:

    Nicely written! I have been using and encouraging others to implement WordPress File Security for quite a bit now and glad to see others push it through! I found it absolutely invaluable for myself to monitor what is happening on my blog and help me protect it.

    Thanks!

  5. naeem (3 comments.) says:

    I had an annoying issue on my self-hosted blog. Some script used to inject about 200 hidden links to spam medical sites.

    My site was
    - self-hosted on Media Temple
    - fairly high traffic (2000+ page impressions daily & peaks with news to about 15 000 daily)
    - ALWAYS upgraded to the latest version
    - used a WooThemes theme that was legal (i.e. not torrented)

    Anyway, for nearly a month, twice a week I had to get into the editor and edit header.php to remove the links. I tried WP Antivirus & Exploit Scanner but they didn’t work well.

    Installed
    WP Extra Security http://lelkoun.cz/wordpress-plugin-extra-security
    and
    WP Malwatch http://how-to-blog.tv/security/wp-malwatch/

    seems to have worked for me.

    (PS: I also did manual upgrades and overwrote install files)

    • Klint Finley says:

      I hadn’t heard of those two plugins, will check them out. It sounds like you had the same problem I had with webadmin.

  6. David Richards (3 comments.) says:

    Outstanding article, anything that helps the WordPress platform to become even more secure/stable gets a big thumbs up from me.

  7. bubazoo (213 comments.) says:

    Is there a way to run "grep -r 'webadmin' *" on a server that doesn’t allow SSH access? I am finding out that more and more web hosting providers are blocking SSH access, which I think is crazy, but my host does, and several hosts I’ve been with before that all block SSH completely, not even jailed... or is there, like, a plugin that I can install that would run a series of commands like this on a server for those who don’t have SSH access to their servers?

    Because a lot of times I find out I can’t even change file permissions or ownership of files without SSH access, and it annoys me to no end, because not all FTP clients, or servers apparently, allow for file permissions to be set or reset in your FTP client either. I found that out the hard way a few times.

    • Klint Finley says:

      I don’t know how to do it w/o SSH – there might be a way to do it through your host’s control panel. But really I’d suggest getting a host with SSH access!
