Have you ever had to clean your WordPress website from a malware infection? Do you know how to find out which code was compromised? Do you know if your developers or agency left backup and leftover files on your website that can leave you exposed?
This post explains how File integrity monitoring (FIM) helps you answer such questions. We will see how a file integrity monitor plugin is instrumental in helping you better manage your WordPress site’s files. Detecting issues at an early stage is very important – it allows you to mitigate and limit the attack’s or problem’s damage.
Note: File integrity monitoring is the technical term for what is more commonly known as file changes scanning, file changes monitor and similar terms.
What is file integrity monitoring & scanning?
File integrity scanning or monitor refers the process that compares a file’s fingerprints to figure out if it has changed. File Integrity checking software works by creating a cryptographic hash, or a fingerprint of the files on a system. When the contents of a file changes, so does its fingerprint. Upon noticing the change in the file’s fingerprint the file integrity scanner notifies the administrator.
Why you need file integrity checks on WordPress sites?
Changes to files happen frequently on busy WordPress websites. Of course, most of these changes are desired. For example when you add new media files, install or update a plugin, and purposely modify the code of the theme. Other changes however, can be far from benign or done by mistake.
A file integrity scanner helps you keep track of the integrity of your WordPress website. In other words, it helps you guarantee that the new plugin or theme you installed has not modified your site’s files.
Proactive and Reactive File Integrity Monitoring & Scanning
Primary there are two primary ways how File Integrity Monitoring (FIM) and scanning is used: proactively and reactively. Both of these methods are explained in this post.
Proactive Security Actions
When File integrity scanning is used proactively it prevents bad things from happening. The following are a few scenarios in which proactive file integrity monitoring detects and notifies you of mistakes. This enables to you fix the issues before attackers identify the vulnerability, or there is a problem with the site.
- A developer accidentally copies a text or another type of file which contains sensitive information. These type of files can be easily found and downloaded by malicious hackers.
- A database administrator leaves a MySQL database backup (.sql) on the website. This would allow an attacker to download your entire WordPress database.
- A webmaster makes a copy of wp-config.php and names it wp-config.bak. Since it is not a PHP file anymore this would allow an attacker to download the backup file.
- Someone edits a PHP file directly on the server with the Vim editor and does not exit the editor properly. This leaves a .swp file behind. An attacker can download such file since the web server does not treat it as PHP code.
Reactive Security Actions
Many associate reactive security measures with being too late. However, in reality timely reactive security actions are crucial towards mitigating an attack. They also help stopping the damage before things get worse.
The following are a few scenarios where a file integrity scanner can be used to quickly drill-down into suspicious activity, and act upon attacks during or after they happen.
WordPress Attack Scenario 1
A file integrity monitor plugin detects a new PHP file. It has an obscure name and is stored in the /wp-content/uploads directory. Upon inspection, the WordPress administrator cannot attribute this file to a change he or the team made. The file contains obfuscated code, which results to be a web shell. The administrator needs to act quickly.
First he makes a copy of the file for further analysis. Then deletes it to cut off the attacker’s access to the WordPress site. After investigating the web server logs the admin realizes that this file was uploaded by an attacker who abused a vulnerability in a file upload form on their site. With all information in hand the admin can speak to the developers to fix the issue.
WordPress Attack Scenario 2
A WordPress file changes monitor plugin alerts the administrator of WordPress core files changes. This should never occur except during WordPress updates. However this happened right after another WordPress admin installed a new plugin.
After investigating, the webmaster finds out that others experienced similar behaviour and reported the malicious plugin: it is designed to steal WordPress credentials and send them to the attacker when a user logs in.
The webmaster immediately removes the rouge plugin and restores the tampered files. He also resets the passwords of all WordPress users with a plugin for piece of mind.
WordPress Attack Scenario 3
A file integrity monitor plugin notifies the admin of an obscure file in password protected directory in the WordPress root. The directory stores static files with sensitive information and is protected with a strong password using HTTP authentication.
After some investigation the webmaster realizes that the file was uploaded via a misconfigured FTP server which allows anonymous write access. The administrator immediately fixes the FTP server’s configuration and disables anonymous authentication.
Which WordPress files you need to keep an eye on?
Similar to WordPres activity logs, with file integrity scanning plugins you need to know what to look for in order for it to be effective. Track every file change and you’ll have a never ending stream of alerts. Track too little and you’ll lose all the benefits of the file changes monitor plugin.
Another important factor to bear in mind is that not all file changes are indicators of malicious or problematic activities. For example there are no problems if a backup plugin writes SQL files to a directory prohibited to unauthorized users. The following are some pointers to differentiate between benign and malicious changes in WordPress directories.
/wp-content/uploads/ WordPress directory
WordPress websites tend to be very active. So by monitoring every single created or modified file will likely result in an endless stream of alerts. In almost all cases, it makes sense to exclude static files from the /wp-content/uploads/ directory.
Static files include media files such as images, videos, and audio, and also documents such as presentations, spreadsheets and PDFs. It is safe to ignore such files, but not the uploads directory. You really want to know if executable files such as PHP files are uploaded in this directory.
/wp-content/cache/ WordPress directory
This directory is a tricky one. It is used by WordPress caching plugins. Depending on the configuration of your caching plugin you may see a variety of files in sub directories of /wp-content/cache/, including legitimate PHP files. These are added by your caching plugins, especially if you enable object caching. If this is the case study the behaviour or your caching plugins and what files they store and configure the file integrity scanner according to your findings. If you do not use any caching plugins, or your plugins do not store PHP and other source code files, then it is much easier to monitor this directory.
/wp-content/plugins and /wp-content/themes/ WordPress Directory
When you add, delete or update a plugin you will see changes in the /wp-content/plugins/ WordPress directory. If you make changes to a team you will notice file changes in the /wp-content/themes/ directory.
This does not mean that all changes that occur in these directories are always benign. However, as a general rule of thumb file changes within these two directories should only occur as a result to some administrative actions with WordPress.
Note: Our Website File Changes Monitor plugin for WordPress has a unique feature. It recognizes WordPress core, plugins and themes changes. Therefore it does not send false alarms about hundreds of file changes. It alerts you that the file changes were a result of a change in the site, allowing you to review the change.
The WordPress root directory
The WordPress root directory is the actual WordPress installation on the web server. This is an important location to pay attention to. More often than not, file changes done here provide a good signal for you to investigate, unless the changes were done by you.
WordPress Core files
WordPress Core files are the actual files that make up the WordPress web application. Modification in core files should only ever occur as a result of a WordPress update. They should never occur under any other condition.
Therefore, unless you manually edited a WordPress Core file (avoid doing this, there are better ways to customize WordPress), this should be a high-quality signal that something fishy is up.
How do I Monitor My WordPress Site for File Changes?
While file integrity scanning can be achieved by a number of non-WordPress specific tools, many usually require quite a learning curve to run, configure and operate.
Instead, a simpler approach, if not better with finer-tuned results would be to use the Website File Changes Monitor plugin for WordPress. This plugin has exclusive smart technology that recognizes WordPress core, plugins and themes updates, installs and deletions. So it does not report false positives raising false alarms! Refer to false positives in file integrity monitoring for more information on false positives and our smart technology.
The plugin recognizes site structure changes. So when there is a change the plugin notifies you of the site structure change, and not of the hundreds of files that has been added or modified on your WordPress site. It automates the job for you, doesn’t raise any false alarms and you do not have to manually filter the results.
Download the Free Website File Changes Monitor for WordPress today to better manage and improve the security of your sites.
What if I already use a WordPress security plugin?
If you already make use of a WordPress security plugin, that’s great, keep doing that. However, file integrity monitoring is not a security plugin’s focus. By using a WordPress plugin that is specifically designed for file integrity monitoring with performance in mind, you can still reap all the benefits of using generic WordPress security plugins, with the addition of all the valuable insights file integrity monitoring provides you with.