
Monitor malicious file changes on your WordPress blog

Posted on May 23rd, 2010 by

Sherlock Holmes with magnifying glass

During the latest spree of hacks in April and May, hackers dropped a malicious .PHP script in the root directory of self-hosted blogs.
The script changed all .PHP files, adding one line of code that redirected visitors to a virus-infested site, and then deleted itself. Anything between an hour and a day passed between the drop of the hacking .PHP file and its self-deletion.

In my frantic search to close the security holes on my blogs, I came across a WordPress plugin called WordPress File Monitor by Matt Walters.

The plugin monitors your WordPress installation for any file changes by scanning your directories from the root down. It detects changes based on either the files’ hash (a number that uniquely identifies each file based on content, name and timestamp) or on the timestamp of the files only. Of course the “hash” method is more secure, but it takes more computing time on your server.

“Changes” could be an upload of a file, the deletion of a file, or changes made inside a file.

You can configure the scan to happen between 1 minute and an indefinite interval. Or you can decide to only scan your files manually from the dashboard.

When a change is detected, a notification appears on your WordPress dashboard:

WordPress File Monitor Dashboard warning

Clicking on “View changes” gives you more details. In our case a file called “try.php.jpg” was dropped at the root directory level:

WordPress File Monitor Alert Notification

Based on the alert, you can take the appropriate action, or just clear the alert.

You can also configure the plugin to send an email alert to a specified address. As a test, I set the scan interval to one minute and edited the .htaccess file on my root directory. The warning email was sent immediately:

This email is to alert you of the following changes to the file system of your website at http://www.haveimpact.org
Timestamp: Sun, 23 May 2010 00:11:54 +0200

Changed:
.htaccess

As some directories, such as cache directories, change their information on the fly, you can exclude them from the scan.
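To show how such a monitor works end to end, here is an added example (my own illustration, not the plugin’s code): it snapshots a tree from the root down in either “hash” or “timestamp” mode, skips an excluded cache directory (assumed here to be wp-content/cache), and classifies the differences as added, deleted or changed, like the alert shown above.

```python
import hashlib
import os
from pathlib import Path
# Directories to skip, relative to the scan root (the page's "cache directories" case).
DEFAULT_EXCLUDES = ("wp-content/cache",)

def file_fingerprint(path: Path, root: Path, use_hash: bool = True) -> str:
    """Hash mode covers content, relative name and mtime (as the page describes);
    timestamp mode records only the mtime and is cheaper but easier to fool."""
    st = path.stat()
    if not use_hash:
        return f"mtime:{st.st_mtime_ns}"
    h = hashlib.sha256(str(path.relative_to(root)).encode())
    h.update(str(st.st_mtime_ns).encode())
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, excludes=DEFAULT_EXCLUDES, use_hash=True) -> dict:
    """Walk from the root down and map relative path -> fingerprint."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        # Prune excluded directories so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if (d if rel_dir == "." else f"{rel_dir}/{d}") not in excludes]
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = file_fingerprint(p, root, use_hash)
    return result

def diff_snapshots(old: dict, new: dict) -> dict:
    """Classify differences the way the plugin's alert does: added, deleted, changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def format_alert(changes: dict, site: str) -> str:
    """Render the result as a plain-text alert in the style of the plugin's e-mail."""
    lines = [f"Changes to the file system of your website at {site}"]
    for kind in ("added", "deleted", "changed"):
        if changes[kind]:
            lines += [f"{kind.capitalize()}:", *changes[kind]]
    return "\n".join(lines)
```

Store the baseline snapshot somewhere the web server cannot write to, otherwise an attacker who can drop a file can also rewrite the baseline.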

This plugin is highly recommended to help you secure your self-hosted WordPress blog!

Read more about blog security in these posts.

Picture courtesy Discoveries in Medecine

3 Comments to “Monitor malicious file changes on your WordPress blog”

  1. Roy says:

    This plugin definitely rocks. I loaded-up my blog with all kinds of security-related plugins when the php exploit started, but this one is the only one I’m still using.

  2. Does something like that work? There are better ones, but also worse ones

  3. [...] Monitor Malicious File Changes in WordPress Blog [...]
