Monitor malicious file changes on your WordPress blog
During the the latest spree of hacks in April and May, hackers dropped a malicious .PHP script on the root directory of selfhosted blogs.
The script changed all .PHP files, adding one line of code which redirected visitors to a virus-infested site, and then deleted itself. There was anything between a day and an hour between the drop of the hacking .PHP file, and its self-deletion.
The plugin monitors your WordPress installation for any file changes incurred by scanning your directories from the root down. The plugin detects changes based on the files’ hash (a number that uniquely identifies each file based on content, name and timestamp) or on the timestamp of the files only. Of course the “hash” method is more secure, but takes more computing time from your server.
“Changes” could be an upload of a file, the deletion of a file, or changes made inside a file.
You can configure the scan to happen between 1 minute and an indefinite interval. Or you can decide to only scan your files manually from the dashboard.
When a change is detected, a notification appears on your WordPress dashboard:
Clicking on “View changes” gives you more details. In our case a file called “try.php.jpg” was dropped at the root directory level:
Based on the alert, you can take the appropriate action, or just clear the alert.
You can also configure the plugin to send an email alert to a specified address. As a test, I set the scan interval to one minute and edited the .htaccess file on my root directory. The warning email was sent immediately:
This email is to alert you of the following changes to the file system of your website at http://www.haveimpact.org
Timestamp: Sun, 23 May 2010 00:11:54 +0200
As some directories, such as cache directories, change their information on the fly, you can exclude them from the scan.
This plugin is highly recommended to help you secure your selfhosted WordPress blog!
Read more about blog security in these posts.
Picture courtesy Discoveries in Medecine