
During the latest spree of hacks in April and May, hackers dropped a malicious .PHP script in the root directory of self-hosted blogs.
The script changed all .PHP files, adding one line of code which redirected visitors to a virus-infested site, and then deleted itself. Anywhere between an hour and a day passed between the drop of the hacking .PHP file and its self-deletion.
In my frantic search to close the security holes on my blogs, I came across a WordPress plugin called WordPress File Monitor by Matt Walters.
The plugin monitors your WordPress installation for file changes by scanning your directories from the root down. It detects changes based either on the files’ hash (a number that uniquely identifies each file based on content, name and timestamp) or on the files’ timestamp only. Of course the “hash” method is more secure, but it takes more computing time from your server.
“Changes” could be an upload of a file, the deletion of a file, or changes made inside a file.
You can configure the scan to run at any interval from 1 minute up to indefinite. Or you can decide to scan your files only manually from the dashboard.
When a change is detected, a notification appears on your WordPress dashboard:

Clicking on “View changes” gives you more details. In our case a file called “try.php.jpg” was dropped at the root directory level:

Based on the alert, you can take the appropriate action, or just clear the alert.
You can also configure the plugin to send an email alert to a specified address. As a test, I set the scan interval to one minute and edited the .htaccess file in my root directory. The warning email was sent immediately:
This email is to alert you of the following changes to the file system of your website at http://www.haveimpact.org
Timestamp: Sun, 23 May 2010 00:11:54 +0200
Changed:
.htaccess
As some directories, such as cache directories, change their information on the fly, you can exclude them from the scan.
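To make the difference between the two detection methods concrete, here is an added example (not the plugin's code, and not from the original post) that snapshots a directory tree, reports added, removed and changed files, and skips an excluded cache directory. It assumes SHA-256 over file content as the hash, and the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root, method="hash", exclude=()):
    """Map relative path -> fingerprint for every file under root."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories (e.g. caches) so os.walk skips them.
        dirnames[:] = [d for d in dirnames if d not in exclude]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if method == "hash":  # content digest: slower, sees every edit
                with open(path, "rb") as fh:
                    state[rel] = hashlib.sha256(fh.read()).hexdigest()
            else:  # timestamp only: cheap, blind if mtime is unchanged
                state[rel] = os.stat(path).st_mtime_ns
    return state

def diff(old, new):
    """Classify paths as added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def demo():
    """Constructed sample tree; returns (hash_report, mtime_report)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        index = os.path.join(root, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php echo 'home'; ?>\n")
        st = os.stat(index)
        base = {m: snapshot(root, m, exclude=("cache",)) for m in ("hash", "mtime")}
        with open(index, "a") as fh:  # content edit ...
            fh.write("<?php /* extra line */ ?>\n")
        # ... with the old mtime kept, the case timestamp comparison cannot see
        os.utime(index, ns=(st.st_atime_ns, st.st_mtime_ns))
        open(os.path.join(root, "try.php.jpg"), "w").close()  # new file
        open(os.path.join(root, "cache", "page.tmp"), "w").close()  # excluded
        return tuple(diff(base[m], snapshot(root, m, exclude=("cache",)))
                     for m in ("hash", "mtime"))

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Both reports list the new file, but only the hash report flags index.php as changed, and neither reports the file written into the excluded cache directory.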
This plugin is highly recommended to help you secure your self-hosted WordPress blog!
Picture courtesy Discoveries in Medecine
Peter. Flemish, European, aid worker, blogger, expeditioner, sailor, traveller, husband, father, friend, nutcase. Not necessarily in that order.
{ 2 comments }
This plugin definitely rocks. I loaded-up my blog with all kinds of security-related plugins when the php exploit started, but this one is the only one I’m still using.
Is something like this possible? There are better ones, but also worse ones.