Your WordPress website is made up of files, and it’s important that you know all of the changes that happen to those files as an administrator. Unauthorized file changes can break your website, change its behavior, or be a sign of a hack.
By keeping yourself informed of file changes on your WordPress website, you can easily:
- Keep track of changes developers make on your website
- Ease troubleshooting should problems arise
- Identify leftover database and source code files that could expose sensitive data to malicious hackers
- Know exactly which files were changed and where malware was injected in case of a website hack
To keep yourself informed of all file changes that happen on your WordPress website you need File Integrity Monitoring. In this article we will explain:
- How file integrity monitoring works
- Why it is important
- How to use a file integrity monitoring plugin
How does file integrity monitoring work?
File integrity monitoring is a method used to determine if changes have been made to files within a system. The process works by creating a hash value from every individual file and then comparing two different hashes of the same file taken at different times. Think of it like a fingerprint.
If the hashes match, the file did not change. Otherwise, the file has changed. When the system has new hashes, it means that files have been added to the system.
The process of running file integrity monitoring checks is also commonly referred to as file changes scanning or file changes monitoring.
The Importance Of File Integrity Monitoring For WordPress websites
File integrity monitoring is important for WordPress websites; it enables you to respond rapidly to file changes, malicious or otherwise. With file integrity monitoring you can, for example, ensure a newly installed plugin or theme does not make unexpected file changes and identify the source of a problem easily.
While it is easy to think that a single security and firewall plugin is all you need, that oversimplifies the process of keeping a WordPress website secure. You should take a holistic approach to WordPress security. At least, you should:
- Install a WordPress firewall to block attacks
- Always use the latest software, plugins, themes and WordPress core
- Keep a record of all user changes that happen on your website (WordPress activity logs)
- Ensure users use strong passwords and enable two-factor authentication
- Install a WordPress file integrity monitor plugin
Knowing where and what file changes to look for
The files are organized in several subdirectories on a WordPress website. There are some file changes that are expected, however, some others aren’t. Let’s run through some examples.
/wp-content/uploads/– WordPress saves non-executable files in this directory, such as the images media files. Therefore changes in the /wp-content/uploads/ directory are usually nothing to worry about. Alerting for every change in this directory is likely overkill and leads to false alarms. In fact, most file integrity monitoring plugins ignore media files such as jpg, jpeg, png, pdf etc.
/wp–content/cache/ (varies depending on-site configuration)- If you use a caching plugin, expect to see activity in the /wp-content/cache/ folder and its sub-directories. Some of the files may even be legitimate executable files. Good file changes plugins exclude the subfolder /wp-content/cache/ by default. If yours does not, consider excluding the directory from the file changes scans.
/wp-content/plugins/– This is where the files of the installed plugins are saved. If you are installing, updating, or deleting a plugin expect changes here. Otherwise, it should remain unchanged.
/wp-content/themes/– This directory is similar to the /plugins/ directory, except that it is for themes. There should not be any file changes in this directory unless you’ve made changes to your site’s theme(s).
The WordPress root– This is a very important directory. Unless you or the server administrator made modifications (you should never modify WordPress core code), any file changes here should be scrutinized. Generally, the WordPress root directory should remain unchanged unless you update WordPress core.
WordPress core files– You shouldn’t manually edit WordPress core files unless you’re an advanced user with a very specific purpose and good reason. For everyone else, WordPress core files should change ONLY when you update WordPress.
What does a file change on a WordPress website mean?
So what constitutes a file change on a WordPress website? A change could be any of the following:
- Modification of existing files
- Deletion of existing files
- Creation or addition of new files
Once you detect a file change, how do you know what caused it, and if it was legit or not? There is no one-size-fits-all answer, but here are a few common reasons for file changes:
Benign actions and common development & administrative activity– WordPress updates, plugin changes, theme changes, content uploads, and development work can all result in file changes. So if you are aware that these changes are happening, you can easily review the file changes scan results.
Plugin activity– Some plugins create file changes. Typically, caching and backup plugins create their own files on the website. Some security plugins also modify configuration files, such as .htaccess. Familiarize yourself with the behavior of your plugins, so you can easily determine which changes are legit and which are not.
Developer or administrator error– A developer or administrator may leave behind source code, backup or other types of files that contain sensitive information. These files can be a source of data leaks, which attackers use to learn about a website’s setup and possible security flaws.
Malicious activity– Once attackers gain access to a WordPress website, they will likely change files by injecting them with malware, and upload or create executables to carry our malicious activity.
How file integrity monitoring improves WordPress security
With file integrity monitoring you address two types of WordPress security: proactive and reactive security. Proactive security entails addressing a potential issue before it becomes a breach. Reactive security entails responding to hack attack.
While reactive may have negative connotations to some, the reality is effective reactive security can go a long way in mitigating the extent of a security breach.
Examples of proactive security with file integrity monitoring
Suppose a developer edits a PHP file without properly exiting their text editor. This leaves a swap file (.swp extension) behind. Similarly, suppose they save an old PHP file as a .bak file. In both cases, a hacker could download the files as they are not executed like PHP files. File integrity monitoring enables you to proactively detect these type of issues.
If a database admin leaves a .sql database backup in an insecure location on the site, an attacker could find it and download it. This also happens when using backup plugins- some backup plugins keep the backups local, on the site. Attackers use tools to automatically guess the paths of the backup files and download them.
When you use a file integrity monitoring solution you are alerted of such issues. Therefore in order to be proactive and take the files offline, reconfigure the servers, and write up new policies for your team so they do not put your website at risk (even if it was not intentional).
Examples of reactive security with file integrity monitoring
An administrator receives an alert about file changes in their WordPress website, despite there being no recent updates. Upon investigation, the admins find a malicious script in the header.php file. They also notice anonymous FTP write access is enabled. The admins delete the compromised file, restore the original theme file and correct the FTP server configuration.
The file integrity monitoring plugin alerts the administrators that the 404.php file in the themes directory has changed, even though there have been no recent theme changes. During forensics, an admin identifies a backdoor script in the 404.php file. By analyzing the web server logs and WordPress audit logs the administrator notices that a new user was created on WordPress so the attackers could retain access and that a vulnerability was exploited in an outdated plugin.
By studying the alerts and logs the administrator knows the source of the hack, allowing them to fully recover from the hack and fix the security flaws.
File integrity monitor plugin for WordPress websites
Now that you know that file integrity monitoring helps you improve the administration, troubleshooting, and security of your WordPress websites, you want to know how to implement it on your website.
You can do so by installing a WordPress file integrity monitoring plugin. Most WordPress security plugins do file integrity monitoring, however, their main focus is security hardening, like firewalls. For file integrity monitoring, go for a specialized plugin that does just that.
We recommend Website File Changes Monitor. Since it is a specialized single scope plugin, it is very lightweight, easy to configure and has some unique features. For example:
Smart technology that reports no false positives – You do not want your administrators flooded with false-positive notifications when you install a new plugin or update WordPress core. This can easily lead to a cry wolf situation. The Website File Changes Monitor plugin uniquely identifies changes made by plugins and themes installs, updates and uninstalls, and WordPress core updates mitigating the likelihood of false alarms.
Self-generated source hashes – Unlike other plugins, the Website File Changes Monitor plugin generates its own hashes. Therefore it can detect file changes on all your installed themes and plugins, even custom ones and any custom code you might have. Also, you do not depend on the vendor to update the source hashes used for comparisons when a new WordPress update is released.
On top of the above, the plugin is multisite compatible, fully configurable and sends email notifications when it detects file changes on your WordPress website.