Have you ever had to clean your WordPress website from a malware infection? Do you know how to find out which code was compromised? Do you know if your developers or agency left files on your website? Unsure if these files could leave you exposed?
Today, we’re talking about how file integrity monitoring (FIM) helps you answer these questions. Detecting issues at an early stage matters: it allows you to contain and limit the damage caused by a problem with your files. To that end, we’ll also show you how a file integrity monitor plugin can help, and why it’s instrumental in managing your WordPress site’s files.
Note: File integrity monitoring is a technical term. It’s more commonly known as a WordPress integrity check.
Table of contents
- What is file integrity monitoring and scanning?
- How file integrity monitoring works
- Why do you need WordPress integrity checks?
- Proactive and reactive file integrity monitoring and scanning
- Which WordPress files do you need to keep an eye on?
- How do I monitor my WordPress site for file changes?
- What if I already use a WordPress security plugin?
- File integrity monitoring for WordPress
What is file integrity monitoring and scanning?
File integrity scanning refers to the process of comparing a file’s current state against a known baseline. This often takes the form of cryptographic hashes (or fingerprints) to determine if the file has been altered.
The software or tools that perform these checks create a cryptographic hash of the files on a system. This hash serves as a unique fingerprint for the file. When the contents of a file change, its fingerprint also changes. The file integrity scanner detects this change by comparing the current hash against the baseline. Then it notifies the administrator if any discrepancies are found.
How file integrity monitoring works
File Integrity Monitoring (FIM) is a security technology, as we’ve already established. It helps detect unauthorized changes to files and directories on a system. And it operates by creating a baseline of “known good” states for files. Then it continuously or periodically compares the current state of those files against this baseline.
Let’s explore some of the ways FIM works now:
1: Baseline creation
When FIM is first implemented, it generates a baseline. It does this by calculating cryptographic hashes like MD5, SHA-1, or SHA-256. It does this for critical files and directories. These hashes serve as unique fingerprints. They represent the contents of the files at that specific moment in time.
2: Continuous or scheduled monitoring
Depending on the configuration, FIM can work in two ways. It can continuously monitor files in real time. Or, it can perform scheduled scans at specific intervals. Each time a scan is run, the FIM system recalculates the hash for each file. Then it compares this against the original baseline.
3: Detection of changes
If a file has been altered, its hash will differ from the baseline. This applies whether the change was due to an update, an accidental edit, or malicious activity. The FIM system detects this discrepancy and flags it as a potential security issue.
4: Alerting and reporting
When a change is detected, the FIM system generates an alert. This is usually sent to the system administrator or security team. When using WordPress, this will be sent to the WordPress administrator.
The alert typically includes various details. For example, which file was changed. Or the nature of the change like content modification, file creation, or deletion. And even the timestamp for when the change was made.
5: Response and investigation
Upon receiving an alert, the administrator can investigate the change. They’ll then determine whether it was authorized or if it represents a security threat. The FIM tool often provides detailed logs and reports to assist in this investigation. This helps administrators quickly identify and respond to potential breaches.
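The five steps above, as an added example that is not the article's or the Melapress plugin's own code: a small Python monitor that builds a SHA-256 baseline of a directory tree (step 1), recalculates on each run (step 2), classifies paths as added, modified or deleted (step 3), returns that as a report (step 4), and only refreshes the baseline when the administrator accepts the changes (step 5). The baseline file name, the constructed mini site in `demo()`, and the `accept_changes` parameter are assumptions of this example.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: the baseline is stored as JSON under this name inside the monitored tree.
# In a real deployment keep it outside the document root, readable only by the scanner.
BASELINE_NAME = ".fim-baseline.json"


def file_fingerprint(path: Path) -> str:
    """SHA-256 of the file contents, read in 64 KiB chunks so large media never load whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Step 1: fingerprint every regular file under root, keyed by POSIX-style relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name == BASELINE_NAME or full.is_symlink():
                continue
            rel = full.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_fingerprint(full), "size": full.stat().st_size}
    return baseline


def compare(previous: dict, current: dict) -> dict:
    """Step 3: paths present only now are added, only before are deleted, same path with a
    different hash is modified."""
    old, new = set(previous), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if previous[p]["sha256"] != current[p]["sha256"]),
    }


def scan(root: Path, accept_changes: bool = False) -> dict:
    """Step 2/4: one scheduled run. The first run seeds the baseline and reports every file as
    added; later runs report differences and (step 5) keep the old baseline until an
    administrator accepts the changes, so an unauthorized edit keeps being reported."""
    baseline_path = root / BASELINE_NAME
    current = build_baseline(root)
    if baseline_path.exists():
        report = compare(json.loads(baseline_path.read_text()), current)
        if accept_changes:
            baseline_path.write_text(json.dumps(current, indent=1))
    else:
        report = {"added": sorted(current), "deleted": [], "modified": []}
        baseline_path.write_text(json.dumps(current, indent=1))
    return report


def demo() -> dict:
    """Constructed mini site: seed the baseline, make one change of each kind, rescan."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'demo');\n")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    scan(root)  # first run: seeds the baseline
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'demo'); // edited after baseline\n")
    (root / "wp-content" / "uploads" / "unexpected.php").write_text("<?php // not in the baseline\n")
    (root / "index.php").unlink()
    return scan(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints a report with `wp-config.php` under `modified`, `wp-content/uploads/unexpected.php` under `added` and `index.php` under `deleted`. The deliberate choice here is that a scan never silently re-baselines: a tool that overwrote the baseline on every run would report a tampered file exactly once and then treat it as normal.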
Why do you need WordPress integrity checks?
Changes to files happen frequently on busy WordPress websites. Of course, most of these changes are desired. Here are a few common examples of wanted changes:
- When you add new media files
- Installing or updating a plugin
- Purposely modifying a theme’s code
Other changes, however, can be far from benign or even done by mistake.
A file integrity scanner helps you keep track of the integrity of your WordPress website. In other words, it helps you guarantee that the new plugin or theme you installed hasn’t modified your site’s files in ways that you didn’t approve of.
Let’s spell out the benefits a bit more. WordPress integrity checks provide:
- Early detection: FIM allows for the early detection of unauthorized changes. This works wonders for preventing data breaches and mitigating the impact of an attack.
- Compliance: Many regulatory frameworks, like PCI DSS, require FIM as part of their security standards.
- Forensic analysis: If there is a security incident, FIM logs provide valuable information. They help determine the scope and impact of the breach after the fact.
Now you hopefully have a clear idea of what file integrity monitoring is and why it’s important. So let’s talk about the ways you can use it effectively.
Proactive and reactive file integrity monitoring and scanning
There are two primary ways to use File Integrity Monitoring (FIM) and scanning: proactively and reactively. Both methods are essential for maintaining the security of your WordPress site.
Proactive security actions
When file integrity scanning is used proactively, it can detect changes on your site that could indicate vulnerabilities are present or unauthorized actions are taking place. You’ll be able to detect issues before they lead to significant problems or exploitation.
The following are a few scenarios worth examining. Here, you’ll see where proactive file integrity monitoring detects and notifies you when issues arise. This gives you time to fix the issues before anything happens or before damage is done.
1: Accidental exposure of sensitive information
In this situation, a developer mistakenly uploads a file containing sensitive information. Think of things like configuration details or personal data. Bad actors could then discover and download these files if left unprotected.
Proactive monitoring would alert you to the presence of such files. This gives you time to secure or remove them promptly.
2: Unsecured database backups
Let’s say a database administrator leaves a MySQL database backup (.sql file) in a public directory. This could allow a bad actor to download your entire WordPress database.
File integrity scanning would detect this new file and notify you, making it possible for you to take action.
3: Misnamed backup files
Here’s another example. A developer creates a backup of the wp-config.php file but mistakenly names it wp-config.bak. Because it’s no longer recognized as a PHP file, it could be downloaded by a bad actor. But thanks to proactive scanning, you’ll be notified of this change as soon as it happens.
4: Residual files from text editors
Someone edits a PHP file on the server using a text editor but doesn’t exit properly. This would leave a .swp file behind. Such files can be downloaded by bad actors since the web server doesn’t treat them as PHP code. Monitoring would alert you to these residual files, giving you a chance to delete them.
Reactive security actions
Now that we’ve covered proactive measures, let’s turn our attention to reactive security measures. There’s often this misconception that reactive measures are always too late, but that’s simply not true. They actually play a critical role in mitigating the impact of an attack. Quick, reactive responses can stop an ongoing attack and prevent further damage.
Here are some scenarios where reactive file integrity scanning can be critical:
Scenario 1: Suspicious file detection
A file integrity monitor plugin detects a new PHP file with an obscure name in the /wp-content/uploads directory. The WordPress admin is unable to attribute this file to any legitimate change. So they inspect it and find obfuscated code, which indicates a web shell.
The administrator quickly copies the file for further analysis. They also delete it to cut off the attacker’s access. Then, they investigate the server logs to discover an attacker exploited a vulnerability. Guided by this information, the admin works with developers to patch the issue.
Scenario 2: Core file modification
A WordPress file monitoring plugin alerts the administrator to unexpected changes in WordPress core files. This is something that should only occur during official updates. However, this happened right after another WordPress admin installed a new plugin.
After investigating, the developer found others experiencing similar problems and reported the plugin. As it turns out, this plugin is designed to steal WordPress credentials and send them to the bad actor when someone logs in.
The admin removes the plugin, restores the tampered files, and resets all WordPress user passwords. They also install a security plugin like Melapress Login Security for added assurance.
Scenario 3: Unauthorized file upload in a protected directory
A file integrity monitor plugin notifies the admin of an obscure file in a password-protected directory in the WordPress root. The directory stores static files with sensitive information. And it’s protected with a strong password using HTTP authentication.
The developer realizes the file was uploaded via a misconfigured FTP server. It allows for anonymous write access, which is a no-no. The admin fixes the FTP server’s configuration and disables anonymous authentication.
Scenario 4: Unauthorized code injection via theme files
A file integrity monitor plugin alerts the administrator to a recent change in a theme file. This occurred in the functions.php file of the active theme. The admin knows that no updates or changes were made to the theme recently.
So upon further inspection, the admin discovers the file contains new, suspicious code that wasn’t there before. This code is designed to execute a backdoor. This would allow the bad actor to gain unauthorized access to the WordPress admin.
The administrator removes the injected code and restores the original functions.php file from a clean backup. To prevent future attacks, the admin reviews the theme’s codebase for other vulnerabilities. Then they tighten file permissions to reduce the risk of further unauthorized changes.
Which WordPress files do you need to keep an eye on?
Similar to WordPress activity logs, you need to know what to look for if file monitoring is to be effective. If you track every file change, you’ll have a never-ending stream of alerts. Track too little, and you’ll lose all the benefits of the file integrity monitor plugin.
Another important factor is that not all file changes indicate malicious or problematic activity. There is no issue when WordPress updates core files or when plugin updates introduce minor changes to their own directories. Knowing these distinctions helps you avoid unnecessary alerts, so it matters a lot.
The following are some pointers to differentiate between benign and malicious changes in WordPress directories. We’ve categorized them by directory for easier browsing:
/wp-content/uploads/ WordPress directory
WordPress websites tend to be very active. So monitoring every single created or modified file will likely result in an endless stream of alerts. In almost all cases, it makes sense to exclude static files from the /wp-content/uploads/ directory.
Static files include media files like images, videos, and audio. It also includes documents like presentations, spreadsheets, and PDFs. It’s generally safe to ignore such files, but not the uploads directory as a whole. What you’re looking for here is if unauthorized executable files like PHP files are uploaded in this directory.
/wp-content/cache/ WordPress directory
This directory is a tricky one. It’s used by WordPress caching plugins so it gets updated frequently. Depending on how your caching plugin is set up, you may see a variety of files in the sub-directories of /wp-content/cache/. This includes legitimate PHP files. These are added by your caching plugins, especially if you enable object caching.
If this is the case, study the behavior of your caching plugins and what files they store. Then configure the file integrity scanner according to your findings. If you don’t use any caching plugins then it’s much easier to monitor this directory.
/wp-content/plugins/ and /wp-content/themes/ WordPress directories
When you add, delete, or update a plugin you’ll see changes in the /wp-content/plugins/ WordPress directory. If you make changes to a theme you’ll notice file changes in the /wp-content/themes/ directory.
This doesn’t mean that all changes that occur in these directories are good though. But in general, changes within these directories should only occur due to administrative actions. That is, you should expect to see changes when someone updates a plugin or theme.
Note: Our Website File Changes Monitor plugin for WordPress has a unique feature. It recognizes WordPress core, plugin, and theme changes. This means it doesn’t send out false alarms about hundreds of file changes. Instead, it alerts you that the file changes were a result of a change in the site, allowing you to review the change.
The WordPress root directory
The WordPress root directory is the actual WordPress installation on the web server. This is an important location to pay attention to. More often than not, file changes done here provide a good signal for you to investigate. That is unless you know the changes were made by you.
WordPress Core files
WordPress Core files are the actual files that make up WordPress itself. Modification in core files should only ever occur as a result of a WordPress update. They should never occur under any other condition. So if you get an alert about a change made here, it’s time to investigate. Immediately.
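The directory-by-directory pointers above, together with the four proactive scenarios earlier in the article (misnamed wp-config backups, leftover .swp files, .sql dumps in the web root, executables in uploads), expressed as triage rules in an added Python example that is not the article's or the Melapress plugin's code. Given a scan report of added, modified and deleted paths relative to the WordPress root, each event is classed as `ignore`, `review` or `alert`. The extension sets, the partial core-file list, the `update_in_progress` flag and the sample report are assumptions constructed for this example.

```python
from pathlib import PurePosixPath

# Assumption: illustrative extension sets, not the plugin's own configuration.
STATIC_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".mp3", ".mp4", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
EXECUTABLE_EXT = {".php", ".phtml"}
CORE_DIRS = ("wp-admin/", "wp-includes/")
CORE_ROOT_FILES = {  # partial list of files shipped in the WordPress root
    "index.php", "wp-blog-header.php", "wp-config-sample.php", "wp-cron.php",
    "wp-load.php", "wp-login.php", "wp-settings.php", "xmlrpc.php",
}


def triage(kind: str, path: str, update_in_progress: bool = False) -> tuple:
    """Return (severity, reason) for one change event.

    kind is "added", "modified" or "deleted"; path is relative to the WordPress root with
    forward slashes. Severities: "ignore", "review", "alert".
    """
    p = PurePosixPath(path)
    name, ext = p.name.lower(), p.suffix.lower()

    # Files the web server serves as plain text instead of executing: always an alert.
    if ext == ".swp" or name.endswith("~"):
        return "alert", f"editor swap/backup file {kind}"
    if name.startswith("wp-config") and ext != ".php":
        return "alert", f"wp-config copy with non-PHP extension {kind}"
    if ext == ".sql":
        return "alert", f"database dump {kind} inside the web root"

    if path.startswith("wp-content/uploads/"):
        if ext in EXECUTABLE_EXT:
            return "alert", f"executable file {kind} in uploads"
        if ext in STATIC_EXT:
            return "ignore", f"static media {kind} in uploads"
        return "review", f"non-media file {kind} in uploads"
    if path.startswith("wp-content/cache/"):
        return "review", f"cache file {kind}; compare with caching plugin behaviour"
    if path.startswith(("wp-content/plugins/", "wp-content/themes/")):
        return "review", f"plugin/theme file {kind}; confirm an administrator did this"
    if path.startswith(CORE_DIRS) or path in CORE_ROOT_FILES:
        if update_in_progress:
            return "review", f"core file {kind} during a WordPress update"
        return "alert", f"core file {kind} outside an update"
    if "/" not in path:
        return "alert", f"file {kind} in the WordPress root"
    return "review", f"file {kind} outside a known category"


def triage_report(report: dict, update_in_progress: bool = False) -> dict:
    """Group a scan report ({"added": [...], "modified": [...], "deleted": [...]}) by severity."""
    grouped = {"alert": [], "review": [], "ignore": []}
    for kind, paths in report.items():
        for path in paths:
            severity, reason = triage(kind, path, update_in_progress)
            grouped[severity].append((path, reason))
    return grouped


# Constructed sample report, in the shape a baseline comparison would produce.
SAMPLE_REPORT = {
    "added": [
        "wp-content/uploads/2024/05/photo.jpg",
        "wp-content/uploads/2024/05/unexpected.php",
        "wp-config.bak",
        "backups/site.sql",
        ".functions.php.swp",
    ],
    "modified": [
        "wp-includes/load.php",
        "wp-content/themes/example-theme/functions.php",
        "wp-content/cache/object/page-1.php",
    ],
    "deleted": ["wp-content/plugins/old-plugin/old-plugin.php"],
}

if __name__ == "__main__":
    for severity, items in triage_report(SAMPLE_REPORT).items():
        for path, reason in items:
            print(f"{severity:6} {path}: {reason}")
```

On the sample report this yields five alerts (the PHP file in uploads, the .bak copy of wp-config, the .sql dump, the .swp file and the core change), three items to review (theme, cache and plugin changes) and one ignored media upload. The order of the rules is deliberate: the plain-text leak checks run before the directory checks, so a wp-config.bak dropped into uploads or a cache directory is still an alert rather than churn.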
How do I monitor my WordPress site for file changes?
While file integrity scanning can be achieved with many non-WordPress-specific tools, many of them come with a steep learning curve.
A simpler approach would be to use the free Melapress File Monitor plugin. This plugin recognizes when legitimate changes are made to the WordPress core, plugins, and themes. It can also detect legitimate installations and deletions. So it doesn’t report as many false positives as other solutions might. And that means less unnecessary panic for you!
The plugin primarily recognizes site structure changes. So when there’s a change, the plugin notifies you of it. But it doesn’t notify you about every single file update or modification. It automates the job for you, doesn’t raise any false alarms, and you don’t have to manually filter the results.
To begin using this free plugin, install it from the WordPress plugin directory as you would any other.
Once installed, go to your WordPress dashboard. Then File Monitoring > Settings.
Once there, you can select the Scan Frequency and the Scan Time.
You can also decide if you’d like to exclude any files or directories from your scans.
Next, select specific file types you’d like excluded. Often, files that make up the media content of your site can be left out here.
Finish making your selections then you can conduct your first scan.
Go to File Monitoring then make sure you’re on the Recent Events tab. From here, you can click the Start file scan button.
A blue banner will then appear that indicates that the scan has begun.
The scan can take a few minutes to complete. You can navigate away from the page while the process wraps up.
The results will show you any file changes that have been made since the last scan. Scans will run automatically according to the schedule you previously set.
On this same page, you can click through the tabs at the top to view different types of site changes. These include when files have been modified, when files have been added, and when files have been removed.
Setting up this plugin and reacting to alerts when they occur helps to keep your site safe.
What if I already use a WordPress security plugin?
If you already make use of a WordPress security plugin, that’s great. Keep doing that. However, file integrity monitoring is not what security plugins focus on, so a WordPress plugin designed for file integrity monitoring offers features that your standard security plugin doesn’t cover.
If you’re not yet using a security plugin, be sure to get one added to your plugin stack. Melapress Login Security, WP 2FA, and WP Activity Log offer a comprehensive set of features. And they all help boost your site’s security. Use them with a file monitoring plugin to get a full picture of your site’s security health.
File integrity monitoring for WordPress
WordPress file integrity monitoring is a key part of maintaining site security and stability. And by keeping tabs on your files’ integrity, you can quickly detect and respond to unauthorized changes. This ensures your site remains secure against potential threats.
Whether you’re taking proactive measures to prevent issues or reacting swiftly to unexpected changes, a thorough integrity monitoring system can save you a lot of headaches.
Ready to enhance your site’s security? Try the Melapress File Monitor plugin today and take control of your WordPress file integrity with ease.
I would also recommend using OSSEC to monitor changes directly on the server: https://blog.wpsec.com/using-ossec-to-monitor-directory-and-file-changes-in-wordpress/
Good point Jonas, however not everyone has access to the server or has a private server. The majority use managed WordPress hosting or something similar. So in such a case the best and easiest option is to install the Website File Changes Monitor plugin for WordPress.