WordPress Security – Detection (Monitoring)
There is perhaps no more catastrophic event in a website owner’s online existence than when they lose the fight to keep their website safe. It’s why we spend a lot of time each year traveling the world educating website owners and raising awareness to the problem.
If you are a WordPress user, then you’ve come to the right place. This will apply most to those end-users operating the free WordPress download found at WordPress.org. This likely means you are running your website on one of the 100′s of shared or dedicated hosts, not to worry though we work very well with a lot of them (i.e., GoDaddy, Site5, SiteGround, BlueHost, HostGator, etc..). You could also be leveraging any number of managed WordPress hosts like WP Engine, Page.ly, Rainmaker or any of the other variations that have come to market over the past few months / years.
If you’re thinking Monitoring, then you’re already thinking the right way about your security as it’s very critical piece of the overarching Information Security lifecycle.
When we talk about Monitoring, we are referring to Detection step in the security wheel. In this section, there are a number of things that we want to be accounting for:
- Paid Product: Monitor the security state of your WordPress website
- Free Product: Audit all the Activity on your WordPress application
Each action is very distinct and an important part of your everyday administration.
If you’re interested in completing the security wheel as described above, consider supplementing your WordPress Security plugin with Sucuri’s Website AntiVirus and Website Firewall product. Together, the three components, provide you the most comprehensive security any website owner can invest in and completes the entire security lifecycle.
1. WordPress Security Monitoring (Paid)- Monitor All Security and Malware Related Events
Comprehensive Malware and Security Scanning and Monitoring for your WordPress website
The most comprehensive monitoring you can enable for your WordPress website is to enable our Website AntiVirus product. Unlike the WordPress Security Plugin (mentioned below), the Website AntiVirus product is powered by malware / security detection engine and allows you to created scanning schedules. It provides website owners two distinct detection methods – Remote scans and Server-side scans, while providing you the peace of mind of knowing that if an event is triggered you will be notified immediately.
The value that the paid product provides, over the free WordPress Security plugin, is the comprehensive nature of the scan. Unlike the free plugin, the paid products provides for more in-depth anomaly detection, more aggressive signature identification and provides a more complete website crawl. Each aspect of the scan increasing the odds of detection.
By far it’s most effective feature though it’s ability to crawl the back-end of your environment looking for payloads that don’t present themselves on the browser. This is most common in events like Backdoors, Phishing payloads, and mailer scripts.
The paid product, Website AntiVirus, also provides you the website owner scans that monitor bot the state of your DNS and WHOIS. Two very important security scans that many forget to configure and monitor. This is important because as the website owner, you want to know immediately if your domain now belongs to someone other than the authorized person.
Additionally, you are provided with weekly reporting that shows you the overall security state of your website.
2. WordPress Security Plugin (Free) – Activity Auditing and Remote Malware Scanning
WordPress Security Plugin – Developed by Sucuri for Auditing and Scanning
To improve your security posture and help address the challenge you have keeping an eye on all the activity going on with your WordPress install we’ve developed a Free plugin specifically for this.
Disclaimer:Note that this plugin was developed for the end-user that is looking for the pieces of the security puzzle they require to address their overall security posture. It’s not designed for the Do It Yourself (DIY) WordPress user. The DIY’er is the type of user that likes to tinker, manipulate or otherwise configure or update settings in an effort to extend their security posture. For those users we recommend they supplement this tool with a security utility plugin like iThemes Security plugin.
The plugin is simple to use and removes all the confusion that you often find in most security plugins. It was built to help compliment our security services and provide you better piece of mind when administering your website. We’ve put together the simple instructions in one location to help you in the installation and configuration process. Additionally, this tool is highly effective after a compromise when performing forensics. All the auditing events are stored offsite, which means that even after an attacker breaks into your website all the logs are shipped remotely to the Sucuri Security Operation Center (SOC) making them inaccessible to the attacker. This makes it so that the attacker is unable to access the logs and erase evidence that might other wise be useful in the forensic analysis.
WordPress Sucuri Security Plugin – It’s Key Features
When designing the plugin we spent a good amount of time thinking through the existing security plugin ecosystem and identifying ways we could provide the most value. It’s through this process that we outlined the areas we felt were most relevant to website owners that depended on WordPress. Here is a breakdown of the features we felt would provide you most value:
- Activity Auditing
- Remote Malware Scanning
- File Integrity Checks
- Effective Hardening
- Post-Hack Actions
- Website Firewall Integration – Optional
- Email Notifications
This plugin was designed to complete the security package we offer our clients.
WordPress Activity Monitoring
This is something that no one has been able to do very well. We feel it’s so important that it’s front and center in your dashboard. It’s designed to allow you, the website owner, to see everything that is going on with your website. Who is logging in? What are they adjusting? What is being changed? These are all important questions that you as a website owner need to be asking yourself. No one should know about your website and it’s operations than you, it’s owner, so this tool is designed to better empower you to make decisions.
WordPress Remote Malware Scanning
As the name implies this feature is designed to crawl your website remotely. It emulates a number of user agents and referrers, in an attempt to trigger a browser event. If an event is triggered, the payload identified is used and analyzed against our very comprehensive database to identify whether it’s malicious or benign.
Understand that this is a remote scan, not a server (application level) scan. This means that the odds of it missing a server level issue, like backdoors and Phishing, is very high as those are often not linked on your website, rather injected discretely throughout your install. How the scanner works is very similar to our very popular free online security scanner, SiteCheck. We highly encourage you to take some time to read on how the engine works to avoid any misunderstandings on what it does and does not detect.
For more comprehensive scans we encourage you to visit our paid Website AntiVirus and Firewall products for the most effective, and complete, scanning and security services.
WordPress File Integrity Monitoring
The idea of File Integrity Monitoring is nothing new in the space of security. It’s also something that some of your favorite security plugins do. It’s a process that uses a verification method to compare current state of a file against a preexisting good state. There are a variety of ways of doing this, the most common being comparing the checksum of a two files – current and known good. This is not to be confused with malware scanning, but it is a highly effective method of identifying changes in files.
This feature extends beyond file changes, it will also identify the addition of files which is a bit different but very effective for you as the website owner. This will also extend beyond the core directories (i.e., wp-admin and wp-includes) and will account for all directories at the root, meaning wp-content will be covered (i.e., plugins and themes).
WordPress Security Hardening
The hardening this plugin offers is minimal, yet highly effective. This is by design. It’s not meant to account for every possible security configuration possible, for that we encourage you leverage a security utility toolbox like the one developed by iThemes Security. In our hardening we do focus on some “security through obscurity” concepts, but also focus on disabling PHP execution and reducing access in key locations. Everything else we leave to other security utility plugins to handle.
This one feature that we built into the plugin by popular demand. It’s designed to help you after a compromise. What we learned is that many website owners like you, once compromised, would continue to experience reinfections and often it came down to inappropriate post-hack actions. We felt it was prevalent enough issue that we needed to help the website owner with the process.
The three features it accounts for include:
- Resetting your Salts / Keys after a compromise – this ensures that any user that is currently logged in gets kicked out.
- Resetting Passwords for all users – this ensure that all users are forced to create new passwords
- Reset of Plugin – often it’s easy for plugins to become corrupt because of a hack, we’ve added a way to quickly reinstall plugins to avoid any possible issues.
WordPress Website Firewall – Optional
This feature is optional because it’s a paid feature, it’s an integration point for our Website Firewall product. The Website Firewall is a reverse proxy that filters all your traffic through one of various Points of Presence around the world. It allows us to see all incoming traffic, allow Sucuri to proactively defend your website from the various website attacks like Distributed Denial of Service (DDOS), Software Vulnerability Exploitation and Brute Force attacks.
The integration allows you to quickly see the various events, attacks, occurring against your website.
This feature provides for more in depth analysis and reports via your internal Sucuri Dashboard as well:
WordPress Security Notifications
All these monitoring security monitoring events would be incomplete if you didn’t know about it, and we realize it’s impossible to see it all, and that is why we also integrate email notifications. These notifications allow you to configure your notices to best meet your security needs. You can choose to know about everything, or choose to know about very few things, either way, you the website owner are empowered to choose your level of comfort.