Scott B

Reputation: 40187

Intrusion Detection System for WordPress sites

With the current issues with Network Solutions sites being hacked, I'm in need of a tool (preferably freeware) that I can install into my site and it will email me the second a file change/update occurs.

Any recommendations welcome :)

This site is on a shared server hosting package.

Upvotes: 7

Views: 2086

Answers (9)

micutzu

Reputation: 109

Take a look at http://www.guardio.net: uptime and file integrity monitoring.

Upvotes: 0

Lee Shelton

Reputation: 21

I second the suggestion of Joel L above - usually any cron job output is emailed to the address you pick when you set up the cron job.

If you rarely change themes or plugins, then this is a good way to go.

When you do make a change, you can just update the "baseline" checksum values.

I need to check out the Mute Screamer plugin, though; that may be best.

Upvotes: 1

David Goodwin

Reputation: 4318

You could version the site with subversion/git/etc. Doing a simple 'svn status' or 'git status' would allow you to tell if the source files had changed. However, it obviously won't catch any modifications someone may have made to the database content, and it'll get a little messy when someone updates plugins (or WordPress itself), as so much will have changed.

Upvotes: 0

Yuhong Bao

Reputation: 3917

Rook: I think it is probably because WordPress security flaws get patched quickly once discovered. This does mean that anyone running an install must watch for new releases and install them as quickly as they can.

Upvotes: 0

futtta

Reputation: 5920

i originally wrote this in a comment on the rook's answer, but it might get lost in all that noise;

phpids indeed looks interesting as it can be used in a shared server hosting environment, which in general will not be the case for tripwire or mod_security.

interestingly, there is a wordpress plugin which nicely integrates (an older version of) phpids in wordpress, so that might be worth looking into.

Upvotes: 0

Joel

Reputation: 3060

You can't install a true IDS on shared hosting, this is the host's responsibility.

A hack-ish solution:

You could create a script that ran periodically (using cron or some other mechanism), that would checksum all files, and compare the checksums with a previously stored record, then notify you if there are differences.

To find out if your script itself was deleted by the attack (1), you must also create a script sitting on a remote server (something like Google App Engine, perhaps), that pings your shared-server-script, and checks if it gets an expected result (a hash based on given time, perhaps) – if not, it emails you.

(1) This is actually quite unlikely, most attacks don't delete files

Upvotes: 2

rook

Reputation: 67039

The best free and open source Intrusion Prevention System (IPS) for web applications (as in a Web Application Firewall, WAF) is Mod_Security. But no system will stop it all. Especially with WordPress because it won a pwnie award for being so insecure. I would think seriously about ditching WordPress for any other blog engine.

Another option which is best suited if you are in a shared hosting environment is to use PHP-IDS. The name is a bit deceptive, it's actually a regular expression based IPS. All of the regular expressions used by PHP-IDS have been ported to Mod_Security. Mod_Security provides a much better level of protection (IPS) and logging (IDS).

Upvotes: 0

tgolisch

Reputation: 6734

I've used Tripwire before. It worked really well. ...it's not freeware. You could find some good options by searching the term "IDS" or "Intrusion Detection System".

Upvotes: 1

Mark

Reputation: 6254

http://www.la-samhna.de/samhain/

However, this won't work on shared hosting, so you'll need either a VPS or a dedicated server.

Upvotes: 1
