 |
What WordPress needsApril 16th, 2008 |
A plugin that
- Greps every file in your public web directory, recursively, looking for “base64″ and tells you about them. The default WP install has none of these.
- Warns you on modification date of any file in the install, plus in any themes.
- Checks header and footer for unusual size changes.
- Warns you on any files added to install directories that are not something in the vanilla install — e.g., any new php files in wp-admin that aren’t part of the install.
- Warns you on any .htaccess redirects.
- Pulls out the list of administrators by querying in wp_usermeta for wp_metavalue containing %administrator% — not whatever the dashboard uses, which appears to correlate to other tables and therefore misses hacked accounts.
- Generates a table of everything in wp_options that is not a part of the vanilla WP install, so you can check it. Sure, a whole bunch of plugins will show up, but maybe you can check that manually.
Doing all this by hand is getting old. 
The saga continues at the other post, which continues to get updates.
You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.
Art
Game talk
Gamemaking
Mailbag
Misc
Music
Open thread
Reading
The Sunday Poem
Watching
Writing
Possibly. But my list was aimed at cleaning out stuff that is there after they are already in, not blocking it in the first place.
Wouldn’t such a plugin just become one more thing the attack would target?
I think a plugin writer could do all of that. But I emailed it to Matt Mullenweg while I was at it.
Would it be possible for a programmer with some time to build all that stuff, or would it require more work to WP itself? I don’t know much about how the system works.
I am on shared hosting, so I have kind of the worst of both worlds — I don’t have full control over my environment, but I do have to do things like clean files myself.
That said, the WP-specific stuff would really be nice.
Sounds bad, I’m at least glad it wasn’t more malicious or data destructive.
It also reminds me I should do more regular backups since I don’t run my own webserver directly, which means it’s a bit painful to do proper file backups and “state saves”, although db backups are fast. I need some automation I think, heh.
Hope you do get it sorted!
Look into a tool like tripwire (that can be run on demand… I believe tripwire by default is a daemon) that watches for file changes. In general, what it does is creates a hash for every file in a directory, and can alert you if a file changed.
You could actually use svn or something to do this too. Check everything in to a repo – run a process that does an `svn st` on the directory to see which files changed. If there were changes, you can do an `svn diff` to see what changed.
That’ll track your files. As for the db, do a dump (mysqldump or whatever) of the tables you want to watch, to a file, and treat as above.
If you control the server you’re on, seriously consider using mod_security in apache – there are some great pre-built configs that will catch pretty much anything you can throw at it – and there are scripts that’ll help you keep it up to date. I did this when all of those PHPBB exploits were going around, and it blocked every one of the attempts.