Plugins I use to secure my WordPress install

12 January 2013

A couple of my posts have reached thousands of users. Lately, my post on switching from the iPhone 5 to the Nexus 4 got republished by GIZMODO and picked up by ReadWriteWeb and CNET News.

With increased popularity comes increased risk.

rottmann.net, formerly 24100.net, runs on the most current version of WordPress. However, it’s not a fresh install. I started the site quite a few years ago, so the current version is the result of many updates I’ve applied over those years.

Recently, some of my audience over on Google+ pointed out that their AVG ThreatLab based antivirus tool flagged rottmann.net as potentially infected with a backdoor. Interestingly, although Google’s Safe Browsing diagnostic page did not indicate any issues (and still does not), they were right. My in-depth checks with Sucuri’s SiteCheck found quite a few JavaScript and PHP files that had been altered.

It turned out that over all these years, attackers had used some of the now fixed vulnerabilities in either WordPress’ core or some of the plugins I’m using here.

While none of the stuff that I found could directly harm any of rottmann.net’s visitors, I started to worry and seriously invested some time to fix all issues.

AVG ThreatLabs still shows the cached results, but rottmann.net has been completely cleaned and all lights are green again.

If you’ve been running a WordPress install for a while, you might find the following tips valuable:

  • By far the most helpful plugin during my quest was GOTMLS.NET‘s Anti-Malware (Get Off Malicious Script). It allows you to scan your entire WordPress folder structure for altered files and those that look suspicious. It requires you to register with GOTMLS, but it’s well worth the extra steps. Be aware, though, that in my case the plugin yielded a couple of false positives, primarily because it tends to flag every file that contains a PHP eval statement.
  • Look-See Security Scanner is a plugin that helps you clean up your WordPress installation and checks whether your current configuration is safe. It does so by downloading the latest list of standard WordPress files and folders and comparing it with the ones on your web server. In my case, I could get rid of hundreds of orphaned files from previous WordPress installations and identified a couple of PHP scripts that had been modified by attackers.
  • The Ultimate Security Checker for WordPress provided additional insight; however, it yielded way too many false positives for my taste. A security tool that makes you feel insecure for no reason in the majority of cases is probably not a good idea. Unfortunately, the File Analysis module did not work at all.
  • If you decide to leverage Sucuri’s paid services, they’ve got a WordPress plugin, too. It frequently auto-checks your installation and sends email alerts whenever anything needs your attention. I’ve subscribed to their somewhat pricy services for rottmann.net.

For quickly checking whether you need to take action, check your site via the following services:

  • http://www.avgthreatlabs.com/sitereports/domain/<your domain here>
  • http://sitecheck.sucuri.net/results/<your domain here>
  • http://www.google.com/safebrowsing/diagnostic?site=<your domain here>
  • Reader Stephan Hochhaus pointed me to the free Detectify, which allows for scheduled scans.

Should you run into infected files, there are a couple of alternatives, depending on your skills and how much effort you plan to put into it:

  • Sucuri offers a paid service. You provide them with temporary FTP or SSH level access, and they make sure your install gets completely cleaned within 48 hours.
  • I downloaded the latest version of WordPress from wordpress.org and simply replaced most of the files on my server with fresh, 100% clean copies. This fixed all of the JavaScript related issues. I did the same with the plugins that were reported as causing problems.
  • You might want to start over with a clean WordPress install and use one of the export / import plugins to move all of your settings and content over.
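As an added example (not code from this post or from any of the plugins named above): a small Python check that does what the Look-See comparison and the fresh-copy replacement rely on. It compares a WordPress tree against a reference list of per-file MD5 hashes (WordPress.org publishes such a list per core version through its core checksums API) and reports modified, missing and orphaned files, which tells you exactly which files to replace with clean copies. The reference list and the file contents in demo() are constructed so it runs offline, and the eval-wrapper regex is my own heuristic, not the GOTMLS rule.

```python
import hashlib
import os
import re
import tempfile

# Files WordPress creates after install; they are never in the core reference list.
# Note: plugins, themes and uploads are not in the core list either, so they show up
# as "orphaned" and must be checked against their own sources.
IGNORE = ("wp-config.php", ".htaccess")
# Injected PHP is typically an eval() around a decoder. A plain eval() alone gives the
# false positives the post mentions, so this heuristic requires the decoder wrapper.
INJECT_RE = re.compile(rb"(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")

def read(root, rel):
    with open(os.path.join(root, rel), "rb") as f:
        return f.read()

def verify_install(root, checksums):
    """Compare the tree at root with {relpath: md5}. Returns sorted lists of modified
    (hash mismatch), missing, orphaned (on disk but not in the reference, e.g. left
    over from an older release) and suspicious (modified/orphaned PHP matching INJECT_RE)."""
    on_disk = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if not rel.startswith(IGNORE):
                on_disk.add(rel)
    ref = set(checksums)
    modified = sorted(p for p in on_disk & ref if hashlib.md5(read(root, p)).hexdigest() != checksums[p])
    orphaned = sorted(on_disk - ref)
    suspicious = sorted(p for p in modified + orphaned if p.endswith(".php") and INJECT_RE.search(read(root, p)))
    return {"modified": modified, "missing": sorted(ref - on_disk), "orphaned": orphaned, "suspicious": suspicious}

def demo():
    """Constructed sample install (not a real site): clean core files plus the kinds of findings the post describes."""
    root = tempfile.mkdtemp()
    clean = {"index.php": b"<?php require 'wp-blog-header.php';\n",
             "wp-includes/js/jquery.js": b"/* jQuery */\n",
             "wp-admin/admin.php": b"<?php require_once 'admin-header.php';\n"}
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}  # stands in for the API list
    planted = dict(clean)
    planted["wp-includes/js/jquery.js"] += b"/* appended script (constructed) */\n"   # modified core file
    planted["wp-includes/old-class.php"] = b"<?php // left over from an earlier release\n"  # orphaned
    planted["wp-includes/load2.php"] = b"<?php eval(base64_decode('Li4u'));\n"  # orphaned and suspicious (constructed)
    del planted["wp-admin/admin.php"]  # missing core file
    for rel, data in planted.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return verify_install(root, checksums)
```

Run verify_install() against your real document root with the checksums for your exact WordPress version; anything in "modified" or "missing" is a file to overwrite from the fresh download, and "orphaned" is the list to review before deleting.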

Last but not least, this October 2012 article in Smashing Magazine provides an in-depth technical overview of WordPress vulnerabilities and measures to protect against them.

Hope this helps. For questions and comments, hop over to Google+. Would love to hear from you.



© Copyright 2013 by Ralf Rottmann. rottmann.net is a work in progress by Ralf Rottmann. This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.
If you would like to make use of any of the content you see here, please contact the author.