How to eliminate false positives in file integrity monitoring on WordPress

https://www.wpwhitesecurity.com/eliminate-false-positives-file-integrity-monitoring-wordpress/

File integrity monitoring (FIM) allows you to quickly detect file changes on your WordPress site. It is an important part of securing a WordPress site and the way it works is very simple: it compares baseline cryptographic hashes to the current hash of the monitored files. When a change happens, you get an alert.

However, there is a major problem with unsophisticated approaches to file integrity monitoring: false positives (aka false alarms). Not all file changes on a WordPress website are harmful, or a sign of an attack. Many are harmless and expected parts of maintenance. So false positives lead to a number of problems:

• administrators might potentially ignore malicious file changes (a cry wolf situation),
• not all WordPress website administrators can identify a legit from a non legit alert, thus leading to false alarms.

In this article we will explain how file integrity monitoring works, the file and directory structure of WordPress, and how you can properly configure the WordPress file changes monitoring plugin.

File integrity monitoring & file hashing 101

Understanding file hashes and checksums can help you understand how FIM works. Simply put, cryptographic hashing produces a specific output based on a specific input. Hash functions are one-way non-reversible functions. That is, just knowing the result will not enable you to work backwards to the input.

For example, we can use an MD5 hash to check the integrity of text. In the below example we use a MD5 checksum generator to create hash of the sentence The quick brown fox.

We can input the same text multiple times and get the same result, as shown in the below screenshot:

However, add or take away a single character, and the hash we get completely changes, though it’s still the same number of characters long. In the below example we changed the source text to The quick brown foxes.

So, why does this matter for WordPress file changes monitoring? Simple: the output of a hash function is used to determine if a file has changed. If even a slight change is made to a file, the file hash will be different. File integrity monitoring plugins make these comparisons simple.

NOTE: to learn in more detail about FIM, read file integrity monitoring for WordPress websites.

Why do false positives occur?

However, it’s not enough to blindly accept the results of our monitoring tools. We must be able to interpret what they mean and rule out potential false negatives and false positives. In security a false positive is a false alarm, where our tools detect something that ends up being a dud. This is akin to burning toast in the kitchen, setting off the fire alarm, and waking everyone else up. A false negative would be the opposite, where there is malicious activity, but it goes undetected by our tools. Generally speaking, because of how file integrity monitoring works, false positives are a more common problem.

False alarms occur when plugins monitor file changes without context. Not all file changes are bad. For example, if you update WordPress or a plugin some files will change. In this case file changes are necessary and it is not an alarm.

Understanding the WordPress directory structure

So how do you know which file changes you should care about? It starts with understanding the WordPress directory structure and the scenarios changes are likely to occur. The most important files directories to monitor include:

• /wp-content/uploads/– Uploads of static files (images, videos, documents, etc.) are common in this directory and ok to exclude from alerts. Executable files, like PHP files are what you need to be on the lookout for here.
• /wp-content/cache/– If you are using a caching plugin, monitoring this directory becomes difficult. This is because caching plugins may legitimately use executable files. If you’re not using caching plugins, monitoring this directory for changes is more straightforward.
• /wp-content/plugins– Changes in this directory only happen when installing, updating or uninstalling a plugin. It’s worth noting plugins should generally only change files in their own directories (or in cache in case of a caching plugin, or in the uploads directory in case it stores some data).
• /wp-content/themes/– The same as with the previous directory, changes here should only occur when installing, updating, modifying or uninstalling a theme.
• WordPress root- As such there should not be any changes in this directory, unless you have some custom solution or code.
• WordPress Core files– WordPress updates are the only reason these files should change.

With the information above, you should now be able to determine whether file changes are benign vs when they may be a concern. For example, if you update a plugin, it’s within expectation to see a plugin file in that plugin’s folder change. However, it would not be within expectation to see a core file change, or another plugin’s folder change. Similarly, you should not see plugin, core, or other file changes when you have not initiated any updates. Those sort of unexpected file changes could indicate malware or website compromise.

Using the right tool can go a long way in minimizing false positives without sacrificing security. For example, one of the benefits of the Website File Changes Monitor Plugin for WordPress is the ability to detect WordPress, plugin, and theme updates to avoid false positives and nuisance alarms.

Real-world examples of WordPress file changes monitoring

Now that you understand how file integrity monitoring works, and what file changes to expect, let’s check out Website File Changes Monitor in action. To begin, the plugin automatically does an initial baseline scan once you activate it.

Reporting file changes due to plugins & themes installs, updated and uninstalls

If we install a new plugin, the Website File Changes Monitor plugin clearly reports the changes in the file system as a new plugin install. It also reports the path where the new files where detected, and also the plugin’s name. This helps those who are not familiar with the inner workings of WordPress better understand the reported file change, thus reducing false alarms.

You can also click the Information icon to To see the complete list of files that were added during the new plugin install. The plugin also reports the number of files associated with this update.

The plugin reports all the other plugins and themes updates in the same way. This means that the plugin clearly marks a plugin or theme install, update or deletion allowing you to make an informed decision on whether the file changes are legit or not.

Reporting file changes due to a WordPress core update

Now let’s update the WordPress core. When updating WordPress we expect file changes, especially in the root directory. After running a WordPress update, we see the following in the Added files section:

1. A number of files were added in the /wp-content/themes/twentytwenty/ folder. This means that the update included a new theme. The plugin did not report this as a theme install because the files were copied directly to the file system via the update.
2. A number of new WordPress core files in the wp-admin and wp-includes folders (marked in green). You can see the complete list of files by clicking on the information icon.

Looking at modified files during the update, we see only changes to Core Update type files. Again, expected behavior for a WordPress update.

The takeaway here? Normal behavior. The changes are clearly marked by the Website File Changes Monitor plugin, there are no false alarms. If on the other hand, the plugin reports a list of file changes without any indication of why they happened, the user will get alarmed.

Fine tuning the Website File Changes Monitor plugin

WordPress is used in a variety of applications with a wide range of plugins and modifications. As a result, file integrity monitoring plugin solutions should also be flexible enough to accommodate custom changes and needs. For example, scan frequency preferences may be different for a personal blog and large ecommerce site. Additionally, you may need to include or exclude a specific set of custom files and folders.

A configurable yet easy to use WordPress file changes plugin

A good plugin guides the users and helps them better understand the results. For example by default the plugin should exclude non-executable files from the scan. Files such as log files, text files and media files are not dangerous and administrators do not need to know if they change, because changes in a text file can never be malicious. So there is no need for the plugin to alert a user when a log file changes as it only raises questions and false alarms.

This is what makes the Website File Changes Monitor plugin stand out from the rest. It was developed for all levels of users. You do not need to know the technicalities and which file changes are malicious or not to benefit from this plugin. Anyone can benefit from this plugin and understand the results. On top of that, the plugin is fully customizable. You can:

• configure the scan schedule and frequency,
• select which directories the plugin should scan,
• exclude files in a specific directory or by extension.

Effective file integrity monitoring is an important aspect of WordPress security

An effective WordPress security solution is a solution that does not report false positives and it’s reports can be easily understood by users of any level. This is why the Website File Changes Monitor plugin stands out from all other FIM plugins; it is easy to use and clearly highlights the different types of file changes to assist the users understand the reports. On top of that, it does not report false positives.

Download the Website File Changes Monitor plugin now to get alerted of file changes on your WordPress website.

File integrity monitoring is just a piece of the security puzzle

As with many other things, one plugin by itself does not make up all of your WordPress security toolkit. File integrity monitoring should also be supplemented by:

• WordPress activity logs,
• Strong password policies for WordPress users,
• Two-factor authentication on WordPress,
• WordPress firewall (refer to the guide to WordPress firewalls for more information on the different types of firewalls etc)
• Last but not least, a good WordPress backup solution.

If you do end up being compromised, our file integrity tool can help you find where changes occurred. This in turn enables effective incident response, remediation, and documentation.

The post How to eliminate false positives in file integrity monitoring on WordPress appeared first on WP White Security.

Source: Security Feed