In the Feature Spotlight posts, we will highlight a feature in the iThemes Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover File Change Detection, a great way to keep track of changes made on your WordPress website.
Why We Developed File Change Detection: Malware
Even if you follow the WordPress security best practices, there is still a chance for your site to become compromised. A compromise means that a hacker breached your website and infected it with malware.
What is Malware?
Malware is a catch-all term for any malicious software designed to harm or exploit any programmable device, service, or network. After breaching your website, hackers will use malware to steal your data, redirect your traffic to malicious websites, or take control of your website and demand a ransom for its release.
What is a Security Breach?
A security breach is when a cybercriminal is able to gain unauthorized access to your website or server.
The average time it takes to discover a website breach is 200 days! The longer it takes you to notice a breach, the more damage a hacker can do to your website, your customers, and you. And a piece of malware can cause a staggering amount of damage in 200 days.
The average time it takes to discover a breach is 200 days! The longer it takes you to notice a breach, the more damage a hacker can do to your website. And a piece of malware can cause a staggering amount of damage in 200 days.
The cleanup and downtime you will need to clean your website after 200 days worth of damage is also staggering. The time to investigate everything the malware touched and which customer’s data was stolen only increases while the breach remains undetected. Not to mention the time you will have to spend informing customers that they need to cancel their credit cards because a hacker logged all of their keystrokes while they visited your website.
The cost of getting hacked is great. You have to pay someone to investigate the breach and clean your website. The hack repair specialist will have to take your website down while they work, and people won’t be able to make new purchases while your website is down. After losing your customer’s trust, you will likely lose any future purchases they would have given you.
The cost of a hack is why it is crucial to notice a breach as soon as possible. The faster you discover the breach, the quicker you can stop any further damage being done, and the faster you can get your website and business back online.
Are Malware Scanners Enough?
In a word, no. Don’t think that you can rely solely on your Malware Scanner to check if your website is infected. No malware scanner can identify every piece of malware that exists. If you come across a malware scanner that claims it is 100% accurate, you should run because scans that make claims like this are often the least accurate out there.
Signature vs. Behavioral Malware Detection
The majority of malware scans and antivirus software use malware signatures to detect malware. More advanced malware scans will use a combination of signature detection and behavioral analysis.
Malware Signatures
A malware signature is a series of bytes that are used to identify known pieces of malware. Some malware scanners are powered by a database filled with the malware signatures of millions of known viruses.
Signature-based malware scanning is fast, simple, and will detect 100% of known and well-understood pieces of malware. All of that is great and will catch malware added by low-level hackers.
However, skilled hackers know that malware scanners check for signatures of known malware. These hackers have the ability to obfuscate malware signatures to remain undetected by your average scanner.
New malware is released at a rate that malware scanners can’t keep their database updated with all of the latest signatures. So a signature-based scanner won’t be able to tell the difference between a new bit of malware and a plugin’s readme.txt file.
Behavioral Analysis
Behavioral analysis checks a software’s actions to determine if it is malicious. There is a ton of different types of behaviors that can be deemed suspicious or malicious. For example, the iThemes Security Pro Site Scan leverages the Google Safe Browsing API to help keep websites safe. Google Safe Browsing will check to see if a piece of software is redirecting traffic to a known malicious site.
Again, there is no foolproof method of malware detection. But a combination of behavioral and signature checks will significantly increase your chances of being alerted to evidence of a security breach.
What Behavior Does All Malware Share?
We know how crucial it is to detect a security breach as soon as possible, and that relying solely on malware detection isn’t enough. So we wondered how iThemes Security Pro could reduce the time it takes for people to detect security breaches on their websites?
While the type of damage malware causes on your website varies greatly, what it does can be boiled down to one or a combination of the following three things.
- Add Files – Malware in the form of spyware could add a malicious file that will record your customer’s keystrokes as they enter their credit card information.
- Remove Files – Some malware will remove a legitimate file and replace it with a malicious file of the same name.
- Modify Files – Malware will try to hide its malicious code by hiding it in an existing file that it modifies.
Wouldn’t it be nice to be alerted to unexpected changes to your website so you can inspect them for signs of a security breach?
What is File Change Detection?
File Change detection will scan your files and alert you to changes that occur on your website. There are several legitimate reasons you would see new file change activity in your logs, but if the changes made were unexpected, you should take the time to ensure the changes were not malicious. For example, if you see a change made to a plugin on the same date and time you updated the plugin, there would be no reason to investigate.
How to Use File Change Detection in iThemes Security Pro
To start monitoring file changes, enable File Change Detection on the main page of the security settings.
Once File Change Detection is enabled iThemes Security Pro will start scanning all of your website’s files in chunks. Scanning your files in chunks will help to reduce the resources required to monitor file changes.
The initial file change scan will create an index of your website’s files and their file hashes. A file hash is a shortened, nonhuman readable version of the content of the file.
After the initial scan completes, iThemes Security Pro will continue to scan your file in chunks. If a file hash changes on one of the subsequent scans, that means the contents of the file have changed.
You can also run a manual file change by clicking the Scan Files Now button in the File Change Detection settings
File Change Notifications
You can enable the File Change notification from the iThemes Security Pro Notification Center.
File changes happen all the time, and getting an alert for every change would quickly become overwhelming. And before you know it, it becomes a boy who cried wolf situation, and you start ignoring the file change alerts altogether.
Let’s take a look at how iThemes Security Pro intelligently identifies legitimated changes to reduce notifications and how you can mute notifications for files that are expected to update frequently.
How iThemes Security Pro Identifies Legitimate Changes
There are a couple of ways that iThemes Security Pro can detect if a change made to a file was legitimate and not a cause for concern. iThemes Security Pro will not create a File Change notification for changes it can verify.
1. Version Management Integration
The Version Management feature in iThemes Security Pro allows you to auto-update WordPress, plugins, and themes.
If an update is completed by Version Management, iThemes Security Pro will know the source of the update and won’t trigger an alert.
2. iThemes Online Comparison
Check the Compare Files Online box in the File Change Detection settings to enable online file comparison.
Any time a file on your website belonging to an iThemes plugin or theme is changed, it will get compared to a file on the iThemes server. If the hash to the version of the file on your website matches the hash to version on the iThemes server, it will be a legitimate change, and you will not receive an alert.
3. WordPress.org Online Comparison
If a WordPress core file or a plugin installed from the WordPress.org repository is changed, the file will be compared with the version on WordPress.org. If the hashes match, the changes are not malicious, and you won’t receive an alert.
4. Manual Exclusions
You can exclude files, directories, and file types from File Change Detection in the File Change Detection settings.
The general rule is it’s okay to exclude files that you know are going to be regularly updating. Backup and cache files are a perfect example of this. Excluding these types of files will calm a lot of the extra noise.
Wrapping Up
It’s crucial to detect a security breach as soon as possible. Relying solely on malware scanners to alert to security breaches isn’t enough. You need to also be on the lookout for suspicious behavior like malicious file changes.
File Change Detection can help you detect breaches sooner and greatly reduce the damage done by a successful hack.
A WordPress Security Plugin Can Help Secure Your Website
Themes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Get iThemes Security Pro Now
The post iThemes Security Pro Feature Spotlight – File Change Detection appeared first on iThemes.
Source: Security Feed