[wp-hackers] A tool to check whether the core files were tampered?

David Anderson david at wordshell.net
Fri Nov 15 16:42:33 UTC 2013


Hi,

Since I sell a solution in this area, I'm biased...

... but, as a long-time security pro, I'd say that a plugin which offers 
to check that your website hasn't been tampered with fails at the 
conceptual level. Useless. It's only good as long as you're sure that 
the plugin itself is intact. Altering the plugin is trivially easy (e.g. 
1 line to short-circuit the tamper check, and 'return true;'). It's like 
asking your young son "you would tell me if you were lying, wouldn't 
you?". "Yeah dad, sure". "Thanks - I was almost worried for a moment there."

Why would someone who tampers with your website *not* tamper with the 
security check? Basically, you're relying on the hacker being 
incompetent. Wordfence, for example, has had over 1 million downloads. 
Why would someone trying to break into WordPress sites not have 
"short-circuit WordFence's tamper checks" in his toolkit?

Unless you're happy assuming that hackers will continue ignoring 
WordFence (etc.) so that their hacks can get cleaned up quicker, then 
the only way to verify your files is off-site, i.e. externally. Anything 
(not just a plugin) that you run within the same web-space could itself 
be tampered with. A service which has pristine versions of your plugins, 
and can compare them in a 'clean room' with what's installed. <Advert>I 
do this with my own tool (from the command line: "wordshell all 
--everything --checkmodifications"). It avoids this issue because it 
does not run any code on the webserver for that operation</Advert>. I'm 
sure there must be other functional solutions as well.

Best wishes,
David

On 15/11/13 16:23, Davit Barbakadze wrote:
> Hi. Do you guys have a tool to check whether the core files were
> tampered? Like a plugin that you install on the WordPress site and it
> checks all the core files, plugins and themes (taking into account the
> versions) and outputs in a user-friendly way in the backend?
>
> That might be something of immense help to an average dev.
>
> I've found this one: http://wordpress.org/plugins/hashchecker/, but it
> seems to be checking only WordPress files. I imagine something doing
> similar to plugins and themes. Also this one seems to be abandoned for
> a couple of years already.
>
> Davit Barbakadze

-- 
WordShell - WordPress fast from the CLI - www.wordshell.net
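As an added illustration of the off-site approach David describes (a pristine release tree compared against what is installed, with no code executed on the webserver), here is a small clean-room comparison script. It is example code written for this page, not WordShell's or any plugin's code. It assumes the live tree has already been copied off the server onto a trusted host (e.g. with rsync or scp into `site_dir`) and that `pristine_dir` holds the unmodified release files for the same core, plugin and theme versions; the sample directory trees in `demo()` are constructed inline so it runs offline.

```python
"""
Off-site integrity check of a WordPress tree: compare a pristine copy of
core/plugins/themes with a copy of the live site, both on a host the
attacker does not control.

Added example, not WordShell's or any other project's code.  Assumptions:
  - the live tree has been copied off the webserver (e.g. rsync/scp) into
    `site_dir`, so nothing in this script runs on the webserver;
  - `pristine_dir` holds the unmodified release files for the same versions.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


@dataclass
class Report:
    modified: list[str] = field(default_factory=list)  # content differs from release
    added: list[str] = field(default_factory=list)     # on site, not in release
    missing: list[str] = field(default_factory=list)   # in release, absent on site

    @property
    def clean(self) -> bool:
        return not (self.modified or self.added or self.missing)


# Paths WordPress legitimately creates or changes (list kept short for the
# example).  Media uploads are expected; executable files under uploads are not.
VARIABLE_PATHS = ("wp-config.php", ".htaccess")
CONTENT_PREFIXES = ("wp-content/uploads/",)
EXECUTABLE_EXTS = (".php", ".phtml", ".php5", ".phar")


def compare_trees(pristine: dict[str, str], site: dict[str, str]) -> Report:
    """Clean-room comparison: nothing here trusts or runs code from the site tree."""
    rep = Report()
    for rel, digest in pristine.items():
        if rel not in site:
            rep.missing.append(rel)
        elif site[rel] != digest and rel not in VARIABLE_PATHS:
            rep.modified.append(rel)
    for rel in site:
        if rel in pristine or rel in VARIABLE_PATHS:
            continue
        if rel.startswith(CONTENT_PREFIXES) and not rel.lower().endswith(EXECUTABLE_EXTS):
            continue  # ordinary uploaded media
        rep.added.append(rel)
    for lst in (rep.modified, rep.added, rep.missing):
        lst.sort()
    return rep


def check_site(pristine_dir: Path, site_dir: Path) -> Report:
    return compare_trees(hash_tree(pristine_dir), hash_tree(site_dir))


def _write(root: Path, rel: str, content: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo() -> Report:
    """Constructed sample trees: a pristine release beside a tampered site copy."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, site = Path(tmp) / "pristine", Path(tmp) / "site"
        for root in (pristine, site):
            _write(root, "wp-includes/version.php", "<?php $wp_version = '3.7.1';\n")
            _write(root, "wp-content/plugins/checker/check.php",
                   "<?php function verify() { return compute(); }\n")
        _write(pristine, "wp-admin/index.php", "<?php require_once 'admin.php';\n")
        # Tampering on the site copy: the in-site tamper checker is short-circuited ...
        _write(site, "wp-content/plugins/checker/check.php",
               "<?php function verify() { return true; }\n")
        # ... a webshell is dropped among the media uploads (a real image is fine) ...
        _write(site, "wp-content/uploads/2013/11/photo.jpg", "JFIF-bytes")
        _write(site, "wp-content/uploads/2013/11/sh.php", "<?php eval($_POST['c']);\n")
        # ... wp-config.php is site-specific and expected; wp-admin/index.php is gone.
        _write(site, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        return check_site(pristine, site)


if __name__ == "__main__":
    r = demo()
    print("modified:", r.modified, "\nadded:", r.added, "\nmissing:", r.missing)
```

The point of the design is that the hash computation and the comparison both happen off the webserver, so the short-circuited `verify()` in the sample site copy is reported as modified rather than being trusted. One caveat still applies: the copy-off step has to read the files through a channel the attacker cannot shape (rsync over SSH rather than fetching pages over HTTP), and a compromised kernel or filesystem layer can still lie to rsync, so this verifies the files as the server presents them, not the server itself.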