[wp-hackers] A tool to check whether the core files were tampered?

J.D. Grimes jdg at codesymphony.co
Fri Nov 15 17:07:27 UTC 2013


On Nov 15, 2013, at 11:42 AM, David Anderson <david at wordshell.net> wrote:

> 
> Hi,
> 
> Since I sell a solution in this area, I'm biased...
> 
> ... but, as a long-time security pro, I'd say that a plugin which offers to check that your website hasn't been tampered with fails at the conceptual level. Useless. It's only good as long as you're sure that the plugin itself is intact. Altering the plugin is trivially easy (e.g. 1 line to short-circuit the tamper check, and 'return true;'). It's like asking your young son "you would tell me if you were lying, wouldn't you?". "Yeah dad, sure". "Thanks - I was almost worried for a moment there."
> 
> Why would someone who tampers with your website *not* tamper with the security check? Basically, you're relying on the hacker being incompetent. Wordfence (for example) has had over 1 million downloads. Why would someone trying to break into WordPress sites *not* have "short-circuit WordFence's tamper checks" in his toolkit?
> 
> Unless you're happy assuming that hackers will continue ignoring WordFence (etc.) so that their hacks can get cleaned up quicker, then the only way to verify your files is off-site, i.e. externally. Anything (not just a plugin) that you run within the same web-space could itself be tampered with. A service which has pristine versions of your plugins, and can compare them in a 'clean room' with what's installed. <Advert>I do this with my own tool (from the command line: "wordshell all --everything --checkmodifications"). It avoids this issue because it does not run any code on the webserver for that operation</Advert>. I'm sure there must be other functional solutions as well.
> 
> Best wishes,
> David

Agreed that its usefulness in that regard is limited. But it is more useful in this case, when checking if a site has been previously tampered with before the plugin was installed.
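The off-site comparison David describes, as an added example (not wordshell's code and not from either post): a verifier run on a separate machine that hashes a pulled copy of the site against a manifest built from pristine copies of the same versions, so the check itself never executes on the webserver. File paths, contents and the tampered snapshot are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed pristine files (path -> contents). In practice these come from a
# clean-room copy of the exact same core/plugin versions, never from the site.
PRISTINE = {
    "wp-includes/version.php": "<?php\n$wp_version = '3.7.1';\n",
    "readme.html": "<html>WordPress</html>\n",
    "wp-content/plugins/tamper-check/check.php":
        "<?php\nfunction tamper_ok() { return hash_file('sha256', __FILE__) === KNOWN; }\n",
}

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Reference manifest: relative path -> sha256 of the pristine contents."""
    return {p: sha256_bytes(c.encode()) for p, c in files.items()}

def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a pulled copy of the site under `root` against the off-site manifest."""
    result = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            result["unexpected"].append(rel)   # file no known release ships
        elif sha256_bytes(path.read_bytes()) != manifest[rel]:
            result["modified"].append(rel)     # contents differ from pristine
    result["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in result.items()}

def demo() -> dict:
    # Constructed snapshot of a tampered site: the checker plugin itself has been
    # short-circuited to 'return true;', a file was deleted, and one was added.
    snapshot = dict(PRISTINE)
    snapshot["wp-content/plugins/tamper-check/check.php"] = "<?php\nfunction tamper_ok() { return true; }\n"
    del snapshot["readme.html"]
    snapshot["wp-content/uploads/cache.php"] = "<?php // constructed: not part of any release\n"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, content in snapshot.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content.encode())
        return verify_tree(root, build_manifest(PRISTINE))
```

Because the manifest and the comparison live off the webserver, a short-circuited plugin shows up as just another modified file rather than silently reporting "all clean".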



