With the current issues with Network Solutions sites being hacked, I'm in need of a tool (preferably freeware) that I can install into my site and it will email me the second a file change/update occurs.

Any recommendations welcome :)

This site is on a shared server hosting package.

A: 

http://www.la-samhna.de/samhain/

However, this won't work on shared hosting, so you'll need either a VPS or a dedicated server.

Mark
Site is on shared hosting package unfortunately. Thanks for the input though.
Scott B
+1  A: 

I've used Tripwire before. It worked really well. ...it's not freeware. You could find some good options by searching the term "IDS" or "Intrusion Detection System".

tgolisch
Good suggestion. Thanks!
Scott B
A: 

The best free and open source Intrusion Prevention System (IPS) for web applications (as in a Web Application Firewall, WAF) is Mod_Security. But no system will stop it all. Especially with WordPress because it won a pwnie award for being so insecure. I would think seriously about ditching WordPress for any other blog engine.

Another option which is best suited if you are in a shared hosting environment is to use PHP-IDS. The name is a bit deceptive, it's actually a regular expression based IPS. All of the regular expressions used by PHP-IDS have been ported to Mod_Security. Mod_Security provides a much better level of protection (IPS) and logging (IDS).

Rook
WordPress can be safe and secure. WordPress.com serves as an example of a site that's certainly large enough to be a target and yet does fine. Being careful about which plugins you install, and patching when patches are available, gets you 99% there.
ceejayoz
@ceejayoz the only thing to make WordPress secure would be a complete rewrite. I have reported vulnerabilities in their software and the "wordpress hackers" group responsible for WordPress security was unable to grasp even simple concepts of security. WordPress is without a doubt the most insecure PHP project ever written and will continue to be very insecure due to architectural flaws.
Rook
How do WordPress.com and a wide variety of heavily trafficked self-hosted WordPress blogs survive without regular hacking incidents, then? If WordPress is so insecure, why are hackers passing on the opportunity to inject their spam and malware in the WordPress installs serving billions of pageviews?
ceejayoz
Incidentally, hyperbole doesn't really help your case. Calling it "the most insecure PHP project ever written" makes anyone who remembers PHP-Nuke and scripts like it giggle.
ceejayoz
Aaaand a final note: the WP-Hackers group has **nothing** to do with WP security, it's for folks interested in extending WP via plugins or core updates. [email protected] is the contact for security issues.
ceejayoz
@ceejayoz when I reported a vulnerability that I found, wp-hackers were the ones that responded on bugtraq. Maybe if you try auditing software you will see what I see. But until you write your first exploit (http://milw0rm.com/author/677), your opinion means **nothing** to me.
Rook
@ceejayoz on a side note you are correct in that PHP-Nuke is horrible when it comes to security.
Rook
I see no WordPress exploits there, and finding SQL injection vulnerabilities is hardly something to toot one's horn about. No worries regarding your thoughts on my opinion - others can see the hyperbole and dodging the question regarding WordPress.com and come to their own conclusions.
ceejayoz
@ceejayoz I have also spoken at Defcon and Blackhat multiple times (I know you don't care). You should check out the "Stats" tab under security... I don't seem to see your name anywhere.
Rook
@The Rook That's great and all, but I remain curious as to how your (apparently *massive*) e-peen answers the question about how all these large WordPress-powered sites survive what must be constant hacking attempts.
ceejayoz
@ceejayoz nice loop, I'll have to call a break;
Rook
@ceejayoz Who said they've never been hacked? while(true){...}
Rook
excuse the nobody here. isn't how insecure a system is perceived to be positively correlated with how popular it is? the more people use it, the bigger the reward. the bigger the reward, the more vulnerabilities are found. the more vulnerabilities are found, the more "insecure" it is. an up to date wordpress install without plugins is as secure as any other web application. patches for vulnerabilities that target WP's core are available even before the vulnerability hits the CVE list. "How do [they] survive without regular hacking incidents" is indeed a very valid question...
Gaia
...and don't forget to regularly update your mod_security ruleset.
Gaia
@Gaia that is a valid point and due to WP's popularity it gets hunted more than others. However the WP team has made some unforgivable security mistakes. For instance they were using the plain md5() password hash as an authenticated cookie. This means that you could use sqli to obtain the password hash and login immediately without needing to break the hash. This tells me that **NO ONE** on the team understands why passwords should be hashed, which is terrifying to say the least.
Rook
A: 

You can't install a true IDS on shared hosting, this is the host's responsibility.

A hack-ish solution:

You could create a script that ran periodically (using cron or some other mechanism), that would checksum all files, and compare the checksums with a previously stored record, then notify you if there are differences.

To find out if your script itself was deleted by the attack (1), you must also create a script sitting on a remote server (something like Google App Engine, perhaps), that pings your shared-server-script, and checks if it gets an expected result (a hash based on given time, perhaps) – if not, it emails you.

(1) This is actually quite unlikely, most attacks don't delete files

Joel L
A: 

i originally wrote this in a comment on the rook's answer, but it might get lost in all that noise;

phpids indeed looks interesting as it can be used in a shared server hosting environment, which in general will not be the case for tripwire or mod_security.

interestingly, there is a wordpress plugin which nicely integrates (an older version of) phpids in wordpress, so that might be worth looking into.

futtta