Plugin - Security

The Definitive Guide to WordPress Security Plugins

  • 5+ Best WordPress Security Plugins 2015 - Genesis Themes
  • 15 Best WordPress Security Plugins For 2015
  • 7 Best WordPress Security Plugins
  • 11 Best WordPress Plugins To Improve the Security of your Blog | Youngblah

Read the comments on: How to Find Hacked WordPress Files and Protect Against Intrusions. Important comment: http://wptavern.com/how-to-find-hacked-wordpress-files#comment-48986

My order:

Wordfence Security

Reviewed plugins

Features I need:

  • Watches all files and reports when changes happen, especially to files with the .php extension. WordPress Sentinel was an unmaintained plugin that did exactly that.

  • Log 404s: I have achieved that with the Redirection plugin, which we need anyway for other things, mostly 301 redirections.

Nice to have:

  • WP Performance & Security
  • Security by Supsystic
  • Asgard Security Scanner
  • Sucuri Security - Auditing, Malware Scanner and Security Hardening
  • VaultPress

  • Theme Authenticity Checker (TAC)
  • Sucuri Security - Auditing, Malware Scanner and Security Hardening
  • Acunetix WP Security
  • All In One WP Security & Firewall
  • Wordfence Security

https://wordpress.org/plugins/search.php?q=malware+scanner

Plugins to consider:

  • Code Analyzer: adds an "Analyze code" option on the existing Installed Plugins page. Beautiful plugin, but only for testing other plugins' code and finding unwanted code in them.

  • VIP Scanner
    As an official Automattic/vip-scanner plugin it should be trusted. Used for checking theme compatibility; some sort of combination of what used to be the Theme Checker and the Exploit Scanner, exclusively for themes.

  • Quttera Web Malware Scanner: calls Quttera's external, free scan. It scans for malware, trojans, backdoors, worms, viruses, spyware and other threats, as well as JavaScript code obfuscation, exploits, malicious iframes, malicious code injection, malicious code obfuscation, auto-generated malicious content, redirects, hidden eval code and more. It also checks whether your website is blacklisted by Google and other blacklisting authorities.

Forget about these plugins:

Didn’t bother to do a detailed analysis:

  • Acunetix WP Security simply has too many bad reviews, specifically about being too slow. It has a file scan and a couple of configuration directives.

WordPress File Permissions


Local malware and exploit scan

I need a plugin that scans files for suspicious patterns (base64_decode, eval, uudecode, etc.) and the database for posts and comments with suspicious text (iframe, noscript, etc.).

I am testing these plugins on a real infected site where a WSO Web Shell exploit script was seeded in a file cache.php inside the uploads folder.

  • Exploit Scanner
    The author, donncha, works for Automattic, so this plugin is really safe, but it is not up to date.

    Warning: it needs the WordPress core hashes. Without them, when I tested, it found 550 matches and thereby effectively hid the real threat: simply too much information, with false positives flagging a lot of regular WP files.

    How to obtain core hashes if they are nonexistent:

    • allow_url_fopen must be enabled, or it won't be possible to generate the WordPress core hashes if they are missing.
    • Run /wp-content/plugins/exploit-scanner/hashes-generator.php to generate hashes for the latest WordPress, and manually upload the resulting file to the plugin dir.
    • You will usually find those hashes already created in the philipjohn/exploit-scanner-hashes repository, but don't forget to look in pull requests that are not merged yet.

    Even with valid hashes, it had too many warnings to be really useful. It found my malware, along with a dozen others.

  • Wemahu is a beautiful idea, but they decided to discontinue it. Didn't find my malware.

  • AntiVirus checks only the themes directory. No feedback and therefore not very usable.

  • WP Doctor seems a little amateurish, and it didn't detect my exploit.
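As an added example (not code from any plugin reviewed here), a minimal local scanner covering the two points above: it looks for the patterns the notes list (base64_decode, eval, uudecode; gzinflate is an assumption added here), flags PHP files under wp-content/uploads like the cache.php case, and skips any file whose sha256 matches a known-good core hash, which is what avoids the flood of false positives seen with Exploit Scanner without hashes. The core-hash set is assumed to be built by the caller from a pristine WordPress download; sample inputs in the test are constructed.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Set
# Signatures named in the notes plus gzinflate (an assumption added here, not any plugin's own list).
FILE_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "uudecode": re.compile(rb"\bconvert_uudecode\s*\("),
    "gzinflate": re.compile(rb"\bgzinflate\s*\("),
}
# Markup the notes flag in post and comment content (iframe, noscript).
CONTENT_PATTERNS = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "noscript": re.compile(r"<noscript\b", re.I),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_file(rel_path: str, data: bytes, core_hashes: Set[str]) -> List[str]:
    """Return reasons this file looks suspicious (empty means clean). A file whose
    sha256 is in core_hashes is an untouched core file and is skipped outright."""
    if sha256_hex(data) in core_hashes:
        return []
    reasons: List[str] = []
    lower = rel_path.lower()  # relative to the WordPress root, forward slashes
    if lower.endswith(".php"):
        # Executable PHP has no business living under wp-content/uploads.
        if lower.split("/")[:2] == ["wp-content", "uploads"]:
            reasons.append("php file inside uploads")
        for name, pat in FILE_PATTERNS.items():
            for m in pat.finditer(data):
                line = data.count(b"\n", 0, m.start()) + 1
                reasons.append(f"{name} at line {line}")
    return reasons

def scan_content(html: str) -> List[str]:
    """Flag post or comment HTML that contains the listed markup."""
    return [name for name, pat in CONTENT_PATTERNS.items() if pat.search(html)]

def scan_tree(root: str, core_hashes: Set[str]) -> Dict[str, List[str]]:
    base, findings = Path(root), {}  # {relative path: reasons} for flagged files
    for p in base.rglob("*"):
        if p.is_file():
            rel = p.relative_to(base).as_posix()
            reasons = scan_file(rel, p.read_bytes(), core_hashes)
            if reasons:
                findings[rel] = reasons
    return findings
```

Run `scan_tree("/path/to/wordpress", core_hashes)` over an install and feed post_content and comment_content rows to `scan_content`; a core file that legitimately calls base64_decode is reported only if its hash no longer matches the pristine set.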

Sources:

date 19. Sep 2016 | modified 05. Jul 2022
filename: Wordpress Plugin » Security