File Integrity Monitoring (FIM) is a security technology that monitors and detects changes to critical system files, configuration files, and content files. It works by comparing the current state of the system to a known baseline and alerting administrators when any change is detected. Because malware and unauthorized changes show up as files that are not part of that baseline, FIM is an important tool for organizations that need to ensure the integrity of their systems and detect malicious activity early.
A default and up-to-date WordPress installation with a strong password is quite secure. However, to survive on the internet that is not enough.
That’s where File Integrity Monitoring (FIM) comes into play. A File Integrity Monitoring tool or plugin monitors your site’s files and alerts you for any changes like file uploads, edits, removals, and so on.
File integrity monitoring helps you stay ahead of security breaches and identify errors that could leave your website exposed to hack attacks.
In this post, we’ll provide you with a thorough introduction to file integrity monitoring and explain how it can improve your site’s security. We’ll also share a few different tools and plugins you can use to implement this security solution on your WordPress site.
Let’s get started!
An Introduction to File Integrity Monitoring
When it comes to protecting and maintaining infrastructures such as websites and servers, File Integrity Monitoring is key. This solution validates the integrity of a given environment, namely, it checks to see whether the contents of your site’s files have changed unexpectedly.
You can use File Integrity Monitoring to detect file changes in operating systems, web servers, and web applications such as WordPress. It can even prove useful for monitoring file-based software solutions such as databases and configuration files.
Organizations that use a file integrity monitoring solution are more likely to detect security breaches early on, giving them a better chance of staying online and deterring any major damage. For this reason, File Integrity Monitoring is primarily considered to be a security solution.
However, this solution can achieve other goals as well. In some cases, it can monitor software and operating systems configuration changes in:
- Open ports configuration on a server.
- Webserver and network services configuration.
- Running or stopped services (daemons) on a server.
Even planned file changes can sometimes cause problems to your WordPress site. By keeping track of all your modifications with File Integrity Monitoring, you can easily pin down possible causes for errors that are related to changes in your files.
This makes troubleshooting faster, so you can get your site back up and running right away.
How File Integrity Monitoring Works
File Integrity Monitoring works by taking “fingerprints” of your site’s files and then comparing them to one another. If the fingerprints differ, it means the files have changed.
To create a fingerprint, the File Integrity Monitor (also known as a File Integrity Scanner) scans a single file and creates a “checksum” — a unique string of data associated with that file — by running a cryptographic hash function on the file.
File Integrity Monitoring can become useful to check other file properties as well, such as permissions and the modification date. These checks are crucial as even a simple change in a file’s permissions could leave the system open to attacks.
Why File Integrity Monitoring Is Important
One of the aspects that make File Integrity Monitoring a must-have security solution is its twofold strength: it is both a reactive and a proactive security solution.
File Integrity Monitoring as Proactive Security
An example of proactive security is identifying mistakes done by your developers while working on your website that might leave your site exposed. Wrong file permissions, left-over files containing sensitive information, such as a backup of a database or a source code file, are good examples of security threats that File Integrity Monitoring can proactively identify.
File Integrity Monitoring as Reactive Security
A File Integrity Monitoring solution can also point out what’s been changed on your site after a hack attack, or in which files the malware was injected.
In addition to that, it can even check for changes in your website’s setup by monitoring crucial WordPress site files, such as the wp-config.php and .htaccess files.
Thanks to this key information, you could revert your site to its previous (clean) state and clean up any types of malware or “bad code” left in the shortest time possible.
Compliance requirement
For some, File Integrity Monitoring may also be required by law. The Payment Card Industry Data Security Standard (PCI DSS) requires compliant sites to:
“Deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modification.”
Managing your website visitors’ sensitive information is a serious responsibility. If you store any type of customer data on your website, especially cardholder data, having File Integrity Monitoring enabled helps you ensure such data has not been tampered with by anyone and keeps you on the right side of the law.
Why You Need File Integrity Monitoring for Your WordPress Site
WordPress is a web application and it is made up of two types of files: non-executable and executable files.
The former are mostly logs and media files. Logs are typically generated by plugins and themes, while media files are those you upload to your website, such as images, videos, PDFs, and so on. They are non-executable because the web server does not execute them but just serves them.
Most of the non-executable files are stored in the /wp-content/uploads/ directory in WordPress. Changes to non-executable files do not have an impact on the security, performance, or functionality of your website. In fact, most File Integrity Monitoring solutions exclude these files from their scans by default.
On the other hand, executable files include the PHP, JavaScript, and other files that contain your site’s source code like WordPress core, plugins, themes, and any custom web application you might have. Changes in executable files can occur, but only when you:
Any other changes to your WordPress site’s executable files could be a sign of an intrusion, malware injection, or a developer mistake. Running a File Integrity Monitoring plugin on your WordPress site can help you easily spot these issues before they become a real threat to the security or functionality of your website.
As a quick recap: File Integrity Monitoring can help you identify test files that should have been removed, most malware injections (including backdoors, redirects, and Trojans), and any other harmful file changes.
When used in combination with an activity log, File Integrity Monitoring gives you a complete view of what’s happening on your site at all times. You can carry out post-hack forensics to determine which files were targeted and by whom, and also enhance security around them to prevent future attacks.
Two Different Types of File Integrity Monitoring Methods
The basis of file integrity monitoring is always the same: comparing the fingerprints of a single file taken at different points in time. There are several ways this can be accomplished.
1. Comparing Files to a Central Repository
A commonly used method is comparing a fingerprint to a central repository through the use of a WordPress plugin (more on plugins below). In this case, the plugin compares the fingerprint of your site’s index.php file to the fingerprint of the latest index.php file released by WordPress.
The advantage of using this method is that you can easily confirm if your files are identical to the original ones. Since you’re comparing data to a central repository, though, there are a few shortcomings:
- The solution cannot identify changes in distributed configuration files such as .htaccess and wp-config.php.
- You’ll be flagged with false positives if you customize your website’s code.
- The plugin can only compare files of known applications (WordPress core) and sometimes of popular plugins.
- These solutions cannot detect changes in custom applications or plugins because there’s nothing to compare them to.
- The security of your website depends on how quickly the vendor updates the original fingerprints or on the availability of the central repository.
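As an added illustration of this method (example code written for this post, not code from any plugin named here), the check below compares a site tree against a vendor manifest. The manifest, the site tree and all file contents are constructed inline, and the four result buckets make the shortcomings above visible: a customised index.php is flagged as modified, while wp-config.php and a custom plugin cannot be checked at all because the repository has nothing to compare them to.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for a vendor manifest (WordPress publishes per-file
# checksums for each core release): relative path -> hash of the pristine file.
PRISTINE = {
    "index.php": b"<?php\ndefine('WP_USE_THEMES', true);\nrequire 'wp-blog-header.php';\n",
    "wp-blog-header.php": b"<?php\nrequire_once 'wp-load.php';\n",
}
VENDOR_MANIFEST = {rel: sha256_of(body) for rel, body in PRISTINE.items()}

def verify_against_manifest(site_root, manifest, excludes=("wp-content/uploads",)) -> dict:
    """Check every file under site_root against the vendor's pristine hashes.
    ok       - identical to the vendor copy
    modified - present but different (a local customisation or tampering)
    missing  - listed by the vendor but absent on disk
    unknown  - on disk but not in the manifest: wp-config.php, .htaccess and
               custom code cannot be vouched for by this method at all
    """
    root = Path(site_root)
    result = {"ok": [], "modified": [], "missing": [], "unknown": []}
    seen = set()
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if any(rel == e or rel.startswith(e + "/") for e in excludes):
            continue
        seen.add(rel)
        if rel not in manifest:
            result["unknown"].append(rel)
        elif sha256_of(path.read_bytes()) == manifest[rel]:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in result.items()}

def demo() -> dict:
    # Constructed site tree in a temporary directory, not a real installation
    root = Path(tempfile.mkdtemp())
    (root / "wp-blog-header.php").write_bytes(PRISTINE["wp-blog-header.php"])
    (root / "index.php").write_bytes(PRISTINE["index.php"] + b"// local tweak\n")
    (root / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'wp');\n")
    (root / "wp-content/plugins/custom").mkdir(parents=True)
    (root / "wp-content/plugins/custom/custom.php").write_bytes(b"<?php\n")
    return verify_against_manifest(root, VENDOR_MANIFEST)
```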
2. Comparing Files to Self-Generated Data
Because of the limitations the central repository-based method has, comparing two sets of self-generated data is the preferred method and what best practices suggest. This type of solution detects file changes by comparing fingerprints with their own previous scans.
This means the plugin generates the first fingerprints upon installation. Then, when it scans the files again, it’ll compare the new fingerprints with those from the original scan. Whenever a file change is recorded, you can configure the plugin to either accept that change automatically or send you an alert.
This method is preferred over the previous one because of the following advantages:
- It can detect changes in custom code.
- The system adapts to your website (you can validate changes and update the fingerprints, thus supporting continuous customizations).
- It reports significantly fewer false positives.
For these reasons, when looking for a file integrity monitoring tool or plugin, you’d want to pick one that is based on self-generated data.
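The fingerprinting described under “How File Integrity Monitoring Works” and the self-generated baseline described in this section, as one added example (written for this post, not code from any plugin mentioned here): it hashes every file, records its permission bits, skips the uploads directory, diffs two snapshots, and folds reviewed changes back into the baseline so that only the unreviewed permission change keeps alerting. The site tree and the change events are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Content hash plus permission bits: a chmod alone is a finding."""
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": path.stat().st_mode & 0o777}

def take_snapshot(site_root, excludes=("wp-content/uploads",)) -> dict:
    """Self-generated baseline, relative path -> fingerprint; uploads are skipped."""
    root = Path(site_root)
    rels = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    return {r: fingerprint(p) for r, p in rels.items()
            if not any(r == e or r.startswith(e + "/") for e in excludes)}

def compare(baseline: dict, current: dict) -> dict:
    report = {"added": [], "removed": [], "modified": [], "perm_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        kind = ("added" if old is None else "removed" if new is None else
                "modified" if old["sha256"] != new["sha256"] else
                "perm_changed" if old["mode"] != new["mode"] else None)
        if kind:
            report[kind].append(rel)
    return report

def accept_changes(baseline: dict, current: dict, accepted) -> dict:
    """Fold reviewed changes into the baseline so they stop alerting."""
    updated = {k: v for k, v in baseline.items() if k not in accepted}
    updated.update({k: current[k] for k in accepted if k in current})
    return updated

def demo() -> tuple:
    # Constructed scenario on a throwaway tree, not a real site
    root = Path(tempfile.mkdtemp())
    for rel in ("wp-config.php", "wp-content/themes/t/functions.php", "wp-content/uploads/a.jpg"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"original\n")
    (root / "wp-config.php").chmod(0o640)
    baseline = take_snapshot(root)
    # Simulated events: new theme file, edited file, loosened permission, new upload
    (root / "wp-content/themes/t/extra.php").write_bytes(b"new\n")
    (root / "wp-content/themes/t/functions.php").write_bytes(b"edited\n")
    (root / "wp-config.php").chmod(0o666)
    (root / "wp-content/uploads/b.jpg").write_bytes(b"new\n")  # excluded, never reported
    current = take_snapshot(root)
    report = compare(baseline, current)
    accepted = accept_changes(baseline, current, report["added"] + report["modified"])
    return report, compare(accepted, current)
```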
3 Types of File Integrity Monitoring Tools You Can Use to Protect Your Site
There are several different File Integrity Monitoring solutions available. We’ve broken them down into three basic categories below. Let’s start from the top!
1. Server-Level Software Solutions
These solutions are installed on the webserver’s operating system and check all the files on the webserver. This means you can only use them if you have your own web server or VPS.
There are several options available on the market, such as:
As server-level solutions, these do not specifically target WordPress-powered sites, so they might generate a lot of false positives. On top of that, they are quite expensive and require advanced knowledge to set up and manage.
2. WordPress Plugins
If you want a file integrity monitor solution that’s more specific to WordPress, there are various plugins available for this task.
Website File Changes Monitor
Website File Changes Monitor is a dedicated file integrity monitoring plugin for WordPress. It is available for free and when it detects file changes it alerts you via email.
This plugin uses self-generated data for file comparisons and you can launch on-demand scans. It is a fully configurable file integrity monitoring solution for WordPress and you can exclude files and directories, configure the schedule of the scans, and much more.
What really sets this plugin apart from all the others is that it is the only WordPress plugin that is fully aware of WordPress core, plugins and themes changes.
WordPress File Monitor
WordPress File Monitor is also a dedicated file integrity monitoring plugin that uses self-generated data for comparisons. However, it is not aware of WordPress core, plugins, and theme changes and you might get many false-positive alerts about file changes.
False-positive alerts can have a very negative impact on the website because non-security savvy users cannot verify whether alerts are generated from something critical or just a safe file change.
Other Plugin Options
The above are the only file integrity monitoring plugins for WordPress. Other plugins with file integrity monitoring capabilities are part of all-in-one security solutions such as Sucuri Security, iThemes security, and Wordfence.
These plugins use the method that compares files to a central repository and are not aware of site structure changes, i.e. they only identify changes in WordPress core and some popular plugins.
3. Open Source File Integrity Monitoring Tools
If plugins aren’t your thing, you might want to consider one of the many open source tools available for monitoring your files. For instance, Tripwire provides an open source version of its platform that offers free security features, including file monitoring. With that said, this version isn’t as effective as its paid counterpart.
Another open source platform to consider is OSSEC:
This is a popular free security solution and it’s capable of carrying out file monitoring tasks. However, like many of the other tools we’ve mentioned, it works at the server level. While it can be used with WordPress, it can only work if you have a dedicated server or VPS.
Also, if you opt for OSSEC, you’ll need to do some advanced configuring but it still may not be the most accurate solution for your site.
The most interesting aspect of open source security platforms is that, if you know your stuff around code, you can adapt these tools to include extended functionality and fit your preferences and needs.
Summary
WordPress security is a serious thing. Taking preventative measures to protect your website, content, business and users’ data is key. File integrity monitoring is only one part of the game. It’s also important to have a WordPress backup system in place for recovering your files, in the event an attack does occur.
In this post, we’ve demonstrated how file integrity monitoring can address both of these needs, and shared three types of File Integrity Monitoring solutions you can use on your WordPress site:
- Server-level software solutions such as Tripwire (which are effective, but can be very expensive).
- Free WordPress plugins like Website File Changes Monitor.
- Open-source tools such as OSSEC.
Do you have any questions about file integrity monitoring? Let us know in the comments section below!