Herself's Webtools

Scripts, HowTos, Templates, Plugins, Widgets, Tips and Useful Information

WordPress plugin ‘Tripwire’ 3rd of three part security plugin set


The final plugin of the three-part TTC (TimesToCome) WordPress security set is ready. This one acts as a tripwire: if a file is changed by you or, more importantly, by someone other than you, you’ll know.

Simply install and activate the plugin. Once activated, go to the plugin management page and tell it you want a list of all files changed in the last 0-99 days (pick your day), and it will bring up a list of altered files for you.

If your WordPress install is in the top directory of your website, the plugin will check all the directories on your website. If you are down one level (http://yoursite.com/wordpress/), then you can change this line:

$directories_to_read[$dir_count] = "../"; // plugins run from wp-admin so bounce up a directory

to this:

$directories_to_read[$dir_count] = "../../"; // plugins run from wp-admin so bounce up a directory

It will then check all the directories, not just your WordPress directories.

Download

Part 1: WP plugin to prevent bot registrations

Part 2: WP Security Plugin: block bots, scrapers, cross-script attacks and more

Part 3: Tripwire

Install them all for best results!

Written by timestocome

June 16th, 2008 at 1:00 am

Posted in security,tools,wordpress

12 Responses to 'WordPress plugin ‘Tripwire’ 3rd of three part security plugin set'


  1. hello
    thanks for your plugins
    great job
    I would be just happy to know it is helpful if I inform the hosting companies of those IP addresses
    really thanks a lot
    wangjel

    wangjel

    16 Jun 08 at 8:00 am

  2. Thank you!

    Not usually. I tried a few times in the past and they just bury you with forms to fill out.

    Also I’m finding most of the trouble now is coming from other countries so it is less likely you’ll get any help.

    ljmacphee

    16 Jun 08 at 9:01 am

  3. I have recently exchanged several emails with the person claiming to be the author of BadBehavior. He has some disagreements with the way I coded the plugin and I thought I’d make our conversations available to you so that you can all decide.

    They follow in the next comment.

    ljmacphee

    31 Aug 08 at 6:25 pm

  4. Michael Hampton
    to me

    5:59 AM (12 hours ago)

    This plugin seems to have a problem. It won’t detect changed files if
    the file was altered and the modification time restored (e.g. with
    touch). The mtime and atime can be modified at will to say anything,
    thus defeating your script as is. You probably want to use filectime()
    rather than filemtime() to determine if a file has really been changed;
    the ctime can’t be changed by a user program.

    P.S. What false positives in Bad Behavior?

    Homeland Stupidity

    ljmacphee

    31 Aug 08 at 6:25 pm

  5. Linda MacPhee
    to Michael

    9:40 AM (8 hours ago)

    Thank you I’ll look at that.

    ljmacphee

    31 Aug 08 at 6:26 pm

  6. Linda MacPhee
    to Michael

    9:56 AM (8 hours ago)

    Hi,

    Thank you, no file time stamp system is perfect. Truth is if people
    can get far enough into your webserver to change the file time stamps
    it is out of this plugin’s league anyhow. See article on Webmaster
    World of fileatime/ctime/mtime. The notes are taken from the php.net
    website.

    http://www.webmasterworld.com/forum88/2070.htm

    Plugins for WordPress run on many systems and I must try to use what
    will reach them all. But feel free to alter your copy of the plugin.
    All my plugins are things I write for me and hope that others will
    feel free to use and change. I try very hard to make the code both
    easy to read and alter.

    There is extensive discussion on the Bad Behavior website, and several
    forums about false positives. I still use it on my Coppermine sites
    where I am less concerned with false positives than I am with keeping
    out trouble. It is an excellent plugin and worth trying out if you
    are experimenting w/ various security tools for your site.

    All the security plugins have their strengths and weaknesses. It is
    my hope that mine is easily alterable by people so that they alter it
    and pick and choose the best options for themselves. Several people
    have done so and there are several posts on my website explaining how
    to do various hacks to the main plugin.

    If you wish to comment explaining why filectime is better and put a
    link to a copy of the plugin using that on the website, it would be
    welcome. I encourage people to hack the code.

    Linda

    ljmacphee

    31 Aug 08 at 6:26 pm

  7. Michael Hampton
    to me

    3:48 PM (2 hours ago)

    Thanks for your response.

    I am well aware of the difference between mtime and ctime, perhaps more
    than you realize. This is why I pointed it out to you! The mtime is not
    reliable since it is so easily changed. Anyone who can modify a file can
    also modify the modification time.

    If the purpose of your plugin is really to let people know if a file is
    changed by “someone other than you,” as it says on your web site, then
    it seems that the plugin should make an effort to actually do so. This
    means using the ctime.

    I sent you this email first privately so that you would have an
    opportunity to fix the problem before it becomes public knowledge. This
    is common and accepted practice in the computer security field.

    Without a fix forthcoming, my next step will be to release a
    demonstration script which changes a WordPress file without your plugin
    noticing.

    P.S. The reason I mentioned Bad Behavior is that I am the author, and I
    don’t remember ever hearing from you about false positives. I like to
    fix these, but I can’t do so if they aren’t brought to my attention.

    ljmacphee

    31 Aug 08 at 6:26 pm

  8. I asked you first thing this morning to leave a comment here, state your case and offer up something better. I encourage public comment.

    You didn’t have to threaten, I encouraged you to go public several hours ago. Which you chose not to do. I even offered to link to a better plugin or whatever you had to offer.

    It is in all of our best interests to keep the internet safe.

    It is my understanding that ctime is not available on all systems. Also if someone can get into your file system, changed files are the least of your concerns. This program will list all files changed by datestamp. I think I’ve made that obvious.

    It is well known that timestamps can be changed. This is not news. This is however something the average script kiddie will be able to pull off.

    If you are really concerned you will need to go far beyond ctime and run diff or something similar as well. But always there are tradeoffs. Diff would not be available to everyone and much more time consuming, not to mention you’d need to cache copies of the files somewhere.

    Please, we would all love for you to update Bad Behavior and write a better tripwire program. I write plugins to do what I need that has not yet been done. It is not my main interest. I would much rather just download what I need and not have to write everything myself.

    So quit your bloody whining and do something constructive.

    ljmacphee

    31 Aug 08 at 6:31 pm

  9. thanks for releasing the plugin. My sites are getting hacked and this looks useful.

    But if the WordPress site gets hacked (iframe, gumblar), wouldn’t the site not load making the plugin ineffective?

    Maybe have a mini script outside of the WordPress framework and have a cron job running every few hours checking the files. Would that make sense.. Not a programmer.

    Thanks, Mike

    gariben

    29 Aug 09 at 11:42 am

  10. Absolutely, running your security scripts outside of WP is always a better option.

    However that option isn’t available to a lot of bloggers, hence the scripts.

    The 3 security plugins are intended for bloggers who don’t have access or knowledge to run scripts outside of WP.

    If you do have access to running scripts on your server a cron job to check the files and using .htaccess to ban problem ips/bots is a better way to go.

    timestocome

    7 Sep 09 at 8:01 pm

  11. Kudos, great little tool. I have a quick question for you … is there an export button/function that will allow me to grab the output? I would like to use gawk to parse. Right now, I am copying and pasting from the webpage but that tends to get a little klunky.

    Many thanks!

    dsilvera

    16 Apr 10 at 8:35 am

  12. No, but there is a non-WordPress version you can just visit the php page and it’ll mail you the information.

    Check for altered files

    timestocome

    17 Apr 10 at 9:18 am
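
The thread above weighs three change signals: mtime, ctime, and comparing file contents against a stored copy. The following is an added example, not code from the plugin or from any commenter, that records all three for every file under a directory and reports which ones differ from a baseline. The helper names `snapshot()` and `changed_signals()` and the scratch directory are assumptions made for this illustration, and a SHA-256 hash stands in for the "diff against cached copies" idea from comment 8.

```php
<?php
// Added example; snapshot() and changed_signals() are hypothetical helper names.

// Record mtime, ctime and a content hash for every regular file under $root.
function snapshot(string $root): array {
    clearstatcache();                       // PHP caches stat() results per path
    $state = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile()) continue;
        $path = $file->getPathname();
        $state[$path] = [
            'mtime'  => filemtime($path),   // can be set by anyone who can write the file
            'ctime'  => filectime($path),   // inode change time on Unix, creation time on Windows
            'sha256' => hash_file('sha256', $path),
        ];
    }
    return $state;
}

// Returns path => list of signals that differ from the baseline.
function changed_signals(array $baseline, array $current): array {
    $report = [];
    foreach ($current as $path => $now) {
        if (!isset($baseline[$path])) { $report[$path] = ['new file']; continue; }
        $diff = array_keys(array_diff_assoc($now, $baseline[$path]));
        if ($diff) $report[$path] = $diff;
    }
    foreach (array_diff_key($baseline, $current) as $path => $unused) {
        $report[$path] = ['deleted'];
    }
    return $report;
}

// Constructed demo in a scratch directory (not a real WordPress tree).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tripwire-demo-' . getmypid();
mkdir($dir);
$f = $dir . DIRECTORY_SEPARATOR . 'index.php';
file_put_contents($f, "<?php echo 'original';\n");
$baseline = snapshot($dir);

sleep(2);                                   // let the clock move past the baseline second
file_put_contents($f, "<?php echo 'altered';\n");
touch($f, $baseline[$f]['mtime']);          // old mtime put back, the case raised in comment 4
print_r(changed_signals($baseline, snapshot($dir)));  // on Unix: ctime and sha256, not mtime

unlink($f);
rmdir($dir);
```

For the cron setup suggested in comments 9 and 10, the baseline would be serialized to a file that the web server user cannot write, since a baseline stored next to the monitored files can be rewritten along with them.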
