In this blog post we are going to cover the basics of the security audit for Joomla and WordPress sites using the unique tools found in our in-house website security scanning system.
Once your site is connected to the 1 For Websites maintenance service, we automatically run a daily security scan at 5.00 am. New vulnerabilities come out pretty much every day, and sometimes it can take as little as an hour for one to be exploited if updates are not performed right away.
Other services claim to have an “audit” tool. Most of the time they mean they have implemented the Sucuri SiteCheck API, which only “scans” your site as a visiting browser would. It doesn’t check the files in your webspace and doesn’t find anything that is hidden under the surface of your rendered web pages. Be warned: not all “audits” are in-depth and comprehensive!
At the start of every audit we also run our snapshot tools, capturing over 100 quick checks of your site. Added to the audit, that’s even more checks! The difference between the snapshot and the audit checks is that the snapshot checks can be completed within milliseconds, whereas the audit has checks that require us to look at every single line of code in every single file in your webspace, which obviously takes more time.
The daily audit first compiles a list of all the folders in your webspace – without exceptions – and then grabs a list of the files in those folders.
We then run an exhaustive process which includes:
- Identifying if the file is a core Joomla or WordPress file
- If it’s a core file, identifying if that file has been modified since release
- If the core file is modified, doing a comparison with the original file
- Storing the md5 hash of the file for future comparison
- Looping through every single line of code in every single file
- Searching every single line of code for one of nearly 2000 patterns of previous hacks we have seen and, if found, marking the file as “suspect”
- Checking the md5 hash of the file against over 14,000 specific md5 hashes of previously declared “hacked” files. There are no false positives: each of these 14,000 md5 hashes has been manually checked and confirmed to match a file which is hacked
- We check the created, modified and other metadata of each file, including the EXIF data on images (where hacks are known to reside!)
- We identify any encrypted files, PHP error logs, archive files, files over 2 MB in size, zero-byte files and many other classifications
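A minimal sketch of the audit loop listed above, added here as an illustration and not 1 For Websites' own code. The two regex signatures, the `core_hashes` map of release hashes and the `known_bad` hash set are constructed, hypothetical inputs.

```python
import hashlib
import os
import re

# Constructed sample signatures (assumptions); a real rule set is far larger.
SUSPECT_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"assert\s*\(\s*\$_(GET|POST|REQUEST)"),
]
ARCHIVE_EXT = {".zip", ".tar", ".gz", ".tgz", ".rar", ".7z"}
MAX_SIZE = 2 * 1024 * 1024  # threshold for the "over 2 MB" classification


def md5_file(path):
    """Stream the file so large files are hashed without loading them whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(root, core_hashes, known_bad):
    """Flag every file under root; core_hashes and known_bad are hypothetical inputs."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            size = os.path.getsize(path)
            md5 = md5_file(path)  # stored in the report for future comparison
            flags = []
            if rel in core_hashes and core_hashes[rel] != md5:
                flags.append("core_modified")  # differs from the released file
            if md5 in known_bad:
                flags.append("known_hacked")  # exact match on a confirmed hash
            with open(path, "rb") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in SUSPECT_PATTERNS):
                        flags.append(f"suspect:line{lineno}")
                        break  # first hit is enough to queue a manual review
            if size == 0:
                flags.append("zero_byte")
            if size > MAX_SIZE:
                flags.append("over_2mb")
            if os.path.splitext(name)[1].lower() in ARCHIVE_EXT:
                flags.append("archive")
            report[rel] = {"md5": md5, "flags": flags}
    return report
```

Comparing the stored `md5` values between two daily runs shows which non-core files changed, which is what keeping the hash "for future comparison" enables.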
Once the audit is over, 1 For Websites manually checks any notified items and reviews all the results if any changes have been advised.
Sample Hacked file advice
One of the things that sets 1 For Websites apart from every other maintenance service, is that we crowdsource data on hacks and backdoors.
In practice, this means that once a hack is discovered and confirmed on one site, patterns and regexp are created, approved, and rolled out to all sites being monitored by us the next time they are audited. Including your sites!
With this you benefit from the discovery of emerging hacks and trends we see on other sites. Our system is totally dynamic and self-improving, even without human interaction, and when people add their sites to 1 For Websites they often find hacks that have been left dormant for years, or badly cleaned in previous clean-ups.
Fully automated improvements to our detection.
Furthermore, we can manually improve the audit (and we do) multiple times a day, and with our automatic rollout/upgrade of our tools connector on your site – you get the very latest protection without having to manually make any changes at all.
If the 1 For Websites audit finds your Joomla or WordPress site is hacked, and you are unsure how to fix it yourself, or just want us to take care of everything for you, you can escalate this to us using the service from our website for a SET FEE priced hack fix.
Of course, we are always here to assist if you need us, so lodge a support request here if we can help in any way.