There are 1001 ways to hack a WordPress site and Shield Security eliminates a massive chunk of them.
The Shield Security plugin for WordPress is introducing a new file security bouncer – it will detect, and automatically eliminate, any files on your WordPress site that don’t belong.
This article will discuss what this new feature gives you, how it does it, and how you can better protect your site with the latest Shield Security plugin.
Remember the trusty Core File Scanner?
Some time ago we introduced the Core File scanner that detects & repairs WordPress core files on your site.
It ensures that your core files are legitimate. That is, if we were to download the WordPress files from WordPress.org again, they would be identical in every way to what’s sitting on your web server.
This is an absolutely critical tool in the mitigation of WordPress security threats. Many hacks take the form of code injected into existing, legitimate files e.g. WordPress Core Files. Just looking at these files in a file manager isn’t enough to know that they’ve been altered in any way. You need to examine the contents of the files.
This is what the core file scanner protects against. It ensures that none of your core files contain code that shouldn’t be there.
This is great for files that we “know” about. But what about files that aren’t part of your WordPress installation?
The ‘Unrecognised File Scanner’ – Deletes Files That Shouldn’t Be There
Until now we didn’t have a way to account for these. The new ‘Unrecognised File Scanner‘ handles this. (yea, we know, it isn’t the most glamorous name ever 😉 )
Using the same list of official files (as from the Core File Scanner) we identify files that aren’t on the list. Any non-standard files stored inside the WordPress core installation are simply in the wrong place.
Stop: Never store files in the core WordPress directories ‘wp-admin’ and ‘wp-includes’. Ever.
Assuming you keep to the rule above, you can safely delete anything that doesn’t belong there.
This scanner eliminates a whole swath of threats that sneak onto your website and sit there silently, undetected for months and maybe even years.
No Escape. No Exceptions. (well, except for a few)
The rule is: if the file isn’t part of WordPress core, it will be deleted.
But there are a couple of files you might have there which don’t ship with WordPress, namely:
We may extend this list as we receive feedback from clients, but for now those are the only non-standard files that will be permitted to stick around.
Not All Core Folders Are Scanned?
The scanner will only scan the full contents of the following directories:
It will not scan
wp-content since this is where all custom code and plugins/themes ought to go. And, it will not scan the top-level of your WordPress installation folder.
Why the top-level WordPress installation folder is excluded from the scan (for now)
We are huge advocates of running WordPress installations within their own directory. If you remain unconvinced, then we recommend doing it to keep things organised and tidy, at the very least.
Since most admins don’t do this, we can’t allow the scanner to run on the top-level WordPress installation folder as this would also be the public HTML document root. If we did, it would likely delete many files that admins have placed there which are critical to the normal running of the site.
But, if you do keep WordPress in its own directory, we’ll be releasing a patch upgrade to handle this scenario shortly after our v5.12.0 release. We also suggest you leave a comment below about typical files you might like to see excluded – we will of course only include exclusions that make sense for everyone.
How to get the new scanner on your WordPress sites
As with all our core security features, this is a free feature on the Shield Security plugin, v5.12.0 onward.
The feature is disabled by default due to its potentially disruptive nature i.e. if you have a bad habit of storing custom files in your WordPress directories. Naughty!
It is part of the Hack Guard module, and runs automatically in the background using the WordPress cron system, and you have 4 main options for how the scanner behaves:
– do not run the scanner ever
- Email Report Only
– run the scanner as normal and an email report detailing any unrecognised files that are discovered
- Automatically Delete Files only
– run the scanner as normal and silently delete any unrecognised files that are discovered
Shield Central – Turn On The Scanner For All Sites In Seconds
If you have more than a few sites to maintain, you can use Shield Central to switch on this feature across all your sites at once. The best way to achieve this is to update one of your Security Profiles and then push it out to your network.
Shield Central is built specially for cases just like this where you need to roll out new features quickly, and with no hassle.
Question and Comments?
This is a new feature and there’s every chance we’ve overlooked something, so please leave us your comments below and we’ll address all questions and concerns.
Thank you all, as always, for your support!