How to secure a WordPress site: auditing and monitoring tools

ispmanager.com - May 31 - Dev Community

WordPress is the most popular content management system, so it also suffers the most attacks. In this article, we’ll analyze the security tools for monitoring and protecting your WordPress site.

Tools to monitor changes to your Linux file system

You can detect unauthorized or suspicious activity in your Linux file system by monitoring changes to files and directories.

The tools you need:

AIDE (Advanced Intrusion Detection Environment) is an open-source tool for intrusion detection. The program creates a database of file hash sums and attributes, and then regularly checks the file system against that database.


Tripwire is a popular intrusion detection tool. It works similarly to AIDE, by creating a database of file and directory characteristics and then checking them for changes.

Auditd (Linux Audit System) tracks and records security events and changes to the file system. The program provides detailed logs for you to analyze to identify suspicious actions.

Inotify is a Linux kernel mechanism for detecting changes in real time. It is used to watch for the creation, deletion, and modification of files and directories. Inotify is often used by applications and scripts to automate tasks triggered by file changes.

The programs above are similar but have different functionality. For example, Auditd and Inotify are great for monitoring system activity, while AIDE and Tripwire are more for intrusion detection.

Here are the main differences between AIDE and Tripwire.

Tripwire. Developed in the early 1990s and originally open source software; closed features and support were later added, and it became a commercial product. Advanced management capabilities, integration with different platforms, and professional support. Easy to set up and use thanks to its simple interface and support.

AIDE. Created as a free alternative to Tripwire; completely free and open source. Basic change detection that requires manual configuration. Requires more knowledge, better for advanced users.
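As an added example (not code from AIDE, Tripwire or this article), the following Python script shows the mechanism these tools share: fingerprint every file into a baseline database, re-scan later, and report what was added, removed or changed. The web root, file names and contents are constructed for the demo.

```python
"""Minimal AIDE/Tripwire-style integrity check (added example, not AIDE/Tripwire/article code)."""
import hashlib
import stat
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Attributes an integrity checker stores per file; mtime omitted to keep the demo deterministic."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root: the 'database' later scans are checked against."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed files, naming the attributes that differ."""
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)), "changed": changed}

def demo() -> dict:
    """Constructed web root: baseline it, make four kinds of change, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugins = root / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")
        (root / "wp-config.php").chmod(0o644)
        (root / ".htaccess").write_text("Options -Indexes")
        (plugins / "hello.php").write_text("<?php // hello dolly")
        baseline = build_baseline(root)
        # Changes a re-scan should flag: new PHP file in uploads, edited plugin,
        # changed wp-config.php permissions, deleted .htaccess.
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "x.php").write_text("<?php // unexpected")
        (plugins / "hello.php").write_text("<?php // modified")
        (root / "wp-config.php").chmod(0o600)
        (root / ".htaccess").unlink()
        return compare(baseline, build_baseline(root))
```

Run `demo()` to see the three report categories; a real deployment would store the baseline read-only, off the host, and re-run `compare` from cron.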

Wazuh and Lynis: tools for security monitoring

There are many security scanning programs on the market. For example, Nessus scans for vulnerabilities, Suricata is an intrusion detection system, and Fail2ban blocks brute-force attacks and attempts to break in by guessing keys or passwords. Let me tell you which ones I would choose and why.

Wazuh and Lynis:
▪️ Designed specifically for system security and auditing. Wazuh transmits real-time data, detects intrusions, and manages logs and configuration. Lynis scans for OS vulnerabilities.
▪️ Open source: you can fix bugs and improve functionality yourself.
▪️ Flexible customization. Both can easily be customized for different operating systems and environments. They are suitable for different IT structures, from small businesses to large corporations.
▪️ They help you meet PCI DSS, HIPAA, NIST, and other security standards.

To use Wazuh and Lynis, you must:
▪️ Understand bug management systems and package change logs.
▪️ Properly integrate data from different sources to establish a holistic picture.
▪️ Understand cybersecurity and compliance standards.
▪️ Update them regularly: keep track of new patches and fixes.

Let's break down the differences between Wazuh and Lynis in more detail.

Lynis is a scanning tool for Unix-like operating systems including Linux and macOS. Lynis analyzes your system configuration, installed software, and any weaknesses. It then gives security recommendations.

To better understand how to work with Lynis, see the official documentation.

Wazuh is a user-friendly option that manages incidents and monitors threats in real-time. Wazuh integrates various tools: log analysis, intrusion detection, security auditing, and system health monitoring.


I configured Debian 11 based on a security audit from Lynis. Testing showed that a decent level of security was achieved:


An overall security audit. You can get to 98%-100%, but it may affect system functionality, e.g., cron will stop working.

For a more in-depth analysis, view the detailed results by scrolling up in the terminal.

Lynis is a console utility, while Wazuh has a broader feature set thanks to its modular architecture. Therefore, with Wazuh, it's easier to customize and scale your security, install modules for specific tasks, and integrate them into your existing infrastructure. That's why I use Wazuh.

What modular architecture offers:

Install only the modules you need. Make your system meet your own security requirements and monitoring standards.

Ease of integration with SIEM systems and other platforms, for example, to extend Wazuh’s functionality.

Independent upgrades simplify maintenance and reduce the risks of system-wide upgrades. New features can be implemented locally and patched without disrupting your business.

Specialization. For example, one module analyzes logs, another module monitors file integrity, and a third module detects intrusions and collects and processes data.

System load control means you can load only the required modules.

Malware scanning services

Dr.Web is an integrated antivirus solution for protecting websites and mailboxes on hosting servers managed with the ispmanager panel.

It offers:
  • automatic scanning of files and emails for malicious code in PHP, JS, HTML, and system files;
  • fixing of infected files.

You can learn more about how to set up and use Dr.Web in the ispmanager documentation.

ImunifyAV (formerly Revisium) is an antivirus program for detecting malware on websites and removing it. ImunifyAV automatically scans files for known threats and helps recover infected files.

Since the sanctions were imposed, the paid version of ImunifyAV is no longer available in the ispmanager control panel and only the malware search mode remains. Detailed information on configuring and using ImunifyAV can be found in the official ispmanager documentation.

WPScan: check your site for vulnerabilities

WPScan checks your site for problems such as weak passwords or insecure plugins and themes. WPScan relies on a database of known vulnerabilities and will automatically detect WordPress versions with potential problems.


With WPScan, site admins can identify and remediate vulnerabilities before attackers exploit them.

How to scan a WordPress site with WPScan:

  1. Install Ruby: it’s almost always in your Linux distro’s repositories.
    sudo apt install ruby

  2. Install the dependencies to build extensions:
    sudo apt install build-essential libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev libgmp-dev zlib1g-dev

  3. Install WPScan:
    sudo gem install wpscan

For more information on installing WPScan, see the official documentation.

Examples of commands for different types of scanning:

  • Basic scan: the command scans example.com to determine whether there are any known vulnerabilities in WordPress, plugins, and themes:
    wpscan --url https://example.com

  • Lists and checks installed plugins for known vulnerabilities:
    wpscan --url https://example.com --enumerate p

  • Lists installed themes:
    wpscan --url https://example.com --enumerate t

  • Get a list of WordPress users:
    wpscan --url https://example.com --enumerate u

  • Enumerate all plugins (ap) and all themes (at), and check for configuration backups (cb):
    wpscan --url https://example.com --enumerate ap,at,cb

  • Full scan: check for vp (vulnerable plugins), vt (vulnerable themes), u (users) and m (media files):
    wpscan --url https://example.com -e vp,vt,u,m

Important: Active site scanning may be perceived as malicious activity. Before running WPScan, make sure you have permission to scan the site.

Wordfence plugin: WordPress protection

Wordfence is one of the most powerful tools for protecting WordPress websites. I recommend it because the plugin’s signature database is constantly updated meaning Wordfence promptly recognizes and blocks malware.

Here are a few more reasons why I like Wordfence:
Its large set of security features: an application-level firewall, a security scanner, and intrusion detection and prevention tools. It protects against malicious bots, viruses, SQL injection, and cross-site scripting (XSS).

Its firewall rules are updated in real time. As soon as the plugin finds a threat, info about it is immediately distributed to all Wordfence users. This feature comes with the Premium version.

It’s easy to use: the interface and setup are so intuitive that even a novice can handle it.

Offers detailed access and attack logs: site admins can track suspicious activity and respond quickly.

Regular system updates

Commands for upgrading Debian:

Updating the package list:
sudo apt update

Update installed packages:
sudo apt upgrade

Full system upgrade:
sudo apt full-upgrade

Clearing unused packages:
sudo apt autoremove

System reboot (either command):
sudo reboot
sudo shutdown -r now

How to automatically update packages in ispmanager

Automatic software updates are a useful feature, but not in every situation.

Pros:
▪️ Linux distro and server software security. Updates often include patches that are vital for the OS, server, or anti-virus software.
▪️ Stable software.
▪️ Bug fixes in service packs.
▪️ Quickly update Linux distro packages and server software.

Cons:
▪️ Incompatibility: an update may contain changes that do not work with specific programs or custom settings. Crashes or difficulty accessing sites may result.
▪️ Degraded performance. When updates are applied to multiple servers at once, network congestion or slowdowns can occur.
▪️ Errors and bugs. New software versions may contain hidden bugs, which we discover only after the update.

Important: If you use automatic software updates on large hosting platforms or servers, unexpected failures can happen during a sudden spike in load.

Recommended:
Test all managed and controlled upgrade processes: run them in a controlled environment before applying them to production servers. This keeps all servers protected and up to date.

What is the difference between managed and controlled update processes:
Managed updates run automatically on a schedule, without administrator intervention. The human factor plays no role, so the process is less customizable.

Controlled updates are run, monitored, and verified by an administrator. This lets you control the process and consequences of the updates but requires more experience.

Here's how to configure automatic updates in ispmanager:

  1. Go to Settings → System Settings.
  2. Find the "Update software automatically" option.
  3. Select "Update all system packages" from the drop-down list.
  4. Click "Save".


How to protect a WordPress site and what tools to use in brief

  • Check for changes in the Linux file system. AIDE, Tripwire, Auditd, and Inotify can do this. AIDE and Tripwire are for detecting unauthorized changes, Auditd and Inotify are for monitoring and auditing system activity.
  • The Wordfence plugin is one of the most powerful tools for protecting WordPress sites. It promptly recognizes and reports SQL injections, XSS attacks, and malware.
  • Wazuh and Lynis are great for security monitoring: Wazuh provides intrusion detection and log and configuration management. Lynis is a tool for auditing Linux distros and server software.
  • Check your site for malware with Dr.Web or ImunifyAV.
  • WPScan detects vulnerable WordPress versions and plugins with potential issues and notifies the site admin.
  • Update your system, server software, kernel, and site plugins regularly. Test your upgrade processes before applying them to production servers: perform each upgrade in a controlled environment.

Of course, these are not the only ways to secure a WordPress site. In a previous article, I described how to secure server software or an internet project using AppArmor.

The next articles are on:

  • Configuring Nginx ModSecurity (WAF).
  • BitNinja customization. The platform's modules include a WAF and AI scanner. It specializes in protection against SQL injection, XSS, viruses, DoS, and the use of web forms for spam attacks.
  • Customizing your system as per a Lynis audit.
  • Finalizing your security settings using whitelists.
