I. Background
Recent attacks against the WordPress Content Management System have prompted reminders of the recommendation that you should make sure you are running the newest version of the WordPress system. When you download WordPress, you can also download the WordPress MD5 signature so that you can double check that the downloaded file has not been damaged during the download.
There are many algorithms available that can compute a file’s signature. The signature is generated by reading the file and running the data in the file through an algorithm. If even one character in a file is changed, such as a space added, or a comma replaced with a period, the signature will change to a radically different string. So, if the signature you generate on your computer after downloading a file is different from the signature that the vendor provides, that likely means the file has been corrupted during the download. A common time this is seen is when you upload a compressed file (.zip or .gz) to a web server in ascii (text) mode instead of in binary mode.
So, let’s say you’re upgrading or installing WordPress on your server. You compare the MD5 signature provided by WordPress (for 2.5.1 the MD5 signature is b1a40387006e54dcbd963d0cb5da0df4). What you would do under Linux is type the command md5sum wordpress-2.5.1.tar.gz and you should get that random-looking sequence of characters. If you don’t get b1a40387006e54dcbd963d0cb5da0df4, there is a problem.
But what happens after you uncompress and install the software? What if a cracker gets in and messes with your system? This is where file integrity comes into play. Historically (like the 1980’s and 1990’s) computer viruses would attach themselves to applications and documents on your computer, so there were two steps of protection: (1) a virus scanner which looked for actual code in files on the system; and (2) a file scanner to see if files has been changed.
Today that second form of scanning has fallen out of favor. But with the increasing number and complexity of WordPress attacks, I think having a fingerprint of the more than 500 files that are a part of WordPress is a valid security method. Fingerprinting WordPress can also help protect you against hardware failure.
I’ve written a set of scripts that can be run on a Linux system. (You could also add the WordPress files to your TripWire settings or other file integrity tool.) You simply provide the full directory path to the base of your WordPress install, and then two files will be generated in the correct format: a MD5 and a SHA fingerprints of the “official” WordPress files downloaded from WordPress.org.
Then you regularly run the check program. Suggestion: add the check program to a cron schedule so it will run automatically.
This is version 1.0 of this system. Definitely let me know if you find any problems or have any suggestions with this.
II. Installation
This system has only been tested on Linux (specifically CentOS 4.6). Please let me know if your system works or not. It only requires md5sum and shasum. This tool requires a familiarity with the Linux shell.
- Download the software.
- Generate the md5sum and shasum fingerprints for the .gz file. The MD5 fingerprint is “1bc778dc72741dbaa942b9fcd81e832b” and the sha fingerprint is “e4f1ef0f53397d820d8c07fee1786823d6a70cb2” Important: If you are unable to verify the fingerprints for the download, don’t continue! You will just be frustrated!
- Create a new directory on the web server.
- Unzip the software in that directory.
- Make sure that both version-check-251.sh and wordpress-check.sh are able to be executed. (chmod 700 or 755).
- Find the full path to your WordPress installation. This will vary based on each server setup. If you go to the folder that has your wp-config.php file and type the “pwd” command, that is probably the directory information you need. Common directories are /var/www/html/www.example.com/ or /var/www/docs/www.example.com/ or /var/htdocs/www.example.com/. The version-check-251.sh script will tell you if it can’t find the WordPress files.
- Change to the directory that you installed the scripts in.
- Type: “./version-check-251.sh (the full path found in step 4)”.
- Then type “./wordpress-check.sh” to check the fingerprints with the actual files in your installation. If there are any problems, it will be very obvious. Hopefully you will only see status messages.
- If you want to have the check script run by cron, use the wordpress-check-cron.sh script. The only difference in the two scripts is the cron script doesn’t print status messages.
III. Common Causes of Fingerprint Failures
If you’ve made any changes to any of the files, you will get an error. Simply update the domain-name.md5sum.txt and domain-name.shasum.txt files. The command to generate the new fingerprint is:
md5sum full-path-to-the-file
or
shasum full-path-to-the-file
Another common problem is not updating the default and classic themes (/wp-content/themes/) when updating WordPress.
And lastly, it is possible that Akismet may release a newer version of the plugin before WordPress itself is updated. Simply generate a new fingerprint of the new version of the plugin.
Updates
When WordPress gets updated, I will release a new version of the fingerprints. To stay informed about updates, subscribe to my RSS feed.
Comment Spam Increase This Week
Has anyone else noticed a large increase in the amount of comment spam that Akismet is missing this week? I’ve tagged and deleted more comment spam in the past week than I have in the past 6 months. I would guess across all of my WordPress sites, I’m manually tagging 10 messages a day. That is a huge increase. Are the spammers simply attacking at a higher rate? Or is Akismet not as effective as it used to be?
And why can’t Akismet learn that a comment in the format of: “eight words, all lowercase, all at least 7 letters long, a link inside an anchor tag, then the close tag, then a URL” is spam?
A setting you can make to help under WordPress 2.5: Go to the Settings tab, then the Discussion sub-tab. Under “Comment Moderation” have a “1” for “Hold a comment in the queue if it contains __ or more links.”