Malware Scanning: An Essential Layer of Website Security
Wordfence recently launched Wordfence CLI, a high performance command line malware scanner, which makes use of our extensive set of malware detection signatures to rapidly scan file systems for infections.
In recent years, the WordPress community has seen a shift in emphasis towards prevention, rather than detection, of security incidents. This reflects the increased adoption of best practices such as multi-factor authentication, vulnerability management, and configuration hardening.
While we agree that prevention is always better than detection or remediation, one important concept in Cybersecurity is defense-in-depth, so it’s important to have a well thought-out incident response plan and adequate security monitoring in place. No security solution provides perfect protection against zero-day vulnerabilities, and even a fully locked-down site can be compromised if it shares resources with other sites that remain vulnerable. In today’s article, we’ll discuss our philosophy for securing websites, including several key cybersecurity challenges and concepts and how they relate to the case for malware scanners.
Security Should Serve Users, Not the Other Way Around
There’s an old saying that the best camera is the one you have on you, and likewise, the best security solution is the solution you’ll actually use. Users add to the complexity of securing systems, and it is easy to secure a system that nobody wants to use because it’s locked down. Security that’s easy to use and difficult to bypass is far better than security that’s difficult to use and impossible to bypass, and one guiding philosophy to cybersecurity is that nothing is truly impossible to bypass.
That’s why Wordfence prioritizes the user experience and strives to incorporate as many layers of security as possible into a package that’s easy to use for the vast majority of WordPress site owners. Traditionally this has meant plugin-based offerings. Despite the limitations of running security as a plugin, our many features, including our Web Application Firewall, Two Factor Authentication, Real-Time IP Blocklist, and Malware and Vulnerability scanner help secure over 4 million sites, detect millions of malicious files, and block billions of attacks each year.
In our 2022 Wordfence State of WordPress Security Report, we reported that our firewall blocked more than 159 billion credential stuffing attacks, 23 billion configuration scans, and about 12 billion attacks against vulnerabilities. You can also get a real-time view of the volume of attacks we are blocking on the Wordfence Intelligence Dashboard.
Assume Breach Mindset
While it might seem pessimistic, “assume breach” is a critical mindset in cybersecurity that involves planning mitigations in case a site is compromised. For many sites, even the most locked down ones, compromise is a matter of when, not if, and rapid detection is key to minimizing the damage. If your site has been compromised, it is important to find out as soon as possible to prevent the attacker from gaining ground and elevating privileges throughout the system. A well thought-out incident response plan is useless if you’re unaware that an incident is occurring.
The SolarWinds breach, for instance, remained undetected for more than a year, allowing threat actors to infect thousands of critical systems via a supply-chain attack. With adequate security monitoring and detection in place, the intrusion could have been caught much sooner, and far fewer systems would have been affected. This also highlights how even organizations striving for the best security may still have gaps in coverage that an attacker can exploit.
No single solution will ever be perfect, and it is not possible to completely eliminate risk, only manage it. One of the most effective ways to manage risk is to layer defenses so that bypassing any one layer does not allow an attacker to take complete control. This is why, for instance, it is important to use both strong passwords and multifactor authentication, and why backups are important but not a replacement for intrusion detection.
Another example is the contrast between cloud-based solutions and our Web Application Firewall: a cloud solution is well suited to providing DDoS protection and blocking generic attacks, while our WAF benefits from running inside the plugin because it can block attacks targeted at specific WordPress vulnerabilities without unnecessarily blocking legitimate administrative traffic.
Our team has deployed hundreds of firewall rules that take advantage of our Web Application Firewall’s unique capabilities. Many of the privilege escalation and authentication bypass vulnerabilities we see have parameters and values that require specialized experience and techniques to adequately block. For instance, many privilege escalation vulnerabilities, such as the one we found in the JupiterX Theme, make use of administrative functionality that has been accidentally exposed to low-level users, often via an AJAX action.
With a generic ruleset from ModSecurity, attacks of this type can't be blocked without breaking most site functionality. Even the most advanced cloud firewalls, which can inspect POST parameters by terminating TLS at the edge, cannot tell whether a request comes from a logged-in administrator, so they would still prevent administrative users from performing necessary tasks. Thanks to our custom firewall rules, the Wordfence firewall is able to block malicious traffic without impacting site functionality, and thanks to our in-house vulnerability research we're often the first to release firewall rules for new critical vulnerabilities.
An often overlooked concept in cybersecurity is the problem of “trusting trust.” On any given system, an attacker that can run code can tamper with any other code running at the same privilege level. This is often used as an argument against plugin-based malware scanners and admittedly does present a challenge since any attacker able to compromise a site to the point where they can execute code can run that code at the same level as a plugin.
Many of our users install Wordfence after they have become aware of a breach and successfully use our scanner for remediation. Most malware is still not sophisticated enough to evade detection in this way, and even malware that is designed to do so often fails to fully hide its tracks from detection. Additionally, based on research our team has done on WordPress threat actors, many are unwilling or unable to develop their own evasion payloads or pay the premium for off-the-shelf solutions.
Nonetheless, such tampering is becoming more common, and no plugin-based scanner is immune to it. Even so, our plugin-based scanner still reliably detects an enormous amount of malware, and we have the telemetry to prove it: roughly 1 million sites successfully used Wordfence to clean malware in 2022, based on the total number of sites on which we saw infections compared to the number of sites that remained infected at the end of the year.
Fortunately, even the most cleverly designed file-based malware can’t successfully hide from a scanner it can’t tamper with, and Wordfence CLI is an effective solution for sites that need this extra layer of detection.
When it comes to remediation, a one-size-fits-all approach simply doesn’t work. Many sites have unique needs, custom code, or technical debt. Replacing core WordPress files and plugins with known clean versions can fix many issues, and our scanner offers the option to do this, but many infections will simply reoccur if the root cause is not addressed. Tools to automate remediation can be incredibly useful, but fully automated remediation can cause more problems than it solves while providing a false sense of security – there should always be a human making final remediation decisions. This is why our Wordfence Care and Wordfence Response offerings use skilled analysts to clean your website and get it back into working order, and we highly recommend these services to less experienced site owners, or site owners who simply want to trust the experts to handle remediation.
Our malware signatures are designed to detect not only active infections but also artifacts generated by malware and other indicators of compromise. Our team of specialists constantly monitors new malware variants and we release dozens of new signatures every month to keep up with attackers. Since our signatures use carefully crafted regular expressions, each signature can detect thousands and oftentimes even millions of unique malicious files.
In the spirit of continuous improvement, we’ve launched an additional, user-friendly layer of security with our Wordfence CLI scanner. While it is designed for power users and administrators, it unlocks new possibilities for detection that were not available with our plugin scanner.
More Flexibility with Wordfence CLI
One of the most frequent requests we've received over the years was the ability to run scans programmatically from the command line rather than via the plugin. Not only does this mitigate tampering concerns and deliver a massive performance boost, it also enables additional use cases: you can scan backups stored outside the webroot to verify their integrity before restoring them, or scan database exports to check more thoroughly for database infections, since scanning live databases tends to be extremely resource-intensive. You can also scan only recently modified files by piping the output of the Linux find command to Wordfence CLI, or exclude individual signatures in the rare cases where your custom code is detected by one of them.
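The following toy scanner is an added illustration of the three ideas above and is not Wordfence CLI or its signature set. It uses constructed regular-expression signatures with hypothetical IDs (EX-001 to EX-003), restricts a scan to files modified within a time window (the equivalent of piping `find -mmin` output to a scanner), and shows what excluding a signature costs when a benign comment in custom code triggers it. All sample files are constructed and written to a temporary directory.

```python
"""
Toy regex-signature malware scanner (added example; not Wordfence CLI and not
its signature set). Demonstrates: one regular expression covering a family of
malicious constructs, limiting a scan to recently modified files, and
excluding a signature that hits legitimate custom code.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Signature:
    sig_id: str
    description: str
    pattern: re.Pattern


# Constructed sample signatures (hypothetical IDs). Each matches a family of
# PHP backdoor idioms rather than one specific file.
SIGNATURES = (
    Signature("EX-001", "eval of a base64-decoded (optionally compressed) payload",
              re.compile(rb"eval\s*\(\s*(?:gz(?:inflate|uncompress)\s*\(\s*)?base64_decode\s*\(", re.I)),
    Signature("EX-002", "request input fed straight into a code/command execution primitive",
              re.compile(rb"\b(?:eval|assert|system|passthru|shell_exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    Signature("EX-003", "request input used as a variable function name",
              re.compile(rb"\$_(?:GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(", re.I)),
)


def all_files(root):
    return sorted(p for p in Path(root).rglob("*") if p.is_file())


def recently_modified(root, max_age_seconds, now=None):
    """Like `find ROOT -type f -mmin -N`: only files changed within the window."""
    now = time.time() if now is None else now
    return [p for p in all_files(root) if now - p.stat().st_mtime <= max_age_seconds]


def scan_file(path, signatures=SIGNATURES, exclude=()):
    """Return the IDs of every non-excluded signature that matches the file."""
    data = Path(path).read_bytes()
    return [s.sig_id for s in signatures if s.sig_id not in exclude and s.pattern.search(data)]


def scan_paths(paths, root, signatures=SIGNATURES, exclude=()):
    """Return {relative path: [signature ids]} for files with at least one hit."""
    results = {}
    for p in paths:
        hits = scan_file(p, signatures, exclude)
        if hits:
            results[p.relative_to(root).as_posix()] = hits
    return results


SAMPLE_FILES = {  # constructed for this example; not real malware samples
    "wp-content/plugins/example/example.php":
        b"<?php\nfunction example_hello() { return 'hello'; }\n",
    "wp-content/uploads/.cache.php":
        b"<?php\neval(base64_decode($_POST['p']));\nsystem($_GET['c']);\n",
    "wp-content/themes/custom/functions.php":
        b"<?php\n// Reject bodies that look like eval(base64_decode(...)) payloads\n"
        b"function custom_reject_suspicious($body) { return stripos($body, 'base64_decode') !== false; }\n",
}


def build_sample_site(root):
    """Write the constructed files; the clean plugin file is backdated 30 days."""
    for rel, content in SAMPLE_FILES.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    old = time.time() - 30 * 86400
    os.utime(Path(root, "wp-content/plugins/example/example.php"), (old, old))


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        recent = recently_modified(tmp, max_age_seconds=3600)
        return {
            "scanned_all": len(all_files(tmp)),
            "scanned_recent": len(recent),
            "recent": scan_paths(recent, tmp),
            # Excluding EX-001 silences the benign comment in functions.php, but
            # also drops that signature's hit on the real backdoor; EX-002 still fires.
            "recent_excluding_ex001": scan_paths(recent, tmp, exclude=("EX-001",)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things the run makes concrete: the 30-day-old plugin file is never read when the scan is limited to the last hour, which is where the performance win of a `find`-driven scan comes from, and excluding a signature to quiet a false positive in your own code also removes that signature's coverage of real infections, so exclusions should be as narrow as possible and the remaining signatures should still be reviewed.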
Wordfence CLI is open-source and can be fully customized or forked, and while our basic Free signature set may not be used for commercial purposes, it is designed to detect the most widespread indicators of compromise found on more than 90% of all infected sites. Bear in mind that most infections involve multiple malicious components, so for more comprehensive scanning and remediation, we recommend our Commercial signature set which detects more than 18 million unique malware variants in the wild.
In today’s article, we discussed some key components of our strategy for securing websites, including user experience, layered security, the assumption of breach, the problem of trusting trust, responsible remediation, and our drive for continuous improvement. Our goal is to provide the best security possible for your website, and that means providing security you’ll actually use.
While no single solution offers perfect protection, Wordfence offers prevention, detection, and remediation packages that will significantly improve your security posture while remaining compatible with other solutions. With the launch of Wordfence CLI, it is now possible to scan hundreds or even thousands of sites with a single, competitively priced license, all while conserving server resources.