Keeping on top of security with WebsiteDefender.com and Admin Tools

Acunetix’s WebsiteDefender.com (in Beta) and Nicholas Dionysopoulos’ Admin Tools (Pro version, currently 2.2 Alpha1) are two useful tools for convenient security monitoring of WordPress and Joomla sites. They can detect many common security vulnerabilities and help you keep your site secure.

[Image: The mysterious Admin Tools logo]

WebsiteDefender.com

WebsiteDefender is a bit more comprehensive than Admin Tools in what it can detect in its daily scans, and it is especially tailored toward WordPress sites, but as a service separate from your site it can only recommend solutions. There is an optional WordPress plugin for WebsiteDefender, and for a while it was my pick for the single best security tool for WordPress, if I had to pick just one. Today there are plenty of WP security plugins with the functions WebsiteDefender has and others it doesn’t have, but one of the good things about WebsiteDefender.com is that it can be used to monitor any type of application or website. [As of February 2012 the service is being priced at $5/site/month.]

Admin Tools

Admin Tools is just for Joomla, where it’s become the most comprehensive single security and maintenance extension. There is a free and an inexpensive “pro” version which has more features, like the firewall and file change scanner. I feel Admin Tools has eclipsed all other Joomla security extensions of its type and is really the best one available today, by far. Unlike WebsiteDefender, it does a lot less recommending and a lot more fixing since it’s installed within Joomla and can act directly on your site. Admin Tools will also let you implement a lot of standard PHP/MySQL app defenses and security hardening measures, some of which are specific to Joomla. (To get the equivalent protection on WordPress, I typically use a suite of plugins: AntiVirus, Better WP Security Scan, AskApache Password Protect, WP DB Manager, and others for anti-spam protection.) The firewall in Admin Tools (Pro) will actively head off scripted attacks, which is something else WebsiteDefender can’t do.

The problem with monitoring file changes

This is the feature that makes both WebsiteDefender and Admin Tools (Pro) worth using on a daily basis: a file system scanner that notices any and all changes to files on the server so you can check to make sure they were not made by an intruder. (WebsiteDefender can cover your whole site, but as I recall Admin Tools scans only the Joomla installation, currently.) Unfortunately this requires a lot of time spent looking at changes as you go through the scan logs weeding out false positives from any upgrades or new software you installed since the last scan.

The tedious process of reviewing changes in your file system is worse on WebsiteDefender.com than it is within Admin Tools, since WebsiteDefender suffers from a lack of intelligent filtering on top of a bad user interface for sorting, examining, and clearing changes. You have to go two levels deep to check and clear out changed file records, and you can only batch “ignore” or “resolve” them 10 at a time, page by page. The interface, not the number of changed files, is what ties up your time in the most frustrating way. Users have noted this and have made many suggestions in the WebsiteDefender forums for solutions, but the service seems to have gotten worse rather than better at the end of its beta period. This is frustrating if you are monitoring many sites or large sites that frequently undergo changes. Admin Tools gets a lot of false positives too, but it rates new and changed files by how closely they resemble common malware traits, and they can be quickly sorted, examined and cleared. If you run scans frequently and save the logs, Admin Tools will tell you which files are new and which have been changed. (Deleted files do not seem to be noticed.)

The fine-tooth-comb approach is the only way to be on top of your site’s security, and software shouldn’t be put on autopilot to do all the thinking for you. Software just isn’t that smart. Nevertheless, it is also not realistic for most people to spend a lot of time going over changelogs and diff files, especially if they have a lot of sites to monitor. The human tendency will be to rapidly OK or ignore the recorded changes, even though this effectively negates the purpose of scanning for changes.

Ideally, after making core and extension/plugin updates through the backend installer on each system, both WebsiteDefender and Admin Tools would realize which file changes are likely to be associated with your actions and flag them as “probably by you” or less suspicious. Unfortunately, for the time being, this is not the case, but Admin Tools has a helpful edge over WebsiteDefender by ranking and scoring the changes that it thinks are suspicious. It’s not obvious or explained in the documentation exactly how the suspicious file rankings or “threat scores” are computed, and I often see many false positives. Nevertheless, this is a helpful step in the right direction that I hope WebsiteDefender follows too. Setting up a regular cron cycle for the Admin Tools scanner is a good idea and possible to do in Joomla 1.7 or higher. Scans are resource and storage intensive operations which may cause difficulties for large sites if your host server is not up to the task.

Conclusion & Recommendations

Website Defender had a lot of promise when it first came out, but in its present state it is not worth what Acunetix plans to charge for it unless you only need to monitor one (or a few) WordPress sites.

For Joomla users, not using Admin Tools as a standard extension is foolish. If you value your site, you should use it, and I recommend buying the Pro version subscription.

The problem both tools create for you with their file change scanners is a good problem to have, but it is also one the developers ought to tackle creatively. The usual pattern with well-kept sites is they have a lot of file changes due to upgrades when they’re based on Joomla, WordPress, or other extensible platforms with many possible add-ons. If the scanners could weed out software upgrades as “changes you probably made,” it would go a long way toward exposing other changes that are worth looking at closely.

Perhaps WebsiteDefender.com and Admin Tools (especially when it’s combined with Akeeba Backup) could be made “aware” of when you’ve caused filesystem changes yourself. WordPress has a unified auto-update system, and it tells you when it’s time to upgrade. WebsiteDefender picks up on this and adds upgrade needs to its alerts when it scans your site. Would it be so hard to discern when an update was made and the changed files came from your own IP, or from WordPress.org or a trusted plugin vendor?

Joomla after version 1.6 has adopted an upgrade system that is similar to WordPress’s, but Joomla currently has no central, official repository. Both systems allow upgrades from HTTP, files on the server, or remote sources. According to its developer, this would make it difficult for Admin Tools to identify changes made by legitimate upgrade/install actions, but perhaps changes probably caused by an upgrade action could be flagged as “Changes probably made by you during an upgrade.” Of course it would be no less important to scan them for matches with malware profiles no matter where they come from. Download repositories like WordPress.org’s have been compromised before, and you may install malware yourself without knowing it.
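As an added illustration of the approach the sections above argue for (a baseline scan that also notices deletions, plus a way to set aside changes that match a trusted release), here is a small Python scanner. It is not code from WebsiteDefender or Admin Tools; the vendor “manifest” format and the sample site tree are constructed for the example.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    # {relative path: sha256} for every regular file under root (the baseline)
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snapshot[rel] = hashlib.sha256(fh.read()).hexdigest()
    return snapshot

def diff_snapshots(old, new, trusted=None):
    # `trusted` is a hypothetical vendor manifest {path: sha256 as shipped in the
    # release}; a new/changed file matching it is filed as "upgrade", not alerted.
    trusted = trusted or {}
    report = {"added": [], "modified": [], "deleted": [], "upgrade": []}
    for path in sorted(set(old) | set(new)):
        if path not in new:
            report["deleted"].append(path)  # deletions are reported too
        elif path not in old or old[path] != new[path]:
            if trusted.get(path) == new[path]:
                report["upgrade"].append(path)
            elif path not in old:
                report["added"].append(path)
            else:
                report["modified"].append(path)
    return report

def demo():
    # Constructed sample site: baseline, then a vendor upgrade, an unexplained edit and a deletion.
    root = tempfile.mkdtemp()
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    write("wp-includes/version.php", "<?php $wp_version = '3.3';")
    write("wp-content/plugins/foo/foo.php", "<?php // foo plugin 1.0")
    write("wp-content/uploads/old.txt", "old")
    baseline = hash_tree(root)
    new_core = "<?php $wp_version = '3.3.1';"  # constructed release content
    manifest = {"wp-includes/version.php": hashlib.sha256(new_core.encode()).hexdigest()}
    write("wp-includes/version.php", new_core)                                # matches manifest
    write("wp-content/plugins/foo/foo.php", "<?php // foo plugin 1.0, edited")  # not in manifest
    os.remove(os.path.join(root, "wp-content/uploads/old.txt"))
    return diff_snapshots(baseline, hash_tree(root), manifest)
```

Only the plugin edit and the deletion remain for a human to look at; the core file that matches the release manifest is still listed, just under a less alarming heading.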


Posted under: An inch wide and a mile deep on January 11, 2012


  • Thanks Dan.

    You’ve both echoed my concern with WD and offered a clearer understanding than I had. :-)

    • @Greg I am using WebsiteDefender to monitor about 20 sites, most involving WordPress, so receiving the changes listed for every updated plugin gets pretty old. Even if you’re being as diligent as you can be, you tend to assume that any cluster of changes in a plugin’s folder has to do with an update you made, which might not be true. If you actually did make an update that affected a file that was subsequently hacked, you’d have to look at the diff to have a chance of noticing. So for proactive defense, maybe the most sensible system is to have an intelligent alert that goes out for unexpected changes. There are also some interface improvements that have been suggested to help make WD more usable.

      In the bigger picture, the main line of defense is your host server. My sense is that the risk of being hacked is highest on bulk shared hosting when you are using a popular application somewhat carelessly. Those hosts tend to chronically underperform with <99.9% uptime too, and you may get hacked through no fault of your own just because someone else got hacked on the same server, depending on how it’s configured. Cloudflare is another way to filter scripted attacks and take some of the load off your host server, which certainly can’t hurt to add when you’re on shared hosting. There are a few specialized shared hosts (e.g. nexcess) and plenty of maturing hosted platforms (e.g. squarespace) or application cloud hosts (e.g. phpfog) that may deliver better value for a price that’s not terribly higher than the bulk hosts.

      Nexcess actually does not work with WebsiteDefender due to their tight mod_security rules. Nexcess takes more responsibility for security than any other host I’ve known or heard of at their price point, and they seem to do a terrific job. I know of sites hosted with them that are enormously vulnerable, mainly due to the owners not performing any upgrades to common content management applications. Normally people like that seem to get picked off quickly on low-end shared hosting. It’s a terrible idea not to make upgrades, but it’s still to Nexcess’ credit that they’re so diligent for their customers. They are the only remaining host I’ve used for 5+ years that has never disappointed me in terms of their service. Their shared plans are good (fast with rare outages), and so are the Magento plans, and now they have a WordPress optimized plan that I’m slowly migrating a lot of sites to. They’re a privately held company with their own datacenters based in the Detroit area.
