Review of the WordPress AntiVirus Plugin – Effective or Not?

After my most recent Review of the WordPress WordFence Plugin post I felt it was only fair that I take time to review the effectiveness of other similar security focused plugins in the WordPress.org repository.

It’s important to understand that while I work for an InfoSec company, my focus is not on whether it’s a competitive product, but rather on how useful it is to end-users and how effective it is at detecting malware. The goal is to establish an unbiased review, leveraging the large repository of web-based malware variants I have at my disposal.

I stumbled on the AntiVirus plugin while crawling the repository and was naturally curious. The plugin repository description is not very exhaustive, but appears to succinctly articulate what it was designed to do.

Scan & Notify

AntiVirus for WordPress is an easy and safe tool to protect your blog install against exploits, malware and spam injections. Scan your templates now!

Features

  • Virus alert in the admin bar
  • Cleaning up after plugin removal
  • Translations into many languages
  • Daily scan with email notifications
  • Database tables and theme templates checks
  • WordPress 3.x ready: both visually and technically
  • Whitelist solution: Mark suspected cases as “no virus”
  • Manual check of template files with alerts on suspected cases

Unlike WordFence however, this plugin appears to focus only on the theme templates. This is going to be an important distinction as it’ll define what is measured and how it’s measured.

At first glance, the plugin appears to lack a lot of luster on the user experience front. But that’s cool, I’m looking for its effectiveness as a security plugin.

After installing I was a bit lost. I kept looking in the sidebar menus for an AntiVirus option and couldn’t find it. Turns out it’s nestled under the Settings menu.

Pretty doesn’t always mean good, so I am keeping an open mind.

I like that it’s nice and simple, and difficult to get lost in the configuration, which is always good when you think of the end-user. My only concern is that for the unsuspecting user, one who doesn’t understand that the templates are but one piece of the puzzle, this could be devastating and could provide a false sense of comfort / security.

In this review I’ll focus specifically on the manual scan. There aren’t any other real features of interest that would speak to its effectiveness at detecting malware, so it’ll have to do.

The Configuration

It’s always important to understand the environment, here it is:

Environment configuration:

  • Working off a sandbox environment
  • Running WordPress 3.4
  • Barebone installation
  • Strategically placed payloads, nothing fancy
  • Running the WordFence Premium – Pro version
  • Running Twenty Eleven Theme

Payloads used:

  • Backdoor was dropped in the root of the themes directory – toolspack.php
  • Backdoor was dropped in the root of a custom directory in themes – a.php
  • Conditional redirect was placed in the root index file of the Theme directory – index.php

The Manual Scan

Not much to describe here. There is one button and its function is very clear. Once you hit the button, it finds the active theme and scans the PHP files in that theme’s directory.

Once I better understood how the plugin works I had to update my environment configuration so that all payloads were dropped inside the active theme directory.

The Results

Based on the original payload configuration the results were as follows:

As you can see, it flags the create_function call in the theme’s functions.php file. Nothing to be concerned about there in this specific instance.

None of the infections were found.

To test further, I moved the payloads into the theme directory. That generated the following results:

As you can see, when the payloads were moved directly into the theme directory its detection rate improved drastically. :)

What I don’t like is perhaps the presentation of the information: you see the good and bad mixed together. The challenge here also comes with the fact that it’s matching on keywords more so than signatures and anomalies, at least from what I can see.

I tested on a very small theme, and with my payloads you are looking at 5 PHP files. Based on this detection I’d imagine that for larger themes the results would be overwhelming to the user.

Final Thoughts

After modifying the payload configuration I was very happy to see how effective it was at identifying potential problems in PHP files. The challenge comes with how limited it is. It seems to focus solely on PHP files in the active theme, and that’s an issue. Although not excellent, if its conditions are met, it’s ok.

That being said, the question now becomes: is it something I would recommend to end users? The answer is simple. No.

Why?

It’s just not practical.

If you recall the review above, the site was originally configured in such a way that it more realistically represented a real-world infection. In that configuration it failed miserably. Where it finally worked was when it was configured the way the plugin required.

In order for this plugin to work the conditions would have to be perfect. These are the rules the malware would have to follow:

  • Be in the active Theme
  • Inject itself in the Theme PHP files

Neither of these conditions is a safe assumption, which makes the scan highly unrealistic.

In real scenarios you will find malware sprinkled across all file types, ranging from PHP, JS and CSS to .htaccess and others. They will also not be isolated to the active theme directory.

I also didn’t see any API or authentication mechanism that would lead me to believe it was connecting to a malware database for signatures or instructions, and that is concerning. Malware variants evolve and adapt every day, multiple times a day; signatures need to be maintained and the scanners have to be updated. I fail to see how the plugin supports this.

I commend the authors on the development though and thank them for their efforts. :)