I get this question quite often after repairing a hacked website and correcting a client’s Google reputation.
“Now that my website is free of malware, how can I monitor my website for file changes as well?”
Well, this is a bit of a delicate subject. Monitoring for file changes is a great idea. Only one problem—most folks simply won’t be able to implement file monitoring.
Have you read the Aesop’s Fables story, “The Boy Who Cried Wolf!”
Even the tamest WordPress blogs have daily file changes. Cache files, plugin updates, and the like may generate frequent file change alerts. And like that boy who cried wolf once too often, many of us will simply begin ignoring those file change notices within the first few weeks of receiving them.
So what is the solution to file monitoring for hacker files and malware?
I like to keep it simple and start by setting up two external content monitors for each of my websites.
- ChangeDetection dot com is one of my favorites. See my other article for more details, “Free Website Monitoring Services—well, mostly free…“
- Google Webmaster Tools may provide helpful alerts as well, though only as a backup. Waiting for Google to alert you of serious issues can be a tragic error. Lesson learned…
For internal monitoring, there are two WordPress file monitoring plugins discussed on, “Free Website Monitoring Services—well, mostly free…” Both are worth checking out.
Now let’s say you are not a fan of the WordPress plugins mentioned in the link above, or you don’t use WordPress at all. That’s fine, I have a little trick for you.
How to set and monitor your website’s file changes with a cron job command (in less than five minutes!)1
Most of us have the option to set a cron job within our web hosting company’s control panel. A cron job is composed of two parts, a command and a time to run the command.
On a cPanel server, setup is as quick as clicking the “Cron Jobs” button in cPanel, copy / pasting the text below, then clicking “Add New Cron Job.”
This part means run once per night at midnight:
0 0 * * *
And this part is the command.
The “-ctime -1” text shown below tells the web server to report file changes made in the past 24 hours:
find /home/USERNAME/public_html -type f -ctime -1 -exec ls -ls {} \; | mail -E -s "File Changes, Past 24 Hours" me@my_domain.com
You certainly don’t need a computer science degree to copy / paste the text above, and cron jobs can be added, edited or removed in seconds. For example, set up the cron job then try changing the subject from “File Changes, Past 24 Hours” to “my_domain Files Changed”
After testing the cron job, I recommend setting an email filter or rule within my email software to redirect the email alerts to a custom folder, like this example at right, “my_domain.com File Changes.”
Yes, I know, earlier I said, “…many of us will simply begin ignoring those file change notices within the first few weeks of receiving them.” Well, again, monitoring for file changes can be helpful, particularly if you have a suspicion files are being changed and you’d like proof.
For example, theme files are the files hackers tend to edit first, so instead of receiving alerts for your entire website (/public_html), just monitor your theme’s directory instead (/public_html/wp-content/themes), like this:
find /home/USERNAME/public_html/wp-content/themes/MYTHEME -type f -ctime -1 -exec ls -ls {} \; | mail -E -s “File Changes, Past 24 Hours” me@my_domain.com
How Do I Monitor For File Changes Within My Website or Blog?
I hope that by now I’ve given you some nice food for thought. That said, now that you have external monitoring in place, and possibly internal monitoring using the cron job technique above, you may be asking, “What else can I do to better secure my website or WordPress blog?”
I’ve posted a few basic article links below. Likewise, if you ever have questions just pick up the phone and call me anytime, Jim Walker, The Hack Repair Guy, (619) 479-6637
- How to Block Bots from Seeing your Website – Bad Bots and Drive-by Hacks Explained
- Protecting WordPress Against Brute Force and Denial of Service Attacks
- WordPress Security Plugins Revealed
Notes:
1 If you make a change to your site and do not receive an email, it may be because your web host is using older software that does not support the -E tag. If so, try removing the -E from the command. The caveat is that you may receive a blank email every day respectively.
5 Comments
Phill Healey says
Hi,
Great info, could you give a little more info on building the cron job? It’d be useful for example to change it to show changes made over the last 72 hours etc.
Plus, i’d also be a lot happier knowing exactly what each part of the command does.
Thanks.
Jim Walker says
These sorts of things really are trial and error. The command I provided works well for my setup. Some Googling may be necessary on this topic (said with a positive affirmation of your wonderful question). Thank you!
Roberto Fiore says
I fully agree with the proposed solution to monitor website files. But unfortunately on my cheap hosting I can’t schedule a cron job that uses commands like find. Fortunately I found monitorwebsitefilechanges dot cloud that does the same thing and also work on my hosting.
Hrncek says
You can use for such monitoring http://www.wachete.com
It can watch whole web page with subpages.
Guys are pretty friendly and responsive, so if you need new features can be added fast.
[email protected]
Jim Walker says
Wachete.com is currently limited to text-only notification, which is “really” limited.