6 Key Indicators of Compromise?

  1. Redirection to another site.
    • URL Redirects: Look for unexpected redirects, especially to malicious or unrelated sites.
  2. Unauthorized and Unusual File changes.
    • Modified Core Files: Check for unauthorized changes in WordPress core files or directories (wp-admin, wp-includes).
    • Configuration Files: Check for unauthorized changes to the .htaccess or wp-config.php files, which can affect site functionality and security.
    • Altered Pages: Check for defaced pages, unexpected content changes, or unauthorized advertisements injected into your site’s pages.
    • New Files: Look for unfamiliar files or scripts added to your WordPress installation, especially in directories where they don’t belong (e.g., PHP files in wp-content/uploads).
  3. Unexpected Account Activities:
    • Admin Account Changes: Monitor changes to administrator accounts, such as new admin accounts added or changes to existing admin passwords.
    • New User Registrations: Look for unexpected new user registrations, especially with administrator-level permissions.
  4. Unexplained Traffic or Performance Issues:
    • Unusual Traffic Spikes: Monitor sudden spikes in traffic that don’t correspond to normal patterns. For example, you can review your server’s access logs (e.g., Apache’s access.log or Nginx’s access.log) and look for spikes in requests per second or unusual HTTP status codes (e.g., 404 errors, which could indicate probing for vulnerabilities).
    • IP Analysis: Analyze IP addresses associated with the spike. Look for patterns such as multiple requests from the same IP or IP ranges, which could indicate a botnet or malicious activity.
    • Slow Performance: Investigate if your site experiences sudden slowdowns or responsiveness issues.
  5. Unusual Resource Utilization on Hosting account:
    • Resource Usage Metrics: Many hosting providers offer resource usage metrics through their control panels (e.g., cPanel, Plesk). Monitor CPU usage, bandwidth usage, and server load during traffic spikes.
  6. Phishing or Malware Warnings:
    • Browser Warnings: If visitors receive warnings in the form of unusual popups about phishing or malware when accessing your site, investigate immediately.
  7. Website stops working:
    • Exploited vulnerable CMS, Plugins, or Themes: Exploiting vulnerabilities in WordPress core, plugins, or themes can lead to unauthorized access, data manipulation, or server compromise. Depending on the severity, exploitation of these vulnerabilities can result in site stoppage due to compromised functionality or administrative control.
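
The access-log checks from item 4 (requests per second, 404 responses, repeated requests from one IP) can be scripted. This is an added example, not part of the original article; it assumes the Apache/Nginx "combined" log format, and the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: client IP, [timestamp], "METHOD path PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield (ip, timestamp, path, status); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["ts"], m["path"], int(m["status"])

def analyze(lines, rps_threshold=3, probe_threshold=3):
    """Summarize spikes and 404 probing. Thresholds are assumed; tune per site."""
    per_second, per_ip, not_found = Counter(), Counter(), Counter()
    for ip, ts, _path, status in parse(lines):
        per_second[ts] += 1          # log timestamps have one-second resolution
        per_ip[ip] += 1
        if status == 404:
            not_found[ip] += 1
    return {
        # seconds in which the request rate reached the threshold
        "busy_seconds": {t: n for t, n in per_second.items() if n >= rps_threshold},
        # heaviest clients overall
        "top_ips": per_ip.most_common(3),
        # clients collecting many 404s, a common sign of path probing
        "probing_ips": {ip: n for ip, n in not_found.items() if n >= probe_threshold},
    }

# Constructed sample lines (documentation IP ranges), including one malformed line
SAMPLE = (
    ['203.0.113.7 - - [10/Oct/2024:13:55:35 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
    + [f'198.51.100.23 - - [10/Oct/2024:13:55:36 +0000] "GET /missing-{c}.php HTTP/1.1" 404 196 "-" "-"'
       for c in "abcd"]
    + ['203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
       'truncated or corrupted line']
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

To run it against a real log, pass an open file object to `analyze()` in place of `SAMPLE`.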
