What is BlogSafe Scanner?
BlogSafe Scanner Plus is a WordPress plugin that’s designed to be an extremely fast and lightweight checksum scanner that will help you detect potentially malicious files.
How does it work?
BlogSafe Scanner relies on checksums to validate your files. Checksums are short strings of data that are designed to uniquely identify a file. For example, the MD5 checksum for the xmlrpc.php file that comes with WordPress looks like this:
If we add even one period to the contents of that file, the new checksum looks like this:
Whenever WordPress.org releases a new version they also create a list of these checksums for all of the files in that release. You can see what that file looks like here:
By comparing the checksums of the files on your website to the known good checksums released by WordPress.org, BlogSafe Scanner can determine if any files have been modified from their original.
WordPress.org also provides a list of checksums for all plugins downloaded from the WordPress.org website.
While WordPress.org does not yet provide a list of checksums for themes, BlogSafe Scanner is still able to verify them by temporarily downloading them from the official WordPress website and creating a set of known good checksums.
So, by using lists and files provided by WordPress.org, BlogSafe Scanner is able to compare official files, plugins and themes on your server to their originals and look for modifications.
What about premium themes and plugins?
Because there is no list of checksums for non-official files, BlogSafe Scanner relies on the initial conditions of the file to determine if it’s been modified. When BlogSafe Scanner first scans your web server, it records the checksums of any files it finds that are not an official file from the WordPress.org site. From that point on, if the file is modified, BlogSafe Scanner will detect that modification and alert you.
What about new files?
BlogSafe Scanner also looks for any new files that have been uploaded to your web server and alerts you to their existence.
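The three checks described above (comparison against a published checksum list, a first-scan baseline for non-official files, and new-file detection), shown as an added Python example; it is not BlogSafe Scanner's own code. The file names, the manifest contents and the use of SHA-256 for the local baseline are assumptions of this example.

```python
import hashlib, tempfile
from pathlib import Path

def digest(path, algo):
    """Hash a file in chunks so large files are never loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root, official, baseline=None):
    """official: {relative path: md5} from the published list.
    baseline: {relative path: sha256} kept from the first scan (None on first run).
    Returns (report, baseline to store for the next scan)."""
    report = {"modified": [], "new": []}
    stored = dict(baseline or {})
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel in official:                 # official file: compare to the published list
            if digest(path, "md5") != official[rel]:
                report["modified"].append(rel)
        elif rel in stored:                 # non-official file: compare to the first scan
            if digest(path, "sha256") != stored[rel]:
                report["modified"].append(rel)
        elif baseline is None:              # first run: record the initial condition
            stored[rel] = digest(path, "sha256")
        else:                               # appeared after the baseline was taken
            report["new"].append(rel)
    return report, stored

def demo():
    """Constructed sample tree: one official file and one premium plugin file."""
    root = Path(tempfile.mkdtemp())
    def write(rel, data):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    core = b"<?php // constructed core file\n"
    write("wp-includes/core.php", core)
    write("wp-content/plugins/premium/main.php", b"<?php // constructed premium file\n")
    official = {"wp-includes/core.php": hashlib.md5(core).hexdigest()}
    first, baseline = scan(root, official)               # clean first scan
    write("wp-includes/core.php", core + b".")           # one period added
    write("wp-content/plugins/premium/main.php", b"<?php // edited\n")
    write("wp-content/uploads/new.php", b"<?php // constructed new file\n")
    second, _ = scan(root, official, baseline)
    return first, second

if __name__ == "__main__":
    print(demo())
```

The baseline is trust on first use: a non-official file that is already altered when the first scan runs is recorded as good, so the first scan should be taken on a known-clean install.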
How does BlogSafe Scanner differ from signature scanners?
Signature scanners detect malware based on what it ‘looks’ like. While they are a valuable first line of defense against malware attacks, signature scanners look for either common methods or specific methods used by hackers. This means that the creator of the scanner needs to see a copy of the malware before a signature that detects it can be created.
Because there are thousands of new pieces of malware created daily, creating signature files for all of them is a daunting task. Furthermore, PHP, the programming language used by WordPress, gives malware ways to obscure itself from attempts to detect it.
BlogSafe Scanner doesn’t look for specific signatures. Instead, it looks for any change to a file or any new files that have been uploaded to the web server.
How is BlogSafe Scanner different from other checksum scanners?
BlogSafe Scanner uses the same technology as other checksum scanners, creating checksums of your server’s files and making comparisons. What’s different with BlogSafe Scanner is that it also compares checksums with official WordPress checksums and files. By accessing the WordPress API and WordPress site, BlogSafe Scanner ensures that the checksums it uses for themes, plugins and the WordPress master files are all official checksums.
How does BlogSafe Scanner protect against malware?
There are literally hundreds of things that a hacker can do with your website that make it an attractive target. In almost every single case of website hacking, the perpetrator needs to upload and/or make changes to the files on your website in order to make use of it.
By detecting new files and changes to existing files on your web server and by alerting you to those changes, BlogSafe Scanner is a solid last line of defense that alerts you to these intrusions.
Is BlogSafe Scanner multi-site ready?
Yes! However, it should only be activated on the parent site. From there, it will be able to scan the other multi-site folders.