This plugin acts as a sentinel that watches over your core WordPress programs (plus installed themes and plugins) and tells you when changes happen.
As WordPress grows in popularity, it also becomes a bigger target for the hacking community. It is hard to think of anything more frustrating than finding that your site is redirecting or displaying content which is not your own.
If you are hacked, there are four questions that you have to address:
The purpose of this plugin is to alert you when you have been hacked and to address questions 2 & 3. WordPress Sentinel acts as a watchdog that knows how your install is supposed to look and then alerts you when something gets changed.
First, install the plugin and go to the WordPress Sentinel option under Settings. It should list content under WordPress, Themes and Plugins.
Second, click the Snapshot Everything New button, and every file in your WordPress install, as well as installed Themes and Plugins, will be catalogued.
Periodically, the plugin will check a portion of the items for which snapshots have been taken. If any changes are detected, an administrative message will be displayed in WordPress Admin. If this happens, go back to the WordPress Sentinel option under Settings. The offending item will be marked as Changed. If you click details, you can see what files have been changed and you can determine if this was a valid change or an intrusion and take the appropriate action.
Obviously, the plugin cannot differentiate between a good change and a bad change, so if you make changes to a Theme or install a new Plugin, or even Upgrade WordPress to a newer version, it is simply going to notice the change and let you know. When this happens (and it will happen), just go to the WordPress Sentinel option, find the item that you changed or added, and Refresh the Snapshot. (The Snapshot Everything New button is a handy way to create initial snapshots after installing new themes and plugins. It does not touch items which have previously been catalogued.)
Checksums are a way of looking at the contents of a file and building a hash. If the file changes in any way, even if the size remains the same, the checksum will be different. Enabling checksums adds extra security; however, this comes at a cost. The added overhead can slow down a site if there are an inordinate number of files or if there are extremely large files that have to be processed. The basic file checks compare the modification date and the file size. This should provide adequate protection in most situations.
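The difference between the basic check and the checksum check, shown as an added example that is not the plugin's own code. The function names `snapshot`, `compare` and `demo`, the sample `index.php` file, and the choice of SHA-256 as the hash are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root, use_checksums=False):
    """Catalogue every file under root: relative path -> size, mtime and optional hash."""
    catalogue = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entry = {"size": st.st_size, "mtime": st.st_mtime_ns}  # the basic check
            if use_checksums:
                digest = hashlib.sha256()  # assumed algorithm, see lead-in
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)  # every byte is read: this is the overhead
                entry["sha256"] = digest.hexdigest()
            catalogue[os.path.relpath(path, root)] = entry
    return catalogue

def compare(old, new):
    """Diff two snapshots that were taken with the same use_checksums setting."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in common if old[p] != new[p]),
    }

def demo():
    """Constructed case: a file rewritten to the same size with its timestamp preserved."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "index.php")
        with open(target, "wb") as fh:
            fh.write(b"<?php echo 'hello'; ?>")
        st = os.stat(target)
        basic = snapshot(root)
        full = snapshot(root, use_checksums=True)
        with open(target, "wb") as fh:
            fh.write(b"<?php echo 'HELLO'; ?>")  # same length, different bytes
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp preserved
        return (compare(basic, snapshot(root))["changed"],
                compare(full, snapshot(root, use_checksums=True))["changed"])

if __name__ == "__main__":
    print(demo())
```

The basic snapshot reports nothing for this constructed case, while the checksum snapshot lists `index.php` as changed.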
To stop watching your sitemap files, do the following:
The same process can be used to ignore changes for any file.
To stop watching a specific plugin or theme, do the following:
The first thing to do is to look at the WordPress Sentinel page and figure out what items have been changed. Take a screenshot and then look at the details of those items to see what files have been affected. If WordPress is changed, you need to replace every file that is changed, although usually removing the existing install and replacing it with a clean install is the best course.
If a plugin has been corrupted, it needs to be completely removed and reinstalled. Just updating over the existing install is not advised, as any malicious files that have been added would remain.
If a theme has been corrupted, then things may get complicated. If it is a stock theme that can be removed and reinstalled, then do that. If it is a custom theme, then every modified file needs to be carefully examined and cleaned up. You may need someone with advanced skills in site development to help separate the template content from the injected code.
That is really beyond the scope of this plugin. The best course of action is to keep WordPress as well as all plugins and themes up to date. If you know the time the hack occurred (and this plugin helps you determine that), then it is also a good idea to have an analyst look through your server logs and try to isolate the entry point.