MonitorHackdFiles Tool Helps Fight Site Hackers

Don’t wait for Google to ban your site to find out you’ve been hacked. You might use several tools to prevent your site from being hacked, but if they fail, you want to know right away – long before Google bans your site for hidden links and malicious scripts. That’s what MonitorHackdFiles does – it is a sentry for your site. It watches your site, and when it detects a file has changed (or been added), it notifies you via email and tells you which file(s) was changed. When other security measures fail, MonitorHackdFiles makes sure you know about it.

I have a friend whose blog gets hacked and removed from Google’s search results every couple of months or so. It seems like every time I start to forget about the irritating hackers* out there, another friend cries on my virtual shoulder because their site has been hacked. It’s a constant stream, and I’ve been looking for ways to help everyone stop it for a while now.

Today, I’m giving everyone a free tool to add to your “anti-hacked sites” arsenal. (Download link near the end of this post). It’s ONLY ONE TOOL and only does ONE FUNCTION. You need other tools as well, and I’ll list some that I use and recommend, and I’ll continue to search for more. But this is one I haven’t seen released yet, so I decided it was time to make one (with a little help).

Let’s start with the problem. There are many different ways that your site can be hacked. This post deals with one of those ways – a file or files are added to your site, or a file(s) that already exists on your site is changed – by someone with evil intentions – and without your knowledge. These changed files cause something bad to happen with your site – what that “something” is could be different for everyone. You may get links to unsavory sites injected in your pages, like my friend did. Here’s a pic of what that looks like.

Text-only version of Googles cache of Smackdowns homepage

Unfortunately, he didn’t know those links were there. Why not? Because they were INVISIBLE to him and to any other human visitor. He only found out about them because he wondered (weeks later) why he suddenly disappeared from Google’s search results, and a kind Google employee told him that he was linking to some bad sites – but only search engines could see the links.

There are many other things that might happen, including having links placed on your site that redirect users to another site – and that site may infect your users with malware. Whatever the end result is, it began in a similar way. And you had no idea your files were tampered with.

THAT’S THE PROBLEM. Site’s have files changed and site owners have no idea that anything has happened. Visibly, they see nothing changed. It’s only after time has passed do they notice that they’ve been banned from appearing in Google’s search results and wonder why. Eventually, with enough effort, and some luck, they may realize that their site has been hacked. And even then, they have no idea how, or which files might have changed!

The tool I am giving to everyone will NOT prevent files from being changed without your knowledge. Sorry. However, if a file *is* added or changed, this tool will alert you by sending you an email, and it will tell you which file(s) changed. That quick knowledge could be enough to stop the hacker in his tracks, and prevent more damage being done. You may never have to wake up to wonder why you’ve lost all your search engine rankings. And by knowing exactly what files were changed, you have a little more knowledge so that you may even figure out how the hacker managed to find his way in.

This tool can be used by just about everyone (assuming your site is hosted on a Linux server, capable of running PHP). It’s not JUST for WordPress blogs, although they are often hit with this issue. I didn’t want to restrict this tool to blogs. It’s useful to the broader web site community, whether you run blogs or any other type of site. And in most cases, it’s a 5 minute install. Set it and forget it.

It’s completely free (as in beer and as in freedom) and I encourage you to let everyone know about it. I would appreciate linking to this post, rather than the download itself, so that everyone gets the benefit of knowing what they are downloading. I’ve licensed it as GPL, so that others can modify and distribute as needed, while making sure it always stays GPL. Download the zip file below. Unzip it, read the readme.txt instructions, and install it to harden your site’s security just a little bit more. (Current version is 1.1. View changes here.).

Download MonitorHackdFiles (MHF) Here

Other Site Security Tools I Recommend: (most for WordPress)

  • Install the Login Lockdown WordPress plugin. This will prevent brute force attempts at grabbing your admin password and is the first line of defense. (WordPress only)
  • Install the WordPress Firewall plugin. This is great at stopping most intrusion attempts and is the second line of defense. If this plugin fails to catch an intruder, however, MonitorHackdFiles will be the next line of defense, which will be a sort of “after-intrusion” defense mechanism.
  • Install the WordPress Database Backup plugin. You can set this plugin to automatically backup your blog’s database every night and email it to you, so you never have to remember to backup. This is essential for being able to revert back to a known-good state. Once installed, test it, and make sure you get a good backup right now. (WordPress only)
  • Install the Content WP Backup plugin, which automatically backs up and optionally emails your plugins, themes, and uploads (like your post’s images). (WordPress only)
  • Backup your site’s files now while you know they are clean. You can grab a backup from CPanel if your host uses that, or you can just FTP all the files down. (For Everyone)

I can’t stress enough the importance of regular backups. If you do get hacked, you can always retrieve a known-good backup and be back in business fairly quickly. And because this tool will alert you quickly to problems, if you can revert your site to its original state quickly as well, then you may avoid getting dumped from search engines completely. And that can mean the difference between being a victim and being a warrior!

Who To Contact Once You’ve Been Attacked

As I mentioned, MonitorHackdFiles is just one tool in your arsenal. Once you’ve been alerted to a problem, you need to deal with it. Most often, you should get help from experts. I’m not going to recommend any particular company or service, because I don’t have any experience with any of them to rate them. However, here are a few that might be useful to contact if you need help finding out how the intruders got in. What is most important is finding the vulnerability so that you can secure that hole.

If after all of that, you’re still not sure what the heck this tool is for, I suggest reading another post I wrote about it over on the DazzlinDonna blog. I explain it in a slightly different way, so maybe it will make more sense. :)

Note: This script works best if it is automated via cron. If your host doesn’t allow cron jobs, you can still use this script, but you’ll have to manually run a file periodically. If your host doesn’t allow cron jobs, you might want to consider a better host. I recommend HostMonster.

*Note: Yes, I know the real term is crackers and not hackers, but like it or not, the word “hackers” has become the standard use and is even used by Google themselves in the various posts they’ve made about this problem. So don’t even try to start a word-war here about it. I don’t care about semantics. I care about solving more important problems.

Download MonitorHackdFiles (MHF) Here

Find this post ueseful? Consider adding to my coffee fund...

Your Email Address :

Be Sociable, Share!

bookmark digg this reddit this stumble this bookmark bookmark bookmark bookmark fave this furl this fark this sphinn this tweet this bookmark mixx this


  1. matt Says:

    … the install script seems to ask users to make their site root writeable. That doesn’t seem very secure.

    Cool script idea, but might want to change it so it only asks them to make a specific directory writeable for it to store its configuration stuff.

  2. WebChicklet Says:

    Matt, it very likely doesn’t need 777 permissions. It will probably work fine with permissions set to 755, and many hosts are set to that by default. Everyone’s host is unique, however, so I can’t say for sure about everyone’s configuration. In any case, it’s only two files that need to be writable, so I’ll make sure the instructions note that. But I like your idea, so I’ll add that to the next version to-do list.

  3. matt Says:

    Agreed, and in a suexec environment they probably don’t need to do anything. But if your average joe sees the warning, they might just 777 their root, and that’d be counter productive to your effort.

    Like I said though, great idea for the script, definitely will be a service to the community.

  4. WebChicklet Says:

    Good point and I’ve added the appropriate instructions. Thanks.

  5. webwzrd Says:

    Thank you for the very useful script!

    I am continuing to be notified of a new script even though I’m already using 1.1. I’m afraid crying wolf like this will end up having me ignore a valid update notice. How can I fix?

  6. This is a great help and much appreciated. Thank you!

  7. Hey thanks for this useful script.

  8. Diego Says:

    Thank you! save me a couple of times..
    Nice script

  9. This is very important script.
    Thank you friend.

  10. Adam Says:

    Does this script need to be updated every time a new version of WP is released?

  11. Adam, this works fine on any version of WP.

  12. WayneM Says:

    webwzrd Says: “I am continuing to be notified of a new script even though I’m already using 1.1”

    I’ll second that. I’ve been getting that email message every other day since I installed the script.

    If you are going to offer new version, I have some suggestions for improvements and at least one bug to report.

    Let me know if you want to know about them.

  13. Wayne,

    The developer of this script is Donna Fontenot (aka DazzlinDonna). You should leave your feedback on her site Here’s a link to the scripts page:

  14. effrit Says:


    if you dont want receive wrong “new version available” message every 48 hour just replace in monhf.php (or another name, if you rename this file)




  1. Fight back against hackers! - Wildfire Marketing Group
  2. Speed linking, 8th of April 2009 | Mellow Business
  3. Official ‘Blog Spring Cleaning Day’ May 1st - 10 Blog Spring Cleaning Tasks | Search Engine People | Toronto
  4. WordPress Hacked? Total Security Lockdown
  5. WordPress Hacked? Total Security Lockdown | My Blog
  6. Stray Leftover Hacked Wordpress Database Entry: rzf.php | Smackdown!
  7. Hacking for SEO – BEWARE of the Crap Hats | SEO Bullshit

RSS feed for comments on this post. TrackBack URL

Leave a comment