WordPress Hardening

Listed below are many changes that can be implemented on any host and will greatly increase the security of your WordPress installations.

Enable WordPress auto updating

In order to stay secure, you should always use the latest version of WordPress. You can enable auto-updates by adding or changing a line in your wp-config.php file. Add or change to match the following line:

define( 'WP_AUTO_UPDATE_CORE', true );

Limit Read Access with SuPHP

SuPHP allows you to run your processes as your User ID, which restricts access to files that only you should normally be able to access. This means that on a shared server, you can protect other sites under different users by locking down the permissions for each user’s directory.

find ./ -iname "*.php" -exec chmod 600 {} \;
find ./ -type d -exec chmod 711 {} \;

.htaccess Rules

xmlrpc.php and wp-config.php are two commonly targeted files that can be safely locked down. Add the following to your .htaccess file in your WebRoot. Note that this file may be hidden because it begins with a ".", so you may need to work with your Administrator for help with modifying this file.

# Apache 2.2-style access control (Apache 2.4 needs mod_access_compat for order/allow/deny)
<files wp-config.php>
order allow,deny
allow from 127.0.0.1
deny from all
</files>

<files xmlrpc.php>
order allow,deny
allow from 127.0.0.1
deny from all
</files>

Another vulnerability is the WordPress Heartbeat. This is the script that automatically refreshes your dashboard while you are logged in. Unfortunately, this script will use up extra resources and open a vulnerability to some attack types. You can restrict access to this file by adding a rule to your .htaccess files as follows:

<files admin-ajax.php>
order allow,deny
allow from 127.0.0.1
deny from all
</files>

Additionally, you can prevent people from snooping through your files by adding another rule to the .htaccess file:

Options -Indexes

Finally, you can prevent attackers from being able to see author information (which could be used to find out your identity) by adding the following:

# requires mod_rewrite (RewriteEngine On)
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Plugins for WordPress

The Wordfence plugin can be installed from the inside of WordPress and has a very small memory footprint. It will scan your installation and any files in your webroot (if you set it to do that) to look for malware kits that are used to infect your files.

Additionally, it will check your core WordPress files against the public repositories to make sure that your files have not been modified.

Plugins For Better Security

WP DB Backup

WP DB Backup is an easy-to-use plugin that lets you back up your core WordPress database tables with just a few clicks. Besides being easy to use, it has also been one of the most used plugins to secure your WP-powered website.

WP Security Scan

With this plugin, scanning your WordPress-powered site will be a simple task. It finds the vulnerabilities in your site and offers useful tips on removing them. 

Ask Apache Password Protect

This plugin doesn’t control WordPress or mess with your database, instead, it utilizes fast, tried-and-true built-in security features to add multiple layers of security to your blog. 

Stealth Login

The Stealth Login plugin will help you to create custom URL addresses for login, registering, and logout of WordPress. 

Login Lockdown

Login Lockdown locks out login attempts to your admin panel for a period of time after a number of failed attempts.

WP-DB Manager

This is another great plugin that allows you to manage your WP database. It could be used as an alternative to the WordPress Backup Manager. 

User Locker

If you want to avoid brute-force attacks against your site, then the User Locker plugin is right for you. It works on the same system as Login Lockdown; however, it is a 5-star rated WP plugin that has great fame among its users.

Admin SSL Secure Plugin

Another plugin for keeping your admin panel secure. It relies on SSL encryption and is really useful against hackers or people trying to get unauthorized access to your panel. It is the rival of the Chap Secure Login plugin.

Limit Login Attempts

Limit Login Attempts blocks the internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Login Encryption

Login Encrypt is a security plugin. It uses a complex combination of DES and RSA to encrypt and secure the login process to the admin panel. 

One Time Password

This unique plugin will help you to set a one-time password for your login, in order to prevent unwanted logins from internet cafes or similar places.

Antivirus

Antivirus is a quite popular security plugin that will help you to keep your blog secured against bots, viruses, and malware. 

Bad Behavior

Bad Behavior is the plugin that helps you fight those annoying spammers. The plugin will not only help you prevent spam messages on your blog, but also will try to limit access to your blog, so they won’t be able even to read it. 

Exploit Scanner

Search the files and database of your WordPress install for signs that may indicate that the files or the database have fallen victim to malicious hackers. Even if it’s another scan plugin, it’s worth a try. 

User Spam Remover

The plugin’s name tells its function: a popular plugin that will help you prevent and remove unwanted spam messages.

Block Bad Queries

This plugin attempts to block away all malicious queries attempted on your server and WordPress blog. It works in the background, checking for excessively long request strings (i.e., greater than 255 chars), as well as the presence of either “eval(” or “base64” in the request URI.

Eight Essential Tips

1)  Changing default “wp_” Prefixes

Your website might be at stake if you are using the predictable wp_ prefixes in your database. The following tutorial teaches you how to get them changed via phpMyAdmin in 5 simple steps. You can also get this done with WP Security Scan plugin. 

2)  Hide login error messages

Login error messages may give hackers an idea of whether they have the username correct or incorrect, and vice versa. It is wise to hide them from unauthorized login attempts. To hide login error messages, simply put the following code in your theme's functions.php:

add_filter( 'login_errors', function ( $error ) { return ''; } );

3)  Keep wp-admin Directory Protected

Keeping the “wp-admin” folder protected adds an extra layer of protection. Whoever attempts to access files or directories under “wp-admin” will be prompted to log in. Protecting your “wp-admin” folder with a login and password can be done in several ways:

4)  WordPress plugin

Using the WordPress AskApache Password Protect plugin.

5)  cPanel 

If your hosting supports cPanel admin login, you can set protection easily on any folder via cPanel’s Password Protect Directories graphical user interface. Find out more from this tutorial.

6)  .htaccess + htpasswd

Creating a password-protected folder can also be done easily by setting the folders you want to protect inside .htaccess and the users allowed to access them inside .htpasswd. The following tutorial shows you how to do it in 7 steps.

7)  Maintaining backups

Keeping backup copies of your entire WordPress blog is as important as keeping the site safe from hackers. If the latter fails, at least you still have the clean backup files to revert to. We’ve previously covered a list of solutions to back up your WordPress files and database, including both useful plugins and backup services.

8)  Prevent directory browsing

Another big security loophole is having your directories (and all their files) exposed and accessible to the public. Here’s a simple test to check if your WordPress directories are well protected: enter the following URL in the browser, without the quotes: “http://www.domain.com/wp-includes/”. If it shows a blank page or redirects you back to the home page, you are safe. However, if you see a screen similar to the image below (a directory listing), you are not. To prevent access to all directories, place this code inside your .htaccess file.

# Prevent folder browsing
Options All -Indexes

Keep WordPress core files & Plugins updated

One of the safest ways to keep your WordPress site safe is to make sure your files are always updated to the latest release. Here are a couple of practices you can follow:

Log in to Dashboard often

A yellow notification will appear at the top of the Dashboard if an update is available. Log in often and keep yourself updated to the latest copy of WordPress core files.

Deactivate and remove unused plugins

Unused plugins will eventually get outdated and may pose a security risk. If you are not using a plugin, delete it.

Subscribe to WordPress Releases RSS.

Pick a Strong Password

Is your password safe? A strong and safe password is more than just something memorable with numbers (e.g., john123). For starters, it should consist of more than 12 characters, combining numbers and letters in both lower and upper case. Here are some applications that allow you to generate strong passwords:

  • GoodPassword
  • Multicians
  • KeePass
  • LastPass
  • PcTools
  • 1Password

Alternatively, you can also check how strong (and safe) your current password is with howsecureismypassword.net.

Remove admin user

A typical installation of WordPress comes with a default user named “admin”. If that’s the username to your WordPress site, you are already making a hacker’s life 50% easier. Using user “admin” should be avoided at all times.
A safer approach to logging into your admin securely is to create a new administrator and have “admin” removed. And here’s how you do it:

  1. Login to WordPress admin panel
  2. Go to Users -> Add New
  3. Add a new user with Administrator role, make sure you use a strong password.
  4. Log out of WordPress, re-login with your new admin user.
  5. Go to Users
  6. Remove “admin” user
  7. If “admin” has posts, remember to attribute all posts and links back to the new user.

What is Security?

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is, though, is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture, reducing the odds of making yourself a target and subsequently getting hacked.

Website Hosts

Often, a good place to start when it comes to website security is your hosting environment. Today, there are a number of options available to you, and while hosts offer security to a certain level, it’s important to understand where their responsibility ends and yours begins. Here is a good article explaining the complicated dynamic between web hosts and the security of your website. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.

Qualities of a trusted web host might include:

  • Readily discusses your security concerns and which security features and processes they offer with their hosting.
  • Provides the most recent stable versions of all server software.
  • Provides reliable methods for backup and recovery.

Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.

Website Applications

It’s easy to look at web hosts and pass the responsibility of security to them, but there is a tremendous amount of security that lies on the website owner as well. Web hosts are often responsible for the infrastructure on which your website sits, they are not responsible for the application you choose to install.
To understand where and why this is important you must understand how websites get hacked. Rarely is it attributed to the infrastructure; most often it is attributed to the application itself (i.e., the environment you are responsible for).

Security Themes

Keep in mind some general ideas while considering security for each aspect of your system:

Limiting access

Making smart choices that reduce possible entry points available to a malicious person.

Containment

Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.

Preparation and knowledge

Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.

Trusted Sources

Do not get plugins/themes from untrusted sources. Restrict yourself to the WordPress.org repository or well-known companies. Trying to get plugins/themes from the outside may lead to issues.

Vulnerabilities on Your Computer

Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.
Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like no-script (or disabling javascript/flash/java) in your browser.

Vulnerabilities in WordPress

Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end, you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.

Updating WordPress

Main article: Updating WordPress.
The latest version of WordPress is always available from the main WordPress website at https://wordpress.org. Official releases are not available from other sites — never download or install WordPress from any website other than https://wordpress.org.
Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure.
If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack and is one of the primary reasons you should always keep WordPress up to date.
If you are an administrator in charge of more than one WordPress installation, consider using Subversion to make management easier.

Reporting Security Issues

If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues.
If you think you have found a bug, report it. See Submitting Bugs for how to do this. You might have uncovered a vulnerability or a bug that could lead to one.

Web Server Vulnerabilities

The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.
If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.

Network Vulnerabilities

The network on both ends — the WordPress server-side and the client network side — should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network.
Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.

Passwords

Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.
The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.
WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.
Things to avoid when choosing a password:

  • Any permutation of your own real name, username, company name, or name of your website.
  • A word from a dictionary, in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.
In addition to using a strong password, it’s a good idea to enable two-step authentication as an additional security measure.

FTP

When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.

File Permissions

Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.
It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with fewer restrictions for the purpose of doing things like uploading files.
Here is one possible permission scheme.
All files should be owned by your user account and should be writable by you. Any file that needs write access from WordPress should be writable by the webserver; if your hosting setup requires it, that may mean those files need to be group-owned by the user account used by the webserver process.

/ (the root WordPress directory): all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/ (the WordPress administration area): all files should be writable only by your user account.

/wp-includes/ (the bulk of WordPress application logic): all files should be writable only by your user account.

/wp-content/ (user-supplied content): intended to be writable by your user account and the webserver process. Within /wp-content/ you will find:

/wp-content/themes/ (theme files): if you want to use the built-in theme editor, all files need to be writable by the webserver process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.

/wp-content/plugins/ (plugin files): all files should be writable only by your user account.

Other directories that may be present within /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

Changing file permissions

If you have shell access to your server, you can change file permissions recursively with the following commands.

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
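
The two find commands above set the scheme, but they say nothing about wp-config.php and give you no way to confirm the result. The script below is an added example, not from the original page or the WordPress project: it applies the directory/file modes (defaulting to the 755/644 scheme of this section, or 711/600 if you pass those, which is the SuPHP scheme from the start of the page), locks wp-config.php to 440, and then lists anything still group- or world-writable. It assumes POSIX sh with find and chmod, that you run it as the owner of the files, and that the WordPress root is given as the first argument; the demo at the bottom works on a constructed throwaway directory.

```shell
#!/bin/sh
# Added example (not from the original page): apply the permission scheme
# described above to a WordPress tree and report anything left loose.
# Assumptions: POSIX sh with find and chmod; the WordPress root is passed
# as the first argument. Directory and file modes default to the 755/644
# scheme from this section; pass 711 600 for the SuPHP scheme instead.

harden_wp_perms() {
    root="$1"
    dirmode="${2:-755}"
    filemode="${3:-644}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories first (so we can still descend into them), then regular files.
    find "$root" -type d -exec chmod "$dirmode" {} \;
    find "$root" -type f -exec chmod "$filemode" {} \;
    # wp-config.php holds database credentials and salts: owner and group read only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Print every file or directory under $1 that is still group- or world-writable.
# An empty result means the scheme was applied cleanly.
find_loose_perms() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Number of loose paths under $1 (0 is the goal).
count_loose_perms() {
    find_loose_perms "$1" | wc -l | tr -d ' '
}

# Exact mode check used for verification: prints "ok" when $1 has mode $2.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ] && echo ok
}

# Demo on a constructed throwaway tree so the script runs stand-alone.
demo_wp_perms() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    printf '<?php // constructed sample\n' > "$tmp/wp-config.php"
    printf '<?php // constructed sample\n' > "$tmp/index.php"
    chmod -R 777 "$tmp"                      # deliberately loose starting point
    echo "loose before: $(count_loose_perms "$tmp")"
    harden_wp_perms "$tmp"
    echo "loose after:  $(count_loose_perms "$tmp")"
    echo "wp-config.php is 440: $(has_mode "$tmp/wp-config.php" 440)"
    rm -rf "$tmp"
}

demo_wp_perms
```

Run it against a real install as `harden_wp_perms /path/to/wordpress` after sourcing the file, then `find_loose_perms /path/to/wordpress` should print nothing. Directories that genuinely need webserver writes (uploads, a cache directory a plugin documents) have to be loosened again afterwards, as the section says; the check function is there so that such exceptions are listed deliberately rather than left over by accident.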

Regarding Automatic Updates

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the webserver.

Database Security

If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs.
If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a nice introduction.

Restricting Database User Privileges

For normal WordPress operations, such as posting blog posts, uploading media files, posting comments, creating new WordPress users and installing WordPress plugins, the MySQL database user only needs data read and data write privileges to the MySQL database: SELECT, INSERT, UPDATE, and DELETE. Therefore any other database structure and administration privileges, such as DROP, ALTER, and GRANT, can be revoked. By revoking such privileges you are also improving the containment policies.

Note:

Some plugins, themes, and major WordPress updates might need to make database structural changes, such as adding new tables or changing the schema. In such a case, before installing the plugin or updating software, you will need to temporarily grant the database user the required privileges.

WARNING: Attempting updates without having these privileges can cause problems when database schema changes occur. Thus, it is NOT recommended to revoke these privileges. If you do feel the need to do this for security reasons, then please make sure that you have a solid backup plan in place first, with regular whole database backups which you have tested are valid and that can be easily restored. A failed database upgrade can usually be solved by restoring the database back to an old version, granting the proper permissions, and then letting WordPress try the database update again. Restoring the database will return it back to that old version and the WordPress administration screens will then detect the old version and allow you to run the necessary SQL commands on it. Most WordPress upgrades do not change the schema, but some do. Only major point upgrades (3.7 to 3.8, for example) will alter the schema. Minor upgrades (3.8 to 3.8.1) will generally not. Nevertheless, keep a regular backup.

Securing wp-admin

Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog’s admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. Many WordPress attacks are carried out autonomously by malicious software bots.
Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php. See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.

The most common attacks against a WordPress blog usually fall into two categories.

  1. Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.
  2. Attempting to gain access to your blog by using “brute-force” password guessing.

The ultimate implementation of this “second layer” password protection is to require an HTTPS SSL encrypted connection for administration so that all communication and sensitive data is encrypted. See Administration Over SSL.

Securing wp-includes

The second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress

Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

Securing wp-config.php

You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.
Note: Some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities. Others disagree.
Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the webserver) can read this file (it generally means a 400 or 440 permission).
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:
<files wp-config.php>
order allow,deny
deny from all
</files>

Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in since it allows code execution. WordPress has a constant to disable editing from Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’, and ‘edit_files’ capabilities of all users:
define( 'DISALLOW_FILE_EDIT', true );

This will not prevent an attacker from uploading malicious files to your site but might stop some attacks.

Plugins

First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system.

Firewall

There are many plugins and services that can act as a firewall for your website. Some of them work by modifying your .htaccess file and restricting some access at the Apache level before it is processed by WordPress. A good example is iThemes Security or All in One WP Security. Some firewall plugins act at the WordPress level, like WordFence, and try to filter attacks as WordPress is loading, but before it is fully processed.
Besides plugins, you can also install a WAF (web firewall) at your webserver to filter content before it is processed by WordPress. The most popular open-source WAF is ModSecurity.
A firewall can also be added between your hosting company and the Internet (security in the middle), by modifying your DNS records to pass through the firewall. That causes all traffic to be filtered by the firewall before reaching your site. A few companies offer such services, like Cloudflare, Sucuri, and Incapsula.

Plugins that need write access

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legitimate or check with someone you trust. Possible places to check are the Support Forums and IRC Channel.

Code execution plugins

As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins that allow arbitrary PHP or other code to execute from entries in a database effectively magnify the possibility of damage in the event of a successful attack.
A way to avoid using such a plugin is to use custom page templates that call the function. Part of the security this affords is active only when you disallow file editing within WordPress.

Security through obscurity

Security through obscurity is generally an unsound primary strategy. However, there are areas in WordPress where obscuring information might help with security:

  1. Rename the administrative account: When creating an administrative account, avoid easily guessed terms such as admin or webmaster as usernames because they are typically subject to attacks first. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';, or by using a MySQL frontend like phpMyAdmin.
  2. Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.

Data Backups

Back up your data regularly, including your MySQL databases. See the main article: Backing Up Your Database.
Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media increases your confidence that your data has not been tampered with.
A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site and possibly even post-compromise backups which will aid in determining how the site was compromised.

Logging

Forensic logs are your best friend when it comes to understanding your site. Contrary to popular belief, logs allow you to see what was done, by whom, and when. Unfortunately, the logs will not tell you which username logged in, but they will allow you to identify the IP address and time. Additionally, you will be able to see any of these attacks via the logs: Cross-Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI), and Directory Traversal attempts. You will also be able to see brute force attempts.
If you get more comfortable with your logs you’ll be able to see things like, when the theme and plugin editors are being used, when someone updates your widgets, and when posts and pages are added. All key elements when doing forensic work on your web server.
There are two key open-source solutions you’ll want on your web server from a security perspective, this is a layered approach to security.
OSSEC can run on any *NIX distribution and will also run on Windows. When configured correctly it’s very powerful. The idea is to correlate and aggregate all the logs. Be sure to configure it to capture all access_logs and error_logs and, if you have multiple websites on the server, account for that. You’ll also want to filter out the noise: by default you’ll see a lot of it, and you’ll need to tune the configuration for OSSEC to be really effective.
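
Before reaching for OSSEC, it helps to see what the brute-force and file-inclusion signals described above actually look like in a raw access log. The script below is an added example, not from the original page or from OSSEC: two awk-based functions over an Apache combined-format log, one counting POSTs to the login endpoints per client IP and reporting those at or above a threshold, the other listing requests whose path carries a traversal sequence or a remote URL in a parameter. It assumes POSIX sh with awk and sort, and that the log is in combined format (client IP in field 1, method in field 6, request path in field 7). The log lines in it are constructed for the demo and use documentation IP ranges.

```shell
#!/bin/sh
# Added example (not from the original page): pull the brute-force and
# file-inclusion signals the section describes out of an Apache-style
# access log. Assumptions: POSIX sh plus awk and sort; combined log format
# (client IP in field 1, method in field 6, request path in field 7).
# The log below is constructed for the demo; the addresses are from the
# documentation ranges and belong to nobody.

# Constructed sample log: one client hammering the login endpoints, one
# normal visitor, and two requests carrying traversal / remote-include patterns.
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:02:00 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:02:01 +0000] "GET /index.php?inc=http://203.0.113.9/x.txt HTTP/1.1" 404 210 "-" "curl/8.0"
EOF
}

# Count POST requests to the two login endpoints per client IP and print
# "count ip" for every IP at or above the threshold ($2), busiest first.
login_bruteforce_ips() {
    awk -v thr="$2" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Print "ip path" for requests whose path carries a directory-traversal
# sequence or a remote URL in a parameter: the LFI/RFI/traversal attempts
# the section says you can spot in the logs.
inclusion_attempts() {
    awk '$7 ~ /\.\.\// || $7 ~ /=https?:\/\// { print $1, $7 }' "$1"
}

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
sample_access_log > "$LOG"

echo "login endpoints hit 5 or more times by one IP:"
login_bruteforce_ips "$LOG" 5
echo "traversal / remote-include attempts:"
inclusion_attempts "$LOG"
```

Point the functions at your real access_log (`login_bruteforce_ips /var/log/apache2/access.log 20`) to get the same two views; the threshold is a tuning knob, since a legitimate user mistyping a password a few times should not land on the list. The xmlrpc.php endpoint is counted alongside wp-login.php because, as the .htaccess section at the top of the page notes, it accepts credentials too.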

Monitoring

Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened, and recover your site.

Monitoring your logs

If you are on a dedicated or virtual private server, in which you have the luxury of root access, you have the ability to easily configure things so that you can see what’s going on. OSSEC easily facilitates this and here is a little write-up that might help you out OSSEC for Website Security – Part I.

Monitoring your files for changes

When an attack happens, it always leaves traces. Either on the logs or on the file system (new files, modified files, etc). If you are using OSSEC for example, it will monitor your files and alert you when they change.

Goals

The goals of file system tracking include:

  • Monitor changed and added files
  • Log changes and additions
  • Ability to revert granular changes
  • Automated alerts

General approaches

Administrators can monitor file systems via general technologies such as:

  • System utilities
  • Revision control
  • OS/kernel level monitoring

Specific tools
Options for file system monitoring include:

  • diff – build clean test copy of your site and compare against production
  • Git – source code management
  • inotify and incron – OS kernel level file monitoring service that can run commands on filesystem events
  • Watcher – Python inotify library
  • OSSEC – Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Considerations

When configuring a file-based monitoring strategy, there are many considerations, including the following.

Run the monitoring script/service as root

This would make it hard for attackers to disable or modify your file system monitoring solution.

Disable monitoring during scheduled maintenance/upgrades

This would prevent unnecessary notifications when you are performing regular maintenance on the site.

Monitor only executable filetypes

It may be reasonably safe to monitor only executable file types, such as .php files. Filtering out non-executable files may reduce unnecessary log entries and alerts.

Use strict file system permissions

Read about securing file permissions and ownership. In general, avoid allowing execute and write permissions to the extent possible.
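
The "Specific tools" list and the considerations above can be tied together in a few lines of shell. The script below is an added example, not from the original page or any of the tools it names: it takes a baseline of the executable (.php) files under a WordPress root as a manifest of SHA-256 hashes, and on later runs reports every ADDED, MODIFIED or REMOVED path, which is the diff-against-a-clean-copy idea from the list restricted to executable file types as the considerations suggest. It assumes POSIX sh with find, sort, awk and GNU sha256sum (substitute shasum -a 256 on BSD/macOS), and that file names contain no whitespace; the demo at the bottom runs on a constructed throwaway tree.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal file-integrity
# check in the spirit of the "Specific tools" and "Considerations" lists.
# Baseline the executable (.php) files under a WordPress root, then report
# ADDED / MODIFIED / REMOVED paths on later runs. Assumptions: POSIX sh,
# find, sort, awk and GNU sha256sum (BSD/macOS: shasum -a 256); file names
# contain no whitespace.

# Print "hash  ./relative/path" for every .php file under $1, sorted by path.
# Only executable file types are hashed, as the Considerations suggest.
fim_snapshot() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | sort -k 2 )
}

# Record the current state of tree $1 into manifest file $2.
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# Compare the live tree $1 against manifest $2. Prints one line per
# difference ("ADDED", "MODIFIED" or "REMOVED" followed by the path), sorted;
# prints nothing when the tree matches the baseline.
fim_check() {
    cur=$(mktemp)
    fim_snapshot "$1" > "$cur"
    awk -v m="$2" '
        FILENAME == m { base[$2] = $1; next }   # manifest lines: remember hash per path
        {
            if (!($2 in base)) print "ADDED", $2; else if (base[$2] != $1) print "MODIFIED", $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED", p }
    ' "$2" "$cur" | sort
    rm -f "$cur"
}

# Demo on a constructed throwaway tree so the script runs stand-alone.
demo_fim() {
    site=$(mktemp -d)
    manifest=$(mktemp)
    mkdir -p "$site/wp-content/plugins/demo"
    printf '<?php // constructed sample\n' > "$site/index.php"
    printf '<?php // constructed sample\n' > "$site/wp-content/plugins/demo/demo.php"
    printf 'Options -Indexes\n' > "$site/.htaccess"      # not .php, so not tracked
    fim_baseline "$site" "$manifest"
    echo "clean check (expect no output):"
    fim_check "$site" "$manifest"
    # What an intrusion typically leaves behind: a changed file, a new file
    # dropped into a plugin directory, and a deleted file.
    printf '<?php // changed\n' >> "$site/index.php"
    printf '<?php // new\n' > "$site/wp-content/plugins/demo/extra.php"
    rm "$site/wp-content/plugins/demo/demo.php"
    echo "after changes:"
    fim_check "$site" "$manifest"
    rm -rf "$site" "$manifest"
}

demo_fim
```

In use, take the baseline right after a clean install or update (`fim_baseline /path/to/wordpress /root/wp-manifest.sha256`), keep the manifest outside the web root and owned by root, as the "run as root" consideration implies, and run `fim_check` from cron; re-baseline as part of scheduled maintenance so that your own updates do not show up as alerts. A report that is empty is the expected state; anything listed is a file to explain.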

Monitoring your web server externally

If the attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitor solution. This comes in many forms today, use your favorite search engine and look for Web Malware Detection and Remediation and you’ll likely get a long list of service providers.