This is exactly why (say in system and application programming) we have source code scanners, e.g., lint and its derivatives: to check for mistakes and any questionable code in the source. A program checking itself is OK for some things (sanity, pointer checks, allocation success, and so on), but to expect it to check all of it, security especially, is a bit too trusting (and trust is a huge problem and in fact that’s what IP spoofing was part of: trust relationship exploitation; say in the earlier days, the amount of stuff you could see because someone set up a hosts.equiv file. Scary reality looking back). Trusting a program to check itself is ridiculous and scary: what if IT has an issue itself? Or, say in the older days when malware was in its early life: piggy backing antivirus scanners (to those who don’t know the term: it’s when a virus would infect every program it could infect as the antivirus was opening it for them WHILE scanning it for viruses).

To expect wordpress itself to scan for issues is like expecting an antivirus to check if it itself is infected; if it’s infected, then any of the following could be true:
a) it’s terrible antivirus or it missed something obvious
b) it would likely be trapped anyway and would not detect it (the virus would realize what it’s doing and prevent it from valid results)
c) if it was infected, how can you trust it ?

This very reason is why there’s also apache modules out there like mod_security.

Security is important but unfortunately you don’t get taught it. You learn it through experience (and some don’t, but I’ll be nice on that one).

When creating a section on good security plugins to use, I wasn’t sure whether I should include scanners or file checkers, there seems to be a trend to just install a scanner and forget about the real issue at hand, which is prevention.

Still not sure if I should include scanner as a viable security measure, I guess monitoring is a decent aspect of security, I simply don’t know which ones are any good or even if they work.

Agreed. I collected a whole bunch of these files, many different patterns ranging from simple lines to large things. Would be interesting to put them somewhere to share.

What I did notice:
a) the files themselves and the files they changed got 644. So if your files are not 644-ed it was easy to detect them. Obviously a hacker can change this in any next release.
b) the file monitor wp plugin did a good job finding the new files but did not report the changed files such as “footer.php” but by back-tracking file names they were findable.
c) unfortunate file monitor plugin took so much resources on my GRID shared hosting that I had to take it offline.
d) I looked for something similar

ONTOPIC:

It would strange indeed if intrusion detection would be build inside each software package. Instead an external solution would be better. When I asked around on StackExchange I was advised TripWire : http://sourceforge.net/projects/tripwire/

But I did not have had a chance / time to use it.

I understand. Thanks for the detailed response. Have a great day.