How to set up Sqreen on a PHP Plesk webserver for monitoring a WordPress Blog

This article is about installing Sqreen on the hosting and web server management system Plesk. Sqreen is a Web-Application-Firewall (WAF) and Runtime-Application-Self-Protection (RASP) solution.

Sqreen is easy to install and works out of the box. The onboarding process guides you very well step-by-step through the whole setup and while setting up your first application you learn about each config. This works very well in less than one hour until production. If you add a banner into your footer you are allowed to use Sqreen free for one production app.

In this article I want to show how to use Sqreen to protect a WordPress Blog. Therefore we only need to install the Sqreen PHP agent. We don’t need any changes on the code or the application itself. Later in the process, when we want to monitor usernames instead of only a IP address, it may be required to add a additional line to share the username (or a UUID or a hash) with Sqreen. Fortunately, Sqreen provides a WordPress Plugin, so even this is very simple in case your application is a WordPress Blog. Just install the WordPress Plugin to monitor users.

Plesk itself has had several PHP versions available. We first need to determine which PHP version we want to install Sqreen for.

  1. To do this, we connect to our web server with SSH and execute the following command:
# List all your PHP versions in Plesk
ls -l /opt/plesk/php/
total 0
drwxr-xr-x 8 root root 71 Feb 21 2018 5.6
drwxr-xr-x 8 root root 71 Dec 7 2018 7.0
drwxr-xr-x 3 root root 16 Sep 25 2019 7.1
drwxr-xr-x 9 root root 85 Aug 28 17:02 7.3

2. After we found the path of our PHP Version we have to follow the steps from the Sqreen manual installation instruction:

I am not going into detail because all these commands are mentioned in the manual installation instruction.

# Select your specific PHP instance
/opt/plesk/php/7.3/bin/php -i | grep 'PHP Version'
/opt/plesk/php/7.3/bin/php -m

# From now run the steps as described in:
/opt/plesk/php/7.3/bin/php -i | grep extension_dir
ls /opt/plesk/php/7.3/etc/php.d

/opt/plesk/php/7.3/bin/php -i| grep 'additional .ini files'

curl -o sqreen-php-extension.tar.gz
tar xf sqreen-php-extension.tar.gz
cp /usr/lib/sqreen/extensions/7.3/ /opt/plesk/php/7.3/lib64/php/modules
cp /usr/lib/sqreen/conf/sqreen.ini /opt/plesk/php/7.3/etc/php.d
ls /opt/plesk/php/7.3/etc/php.d

# Enter your token (as described in the mentioned Sqreen instruction)
sudo nano /opt/plesk/php/7.3/etc/php.d/sqreen.ini

# Now restart your php service from Plesk UI
# Check your logs if Sqreen is running
ps aux | grep sqreen
cat /var/log/sqreen/sqreen.log

3. Your application should show up in the sqreen Dashboard after restarting the PHP service and running a php file by requesting your website.

Sqreen detected a massive security scan which was triggered by nikto — a vulnerability scanner.

4. As you have followed the Sqreen onboarding process you may want to set up a user monitoring. For some technologies Sqreen is able to automatic discover user context information. In case of PHP we need to integrate the PHP SDK ourself. But this is very simple as described in the following instruction:

A screenshot of the user monitoring after the first successful login failure.

You will notice quickly that the following line is self-describing:

// On every request to map the authenticated user to the request
$user = get_user_from_cookie($_COOKIE['session_id']);
sqreen\identify(['email' => $user->email])

As mentioned in the beginning of this article, luckily Sqreen already provides a WordPress Plugin for that case. If you have worked a little bit with WordPress plugins before, you’ll know that WordPress Hooks are suitable for this kind of task. Of course this plugin is exactly what we’ve needed — only the Login Hook. Just download the latest ZIP from the GitHub Release page and upload the ZIP at “Plugins > Add new > Upload plugin”.


Finally I am done. Looking forward to receive the swag :-)

I have to admit, it is really as easy and as fast as Sqreen advertises. Attacks are also detected and blocked reliably. There is a very large background noise of malicious traffic that would otherwise remain undetected. Especially what is important in WordPress blogs the vulnerability scanners are detected as shown below:

IT security specialist with a passion for secure software development 🔐