Interested In Security And Running WordPress?

WordPress is currently (and has been for a long time) 1 of the most popular tools for creating blogs and web sites on the internet. Due to the level of popularity that WordPress has gained it has been a target for hackers looking to deface the website, send spam or make the site a part of a bot net (and of course many other things).

The attackers use vulnerabilities that are found in the core code, plugins and yes even themes.

There are many plugins that try to help mitigate the risks but they are fighting a lost cause and really cannot combat all vulnerabilities.

Some time ago I used a tool called WPScan which is a Linux command  line tool that you can use to scan a WordPress installation for known vulnerabilities. WPScan is a great tool however it does suffer from 1 flaw. When scanning a WordPress installation it uses fingerprinting techniques that are easily fooled. Some plugins such as the iThemes Security plugin use such tactics to fool automatic scanning tools.

Using such tools help combat people using tools such as WPScan however if you are using WPScan to check how secure you are it can lead to a false sense of security.

Recently a new resource associated with WPScan has been made available. WPVulnDB is a WordPress vulnerability database that lists vulnerabilities for the core application, plugins and themes. Previously the only way to get this level of information was to use other vulnerability databases however the WordPress entries would be lost in a sea of entries for other applications.

While looking through the database it is truly frightening seeing some of the vulnerabilities that exist. For example the lote27 theme has an arbitrary file download vulnerability (see here). The example exploit for this shows the ability to download the wpconfig.php file which has the username and password for the database. It is unclear if it is related however the authors own site is now down as due to a database connectivity issue.

At present WPVulnDB is a useful tool but does need people to manually check what plugins, themes and wordpress version they have and looking on the site to see if there are any known issues (and to do this regularly). At present it does not seem that a WordPress plugin exists that would automatically check. Ideally 1 would be created and check on a regular basis. This would help make sure that WordPress site owners are aware of potential risks they have in running certain plugins.

My current thoughts about potential features the plugin may have are as follows:

  • Plugin to check the WordPress version installed for known vulnerabilities.
  • Plugin to check all installed plugins and themes daily to see if there are any known vulnerabilities (the API for WPVulnDB does not allow checking particular version numbers for plugins and themes).
  • After the daily scan the blog owner should be alerted if an issue has been found.
  • When searching for a plugin or theme the results page to show if it has any known vulnerabilities.
  • After installing a plugin a check to see if this plugin/theme has any known issues.
  • Admin area to show current known issues found in scans.
  • Plugin admin area to show vulnerable plugins.
  • Themes admin area to show vulnerable plugins.
  • Settings page to set up contact details and any other settings required.

I may make this unless someone else releases one first (hopefully with no security threats of its own). Watch this space.

3 thoughts on “Interested In Security And Running WordPress?”

  1. Hey Peter, I was just thinking about the same thing. wpvulndb does include the version in the title and so it could be possible to fetch the version number out of the titlte.

    If you ever did start on this plugin I would not mind helping out.

Tell us your thoughts