
WP Vulnerability Scanner

Check WordPress core, installed plugins and themes for vulnerabilities reported by wpvulndb.com.

Installation

Global command, automatically

It can be installed as a wp-cli package from the git repo, which is the preferred way to install it.

wp package install git@github.com:10up/wp-vulnerability-scanner.git

VulnDB API Access

Per the VulnDB API documentation, you will need to register for a user account and supply an API token. Once you have acquired the token, you can add it as a constant in wp-config.php as follows:

define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );

Global command, manually

Clone this repo, and require wp-vulnerability-scanner.php from wp-cli config.

E.g. in ~/.wp-cli/config.yml [other config locations]

require:
  - /path/to/this/repo/wp-vulnerability-scanner.php

Standard plugin

This repo can be installed as a regular plugin. There is no UI, but the command will become available.

wp plugin install --activate https://github.com/10up/wp-vulnerability-scanner/archive/master.zip

After plugin installation, you can verify the command is in place with wp help vuln.

Usage

wp vuln status
  • Options:
  • --test Load test data
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for nagios
wp vuln core-status
  • Options:
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for nagios
wp vuln plugin-status
  • Options:
  • --test Load test data
  • --porcelain Only print slugs of vulnerable plugins with updates
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for nagios
wp vuln theme-status
  • Options:
  • --test Load test data
  • --porcelain Only print slugs of vulnerable themes with updates
  • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
  • --nagios Output for nagios

Example usage

Basic

wp plugin update $(wp vuln plugin-status --porcelain)

This will simply error out if the plugin-status command returns no slugs. You can suppress the output by appending &> /dev/null:

wp theme update $(wp vuln theme-status --porcelain) &> /dev/null

Scheduled/Cron

0 0 * * * wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
0 0 * * * wp plugin update $(wp vuln plugin-status --porcelain) &> /dev/null

0 0 * * * is every day at midnight. For assistance creating an alternate schedule, check out http://crontab.guru/. For example, 0 0 * * 1,4 runs at midnight every Monday and Thursday.

With email notifications

A sample bash script, includes/vuln.sh, is included. It can be customized and run from a cron job so that you are alerted when vulnerabilities are found.

  • WPCLIPATH should be the full path to your wp command. The script will attempt to discover this automatically if the given file does not exist.

  • RECIPIENT should be an email address which will receive the notifications

  • SUBJECT is the email subject

This readme does not discuss configuring the mail command on your server. To run a simple test, try:

echo "This is the body text" | mail -s "Email subject" you@domain.com
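The script below is an added example of the cron-driven notification described above; it is not the project's own includes/vuln.sh. It uses the same WPCLIPATH, RECIPIENT and SUBJECT variables and the documented --porcelain output, and assumes the site lives at WP_PATH (placeholder) and that the file is saved as vuln-notify.sh.

```shell
#!/bin/sh
# Added example, not the project's includes/vuln.sh: run the scanner from cron and
# send mail only when vulnerable plugins or themes have an update available.
set -u

WPCLIPATH="${WPCLIPATH:-/usr/local/bin/wp}"          # full path to wp (README variable)
RECIPIENT="${RECIPIENT:-admin@example.com}"          # placeholder recipient
SUBJECT="${SUBJECT:-WordPress vulnerability report}"
WP_PATH="${WP_PATH:-/var/www/html}"                  # assumed WordPress root (placeholder)

# As the README says vuln.sh does: fall back to a PATH lookup when WPCLIPATH does not exist.
resolve_wp() {
  if [ -x "$WPCLIPATH" ]; then
    printf '%s\n' "$WPCLIPATH"
  else
    command -v wp
  fi
}

# Slugs of vulnerable plugins and themes that have an update (documented --porcelain
# output, one slug per line), prefixed with their type. Empty output means a clean site.
collect_vulnerable() {
  wp_bin="$(resolve_wp)" || return 2
  "$wp_bin" vuln plugin-status --porcelain --path="$WP_PATH" | sed 's/^/plugin: /'
  "$wp_bin" vuln theme-status --porcelain --path="$WP_PATH" | sed 's/^/theme: /'
}

# Build the mail body from the collected lines; returns 1 when there is nothing to
# report, so the cron job stays silent on a clean site.
build_report() {
  [ -n "$1" ] || return 1
  printf 'Vulnerable components with updates available on %s:\n\n%s\n' "$(uname -n)" "$1"
}

main() {
  findings="$(collect_vulnerable)" || { echo "wp-cli not found" >&2; return 2; }
  if report="$(build_report "$findings")"; then
    printf '%s\n' "$report" | mail -s "$SUBJECT" "$RECIPIENT"
  fi
}

# Scan only when executed as vuln-notify.sh (e.g. from cron); sourcing the file
# just defines the functions.
if [ "${0##*/}" = "vuln-notify.sh" ]; then
  main
fi
```

A cron entry such as 0 0 * * * /path/to/vuln-notify.sh runs it nightly; unlike the plain update one-liners above, it only produces mail when there is something to act on.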

Nagios

wp vuln plugin-status --nagios will give output for Nagios monitoring.

Check uninstalled themes and plugins

Check a specific version of a theme or plugin. Example:

wp vuln theme-check twentyfifteen --version=1.1

Or check several at once (this form cannot accept versions):

wp vuln plugin-check wppizza wordpress-seo

Running Tests

Prerequisites:

The environment variables WP_CLI_BIN_DIR and WP_CLI_CONFIG_PATH must be set:

export WP_CLI_BIN_DIR='/tmp/wp-cli-phar' && export WP_CLI_CONFIG_PATH='/tmp/wp-cli-phar/config.yml'

Install dependencies

./bin/install-package-test.php

Note: it is not uncommon for Composer to run out of memory; you may need to take steps to free up memory on your end.

Run tests

./vendor/bin/behat features/vuln-theme-status.feature