WordPress’s astronomical popularity, combined with the open-source nature of its ecosystem, has made it a prime target for attackers, and its security has long been a major concern. That may be changing: WordPress’s commercial arm has acquired a security firm, which may help internalize security work and reduce hacking incidents.
Vulnerabilities in Third-Party Plugins and Themes
Common vulnerabilities, such as Cross-Site Scripting (XSS) and abuse of the WordPress APIs, typically result from sloppy coding practices by third-party plugin and theme developers in the WordPress ecosystem.
One of the two most common points of failure is a developer not validating or sanitizing what is input or uploaded to a WordPress installation. If a contact form expects plain text, it must not accept scripts or images; there must be a way to block anything other than what is expected.
The other is failing to adequately check the privilege level of the person interacting with the site. This results in a privilege escalation vulnerability, in which an attacker with the lowest level of access can obtain the highest.
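Both flaws described above, side by side in a small contact-form handler. This is an added example, not code from the article or from WPScan; it assumes it runs inside WordPress, where the functions it calls (add_action, current_user_can, check_ajax_referer, wp_unslash, sanitize_textarea_field, update_option, esc_html, wp_send_json_*) are provided by core. The action and option names are made up for the example.

```php
<?php
// Added example (not from the article or WPScan): one admin-ajax handler
// shown twice, first with the two flaws the article describes, then hardened.
// Assumes a WordPress runtime; the demo_* names and option key are hypothetical.

// BEFORE: no privilege check and no sanitization.
function demo_contact_save_insecure() {
    // Registered with the "nopriv" hook below, so any unauthenticated visitor
    // who can reach admin-ajax.php can run this: nobody's role is checked.
    // The raw request value is stored and later rendered as-is, so markup or
    // a script tag submitted in "message" becomes stored XSS.
    update_option( 'demo_contact_message', $_POST['message'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_contact_save', 'demo_contact_save_insecure' );

// AFTER: capability check, CSRF nonce, validation against what the form
// expects, and escaping when the stored value is rendered.
function demo_contact_save_secure() {
    // Least privilege: require a concrete capability, not merely "logged in".
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'demo_contact_save', 'nonce' );

    // The form expects plain text: strip tags, keep newlines, bound the length.
    $message = isset( $_POST['message'] ) ? wp_unslash( $_POST['message'] ) : '';
    $message = sanitize_textarea_field( $message );
    if ( $message === '' || strlen( $message ) > 2000 ) {   // byte length bound
        wp_send_json_error( 'invalid message', 400 );
    }
    update_option( 'demo_contact_message', $message );
    wp_send_json_success();
}
// Only the authenticated hook is registered; there is no nopriv variant.
add_action( 'wp_ajax_demo_contact_save', 'demo_contact_save_secure' );

// Render path: stored data is never trusted, so it is escaped on output too.
function demo_contact_render() {
    echo '<p>' . esc_html( get_option( 'demo_contact_message', '' ) ) . '</p>';
}
```

The hardened version treats the two checks as independent layers: the capability check decides who may call the action at all, and sanitize-on-input plus escape-on-output decides what the data may contain. Dropping either one reintroduces one of the two flaw classes the article names.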
Every discovered vulnerability is added to a hand-curated database known as the WPScan Vulnerability Database. That database is a resource for the WordPress security community, acting as an early-warning system for newly discovered exploits. It is now owned by WordPress’s commercial arm.
Jetpack Has Purchased WordPress Security Firm WPScan
Jetpack, a division of Automattic, WordPress’ commercial arm, announced the acquisition of the popular WPScan WordPress security suite company. WPScan provides resources that allow WordPress and the WordPress security ecosystem to respond quickly to security issues. Jetpack is a WordPress toolkit that includes a security component.
WordPress security is an important area for WordPress because it is cited as a weakness by competitors. On that level, Jetpack’s acquisition of a company that takes a proactive approach to WordPress security makes sense.
Jetpack promised to keep the products free for non-commercial use, while noting that parts of WPScan will be absorbed into the security offering of the Jetpack suite of tools.
WHY IS WPSCAN IMPORTANT?
WPScan is first and foremost a vulnerability database.
WPScan also offers:
- An API for interacting with the database
- The WPScan WordPress Security Scanner, a CLI (Command Line Interface) scanner
- The WPScan WordPress plugin, which runs security checks on a site
WPScan Database
WPScan is first and foremost an open database that records WordPress vulnerabilities and makes the data available via an API.
WPScan and contributors hand-pick information about WordPress vulnerabilities.
WPScan is also an official CVE Numbering Authority (CNA), which means they can assign the numbers used to refer to vulnerabilities in the security community.
Individuals, businesses, and security researchers can all access the database.
The information is available for free via the API up to a quota of API calls, with relatively low prices for additional database access and custom pricing for enterprise-level requirements.
WPScan WordPress Security Scanner
WPScan also offers the WPScan WordPress Security Scanner, a Command Line Interface scanner that is free for non-commercial use and scans a website for vulnerabilities recorded in the WPScan database.
Here are a few examples of what the free WPScan WordPress Security Scanner looks for:
- “The version of WordPress installed and any associated vulnerabilities
- What plugins are installed and any associated vulnerabilities
- What themes are installed and any associated vulnerabilities
- Username enumeration
- Users with weak passwords via password brute forcing
- Backed up and publicly accessible wp-config.php files
- Database dumps that may be publicly accessible
- If error logs are exposed by plugins”
WPScan WordPress Plugin
Finally, WPScan provides a free plugin that scans a website to see if the WordPress installation, as well as any installed themes and plugins, are vulnerable. To check for vulnerabilities, the plugin makes use of the WPScan database API. The daily scan is said to fall under the free API usage tier.
The plugin also scans for common flaws that could expose a website:
- “Check for debug.log files
- Check for wp-config.php backup files
- Check if XML-RPC is enabled
- Check for code repository files
- Check if default secret keys are used
- Check for exported database files
- Weak passwords
- HTTPS enabled”
The WPScan plugin’s main feature is that it provides a quick alert if a site plugin, theme, or WordPress itself contains a vulnerability and if a patch is available.
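Two of the checks in the list above, default secret keys and exposed debug logging, can be reproduced offline against a copy of wp-config.php. The script below is an added example, not WPScan’s code; it checks only for the placeholder string WordPress ships in wp-config-sample.php and for WP_DEBUG_LOG being switched on, and the configuration excerpt it runs against is constructed for the example.

```php
<?php
// Added example (not WPScan's plugin code): a minimal offline review of a
// wp-config.php for two of the conditions the plugin checks. The $sample
// text below is a constructed excerpt, not any real site's configuration.

function demo_check_wp_config( string $config ): array {
    $findings = [];

    // wp-config-sample.php ships every key and salt with this placeholder.
    // A site that still has it never replaced its secrets.
    $keys = 'AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|'
          . 'AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT';
    $pattern = "/define\s*\(\s*'($keys)'\s*,\s*'put your unique phrase here'\s*\)/";
    if ( preg_match_all( $pattern, $config, $m ) ) {
        foreach ( $m[1] as $name ) {
            $findings[] = "default secret in use: $name";
        }
    }

    // WP_DEBUG_LOG true writes wp-content/debug.log, which is served by the
    // web server unless access to it is explicitly blocked.
    if ( preg_match( "/define\s*\(\s*'WP_DEBUG_LOG'\s*,\s*true\s*\)/i", $config ) ) {
        $findings[] = 'WP_DEBUG_LOG enabled: debug.log may be publicly readable';
    }

    return $findings;
}

// Constructed sample: one default key, one replaced salt, debug logging on.
$sample = <<<'CFG'
define( 'AUTH_KEY',   'put your unique phrase here' );
define( 'NONCE_SALT', 'constructed-sample-salt-not-real' );
define( 'WP_DEBUG',     true );
define( 'WP_DEBUG_LOG', true );
CFG;

foreach ( demo_check_wp_config( $sample ) as $finding ) {
    echo "[!] $finding\n";
}
// Expected: one line for AUTH_KEY and one for WP_DEBUG_LOG.
```

The remedy for the first finding is to regenerate all eight values (WordPress.org publishes a secret-key generator for this) and for the second to turn WP_DEBUG_LOG off in production or deny web access to wp-content/debug.log.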
Why did Jetpack purchase WPScan?
The stated reason for Jetpack’s acquisition of WPScan is to further open up the data and keep it as a resource for the entire WordPress ecosystem.
Jetpack announced:
“…our goal for this acquisition is to make malware data and APIs more open source. We want to ensure that WPScan continues to be a high-quality security resource for the entire WordPress community. To that effect, we’ll be exploring ways to make the API completely free for non-commercial sites.
…WPScan will continue to operate independently in the near term and may be integrated into Jetpack Scan in the future.
Current WPScan customers won’t be impacted by the acquisition in the near-term and will receive the same high-quality WordPress security service they’ve come to expect.”
WordPress Security Will Become Better
As part of the deal that resulted in the acquisition, the founders of WPScan will work for Automattic.
An email sent to the WPScan community revealed some of the ways the WordPress community will benefit:
“Joining a company like Automattic is going to allow us to improve our services faster, implement new features and products, and look for new ways to make our WordPress vulnerability data more open and accessible to the community.
We will also be working closely with Automattic’s Jetpack Scan security team, benefiting from their expertise to make the WordPress eco-system even more secure for users.”
This acquisition puts the WordPress development community on a path to add new features and improve the overall WordPress experience.