WordPress Scan
About WordPress Scan
You can automatically obtain a list of installed WordPress core, plugins, and themes on the server and detect vulnerabilities. It uses the vulnerability database of wpscan.com, which has more than 20,000 vulnerability information only for WordPress-related.
First, Vuls scanner executes the wp command on the OS running WordPress to obtain the complete version list of WordPress core, plugins, and themes. It enables more accurate detection than network-type scanners (inference from signatures) because it detects vulnerabilities based on the complete list. In addition, it is a non-destructive scan that does not perform a pseudo-attack and does not affect the production site.
This function targets WordPress set up on Linux.
Linux Scanner Version 0.15.5 or later is required. For checking the version, see here.
Configuration
The following settings are required for WordPress scanning.
- Issue an API token at wpscan.com.
- Register API token with FutureVuls.
- Scanner settings
- Set sudoers on the target server.
- Execute the scan.
We will explain each of them.
Obtaining and Registering Tokens with FutureVuls
First, register and obtain an API token from wpscan.com.
Next, open FutureVuls and register the API token issued above with “Group Settings> External Connection> WordPress Vulnerability Database API.”
- If you check “Include disabled plugins,” it will detect vulnerabilities even for plugins and themes that have been disabled on the WordPress side.
- If not checked, only vulnerabilities of enabled plugins and themes will be detected.
- If you want to change “Include disabled plugins” after registration, delete the wpscan setting and re-register it.
- For each “WordPress core, plugin, and theme to be scanned,” FutureVuls consumes “1 API.”
- The number of API limits varies depending on the plan type of wpscan.com.
- If the API limit of wpscan.com is exceeded, a separate paid contract with wpscan.com is required.
- FutureVuls does not make a proxy contract with wpscan.com. Please make a contract directly with wpscan.com.
Scanner Settings
Edit /opt/vuls-saas/config.toml.
This setting scans both OS packages and WordPress.
[servers]
[servers.dev]
user = "vuls-saas"
host = "localhost"
port = "local"
scanMode = ["fast-root"]
[servers.dev.uuids]
dev = "xxxx-xxxx-xxxx-xxxx"
[servers.dev.wordpress]
cmdPath = "/usr/local/bin/wp"
osUser = "wordpress"
docRoot = "/home/kusanagi/wp/DocumentRoot/"
- Specify the absolute path to the wp command in cmdPath.
- Specify the user who has permission to execute the wp command in osUser.
- Specify the WordPress DocumentRoot in docRoot.
sudoers Configuration on the Target Server
To enable Vuls scanner to execute the wp command without a password by executing sudo -u user -i on the target server, add the following command to /etc/sudoers.d/vuls-saas on the target server where WordPress is running. If the user who can execute the wp command and the path are different, modify them accordingly for your environment.
/bin/bash -c /usr/local/bin/wp cli *, /bin/bash -c /usr/local/bin/wp core *, /bin/bash -c /usr/local/bin/wp theme *, /bin/bash -c /usr/local/bin/wp plugin *
Note that when updating Vuls scanner, /etc/sudoers.d/vuls-saas may be overwritten, which may cause an error in the next scan. Be sure to edit /etc/sudoers.d/vuls-saas again after updating Vuls scanner.
Performing the Scan
- If you want to perform an immediate scan, follow the steps described inManual Scan
Scanning WordPress Only
Edit /opt/vuls-saas/config.toml and specify scanModules = ["wordpress"]
This setting will not scan OS packages.
[servers]
[servers.dev]
user = "vuls-saas"
host = "localhost"
port = "local"
scanModules = ["wordpress"]
[servers.dev.uuids]
dev = "xxxx-xxxx-xxxx-xxxx"
[servers.dev.wordpress]
cmdPath = "/usr/local/bin/wp"
osUser = "wordpress"
docRoot = "/home/kusanagi/wp/DocumentRoot/"
Scanning Multiple WordPress Sites
To scan multiple WordPress sites, edit /opt/vuls-saas/config.toml as follows:
[servers]
[servers.dev]
user = "vuls-saas"
host = "localhost"
port = "local"
scanModules = ["wordpress"]
[servers.dev.uuids]
dev = "xxxx-xxxx-xxxx-xxxx"
[servers.dev.wordpress]
cmdPath = "/usr/local/bin/wp"
osUser = "wordpress"
docRoot = "/home/kusanagi/wp/DocumentRoot/"
## Assign a unique name in config.toml (in this case, YYYY)
[servers.YYYY]
user = "vuls-saas"
host = "localhost"
port = "local"
scanModules = ["wordpress"]
## Change UUID to avoid duplication with others
[servers.YYYY.uuids]
YYYY = "yyyy-yyyy-yyy-yyyy"
## Change it to the YYYY you named above
[servers.YYYY.wordpress]
cmdPath = "/usr/local/bin/wp"
osUser = "wordpress"
docRoot = "/home/kusanagi/wp/DocumentRoot2/"
If you want to manage OS packages and WordPress as separate servers
If you want to manage them as separate servers on FutureVuls, edit /opt/vuls-saas/config.toml as follows and split the server definitions.
[servers]
# "dev" is used for managing OS package vulnerabilities on FutureVuls.
[servers.dev]
user = "vuls-saas"
host = "localhost"
port = "local"
[servers.dev.uuids]
dev = "xxxx-xxxx-xxxx-xxxx"
# ZZZZ is for WordPress
[servers.ZZZZ]
user = "vuls-saas"
host = "localhost"
port = "local"
scanModules = ["wordpress"]
[servers.ZZZZ.uuids]
ZZZZ = "zzzz-zzzz-zzzz-zzzz"
[servers.ZZZZ.wordpress]
cmdPath = "/usr/local/bin/wp"
osUser = "wordpress"
docRoot = "/home/kusanagi/wp/DocumentRoot/"