The runaway popularity of WordPress and the open source nature of its ecosystem have made it an intense target for hackers, and security has long been a major issue for the platform. That may change now that Automattic, the commercial company behind WordPress.com and Jetpack, has acquired a security company, a move that may help internalize security expertise and reduce hacking incidents.
Third Party Plugin and Theme Developer Vulnerabilities
Common vulnerabilities like Cross Site Scripting (XSS) and WordPress API exploits most often arise from sloppy coding practices by third party plugin and theme developers in the WordPress ecosystem.
The first of the two most common points of failure is neglecting to validate and sanitize what is input or uploaded to a WordPress installation, and to escape it again when it is output. For example, if a contact form expects plain text, it must not accept scripts or images; there must be a check that blocks anything but what is expected, and the stored text must be escaped before it is rendered in a page.
The other failure is not adequately checking the privilege level (in WordPress terms, the capability) of the user making a request. A missing check leads to what is called a privilege escalation exploit, where an attacker with the lowest level of access, or no account at all, is able to perform actions reserved for the highest privilege levels.
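To make both failures concrete, here is an added example written for this article (it is not code from the page, from WPScan or from Jetpack): a minimal WordPress AJAX handler for a hypothetical "feedback" setting, shown first in an insecure form that commits both mistakes and then in a hardened form that checks the user's capability, verifies a nonce, sanitizes the input and escapes the output. The same capability rule is then applied to a REST route, because the REST API's permission_callback is where many "WordPress API" bugs originate. The sej_ function, hook and option names are invented for illustration; the WordPress functions called (current_user_can, check_ajax_referer, sanitize_text_field, esc_html, register_rest_route and so on) are the real core APIs.

```php
<?php
/**
 * Added example, not code from the article, WPScan or Jetpack.
 * Names prefixed sej_ are hypothetical; the WordPress APIs are real.
 */

// ---- INSECURE: no capability check, no nonce, raw input stored and echoed ----
function sej_feedback_save_insecure() {
    // Anyone who can reach admin-ajax.php, including logged-out visitors via the
    // nopriv hook, can call this and store arbitrary HTML (stored XSS) in an
    // option only an administrator should be able to change (privilege escalation).
    $message = $_POST['message'];
    update_option( 'sej_feedback_message', $message );
    // Echoed back unescaped: a <script> payload now runs in the viewer's browser.
    echo '<p>Saved: ' . $message . '</p>';
    wp_die();
}
add_action( 'wp_ajax_sej_feedback_save_insecure',        'sej_feedback_save_insecure' );
add_action( 'wp_ajax_nopriv_sej_feedback_save_insecure', 'sej_feedback_save_insecure' );

// ---- HARDENED: capability + nonce, sanitize on input, escape on output ----
function sej_feedback_save_hardened() {
    // 1. Only users allowed to manage options may change this setting. Without
    //    this line any subscriber-level account could perform an admin action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
    // 2. The request must carry a nonce issued for this action (blocks CSRF).
    check_ajax_referer( 'sej_feedback_nonce', 'nonce' );

    // 3. Sanitize: strip tags, invalid UTF-8 and line breaks, so the field can
    //    only contain what a plain-text field should, and cap the length.
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    if ( '' === $message || strlen( $message ) > 500 ) {
        wp_send_json_error( array( 'message' => 'Message must be 1-500 characters' ), 400 );
    }
    update_option( 'sej_feedback_message', $message );

    // 4. Escape on output: sanitized-on-input data is still escaped for the HTML context.
    wp_send_json_success( array( 'html' => '<p>Saved: ' . esc_html( $message ) . '</p>' ) );
}
add_action( 'wp_ajax_sej_feedback_save', 'sej_feedback_save_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: logged-out visitors cannot reach this handler.

// ---- The same rule for a REST route: the privilege check lives in permission_callback.
// A permission_callback of '__return_true' means "anyone, including anonymous users".
add_action( 'rest_api_init', function () {
    register_rest_route( 'sej/v1', '/feedback', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'message' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 500;
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            // $request->get_param() returns the value after the sanitize_callback ran.
            update_option( 'sej_feedback_message', $request->get_param( 'message' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );
```

When reviewing a plugin, the two questions to ask of every handler are the ones this example answers: is there a current_user_can() (or a real permission_callback) before any state change, and is untrusted data sanitized when it arrives and escaped when it leaves?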
Discovered vulnerabilities are recorded in a hand-curated database called the WPScan Vulnerability Database. That database serves as a resource for the WordPress security community and as an alert system for newly discovered vulnerabilities.
That database now belongs to the commercial arm of WordPress.
WordPress Security Company Acquired by WordPress
Jetpack, a division of Automattic, the commercial arm of WordPress, announced that it is acquiring WPScan, the company behind the popular WordPress vulnerability database and security scanner. WPScan provides resources that enable the WordPress and WordPress security ecosystem to respond to security issues quickly. Jetpack is a suite of WordPress tools that also includes a security component.
WordPress security is an important area for WordPress because it’s what competitors cite as a weakness in WordPress. So on that level it makes sense for Jetpack to acquire a company with a proactive stance on WordPress security.
Jetpack said it would explore making the WPScan API completely free for non-commercial sites, while also noting that some of WPScan may be integrated into the security offering within the Jetpack suite of tools.
Why WPScan is Important
WPScan is a database of vulnerabilities.
WPScan also provides:
- An API for accessing the database
- WPScan Security Scanner, a Command Line Interface (CLI) scanner
- A WordPress security plugin
WPScan Database
WPScan is first and foremost an openly available database that records WordPress vulnerabilities and makes the information available via an API.
The information about WordPress vulnerabilities is hand curated by WPScan and contributors.
WPScan is also an official CVE Numbering Authority (CNA), which means it can assign CVE identifiers, the numbers by which vulnerabilities are referenced in the security community.
The database is accessible by individuals, businesses and security researchers.
Access is tiered by the number of API calls made: a free tier, paid tiers at relatively modest prices for heavier database access, and custom pricing for enterprise level requirements.
WPScan WordPress Security Scanner
WPScan also provides the WPScan WordPress Security Scanner, a Command Line Interface scanner that is free for non-commercial use and scans a website for vulnerabilities recorded in the WPScan database.
A sample of the additional checks the free WPScan WordPress Security Scanner performs:
- “The version of WordPress installed and any associated vulnerabilities
- What plugins are installed and any associated vulnerabilities
- What themes are installed and any associated vulnerabilities
- Username enumeration
- Users with weak passwords via password brute forcing
- Backed up and publicly accessible wp-config.php files
- Database dumps that may be publicly accessible
- If error logs are exposed by plugins”
WPScan WordPress Plugin
Lastly, WPScan offers a free plugin that scans a website to determine if the WordPress installation itself and/or installed themes and plugins have vulnerabilities. The plugin uses the WPScan database API to check for vulnerabilities. The daily scan is said to fall within the free tier of API usage.
The plugin also scans for common weaknesses that could make a website vulnerable:
- “Check for debug.log files
- Check for wp-config.php backup files
- Check if XML-RPC is enabled
- Check for code repository files
- Check if default secret keys are used
- Check for exported database files
- Weak passwords
- HTTPS enabled”
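Several of the weaknesses in that list are plain file-system or configuration mistakes, so a site owner can check for them directly. The following is an added example written for this article (it is not WPScan's plugin code and does not use WPScan's API): a small PHP audit of a WordPress document root that looks for wp-config.php backup copies, a wp-content/debug.log, deployed code-repository directories, exported database dumps and the default secret keys. It builds a temporary document root with constructed sample files so it runs offline. The "put your unique phrase here" placeholder is what a stock wp-config-sample.php ships with; the list of backup suffixes is an assumption, not WPScan's exact list. The XML-RPC, weak-password and HTTPS checks need requests against the live site and are left out here.

```php
<?php
/**
 * Added example, not WPScan or Jetpack code. Audits a WordPress docroot for
 * files that should never be web-accessible and for default secret keys.
 */
function sej_audit_docroot( string $root ): array {
    $findings = [];

    // 1. Backup copies of wp-config.php: a web server serves these as plain
    //    text, exposing database credentials and the secret keys/salts.
    //    Suffix list is an assumption for illustration.
    foreach ( [ '.bak', '.old', '.orig', '.save', '~', '.txt', '.swp' ] as $suffix ) {
        if ( is_file( "$root/wp-config.php$suffix" ) ) {
            $findings[] = "wp-config backup exposed: wp-config.php$suffix";
        }
    }

    // 2. debug.log (the WP_DEBUG_LOG default location) leaks file paths,
    //    queries and sometimes credentials to anyone who requests it.
    if ( is_file( "$root/wp-content/debug.log" ) ) {
        $findings[] = 'debug.log present in wp-content';
    }

    // 3. Version-control metadata deployed with the site: .git exposes the
    //    full source history, including any secrets ever committed.
    foreach ( [ '.git', '.svn', '.hg' ] as $vcs ) {
        if ( is_dir( "$root/$vcs" ) ) {
            $findings[] = "code repository directory exposed: $vcs";
        }
    }

    // 4. Exported database dumps left in the web root.
    foreach ( [ 'sql', 'sql.gz', 'sql.zip' ] as $ext ) {
        foreach ( glob( "$root/*.$ext" ) ?: [] as $dump ) {
            $findings[] = 'database dump exposed: ' . basename( $dump );
        }
    }

    // 5. Default secret keys: wp-config-sample.php sets every key and salt to
    //    'put your unique phrase here'. If that string survives in
    //    wp-config.php, authentication cookies can be forged.
    $config = "$root/wp-config.php";
    if ( is_file( $config )
        && strpos( file_get_contents( $config ), 'put your unique phrase here' ) !== false ) {
        $findings[] = 'default secret keys/salts still in wp-config.php';
    }

    return $findings;
}

// ---- Constructed sample docroot (not a real site); every file here is fake ----
$root = sys_get_temp_dir() . '/sej-wp-audit-' . getmypid();
mkdir( "$root/wp-content", 0700, true );
mkdir( "$root/.git", 0700 );
file_put_contents( "$root/wp-config.php", "<?php\ndefine( 'AUTH_KEY', 'put your unique phrase here' );\n" );
file_put_contents( "$root/wp-config.php.bak", "<?php\ndefine( 'DB_PASSWORD', 'example-password' );\n" );
file_put_contents( "$root/wp-content/debug.log", "PHP Notice: constructed sample log line\n" );
file_put_contents( "$root/backup.sql", "-- constructed sample dump\n" );

foreach ( sej_audit_docroot( $root ) as $finding ) {
    echo "[!] $finding\n";
}
// Expected: five findings (wp-config backup, debug.log, .git, backup.sql, default keys).
```

Run it with `php audit.php` against the constructed directory, or point sej_audit_docroot() at a real document root. Findings here are local-file checks; whether each file is actually reachable over HTTP also depends on the web server configuration, which is why the scanner and plugin probe the live site as well.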
The main feature of the WPScan plugin is a rapid alert when a plugin, theme or WordPress itself contains a known vulnerability, and a follow-up alert when a patch is issued.
Why Did Jetpack acquire WPScan?
Jetpack’s stated reason for acquiring WPScan is to open up the data even more and to continue it as a resource for the entire WordPress ecosystem.
Jetpack announced:
“…our goal for this acquisition is to make malware data and APIs more open source. We want to ensure that WPScan continues to be a high-quality security resource for the entire WordPress community. To that effect, we’ll be exploring ways to make the API completely free for non-commercial sites.
…WPScan will continue to operate independently in the near term and may be integrated into Jetpack Scan in the future.
Current WPScan customers won’t be impacted by the acquisition in the near-term and will receive the same high-quality WordPress security service they’ve come to expect.”
WordPress Security Will Improve
The founders of WPScan will join Automattic as part of the acquisition.
An email to the WPScan community offered a glimpse of how the WordPress community will benefit:
“Joining a company like Automattic is going to allow us to improve our services faster, implement new features and products, and look for new ways to make our WordPress vulnerability data more open and accessible to the community.
We will also be working closely with Automattic’s Jetpack Scan security team, benefiting from their expertise to make the WordPress eco-system even more secure for users.”
This acquisition sets the WordPress development community on a path for new features and improvements that will help the entire WordPress community.
Citations
Read the Jetpack Announcement of the WPScan Acquisition:
Jetpack Acquires WordPress Vulnerability Database WPScan
Visit the Official WPScan Plugin Page
WPScan – WordPress Security Scanner Plugin