Check WordPress core, installed plugins and themes for vulnerabilities reported by wpvulndb.com.

It can be installed as a WP-CLI package from the git repo, which is the preferred way to install it:

```sh
wp package install git@github.com:10up/wp-vulnerability-scanner.git
```
Per the VulnDB API documentation, you will need to register for a user account and supply an API token. Once you have acquired the token, add it as a constant in `wp-config.php` as follows:

```php
define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );
```
Alternatively, clone this repo and require `wp-vulnerability-scanner.php` from your WP-CLI config, e.g. in `~/.wp-cli/config.yml` (or one of the other config locations):

```yaml
require:
  - /path/to/this/repo/wp-vulnerability-scanner.php
```
This repo can also be installed as a regular plugin. There is no UI, but the command becomes available.

```sh
wp plugin install --activate https://github.com/10up/wp-vulnerability-scanner/archive/master.zip
```

After plugin installation, you can verify the command is in place with `wp help vuln`.
### wp vuln status

Options:

- `--test`: Load test data
- `--format=<format>`: Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios`: Output for Nagios

### wp vuln core-status

Options:

- `--format=<format>`: Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios`: Output for Nagios

### wp vuln plugin-status

Options:

- `--test`: Load test data
- `--porcelain`: Only print slugs of vulnerable plugins with updates
- `--format=<format>`: Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios`: Output for Nagios

### wp vuln theme-status

Options:

- `--test`: Load test data
- `--porcelain`: Only print slugs of vulnerable themes with updates
- `--format=<format>`: Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios`: Output for Nagios
### Basic

```sh
wp plugin update $(wp vuln plugin-status --porcelain)
```

This will simply error out if no slugs are returned by the `plugin-status` command. You can suppress the output by appending `&> /dev/null`:

```sh
wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
```
### Scheduled/Cron

```
0 0 * * * wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
0 0 * * * wp plugin update $(wp vuln plugin-status --porcelain) &> /dev/null
```

`0 0 * * *` is every day at midnight. For assistance creating an alternate schedule, check out http://crontab.guru/. For example, `0 0 * * 1,4` runs at midnight every Monday and Thursday.
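As an added example (not the project's own `includes/vuln.sh`), the wrapper below handles the empty-list case noted above, so a scheduled run does not fail when `--porcelain` returns nothing, and it only passes well-formed slugs on to `wp`, since the list originates from a third-party API response. `WP_CMD` and the script name `vuln-update.sh` are assumptions, not part of the project.

```shell
#!/usr/bin/env bash
# Added example, not part of the 10up/wp-vulnerability-scanner project.
# Wraps `wp vuln <type>-status --porcelain` so that an empty result is a
# no-op instead of a failing `wp <type> update`, and only passes slugs
# that look like WordPress slugs to wp-cli (the list comes from an API
# response, so it is treated as untrusted input).
set -u

WP_CMD="${WP_CMD:-wp}"   # assumed: wp-cli on PATH; override for testing

# update_from_slugs TYPE
# Reads slugs, one per line, from stdin (the --porcelain output) and runs
# `wp TYPE update <slugs>`. Prints a message and returns 0 when there is
# nothing to update, so the caller never runs `wp plugin update` bare.
update_from_slugs() {
  type="$1"
  slugs=""
  while IFS= read -r slug || [ -n "$slug" ]; do
    case "$slug" in
      '') continue ;;                      # blank line
      *[!a-z0-9._-]*)                      # anything outside [a-z0-9._-]
        echo "skipping malformed slug: $slug" >&2; continue ;;
    esac
    slugs="$slugs $slug"
  done
  if [ -z "$slugs" ]; then
    echo "no vulnerable ${type}s with updates"
    return 0
  fi
  # shellcheck disable=SC2086  # intentional word splitting of the slug list
  "$WP_CMD" "$type" update $slugs
}

# Run directly as `./vuln-update.sh plugin` or `./vuln-update.sh theme`;
# with no arguments only the function is defined (handy for sourcing).
case "${1:-}" in
  plugin|theme) "$WP_CMD" vuln "$1-status" --porcelain | update_from_slugs "$1" ;;
  '') ;;
  *) echo "usage: $0 plugin|theme" >&2; exit 2 ;;
esac
```

Cron runs jobs under `/bin/sh` by default, where `&>` is not a redirection operator; in a crontab use `> /dev/null 2>&1` instead, or set `SHELL=/bin/bash` at the top of the file.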
### With email notifications

Included is a sample bash script, `includes/vuln.sh`. It can be customized and used in a cron job so that you are alerted when vulnerabilities are found.

- `WPCLIPATH` should be the full path to your `wp` command. The script will attempt to discover it automatically if the given filename does not exist.
- `RECIPIENT` should be the email address that will receive the notifications.
- `SUBJECT` is the email subject.

This readme does not discuss configuring the `mail` command on your server. To run a simple test, try:

```sh
echo "This is the body text" | mail -s "Email subject" recipient@example.com
```
### Nagios

```sh
wp vuln plugin-status --nagios
```

will give output suitable for Nagios monitoring.
Check a specific version of a theme or plugin. Example:

```sh
wp vuln theme-check twentyfifteen --version=1.1
```

Or check several at once (this form cannot accept versions):

```sh
wp vuln plugin-check wppizza wordpress-seo
```
The package tests require the `WP_CLI_BIN_DIR` and `WP_CLI_CONFIG_PATH` environment variables to be set:

```sh
export WP_CLI_BIN_DIR='/tmp/wp-cli-phar' && export WP_CLI_CONFIG_PATH='/tmp/wp-cli-phar/config.yml'
./bin/install-package-test.php
```

Note: it is not uncommon for Composer to run out of memory, so you may need to free up memory on your end.

```sh
./vendor/bin/behat features/vuln-theme-status.feature
```