
Managing a WordPress Website? External Vulnerability Scanners Can Boost Your Security


Defiant, the company behind the popular WordPress security plugin Wordfence (4 million+ active installs), released a new command-line interface (CLI) malware scanner just last week. Wordfence CLI is written in Python and can run on Linux cloud servers, PCs, and probably any other Linux device with enough processing power to host a website.

CLI security scanners aren’t a new phenomenon, with WPScan (see below) an old favourite among network and site administrators. But given Wordfence’s popularity among WordPress website owners, the team behind Wordfence is ideally positioned to build one of the most up-to-date malware scanners available.

But do you really need a security scanner if you already have security software installed on your website? As it turns out, there is a strong case to be made for periodically using a security scanner to scan your hosted apps and information.

Perhaps the most obvious benefit is that external security scanners are independent of the website or server being scanned, which means that in the event of security software being compromised, the scanner will provide a more objective second opinion on the state of your site or server’s security. Even when your site’s security software is functioning perfectly, an external security scan may use other scanning techniques or take into account other vectors that your site or server’s installed security software may not pick up.

This ties in neatly with the fact that such external scanners are considered a proactive security measure that can help identify potential vulnerabilities and threats before they have been exploited by an attacker. Contrast this to reactive security that addresses vulnerabilities after a security incident has occurred.

Then there’s the obvious PR benefit – clients and stakeholders will be more at ease knowing that security is being addressed from all sides. Plus, given that paid-for security scanners cost a fraction of what a breach does, they effectively work to protect your budget too.

Online WordPress Security Scanners

Online WordPress security scanners can be used to supplement your installed security plugin – useful if you suspect that an attacker somehow got hold of legitimate account details to infiltrate your site’s backend, and if you don’t have access to a Linux machine to run a CLI scanner. There are many to choose from, so here’s a short list of recommendations:

Storm Internet / SecurityMetrics PCI Vulnerability Scans


PCI DSS is arguably one of the most well-known security standards on the market. It aims to ensure that vendors who accept credit card information from customers are capable of protecting their data. If you store card data, then PCI compliance is a must. For other websites, the PCI DSS provides a solid framework for enhanced security.

Storm Internet’s external vulnerability scans are available for both servers and websites, and check for misconfigured firewalls, malware hazards, and remote access vulnerabilities, among others. Better still, they aren’t exclusively focused on WordPress – use them whether you’re running a custom site, Joomla, or Umbraco.

Here’s what’s included:

  • Approved Scanning Vendor (ASV) Scan Report Included
  • ASV Certificate Included (Proof of Compliance)
  • Dynamic “Security Verified” Site Seal Included
  • Managed PCI Compliance
  • Data Protection Guarantee
  • 24/7/365 Threat Monitoring

Although there is no free option available (it is a PCI-compliant scan, after all), scans start from a meagre £10 per month per site. Plus, if you’re a Storm customer with a managed website hosting or cloud server plan, any detected vulnerabilities will be repaired by us.

Sucuri Site Check

Acquired by GoDaddy in 2017, Sucuri is one of the leading WordPress security plugins with a free website security checker anyone can use to check for malware, viruses, blacklisting status, website errors, out-of-date software, and malicious code.

While the accuracy of its website monitoring and firewall detection is debatable (the site in the screenshot above has a firewall and monitoring enabled), the additional malware scans and blacklist checks are very useful. The scanner also provides suggestions for “Hardening Improvements”.


WPSec

Previously WPScans, WPSec’s online security scanner scans for “known bugs that have been indexed in our WordPress Vulnerability Database, which contains over 14000 reported vulnerabilities.”

WPSec’s report is straightforward and light on the technical stuff, simply letting you know that there’s a very high likelihood that your site is indeed safe, or not. For a more detailed report, easily create a free account and add your sites. Two or more sites require a premium account.

Pentest Tools

Pleasing on the eye and very easy to use, Pentest Tools’ WordPress Scanner runs through the usual gamut of security scans, ranking potential vulnerabilities either low, medium, or high.

Whether you’re viewing your scan results online or via the freely downloadable PDF report (no signup required), you’ll get an easy-to-understand description of risks and an accompanying remedial course of action. While the ‘Light’ scan doesn’t include plugin scanning, it does check whether your theme has any known vulnerabilities.

CLI vulnerability scanners for your website

The internet being, well, the internet, there is no shortage of malware and vulnerability scanners for websites. But some have been around a little longer and tend to do the job a little better. Let’s take a look.

Wordfence CLI

Although Wordfence CLI has the backing of the Wordfence brand, it’s worth keeping in mind that, at the time of writing, the CLI scanner only checks for malware. More to the point, if you’re using the free version, you’ll be relying on Wordfence’s Free Signature Set, which is also used by the free version of the Wordfence plugin. If you require scans for even more malware variants, you’ll have to shell out for one of the paid subscriptions.

How to install Wordfence CLI

Installing the Wordfence CLI is straightforward, and can be done in a few easy steps. The Wordfence CLI doesn’t seem to support remote URL scanning, so you’ll have to install it on the server where your site’s files reside. Here’s how:

1. Download the latest version from the Wordfence CLI GitHub page into a newly created directory on your PC or Linux cloud server.


2. Extract the package.

tar xvzf wordfence_1.0.1_amd64_linux_exec.tar.gz

3. Request your free key from the Wordfence CLI page.

4. Test your Wordfence CLI binary

./wordfence scan --version

If all goes well you should receive the Wordfence logo along with a version number.

5. Configure Wordfence CLI with the key you received from Wordfence (check your inbox)

./wordfence scan --configure

6. Run your first scan

./wordfence scan /var/www/your-site-root

For a full list of Wordfence CLI command-line arguments, see this page.


WPScan

WPScan uses both passive (non-invasive) and aggressive (invasive) scanning techniques to provide you with ample information about your WordPress website. Needless to say, use this tool with care – it’s strongly advised to use WPScan only for your own WordPress sites.

A few of the potential vulnerabilities WPScan checks for include:

  • The version of WordPress installed and any associated vulnerabilities
  • What plugins are installed and any associated vulnerabilities
  • What themes are installed and any associated vulnerabilities
  • Username enumeration
  • And many more

How to install WPScan CLI

1. WPScan CLI scanner is available as a Ruby gem, which makes installation very easy:

gem install wpscan

If you don’t have Ruby installed, you can do so with the following command:

sudo apt-get install libcurl4-openssl-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential libgmp-dev zlib1g-dev

2. To use WPScan, you’ll need a key which can be obtained by creating a free WPScan account.

3. Run the scan against your own site:

wpscan --url <your site URL here> --random-user-agent -e vp --plugins-detection mixed --api-token <your API token here>

The scanner might take a while to do its thing, but it does a thorough job and the results are detailed. Check out the full user guide for a more complete list of what the scanner checks for as well as command-line arguments.
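To run the WPScan check above periodically rather than by hand, the report can be written with WPScan's --format json and --output options and reduced to a worklist. The following is an added example, not code from WPScan or this article; the sample report is constructed, and the field layout it follows (version, main_theme and plugins, each with a "vulnerabilities" list carrying "title" and "fixed_in") is an assumption about that JSON output.

```python
import json

# Constructed sample, not a real scan. Field layout is an assumption about
# the structure of a report written by `wpscan --format json`.
SAMPLE_REPORT = json.loads("""
{"version": {"number": "6.2", "vulnerabilities": []},
 "main_theme": {"slug": "example-theme", "version": {"number": "1.4"},
                "vulnerabilities": []},
 "plugins": {
   "example-forms": {"version": {"number": "2.1.0"}, "vulnerabilities": [
     {"title": "Example Forms < 2.1.3 - Stored XSS", "fixed_in": "2.1.3"},
     {"title": "Example Forms <= 2.1.0 - CSRF", "fixed_in": null}]},
   "example-gallery": {"version": null, "vulnerabilities": []}}}
""")


def _component_findings(kind, name, data):
    """Yield one finding per vulnerability listed for a component."""
    version = (data.get("version") or {}).get("number")
    for vuln in data.get("vulnerabilities") or []:
        yield {
            "component": f"{kind}:{name}",
            "installed": version or "unknown",
            "title": vuln.get("title", "untitled"),
            # fixed_in is null when no patched release exists yet
            "action": (f"update to {vuln['fixed_in']}" if vuln.get("fixed_in")
                       else "no fix released: disable or replace"),
        }


def triage(report):
    """Flatten core, theme and plugin findings into one sorted worklist."""
    core = report.get("version") or {}
    findings = list(_component_findings("core", "wordpress", {
        "version": core, "vulnerabilities": core.get("vulnerabilities")}))
    theme = report.get("main_theme") or {}
    findings += _component_findings("theme", theme.get("slug", "unknown"), theme)
    for slug, plugin in (report.get("plugins") or {}).items():
        findings += _component_findings("plugin", slug, plugin)
    # Issues without a fix sort first: they need a decision, not an update
    return sorted(findings, key=lambda f: f["action"].startswith("update"))


def exit_code(findings):
    """Non-zero when anything was found, so cron or CI can alert on it."""
    return 1 if findings else 0


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['component']} ({f['installed']}): {f['title']} -> {f['action']}")
```
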


CLI security scanners like Wordfence CLI and WPScan add an additional layer of defense to your security strategy. These scanners are an invaluable tool for both detecting and preventing potential vulnerabilities, acting as a second set of eyes that can independently assess the state of your website’s security.

Whether you decide to go with Wordfence CLI, WPScan, or any other scanner, remember that the best security posture is a proactive one. Investing a little in advanced scanning today could save you a lot down the line, both in terms of finances and reputation.
