
10up / Wpcli Vulnerability Scanner

Licence: mit
WP-CLI command for checking installed plugins and themes for vulnerabilities reported on wpvulndb.com

WP-CLI Vulnerability Scanner

Check WordPress core, installed plugins and themes for vulnerabilities reported by wpvulndb.com.

Installation

Global command, automatically

It can be installed as a WP-CLI package directly from the git repository, which is the preferred installation method.

wp package install [email protected]:10up/wpcli-vulnerability-scanner.git

WPvulnDB API Access

Per the WPvulnDB API documentation, you will need to register for a user account and supply an API token. Once you have acquired the token, you can add it as a constant in wp-config.php as follows:

define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );

Global command, manually

Clone this repo and require wpcli-vulnerability-scanner.php from your WP-CLI config.

E.g. in ~/.wp-cli/config.yml (or any of the other config locations):

require:
  - /path/to/this/repo/wpcli-vulnerability-scanner.php

Standard plugin

This repo can be installed as a regular plugin. There is no UI, but the command will become available.

wp plugin install --activate https://github.com/10up/wpcli-vulnerability-scanner/archive/master.zip

After plugin installation, you can verify the command is in place with wp help vuln.

Usage

wp vuln status
  Options:
    • --test Load test data
    • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
    • --nagios Output for Nagios
wp vuln core-status
  Options:
    • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
    • --nagios Output for Nagios
wp vuln plugin-status
  Options:
    • --test Load test data
    • --porcelain Only print slugs of vulnerable plugins with updates
    • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
    • --nagios Output for Nagios
wp vuln theme-status
  Options:
    • --test Load test data
    • --porcelain Only print slugs of vulnerable themes with updates
    • --format=<format> Accepted values: table, csv, json, count, ids, yaml. Default: table
    • --nagios Output for Nagios

Example usage

Basic

wp plugin update $(wp vuln plugin-status --porcelain)

This will simply error out if the plugin-status command returns no slugs. You can suppress the output by appending &> /dev/null:

wp theme update $(wp vuln theme-status --porcelain) &> /dev/null

Scheduled/Cron

0 0 * * * wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
0 0 * * * wp plugin update $(wp vuln plugin-status --porcelain) &> /dev/null

0 0 * * * means every day at midnight. For assistance creating an alternate schedule, check out http://crontab.guru/. For example, 0 0 * * 1,4 runs at midnight every Monday and Thursday.

With email notifications

Included is a sample bash script, includes/vuln.sh, which can be customized and used in a cron job so that you are alerted when vulnerabilities are found.

  • WPCLIPATH should be the full path to your wp command. The script will attempt to discover this automatically if the given filename does not exist.

  • RECIPIENT should be an email address which will receive the notifications

  • SUBJECT is the email subject

This readme does not discuss configuring the mail command on your server. To run a simple test, try:

echo "This is the body text" | mail -s "Email subject" [email protected]
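The basic, cron and email sections above all build on the same --porcelain output. The script below is an added example, not the project's includes/vuln.sh, that ties them together: it filters the scanner output down to well-formed slugs, treats an empty result as a clean run instead of the error the bare wp plugin update $(...) form produces, and only sends mail when something vulnerable with an available update was found. It assumes that wp vuln plugin-status --porcelain and wp vuln theme-status --porcelain print one slug per line and that mail -s is configured on the host; the WPCLIPATH, RECIPIENT and SUBJECT variables reuse the names the readme gives for vuln.sh, the default RECIPIENT is a placeholder, and the optional second argument to scan is a hypothetical hook so the logic can be exercised without a WordPress install.

```sh
#!/bin/sh
# Added example, not the project's own includes/vuln.sh. Assumes that
# `wp vuln plugin-status --porcelain` / `wp vuln theme-status --porcelain`
# print one slug per line and that `mail -s` works on the host.
# WPCLIPATH, RECIPIENT and SUBJECT mirror the variable names the readme gives
# for vuln.sh; the default RECIPIENT is a placeholder address.

WPCLIPATH="${WPCLIPATH:-wp}"
RECIPIENT="${RECIPIENT:-admin@example.invalid}"
SUBJECT="${SUBJECT:-WordPress vulnerability report}"

# Keep only well-formed slugs (lowercase letters, digits, hyphens), drop blank
# lines and duplicates. Anything else on stdout, such as a PHP notice or a
# WP-CLI warning, is discarded rather than handed to `wp ... update`.
# The pipeline exits 0 even when nothing matches, so an empty result is not
# an error.
clean_slugs() {
  grep -E '^[a-z0-9-]+$' | sort -u
}

# Run the scanner for one kind ("plugin" or "theme"). The optional second
# argument replaces the real WP-CLI invocation (hypothetical hook, used only
# so the logic can be exercised without a WordPress install).
scan() {
  kind="$1"
  scanner="${2:-$WPCLIPATH vuln ${kind}-status --porcelain}"
  $scanner 2>/dev/null | clean_slugs
}

# Print the update command for the given kind, or nothing at all when no slug
# was returned. Exit status is 0 either way: the bare
# `wp plugin update $(wp vuln plugin-status --porcelain)` form errors out on
# a clean site, which makes cron report a failure for a good result.
update_command() {
  kind="$1"
  slugs="$2"
  [ -n "$slugs" ] || return 0
  printf '%s %s update %s\n' "$WPCLIPATH" "$kind" \
    "$(printf '%s\n' "$slugs" | tr '\n' ' ' | sed 's/ *$//')"
}

# Build the notification body; empty when neither list has entries.
report() {
  plugins="$1"
  themes="$2"
  [ -n "$plugins$themes" ] || return 0
  printf 'Vulnerable plugins with updates available:\n%s\n\n' "${plugins:-(none)}"
  printf 'Vulnerable themes with updates available:\n%s\n' "${themes:-(none)}"
}

main() {
  plugins=$(scan plugin)
  themes=$(scan theme)
  body=$(report "$plugins" "$themes")
  # Nothing found: stay silent so the daily mail only arrives when it matters.
  [ -n "$body" ] || return 0
  printf '%s\n' "$body" | mail -s "$SUBJECT" "$RECIPIENT"
  # Print the update commands instead of running them; pipe the output to sh
  # from cron if unattended updates are wanted.
  update_command plugin "$plugins"
  update_command theme "$themes"
}

# Run only when executed as vuln-report.sh, not when sourced.
if [ "${0##*/}" = "vuln-report.sh" ]; then
  main "$@"
fi
```

Save it as vuln-report.sh, set RECIPIENT and WPCLIPATH in the environment, and schedule it with the same crontab line shown above; because the script prints the update commands rather than executing them, the mail doubles as an audit trail of what would be changed, and appending | sh to the cron entry turns it into the unattended form.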

Nagios

wp vuln plugin-status --nagios will give output for Nagios monitoring.

Check uninstalled themes and plugins

Check a specific version of a theme or plugin. Example:

wp vuln theme-check twentyfifteen --version=1.1

Or check several at once (this form cannot take versions):

wp vuln plugin-check wppizza wordpress-seo

Running Tests

Prerequisites:

The WP_CLI_BIN_DIR, WP_CLI_CONFIG_PATH and VULN_API_TOKEN environment variables must be set:

export WP_CLI_BIN_DIR='/tmp/wp-cli-phar'
export WP_CLI_CONFIG_PATH='/tmp/wp-cli-phar/config.yml'
export VULN_API_TOKEN='Your API Token Here'

Install dependencies

./bin/install-package-tests.sh

Note: it is not uncommon for Composer to run out of memory; you may need to take steps to free up memory on your end.

Run tests

./vendor/bin/behat features/vuln-theme-status.feature
