WordPress is not only the most popular script that we host, it is also the one most frequently targeted by attackers. While critical vulnerabilities in the WordPress core are relatively rare, they are fairly common in plugins and themes. It is important that these items are always kept updated to help prevent a compromise.
This can be a confusing process because the WP admin interface may not accurately portray certain situations. For example, WordPress only checks the official WordPress.org repository for updates, so a plugin or theme installed from anywhere else may always show no updates being available even when a newer release exists. The WP admin interface also doesn't warn when something hasn't received an update in a while, which indicates that it may no longer be actively maintained. Both scenarios require special attention but are easily overlooked.
Further, if a WordPress site is compromised through a vulnerability, it can be very difficult to get it back online in a secure state. Typically, we recommend a complete fresh re-install because there is no easy way to tell what attackers may have modified or left behind. Even the last-modified dates on files can't be trusted once an account has been compromised, since an attacker can set them to whatever they like.
We know that there are already a lot of options out there for WordPress security, vulnerability scanning, etc. but we’ve found that all of them fall short in one way or another. Some of our clients have even paid for third party cleanup services only to find obvious malware left behind. As a result, we decided to create our own WordPress scanning utility. A preliminary beta version is currently available that we can use to scan your WordPress instance upon your request. Currently it will perform the following tasks:
- Check the WP core version and alert if the version is outdated or insecure.
- Check all plugin versions and alert if any are outdated or haven't received an update in six months or longer.
- Check all theme versions and alert if any are outdated or haven't received an update in six months or longer. Also alert if more than one theme is installed.
- Verify the checksum of every WP core file against the hashes published by WordPress.org for that release. This confirms that no core file has been modified, including by the injection of malicious code. (This check covers core files only; plugin and theme files are a separate, planned step.)
- Alert on any files found in the core directories that are not part of the WP core distribution.
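The core-integrity and extra-file checks in the two bullets above can be implemented by comparing an install tree against a path-to-MD5 manifest. The following is an added example written for this post, not the scanner's own code: it builds a constructed sample install in a temporary directory (one tampered core file, one missing core file, one file core never ships) and a manifest in the same shape the WordPress.org checksum API returns (a JSON object mapping relative paths to MD5 hex digests). The pristine file contents, the file names `wp-tmp.php` and `0.0.0-sample`, and the choice to ignore `wp-config.php`, `.htaccess` and everything under `wp-content/` when looking for unexpected files are all assumptions of the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for a handful of core files. A real run would fetch
# the manifest from https://api.wordpress.org/core/checksums/1.0/?version=...
# (JSON: {"checksums": {"relative/path": "<md5 hex>", ...}}) for the exact
# version and locale found in wp-includes/version.php.
PRISTINE = {
    "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": b"<?php\n// constructed stand-in, not the real file\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '0.0.0-sample';\n",
    "wp-admin/index.php": b"<?php\n// constructed stand-in\n",
}

# Assumption: site-specific files and user-installed plugins, themes and
# uploads live here, so they are never reported as "unexpected".
IGNORE_PREFIXES = ("wp-content/",)
IGNORE_FILES = {"wp-config.php", ".htaccess"}


def md5_of(path: Path) -> str:
    """MD5 hex digest of a file, read in chunks (the API publishes MD5s)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_from(pristine: dict) -> dict:
    """Build a {path: md5} manifest in the API's shape from constructed bytes."""
    return {p: hashlib.md5(data).hexdigest() for p, data in pristine.items()}


def verify_core(root: Path, checksums: dict) -> dict:
    """Compare an install tree against a checksum manifest.

    Returns sorted lists: 'modified' (hash mismatch), 'missing' (in manifest,
    not on disk) and 'unexpected' (on disk, outside ignored areas, not in the
    manifest). File modification times are deliberately not consulted.
    """
    on_disk = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if rel in IGNORE_FILES or rel.startswith(IGNORE_PREFIXES):
                continue
            on_disk[rel] = full
    modified = [p for p, want in checksums.items()
                if p in on_disk and md5_of(on_disk[p]) != want]
    missing = [p for p in checksums if p not in on_disk]
    unexpected = [p for p in on_disk if p not in checksums]
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def build_sample_install() -> tuple:
    """Write a constructed install: one tampered core file, one dropped file,
    one missing core file, plus ignored wp-content and wp-config.php."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    for rel, data in PRISTINE.items():
        if rel == "wp-admin/index.php":
            continue  # simulate a core file that has been deleted
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    # Tamper with a core file (a benign, constructed appended line).
    with (root / "index.php").open("ab") as f:
        f.write(b"\n// appended line that is not in the pristine file\n")
    # A file that core never ships (constructed name).
    (root / "wp-includes" / "wp-tmp.php").write_bytes(b"<?php // unexpected\n")
    # Site-specific content that must not be flagged.
    (root / "wp-config.php").write_bytes(b"<?php // site config\n")
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    return root, manifest_from(PRISTINE)


if __name__ == "__main__":
    root, checksums = build_sample_install()
    for kind, paths in verify_core(root, checksums).items():
        print(f"{kind}: {paths}")
```

Two design points matter in practice. First, the manifest must be the one for the exact core version and locale installed; comparing against the wrong release reports every changed file as "modified". Second, a clean result here says nothing about plugins, themes or uploads, which is why everything under `wp-content/` is excluded rather than silently reported as unexpected.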
Below is a sample screenshot of what this report may look like currently.
As we continue development on this project, we plan to add many more capabilities, including:
- Malware scanning of all files.
- Verifying the checksum of all theme and plugin files, and alerting on added files.
- Scanning for executable scripts of any kind in wp-content/uploads, where nothing but static media should ever live.
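The last planned check, hunting for executable scripts in wp-content/uploads, needs more than a file-extension match: a dropped file can hide behind a double extension (`photo.jpg.php`), carry PHP code under an image name, or arrive with a `.htaccess` that re-enables execution for the directory. The following is an added example written for this post, not the scanner's own code; it builds a constructed uploads tree in a temporary directory and classifies each file by all three signals. The extension list, the config-file names and the sample file names are assumptions of the example.

```python
import os
import tempfile
from pathlib import Path

# Extensions a PHP-enabled web server may execute. path.suffixes sees every
# extension in the name, so a double extension such as shell.jpg.php is caught.
EXEC_SUFFIXES = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# Per-directory config files that can turn execution back on inside uploads.
CONFIG_NAMES = {".htaccess", ".user.ini"}
# Open tags that mark PHP source regardless of the file name.
PHP_MARKERS = (b"<?php", b"<?=")


def classify(path: Path, head_bytes: int = 4096) -> list:
    """Return the list of reasons a file in uploads is suspicious (empty if none)."""
    reasons = []
    suffixes = {s.lower() for s in path.suffixes}
    if suffixes & EXEC_SUFFIXES:
        reasons.append("executable extension")
    if path.name in CONFIG_NAMES:
        reasons.append("server config in uploads")
    with path.open("rb") as f:
        head = f.read(head_bytes)
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("php open tag in content")
    return reasons


def scan_uploads(uploads: Path) -> dict:
    """Walk an uploads directory and map relative path -> reasons for every hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            full = Path(dirpath) / name
            reasons = classify(full)
            if reasons:
                findings[full.relative_to(uploads).as_posix()] = reasons
    return dict(sorted(findings.items()))


def build_sample_uploads() -> Path:
    """Write a constructed uploads tree: two clean files and four that should be flagged."""
    uploads = Path(tempfile.mkdtemp(prefix="wp-uploads-")) / "uploads"
    sample = {
        "2024/01/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2024/01/photo.jpg.php": b"<?php echo 'double extension'; ?>",
        "2024/02/thumb.png": b"<?php echo 'php behind an image name';",
        "2024/02/notes.txt": b"plain text, nothing to see",
        "2024/03/.htaccess": b"AddType application/x-httpd-php .png\n",
        "2024/03/index.phtml": b"<?= 'short echo tag' ?>",
    }
    for rel, data in sample.items():
        path = uploads / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return uploads


if __name__ == "__main__":
    for rel, reasons in scan_uploads(build_sample_uploads()).items():
        print(f"{rel}: {', '.join(reasons)}")
```

A hit on "php open tag in content" alone is only exploitable if the server is willing to execute that file, which is exactly what a stray `.htaccess` or `.user.ini` in uploads can arrange; reporting the two signals together makes that combination obvious. Reading only the first few kilobytes keeps the scan cheap on large media directories but will miss code appended to the end of a real image, so a later malware-scanning pass should read whole files.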
Eventually we hope to make these scans triggerable directly from within our portal without our intervention. Until then, you can simply submit a ticket to request a scan and we'll provide you with the results as quickly as possible. We'd love to hear any feedback or suggestions you may have!