
WordPress Security Just Leveled Up

The enormous popularity of WordPress and its open-source nature have made it a significant target for attackers, and security has long been a pressing issue within the WordPress ecosystem. This may change now that the commercial wing of WordPress has acquired a security company, a move that could help internalize security work and reduce the number of compromised sites.

### Third Party Plugin and Theme Developer Vulnerabilities

Common vulnerabilities such as Cross-Site Scripting (XSS) and WordPress API exploits often stem from poor coding practices by third-party plugin and theme developers within the WordPress ecosystem.

There are two primary points of failure. The first is when developers fail to sanitize what is being input or uploaded to a WordPress installation; for example, a contact form field should accept only plain text so that scripts or images are rejected. The second is not adequately checking the privilege level of the user interacting with the site, which leads to privilege escalation exploits in which an attacker holding the lowest access level gains the highest.
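As an added illustration of these two failure points (example code, not from the article, WPScan or Jetpack), the following hypothetical plugin registers a REST endpoint first without any capability check or sanitization, then in a hardened form using WordPress core functions; the namespace, route and option names are made up.

```php
<?php
// Added example (hypothetical plugin): a REST endpoint that stores a "site notice"
// option, shown in its weak form and then hardened. Names are made up.

// WEAK: anyone, including anonymous visitors, can call the endpoint and store raw
// HTML that is later echoed into every page (stored XSS); no capability check
// prevents low-privilege users from changing a site-wide setting.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-notice/v1', '/notice', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'example_notice', $req->get_param( 'text' ) ); // unsanitized
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => '__return_true', // no privilege check at all
    ) );
} );

// HARDENED: restrict the route to users who may manage options, validate and
// sanitize the argument before storage, and escape again when rendering.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-notice/v1', '/notice-safe', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' ); // privilege check
        },
        'args'                => array(
            'text' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field', // plain text, tags stripped
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 200;
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'example_notice', $req->get_param( 'text' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );

// Output: escape at render time too, so stored data can never become markup.
add_action( 'wp_footer', function () {
    $notice = get_option( 'example_notice', '' );
    if ( '' !== $notice ) {
        echo '<div class="example-notice">' . esc_html( $notice ) . '</div>';
    }
} );
```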

Every detected vulnerability is entered into a hand-curated database, the WPScan Vulnerability Database, which serves as a valuable resource for alerting the WordPress security community to newly discovered exploits. This database now belongs to the commercial arm of WordPress.

### WordPress Security Company Acquired by WordPress

Jetpack, a suite of WordPress tools that includes a security component, is a division of Automattic, the commercial arm of WordPress. Jetpack announced its acquisition of the well-known WPScan WordPress security company. WPScan provides resources that help the WordPress and WordPress security ecosystem address security issues swiftly.

Security has always been a crucial area for WordPress due to competitors highlighting it as a weakness. Hence, Jetpack’s acquisition of a company with a proactive stance on WordPress security makes strategic sense. Jetpack promised to keep the products free for non-commercial use, while noting that some aspects of WPScan would be integrated within the Jetpack suite’s security offerings.

### Why WPScan is Important

WPScan is a comprehensive database of vulnerabilities. It also provides:

– An API for accessing the database
– WPScan Security Scanner, a Command Line Interface (CLI) scanner
– A WordPress security plugin

### WPScan Database

WPScan is primarily an openly available database of WordPress vulnerabilities, accessible via an API. The information is hand-curated by WPScan and its contributors. WPScan is also an official CVE Numbering Authority (CNA), which allows it to assign the CVE identifiers by which vulnerabilities are referenced in the security community. The database is accessible to individuals, businesses, and security researchers. The data is free for a limited number of API calls, with affordable pricing for more extensive access and custom pricing for enterprise-level requirements.

### WPScan WordPress Security Scanner

WPScan also offers the WPScan WordPress Security Scanner, a CLI scanner that is free for non-commercial use and checks websites for vulnerabilities recorded in the WPScan database. The scanner checks for various issues, including:

– The WordPress version and any associated vulnerabilities
– Installed plugins and themes along with any associated vulnerabilities
– Username enumeration
– Weak passwords via brute forcing
– Publicly accessible wp-config.php files and database dumps
– Exposed error logs due to plugins

### WPScan WordPress Plugin

WPScan also offers a free plugin that scans a website to detect vulnerabilities within the WordPress installation or installed themes and plugins. Using the WPScan database API, the plugin provides daily scans that fall within the free tier of API usage. It checks for common weaknesses such as:

– Debug.log files
– wp-config.php backup files
– Enabled XML-RPC
– Code repository files
– Default secret keys
– Exported database files
– Weak passwords
– Whether HTTPS is enabled

The plugin’s main feature is rapid alerting when a site plugin, theme, or WordPress itself contains a known vulnerability, and again when a patch is issued.

### Why Did Jetpack Acquire WPScan?

Jetpack’s stated reason for acquiring WPScan is to make malware data and APIs more open source and ensure WPScan remains a high-quality security resource for the entire WordPress community. WPScan will operate independently in the near term and may be integrated into Jetpack Scan in the future. Current WPScan customers will not be impacted by the acquisition and will continue receiving high-quality WordPress security services.

### WordPress Security Will Improve

The WPScan founders will work for Automattic as part of the acquisition deal. An email to the WPScan community highlighted the benefits for the WordPress community, emphasizing faster improvements to services, new features and products, and making vulnerability data more open and accessible. This acquisition sets the WordPress development community on a path towards enhanced security features and improvements.

### Citations

– Jetpack Announcement of the WPScan Acquisition
– Official WPScan Plugin Page
