WordPress Security Scanning

Tue 03-Jul-2007

I’ve found BlogSecurity’s WordPress Scanner to be invaluable; I’ve recently brought a bunch of installs up to current, but I hadn’t considered XSS vulnerabilities in templates. Now that I know those have holes, too, I can patch them up.

Go give WordPress Scanner a shot: all you need to do to let it run is put <!-- wpscanner --> somewhere in your template. I’d suggest putting it in the Header, so that every page WordPress Scanner comes across carries the marker and can be scanned for vulnerabilities. Just be sure to remove it after the scan is over so some black hat can’t use it against you! ;)

It would be awesome if WordPress would include a post-upgrade scanner into the mix, checking your theme for possible holes. Upgrading WP only fixes the core files—any template you’ve used other than the default isn’t going to get fixed, and it could have a hole.

5 Responses to “WordPress Security Scanning”

  1. BlogSecurity » wp-scanner review Says:

    [...] Geof from gfmorris.wordpress.com gave wp-scanner such an awesome review that I just had to mention it, because he sheds light on exactly what wp-scanner is all about; I promise we didn’t pay him. [...]

  2. Geof F. Morris's Indiana Jones School of Management Says:

    Scan Your WordPress Installation

    I know that a lot of people who read this Weblog run their own WordPress-powered Weblogs. As a result, I will make the rare WP post here on IJSM.org [with its far superior Google-juice to my WordPress-oriented Weblog, which rarely gets posts, much les…

  3. Philipp Says:

    Hello Geof.
    About the post-upgrade Scanner:
    I think that this idea is nice, but maybe goes too far beyond what a platform developer should offer and do. I mean, it’s quite enough work to keep WP secure, and then taking care of security flaws within 3rd-party components may be way too much. In my eyes it would be OK if they would publish advisories which make the theme developer/plugin creator more careful about the common security flaws and how to write secure code.
    For checking your theme for XSS flaws you now have blogsecurity.net, isn’t that enough :)?

  4. To Whom It Concerns … » Blog Archive » How vulnerable is my blog? Says:

    [...] what one makes of the hints shown is of course up to each person. But at least the advice to always use the current version should [...]

  5. Geof F. Morris Says:

    Philipp: I don’t think that they should solve the problems, but simply let the user know that they exist. I’m willing to bet that a lot of users don’t ever bother to check on updates to their theme or their plugins—if it’s not broken, folks aren’t going to care about it. [Heck, I don't think that WordPress makes a big enough deal about upgrades with users, but that's another entry entirely.] It would be great to do this kind of scan.

    That said, there’s nothing to stop a plugin developer from developing a plugin for this very purpose: one that performs a check using BlogSecurity’s plugin, inserts the necessary <!-- wpscanner --> while the scanning is done, and then removes the HTML comment after testing is done. Hmmm.
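The opt-in marker described in the post and the plugin idea in the last comment, as an added example (not BlogSecurity’s or WordPress’s own code): a minimal plugin that prints <!-- wpscanner --> from the wp_head hook only during a time window an administrator arms, so the marker cannot be left behind after the scan. The function names, option name and default window are assumptions.

```php
<?php
/*
Plugin Name: Time-limited wp-scanner opt-in (example)
*/

// Option holding the Unix time until which the marker is emitted (assumed name).
define('WPSCANNER_OPTIN_OPTION', 'wpscanner_optin_until');

// Arm the opt-in for a limited number of minutes; only administrators may do so.
// Call this from an admin page or script right before starting a scan.
function wpscanner_optin_arm($minutes = 30) {
    if (!current_user_can('manage_options')) {
        return false;
    }
    update_option(WPSCANNER_OPTIN_OPTION, time() + (int) $minutes * 60);
    return true;
}

// Disarm immediately: the "remove it after the scan is over" step, done explicitly.
function wpscanner_optin_disarm() {
    delete_option(WPSCANNER_OPTIN_OPTION);
}

// Emit the marker in <head> only while the window is open. Once it has
// expired, the option is cleaned up so the marker cannot linger by accident.
function wpscanner_optin_output_marker() {
    $until = (int) get_option(WPSCANNER_OPTIN_OPTION); // false casts to 0
    if ($until <= 0) {
        return;
    }
    if (time() > $until) {
        delete_option(WPSCANNER_OPTIN_OPTION);
        return;
    }
    echo "<!-- wpscanner -->\n";
}
add_action('wp_head', 'wpscanner_optin_output_marker');
```

The marker is printed on every page that calls wp_head(), which covers the same ground as placing it in the theme’s Header, but it disappears on its own when the window closes.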
