oscarssanchez / wpcli-vulnerability-scanner

This project forked from 10up/wpcli-vulnerability-scanner

WP-CLI command for checking installed plugins and themes for vulnerabilities reported on wpvulndb.com

License: MIT License

PHP 92.87% Shell 3.37% Gherkin 3.75%

WP-CLI Vulnerability Scanner

Check WordPress core, installed plugins and themes for vulnerabilities reported by wpvulndb.com.

Installation

Global command, automatically

It can be installed as a WP-CLI package directly from the git repo, which is the preferred way to install it:

wp package install git@github.com:10up/wpcli-vulnerability-scanner.git

WPvulnDB API Access

Per the WPvulnDB API documentation, you will need to register for a user account and supply an API token. Once you have acquired the token, you can add it as a constant in wp-config.php as follows:

define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );

Global command, manually

Clone this repo, and require wpcli-vulnerability-scanner.php from wp-cli config.

E.g. in ~/.wp-cli/config.yml (or another WP-CLI config location):

require:
  - /path/to/this/repo/wpcli-vulnerability-scanner.php

Standard plugin

This repo can be installed as a regular plugin. There is no UI, but the command will become available.

wp plugin install --activate https://github.com/10up/wpcli-vulnerability-scanner/archive/master.zip

After plugin installation, you can verify the command is in place with wp help vuln.

Usage

wp vuln status
  Options:
    --test               Load test data
    --format=<format>    Accepted values: table, csv, json, count, ids, yaml. Default: table
    --nagios             Output for Nagios

wp vuln core-status
  Options:
    --format=<format>    Accepted values: table, csv, json, count, ids, yaml. Default: table
    --nagios             Output for Nagios

wp vuln plugin-status
  Options:
    --test               Load test data
    --porcelain          Only print slugs of vulnerable plugins with updates
    --format=<format>    Accepted values: table, csv, json, count, ids, yaml. Default: table
    --nagios             Output for Nagios

wp vuln theme-status
  Options:
    --test               Load test data
    --porcelain          Only print slugs of vulnerable themes with updates
    --format=<format>    Accepted values: table, csv, json, count, ids, yaml. Default: table
    --nagios             Output for Nagios

Example usage

Basic

wp plugin update $(wp vuln plugin-status --porcelain)

This will simply error out if the plugin-status command returns no slugs. You can suppress the output by appending &> /dev/null:

wp theme update $(wp vuln theme-status --porcelain) &> /dev/null

Scheduled/Cron

0 0 * * * wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
0 0 * * * wp plugin update $(wp vuln plugin-status --porcelain) &> /dev/null

0 0 * * * is every day at midnight. For help creating an alternate schedule, check out http://crontab.guru/. For example, 0 0 * * 1,4 runs at midnight every Monday and Thursday.
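The cron lines above error out whenever the porcelain command returns no slugs, which on a healthy site is every night. The wrapper below is an added example written for this page, not code from the project: it captures the slug list first and skips the update when the list is empty, so the job exits cleanly on a clean site. To run offline it uses a constructed stub, fake_wp, that reports the two example plugin slugs used elsewhere in this README as vulnerable and no vulnerable themes; set WP to your real wp binary (for example WP=/usr/local/bin/wp) to use it for real.

```shell
#!/bin/sh
# Added example (not part of wpcli-vulnerability-scanner): a cron-safe wrapper
# around `wp <kind> update $(wp vuln <kind>-status --porcelain)` that does
# nothing, instead of erroring out, when no vulnerable items need updating.
set -u

# Path or name of the wp command. Defaults to the constructed stub below so the
# example runs offline; override with e.g. WP=/usr/local/bin/wp.
WP="${WP:-fake_wp}"

# Constructed stand-in for wp-cli (hypothetical): it reports the two example
# plugin slugs from this README as vulnerable and no vulnerable themes.
fake_wp() {
    case "$1 $2 ${3:-}" in
        "vuln plugin-status --porcelain") printf 'wppizza\nwordpress-seo\n' ;;
        "vuln theme-status --porcelain")  : ;;   # empty output: nothing vulnerable
        "plugin update "*|"theme update "*) shift 2; echo "would update: $*" ;;
        *) echo "fake_wp: unsupported call: $*" >&2; return 1 ;;
    esac
}

# Print the slugs of vulnerable $1s (plugin|theme) that have an update, one per line.
vulnerable_slugs() {
    "$WP" vuln "$1-status" --porcelain
}

# Update only the vulnerable $1s. Returns 0 when there was nothing to do or the
# update succeeded, non-zero when wp-cli failed.
update_vulnerable() {
    kind=$1
    slugs=$(vulnerable_slugs "$kind") || return 1
    if [ -z "$slugs" ]; then
        echo "no vulnerable ${kind}s with available updates" >&2
        return 0
    fi
    # Intentionally unquoted: --porcelain prints one slug per line, and word
    # splitting turns them into separate arguments for `wp <kind> update`.
    "$WP" "$kind" update $slugs
}

update_vulnerable plugin
update_vulnerable theme
```

Because the slugs are expanded unquoted, the wrapper relies on --porcelain printing one slug per line, which is what the option list above documents; a slug containing whitespace would be split, but WordPress.org slugs never contain it.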

With email notifications

A sample bash script, includes/vuln.sh, is included. It can be customized and used in a cron job so that you are alerted when vulnerabilities are found. Configure the following variables:

  • WPCLIPATH should be the full path to your wp command. The script will attempt to discover this automatically if the given filename does not exist.

  • RECIPIENT should be an email address which will receive the notifications.

  • SUBJECT is the email subject.

This readme does not discuss configuring the mail command on your server. To run a simple test, try

echo "This is the body text" | mail -s "Email subject" [email protected]

Nagios

wp vuln plugin-status --nagios will give output for Nagios monitoring.
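As an added example covering both the email notification script and the Nagios use above (written for this page; it is not the project's includes/vuln.sh), the script below queries wp vuln status --format=count, mails the full status table only when the count is non-zero, and exits with a Nagios-style status so one file can serve as a cron notifier and as a monitoring check. It keeps the WPCLIPATH, RECIPIENT and SUBJECT variable names the README uses. The stubs fake_wp (reporting two vulnerabilities) and fake_mail, and the address admin@example.invalid, are constructed so that the example runs offline; on a real host set WPCLIPATH to your wp binary and MAILER=mail.

```shell
#!/bin/sh
# Added example (not the project's includes/vuln.sh): notify by email only when
# `wp vuln status` reports vulnerabilities, and exit with a Nagios-style code so
# the same script works from cron and from a monitoring host.
set -u

WPCLIPATH="${WPCLIPATH:-fake_wp}"                  # real use: /path/to/wp
RECIPIENT="${RECIPIENT:-admin@example.invalid}"    # hypothetical address
SUBJECT="${SUBJECT:-[wp vuln] vulnerabilities found}"
MAILER="${MAILER:-fake_mail}"                      # real use: mail

# Constructed stand-in for wp-cli: two known vulnerabilities, plus a placeholder
# table for the email body (the real body is whatever `wp vuln status` prints).
fake_wp() {
    case "$*" in
        "vuln status --format=count") echo 2 ;;
        "vuln status") printf '(constructed table: two vulnerable plugins)\n' ;;
        *) echo "fake_wp: unsupported call: $*" >&2; return 1 ;;
    esac
}

# Constructed stand-in for `mail -s SUBJECT RECIPIENT`, which reads the body on stdin.
fake_mail() {
    echo "would mail [$2] to $3:"
    cat
}

# Print the number of reported vulnerabilities. Returns 1 when wp-cli fails or
# prints something that is not an integer (an error message, for example).
vuln_count() {
    n=$("$WPCLIPATH" vuln status --format=count 2>/dev/null) || return 1
    case "$n" in
        '' | *[!0-9]*) return 1 ;;
    esac
    echo "$n"
}

# Nagios conventions: 0 = OK, 2 = CRITICAL, 3 = UNKNOWN. Mail is sent only on CRITICAL.
check_and_notify() {
    n=$(vuln_count) || { echo "UNKNOWN: could not query wp vuln status"; return 3; }
    if [ "$n" -eq 0 ]; then
        echo "OK: no known vulnerabilities"
        return 0
    fi
    echo "CRITICAL: $n known vulnerabilities"
    "$WPCLIPATH" vuln status | "$MAILER" -s "$SUBJECT" "$RECIPIENT"
    return 2
}

# Demo run: with the stubs this prints CRITICAL, the mail that would be sent,
# and status 2. In cron or Nagios, end the script with a plain `check_and_notify`
# instead, so its status becomes the script's exit status.
rc=0; check_and_notify || rc=$?
echo "check status: $rc"
```

Treating a non-numeric or failed query as UNKNOWN rather than OK matters for monitoring: an expired API token or an unreachable API should show up as a problem, not as a clean site.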

Check uninstalled themes and plugins

Check a specific version of a theme or plugin. Example:

wp vuln theme-check twentyfifteen --version=1.1

Or check several at once (versions cannot be specified in this form):

wp vuln plugin-check wppizza wordpress-seo

Running Tests

Prerequisites:

You must set the environment variables WP_CLI_BIN_DIR, WP_CLI_CONFIG_PATH and VULN_API_TOKEN:

export WP_CLI_BIN_DIR='/tmp/wp-cli-phar'
export WP_CLI_CONFIG_PATH='/tmp/wp-cli-phar/config.yml'
export VULN_API_TOKEN='Your API Token Here'

Install dependencies

./bin/install-package-tests.sh

Note: It is not uncommon for Composer to run out of memory; you may need to free up memory on your machine.

Run tests

./vendor/bin/behat features/vuln-theme-status.feature

Contributors

trepmal, ritesh-patel, jeffpaul, hulet, allan23, oscarssanchez, eugene-manuilov, pabamato, tott, tylercherpak, vladox
