WordPress security just got better

The overwhelming popularity of WordPress and the open-source nature of its ecosystem have made it an intense target for hackers. Security has long been a major issue for WordPress. That may have changed recently, when WordPress's business arm acquired a security company that can help internalize security and reduce hacking incidents.

Vulnerabilities of plugins and third-party theme developers

Common vulnerabilities like Cross-Site Scripting (XSS) and WordPress API exploits occur because of sloppy coding practices by third-party developers in the WordPress ecosystem.

The first of the two most common points of failure is when developers fail to sanitize what is entered into or uploaded to a WordPress installation. For example, if a contact form expects text, it must not accept scripts or images; there has to be a way to block anything other than what is expected.

The other coding failure is neglecting to verify the privilege level of the person interacting with the WordPress site. This leads to what is known as a privilege escalation exploit, where an attacker with the lowest access level is able to acquire the highest privileges.
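As an added illustration of the two failures just described (example code written for this article, not code from WordPress, WPScan or any plugin named here; the action name `se_save_note`, the option `se_note` and the nonce name `se_save_note_nonce` are hypothetical), the same admin-ajax handler is shown first with both defects and then hardened with WordPress's own sanitization and capability APIs:

```php
<?php
// Example code added for illustration; not from WordPress, WPScan or any named plugin.
// Hypothetical names: action 'se_save_note', option 'se_note', nonce 'se_save_note_nonce'.

// --- Defective handler: both failures described above ---------------------

// Registering the nopriv hook exposes the action to unauthenticated visitors.
add_action( 'wp_ajax_se_save_note_unsafe', 'se_save_note_unsafe' );
add_action( 'wp_ajax_nopriv_se_save_note_unsafe', 'se_save_note_unsafe' );

function se_save_note_unsafe() {
    // Failure 1: input stored verbatim. If the value is echoed later without
    // escaping, an injected <script> runs in every visitor's browser (stored XSS).
    update_option( 'se_note', $_POST['note'] );
    // Failure 2: no capability or nonce check, so the lowest-privileged caller
    // (here, anyone at all) can overwrite site data.
    wp_send_json_success();
}

// --- Hardened handler ------------------------------------------------------

// Only the logged-in hook is registered; the form must send a nonce created
// with wp_create_nonce( 'se_save_note_nonce' ) in the 'nonce' field.
add_action( 'wp_ajax_se_save_note', 'se_save_note' );

function se_save_note() {
    // Reject requests that did not originate from a form we rendered (CSRF).
    check_ajax_referer( 'se_save_note_nonce', 'nonce' );

    // Verify the caller's privilege level before touching site configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // The field expects plain text, so accept only plain text: tags, line
    // breaks and control characters are stripped. Use wp_kses_post() instead
    // if a limited set of HTML is genuinely expected.
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    if ( '' === $note || strlen( $note ) > 500 ) {
        wp_send_json_error( 'note must be 1-500 characters', 400 );
    }

    update_option( 'se_note', $note );
    wp_send_json_success( array( 'saved' => $note ) );
}

// Escape again at the point of output: sanitizing on input is not a reason
// to skip escaping on output.
function se_render_note() {
    echo '<p class="se-note">' . esc_html( get_option( 'se_note', '' ) ) . '</p>';
}

// Uploads get the same treatment: the field expects an image, so only file
// types WordPress itself recognises as images are accepted, and the content
// is checked against the declared extension rather than trusting the name.
function se_accept_image_upload( array $file ) {
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'se_bad_upload', 'Only JPEG and PNG images are accepted.' );
    }
    return wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
}
```

The two checks at the top of the hardened handler are independent: `check_ajax_referer()` proves the request came from a page the site served to this user, and `current_user_can()` proves that user is allowed to do this. Dropping either one reintroduces the privilege problem the text describes, because the `wp_ajax_*` hook alone only proves that someone is logged in, not who.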

Each vulnerability discovered is entered into a hand-curated database called the WPScan Vulnerability Database. It serves as a resource for the WordPress security community and as an alert system for newly discovered exploits.

This database now belongs to the commercial branch of WordPress.

WordPress security company acquired by WordPress

Jetpack, a division of WordPress's business arm Automattic, has announced the acquisition of the popular WordPress security company WPScan. WPScan provides resources that enable the WordPress and WordPress security ecosystem to tackle security issues quickly. Jetpack is a WordPress tool suite that also includes a security component.

WordPress security is an important area for WordPress, because it is what competitors cite as a WordPress weakness. So it makes sense for Jetpack to acquire a company with a proactive stance on WordPress security.

Jetpack has promised to keep the products free for non-commercial use while noting that part of WPScan will be absorbed into the security offering of the Jetpack suite of tools.

Why WPScan is important

WPScan is a vulnerabilities database.

WPScan also provides:

  • An API to access the database
  • WPScan Security Scanner, a command line interface (CLI) to scan
  • A WordPress security plugin

WPScan Database

WPScan is first and foremost an openly available database that logs WordPress vulnerabilities and makes the information available through an API.

Information on WordPress vulnerabilities is prepared by hand by WPScan and contributors.

WPScan is also an official CVE Numbering Authority (CNA), which means it can assign numbers by which vulnerabilities are referenced in the security community.

The database is accessible to individuals, businesses and security researchers.

Depending on the number of API calls made, the information is available for free through the API, at relatively modest prices for increased database access, and at custom pricing for business needs.

WordPress WPScan Security Scanner

WPScan also provides the WordPress WPScan Security Scanner, a command line interface (CLI) scanner that is free for non-commercial use and checks a website for vulnerabilities registered in the WPScan database.

Examples of what the free WPScan WordPress security scanner checks:

  • “The version of WordPress installed and all associated vulnerabilities
  • What plugins are installed and all associated vulnerabilities
  • What themes are installed and all associated vulnerabilities
  • Username enumeration
  • Users with weak passwords, via password brute force
  • wp-config.php backup files accessible to the public
  • Database dumps that can be accessed by the public
  • Whether error logs are exposed by plugins”

WordPress WPScan plugin

WPScan recently released a free plugin that scans a website to determine whether the WordPress installation itself and/or the installed themes and plugins have known vulnerabilities. The plugin uses the WPScan database API to check for vulnerabilities. A daily scan falls within the free API usage tier.

The plugin also looks for common weaknesses that could make a website vulnerable:

  • “Check the debug.log files
  • Look for the wp-config.php backup files
  • Check if XML-RPC is enabled
  • Find the code repository files
  • Check if the default secret keys are used
  • Find the exported database files
  • Weak passwords
  • HTTPS enabled”
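Several of the checks in that list concern files on disk and can be verified by a site owner without any network access. The following audit script was written for this article (it is not WPScan's plugin code, and the constant `SE_DEFAULT_KEY` and the `se_*` function names are hypothetical); it builds a small constructed WordPress-like tree in a temporary directory and reports the default secret keys, wp-config.php backups, debug.log, repository metadata and database dumps it finds there. XML-RPC, weak passwords and HTTPS are properties of the running site and are not covered here.

```php
<?php
// Example audit written for this article; not WPScan's plugin code.
// Hypothetical names: SE_DEFAULT_KEY, se_audit_wp_root(), se_build_sample_root(), se_remove_tree().

// Placeholder value shipped in wp-config-sample.php for every key and salt.
const SE_DEFAULT_KEY = 'put your unique phrase here';

// Returns a list of findings for the WordPress document root at $root.
function se_audit_wp_root( string $root ): array {
    $findings = [];

    // 1. Default secret keys: if the sample placeholder survives, the keys that
    //    sign cookies and nonces are public knowledge.
    $config = @file_get_contents( "$root/wp-config.php" );
    if ( false !== $config && false !== stripos( $config, SE_DEFAULT_KEY ) ) {
        $findings[] = 'wp-config.php still contains the default secret keys';
    }

    // 2. Backup copies (wp-config.php.bak, .old, ~, .save ...): the web server
    //    does not run them as PHP, so it would serve the database credentials as text.
    foreach ( glob( "$root/wp-config.php*" ) ?: [] as $path ) {
        if ( 'wp-config.php' !== basename( $path ) ) {
            $findings[] = 'wp-config.php backup present: ' . basename( $path );
        }
    }

    // 3. Debug log at the WP_DEBUG_LOG default location, often world-readable.
    if ( is_file( "$root/wp-content/debug.log" ) ) {
        $findings[] = 'wp-content/debug.log exists';
    }

    // 4. Version-control metadata inside the document root leaks source history.
    foreach ( [ '.git', '.svn', '.hg' ] as $vcs ) {
        if ( is_dir( "$root/$vcs" ) ) {
            $findings[] = "$vcs directory inside the document root";
        }
    }

    // 5. Database exports left where the web server can serve them.
    foreach ( [ '*.sql', '*.sql.gz', '*.sql.zip' ] as $pattern ) {
        foreach ( glob( "$root/$pattern" ) ?: [] as $path ) {
            $findings[] = 'database dump present: ' . basename( $path );
        }
    }

    return $findings;
}

// Constructed sample tree exhibiting every weakness above (not a real site).
function se_build_sample_root(): string {
    $root = sys_get_temp_dir() . '/se_wp_' . bin2hex( random_bytes( 4 ) );
    mkdir( "$root/wp-content", 0700, true );
    mkdir( "$root/.git", 0700 );
    file_put_contents( "$root/wp-config.php", "<?php\ndefine( 'AUTH_KEY', 'put your unique phrase here' );\n" );
    file_put_contents( "$root/wp-config.php.bak", "<?php\n// constructed old copy\n" );
    file_put_contents( "$root/wp-content/debug.log", "[01-Jan-2024 00:00:00 UTC] PHP Notice: constructed log line\n" );
    file_put_contents( "$root/backup.sql", "-- constructed dump\n" );
    return $root;
}

// Removes the constructed tree again.
function se_remove_tree( string $dir ): void {
    foreach ( array_diff( scandir( $dir ), [ '.', '..' ] ) as $entry ) {
        $path = "$dir/$entry";
        is_dir( $path ) ? se_remove_tree( $path ) : unlink( $path );
    }
    rmdir( $dir );
}

$root = se_build_sample_root();
foreach ( se_audit_wp_root( $root ) as $finding ) {
    echo "[!] $finding\n";
}
se_remove_tree( $root );
```

Run against the constructed tree it reports five findings, one per check. Pointed at a real document root (`se_audit_wp_root( '/var/www/html' )`), an empty result means only that these particular on-disk weaknesses are absent; the plugin's remaining checks still need the live site.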

The main feature of the WPScan plugin is to alert quickly when a site's plugins, themes or WordPress itself contain a known vulnerability, and when a patch is released for it.

Why did Jetpack acquire WPScan?

The reason Jetpack cites for acquiring WPScan is to open up the data even more and continue it as a resource for the entire WordPress ecosystem.

Jetpack announced:

“… Our goal for this acquisition is to make malware data and APIs more open source. We want to ensure that WPScan continues to be a high quality security resource for the entire WordPress community. To this end, we’ll explore ways to make the API completely free for non-commercial sites.

… WPScan will continue to operate independently in the short term and may be integrated with Jetpack Scan in the future.

Current WPScan customers will not be impacted by the acquisition in the short term and will receive the same high quality WordPress security service they have come to expect.”

WordPress security will improve

The founders of WPScan will work for Automattic as part of the acquisition deal.

An email to the WPScan community offered insight into how the WordPress community will benefit:

“Joining a company like Automattic will allow us to improve our services faster, implement new features and products, and research new ways to make our WordPress vulnerability data more open and accessible to the community.

We will also work closely with Automattic’s Jetpack Scan security team, leveraging their expertise to make the WordPress ecosystem even more secure for users.

This acquisition puts the WordPress development community on the path to new features and improvements that will help the entire WordPress community.


Read the Jetpack announcement of the WPScan acquisition:

Jetpack acquires WordPress WPScan vulnerability database

Visit the official WPScan plug-in page

WPScan – WordPress Security Scanner Plugin
