WordPress Scanner Information Page
About us
BlogSecurity are security evangelists with a specific focus on Web 2.0-related security. Learn more about us.
Introduction
WordPress scanner is a free online resource that blog administrators can use to get a measure of their WordPress security level. It is BETA software and is continually being developed.
This page is the primary help page for wp-scanner. All official documentation can be found on this page or through the links provided.
How to Run WP-Scanner
To run wp-scanner, you have to download the wp-scanner activator plugin. This plugin is only about 5 lines long. All it does is add “<!--wp-scanner-->” to your current WordPress template. Why does it do this? Simply put, it allows us to verify that you actually own the blog and have permission to test it. Please remember to disable the plugin after use, or others will be able to scan your blog too. More precise instructions are available here (if required).
If the plugin fails for some reason, wp-scanner now supports text file verification. Simply download the following file and place it in your blog directory (i.e. /wordpress/wpscan.txt).
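A post-scan check for the reminder above, as an added example that is not BlogSecurity's code: it reports whether the `<!--wp-scanner-->` template marker or the `wpscan.txt` file is still reachable, which is what lets others scan the blog. The function names, the sample pages and treating any HTTP 200 for `wpscan.txt` as "present" are assumptions.

```python
from html.parser import HTMLParser
import urllib.error
import urllib.request

MARKER = "wp-scanner"       # comment body the activator plugin adds (from the page)
VERIFY_FILE = "wpscan.txt"  # fallback verification file name (from the page)


class CommentCollector(HTMLParser):
    """Collect real HTML comments only; marker text that appears escaped in a
    post or inside a <script> string is delivered as data, not as a comment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip().lower())


def marker_present(html):
    """True if the page contains the <!--wp-scanner--> verification comment."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    return MARKER in collector.comments


def exposure(home_html, verify_file_status):
    """List the verification artefacts that are still publicly reachable.
    Assumption: any HTTP 200 for wpscan.txt counts; the page does not say
    what the scanner expects the file to contain."""
    found = []
    if marker_present(home_html):
        found.append("template marker")
    if verify_file_status == 200:
        found.append(VERIFY_FILE)
    return found


def fetch(url, timeout=10):
    """Return (status, body); HTTP error responses become (code, '')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_blog(base_url):
    """Run the check against your own blog (needs network access)."""
    base = base_url.rstrip("/") + "/"
    _, html = fetch(base)
    status, _ = fetch(base + VERIFY_FILE)
    return exposure(html, status)


# Constructed sample pages, so the example runs offline.
PLUGIN_STILL_ON = "<html><body><h1>My blog</h1><!--wp-scanner--></body></html>"
PLUGIN_OFF = ("<html><body><p>I added &lt;!--wp-scanner--&gt; to my theme.</p>"
              "<script>var s = '<!--wp-scanner-->';</script></body></html>")

if __name__ == "__main__":
    print(exposure(PLUGIN_STILL_ON, 404))  # plugin left enabled
    print(exposure(PLUGIN_OFF, 200))       # wpscan.txt left behind
    print(exposure(PLUGIN_OFF, 404))       # clean
```

An empty list from `check_blog` means neither verification artefact was found; anything else should be removed before the blog is left unattended.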
Launch WP-Scanner (once Activation Plugin is enabled)
Once you have activated the wp-scanner plugin, you can click on the “WordPress Scanner” page on the BlogSecurity menu. Alternatively, click here:
I provided links to both scanners for the time being. Note, the Old WP-Scanner is no longer supported and will soon be removed altogether. For the time being, it is worth running both as the new version is currently not as detailed.
Frequently Asked Questions
Link to FAQ here.
Contributor Notes
Link to contributor notes (coming soon).
Developer Notes
Link to developer notes here.
Found a bug?
If you have found a problem with wp-scanner, please report it so we can continue to improve the service.
Get Notified of Updates
Subscribe to the BlogSecurity RSS feed or via email and keep up to date with the latest WordPress Security developments and news.
WP-Scanner in News
The WordPress version survey was largely successful; it was released on both Slashdot and SecurityFocus. These articles date from when wp-scanner was first conceived in early 2007. A lot has been done since then.
Comments
[...] wp-scanner online has just been released; we are still bouncing ideas around the project but check it out and feel free to try the BETA. [...]
Nick, I must have removed the link, but it is now available here
[...] wp-scanner online is still in its infant stages, the results of these tests are certainly eye opening. You’ll [...]
[...] see bloggers and fanatics so interested in Security. Germany have been especially interested in the wp-scanner as well as many [...]
[...] Security Scanning July 3rd, 2007 I’ve found BlogSecurity’s WordPress Scanner to be invaluable for me; I’ve recently brought a bunch of installs up to current, but I [...]
[...] from gfmorris.wordpress.com gave wp-scanner such an awesome review that I just had to mention it, because he sheds light on exactly what [...]
[...] Blog Security website is a useful resource for testing the security on your WordPress blog. The wp-scanner tool will look at your blog and give you useful information about your themes, your WP install and [...]
[...] Still, one would feel more comfortable if there were some tools for testing security (at least with regard to already known holes). Much like port scanners and the like, there is also a WordPress Scanner from BlogSecurity.net. [...]
[...] previously talked about a vulnerability scanner for Wordpress; now I present wp-scanner, which does almost the same thing (with some extra features) but online, without running anything on [...]
[...] the wp-scanner online results were out. WordPress has been popular lately, but, whether or not it is because it is open source, it has quite a lot of security holes compared with Movable Type, so I can't help being concerned. [...]
[...] that this scanner from BlogSecurity is really useful, as it lets you take a quick X-ray of your own [...]
[...] [ BlogSecurity : Wordpress Scanner ] DATE July 9th, 2007 AUTHOR myself CATEGORY News, Security [...]
[...] tool that can help you find the vulnerabilities of your website; the tool is WordPress Scanner, and so that no one can run these tests it requires you to put a piece of code in the index.php in your [...]
[...] your blog secure, be very careful with plugins, etc. If your blog is wordpress you have Wp-scanner, a fairly good online tool that performs a basic check of the security with which [...]
[...] net, even children or lamers could do it. This is where the service offered by BlogSecurity can come in handy, a new site where you can run a scan specific to blogs, reporting [...]
[...] of the blog by the WP-Scanner from BlogSecurity. It tests both the plugins and the Wordpress theme in use for [...]
[...] this in an interview with BlogSecurity. On that very site, BlogSecurity, there is also a tool with which you can test your Wordpress installation for holes, as well as an article on how to [...]
[...] BlogSecurity has 2 developers eager to develop wp-scanner to the next level. However, it has been decided that we will also bring on a paid team leader to [...]
[...] http://blogsecurity.net/wordpress/tools/wp-scanner/ you can have your Wordpress blog checked for security. To do so, however, you have to [...]
[...] WP themes can pose security risks every now and then, such as , a visit to the WP-Scanner is worthwhile. Contentschmiede also recommends checking your own blog regularly. Post [...]
[...] help is at hand: over at blogsecurity lies a small plugin that will scan your WordPress installation for known [...]
I receive a 404 when I click on the wpscan link - is it off or did I misunderstand the usage of the scanner?
[...] You can check HTML/CSS compliance with standards. It won't add security, but it should add order and browser compatibility. I also found that you can check the security of the blog and its templates against XSS attacks with WordPress Scanner. [...]
[...] Scripting Vulnerabilities in themes. As a result of these vulnerabilities, I made use of the WordPress scanner at BlogSecurity.net to check all activated themes as I did the upgrades. If your theme was vulnerable, I moved you to [...]
[...] wp-scanner at BlogSecurity have analyzed 1000 blogs built with WordPress to discover the templates that [...]
testing…
I finally upgraded to Wordpress 2.2.2 and I'm testing whether everything works… I wanted to fix the validation issue once and for all, damn it, but it keeps throwing more and more errors in the sidebar. I'm also going to see whether I can get the OpenI… thing working properly
[...] free one that scans for and detects XSS (cross-site scripting) vulnerabilities in our theme: WP-Scanner. For now it only tells us whether we have a versi
[...] BlogSecurity » WordPress Scanner Site that lets you check for malicious code in wordpress themes (tags: wordpress security) [...]
[...] is on holiday… so no cartoon WordPress Scanner (tool that analyzes your template looking for XSS and other security problems) Send email [...]
[...] WordPress Scanner is a tool for finding weaknesses in a WordPress installation and the necessary [...]
[...] BlogSecurity » WordPress Scanner (tags: wordpress scanner security blog tool xss blogging) [...]
Please note there is a bug we are trying to work out, where some blogs cannot use wp-scanner, we are working on it. Thanks for letting us know.
[...] and direct you to how to fix them. The main page to get the plugin and read up on how it works is http://blogsecurity.net/wordpress/tools/wp-scanner/. Remember though, once you use the scanner, go back and disable the plugin you installed on your [...]
[...] blogsecurity.net, a security tool is proposed to check your own blog: WP-Scanner. It’s like a Nessus scanner but “blog oriented”. I tested it on this blog and [...]
[...] according to BlogSecurity, which analyzed 1000 blogs using wp-scanner, 11.5% of the blogs that use Wordpress are vulnerable to XSS attacks. This problem was [...]
[...] Blog Security offers a “WordPress Theme Scanner WordPress Plugin” which looks for common WordPress template flaws and security issues in your WordPress Themes, reporting on what may need changing or updating. It doesn’t get everything, but they are working on improving it all the time. Consider testing your WordPress Theme, whether or not you designed it yourself. [...]
[...] WordPress Scanner will look at your blog and give you useful information about your themes, your WP install and any security type issues that you should address on your blog. [...]
[...] BlogSecurity » WordPress Scanner WordPress Scanner checks whether the wordpress blog has any security vulnerabilities in its plugins or themes. (tags: blog security wordpress plugin) [...]
[...] (has holes). Those who want to test their own blog with this scanner can visit http://blogsecurity.net/wordpress/tools/wp-scanner and run the test before your blog is tested by someone else [...]
I also review this plug in on my blog.
[...] I will consult. I already made a start today with blogsecurity.net and the WP-Scanner there [...]
[...] have just updated my themes and checked my blog for other XSS vulnerabilities using the WP Scanner by Blogsecurity.net and now everything is [...]
[...] achieve nothing! There are more ways to find out whether an exploit is feasible. Or you test whether your blog is threatened by known holes! Recommend this post to other users [...]
[...] there are a few tips on what you can do to search your blog for anomalies. And check out BlogSecurity. Additional article info 1. Tags: security, spam, wordpress 2. Related [...]
[...] For a few days now there has been a “Wordpress-Scanner”. It is an online tool that checks your own blog for security holes etc. Since you have to install a plugin, nobody else can scan your blog either. Provided you deactivate the plugin again after your own scan. This way to the security scan for blogs [...]
[...] not communicate to the outside as well. Here are a few more tips on the subject, and “BlogSecurity” is also worth a visit. Blog Security is a tool with which you can check your blog for [...]
[...] have seen more and more people using our wp-scanner service to test their WordPress blogs for common security weaknesses. wp-scanner has been used to [...]
[...] there is a test that takes a close look at the installed Wordpress along with its plugins. The “WordPress Scanner” checks whether the blog is affected by known problems. Whether that always works 100% is [...]
[...] Use the wordpress online security scanner. This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template and look at your plugins for vulnerabilities. [...]
[...] WordPress Scanner - Of course, we totally agree with using BlogSec’s online wp-scanner service :) [...]
[...] most disturbingly, until yesterday, WP-Sphere was the number one paid search result for “WordPress Themes” on Google. Today, there are sites and plug-ins devoted to blog security and detecting vulnerabilities. But [...]
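[...] Most disturbingly, until yesterday, WP-Sphere was still the number one paid search result for “WordPress Themes” on Google. Today, there are dedicated sites and plug-ins for checking blog security and site vulnerabilities, but WordPress is so popular that in the near future it will have to deal with these directly. Its flexibility has made it widely popular, and has also let people with ulterior motives insert malicious code into blogs. Now, the blogging community has to adopt some form of certification process that does not stifle innovation. [...]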
[...] of all things Wordpress-ey. The blogger’s quest for security should start with installing the wp-scanner and loginlockdown as well as WPIDS (WordPress Intruder Detection System) plugins. It’s as [...]
[...] Wordpress scanner WordPress Scanner although in its infant phase, supports the following security checks: [...]
[...] which I ended up using on all my blogs is WordPress Scanner. With a few simple steps, following the instructions that you will [...]
[...] BlogSecurity ” WordPress Scanner … you can have your Wordpress blog checked for security. … Pingback by 9 ways to secure your WordPress blog - Simplehelp — September 10, 2007 … [...]
[...] the most disturbing thing is that, until just yesterday, WP-Sphere was the number one “paid search result” on Google for the search term “WordPress Themes”. Today, plug-ins and dedicated sites that examine security vulnerabilities [...]
[...] designer’s tips on security. Oh and if you’re really gutzy - or lazy - check out the wp scanner - should help you take care of some [...]
[...] Security has released a plugin that you will need to download, install and activate. Once activated just head over to their online [...]
[...] You can go there and learn more: http://blogsecurity.net. They also have a cool blog WordPress scanner. It will scan your blog, and give you a report detailing the security of your blog. You can check it out here: http://blogsecurity.net/wordpress/tools/wp-scanner/ [...]
Has anybody successfully used WP-SCANNER recently?
I keep getting “ERROR: Server read timed out”.
Is the load on the server too high at this moment, or is something else wrong?
Thanks,
Nick
Nick, hope you came right. The next version is on the cards, but it’s a massive overhaul, so bear with us.
[...] like what I found im my footer where they usually put the code. It could be. 4.Testing it with the WordPress Theme Scanner Plugin before using it. 5. Remove the Version Meta Tag: In your blog’s header.php template tag, remove [...]
Thank you for this plugin. I run two wordpresses and have just learned about wp scanner and installed it on both wps. I have run it and after wandering around in google, managed to make almost all of the recommended fixes.
I have religiously upgraded to latest stable releases whenever WP announces them. I am NOT a programmer - I know just enough about it to get myself in trouble. For future releases of the scanner, it might not be a bad idea to draft a few more hints about how to fix things. I have 3 questions:
1.) I have removed the version number from the header so that “Wordpress version leak” has been eliminated. I now get the following message. “No WordPress version found; ensure you are scanning with the correct WordPress directory.” What does this mean?
2.) There were some plugins in “WordPress Plugins Found”. I upgraded them to their latest releases and yet there are still two plugins listed. I am reluctant to discard the plugins. What is to be changed so they do not show up?
3.) Under the heading “WordPress Options Found”, there is a version leak listed beside ‘wp-major-ver’. Where is this wp-major-ver file found?
[...] thing is that today I came across wp-scanner, a scanner of Wordpress invulnerabilities (which I'm not sure whether it works well or a [...]
Thanks for the great scanner and plugin that helped might secure my wp blog in the past.
On running the tool today, I come to see that my installed version 2.2.3 DE is still considered up to date from a security point of view. Is this correct?
(Update to 2.5.1 will take some time, as I adapted some parts of wp to my needs.)
Thanks, best wishes
Hi tinne, that’s hard to say if your WordPress Version is still secure, as much as we know there’s no Security Issue directly addressed to WP 2.2.3(DE). But as within each new branch not all code is rewritten, so it’s quite possible that Security holes from 2.3.x or even 2.5.x are within 2.2.x, but we can’t tell as we don’t have the time to track for each version if that hole is present within that version or not.
If you want to stay safe you should get at least the latest 2.3 version, even better the one from the trunk as within 2.3.3 a security hole was discovered within recent days.
[...] Wordpress such as Blogsecurity.net let you keep track of the various flaws and even scan your blog to assess its level of security. It regularly publishes white papers on [...]
I’ve just used the scanner and it tells me “This blog is running a vulnerable version of WordPress, please upgrade to the latest version available here.”.
I am using version 2.5.1, which is the latest version available.
Other than that, nice tool - thanks.
[...] that worked in much the same way as antivirus or anti-spyware software? That’s exactly what WordPress Scanner from BlogSecurity.net is meant to provide. The simple plug-in needs only be uploaded and activated, [...]
[...] give you is to run a security audit of your blog via external web services such as WP Scanner for Wordpress or via a plugin such as WP Security Scan. These solutions will analyze the structure of [...]
[...] Tip: Please download and install the WP Vulnerability Scanner plugin. When done, simply activate it and launch WP-Scanner and then de-activate it once [...]
[...] you think you need a more concrete-solid protection against unauthorized access, you can install wp-scanner plugin to get your list of security risks on your [...]
[...] WordPress Scanner - a plugin for checking whether your blog has been broken into. The scan is done by triggering a CGI on this developer page. [...]
[...] Another very important plugin is WP Security Scan. It warns you when there are problems and suggests recommendations you should follow. It is a very useful plugin, and easy to use and install. Some people recommend another plugin with a similar name called WP Scanner. [...]
[...] security checks on your blog. You can do this using the Wordpress scanner plugin, available from: wp-scanner. Scanner will perform the following security checks on your [...]
[...] don’t have it, you probably should do it now! One Last Tip: Please download and install the WP Vulnerability Scanner plugin. When done, simply activate it and launch WP-Scanner and then de-activate it once you’re done [...]
[...] that there were people using security scanners as well as some well-known applications -such as WP-Scanner-). However, even with all these utilities, only 1 was able to find/enumerate the exact version of [...]
[...] additional that will add to your blog's power to fend off attacks, you can install the wp-scanner plugin to obtain a list of your blog's additional security holes that have not yet been detected. Well, next [...]
[...] WordPress Scanner This is another security scanner that requires a plugin to be installed, but is then processed through an external site to determine any vulnerabilities. It is still a work in progress and the developer has made a call to security professionals to enhance its features. We have not yet tried this method and recommend proceeding with some caution if you are a beginner. [...]
[...] Unfortunately, every blog will have security holes unknown to the webmaster until a break-in has occurred. However the WordPress developers over at BlogSecurity have created a WordPress scanner plugin which can be found here. [...]
[...] redirect. Also, be sure to scan through your theme files for anything suspicious, and install the Wordpress scanner plugin to catch anything you might have [...]
[...] BlogSecurity releases next-gen WordPress scanner. The tool is still BETA but has some cool new features like an XML driven test engine allowing anyone to contribute tests. We hope to split this project off to other open source apps. as resources permit. [...]
[...] WPSCAN is a plugin from blogsecurity that lets you test the security of your blog through the site. The principle is simple: you install the plugin and then go to the blog, where you enter your blog's address to launch the test. Once that is done, all that remains is to check the points flagged. [...]
[...] WP-Scanner. Measures your WordPress security level with a remote scan. May not work with some themes. [...]
[...] WP Scanner is a plugin and service at same time that uses plugin to validate that you are scanning your own blog and then use a web interface to test your blog security! [...]
I forgot that I’d requested a scan on one of my new installations - I saw the scan and assumed it was an attack until I traced it back to this site and remembered “Oh yeah. I asked them to do that.” Anyway, bloody awesome, I need the crap scared out of me like that more often! Keep it up!
[...] WP Scanner (rated 8 out of 10): Scans your WordPress installation and provides a measure of your WordPress security level (requires install of WP-Scanner Activator; at time of this writing their site was down and throwing an internal server error). [...]




[...] can verify this as it has been working on a similar project and will release the latest version of wp-scanner later this week which includes some additional theme vulnerability checks as well as some bug [...]