Filed Under (Tools) by DK on 26 May 2007

wp-scanner online was made available on 23/06/07.
Check out some screenshots of wp-scanner in action, Demo 1,
Demo 2.

To run wp-scanner, please download the wp-scanner activator plugin. Once downloaded, simply activate it, launch wp-scanner, and then de-activate it once you're done. More detailed installation instructions are available here.

LAUNCH WP-SCANNER

The WordPress version survey was largely successful; it was released on both Slashdot and SecurityFocus, which I am quite pleased about. But now on to something even more interesting: that was just the appetizer.

I received a lot of questions regarding how my survey was conducted. I was going to write an aftermath post (which I still may do), but decided to release my tool, "wp-scanner", instead.

WordPress Scanner, although in its infant phase, supports the following security checks:

  • WordPress Version Check (currently supports 7 version checks). Future releases will include a file existence version check, for those blogs that have removed their version details.
  • Tests the WordPress theme template for basic XSS vulnerabilities
  • Enumerates WordPress Plugins. Future releases will perform additional tests in this area.
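As an added illustration of the version check above (this is example code, not wp-scanner's own), the following Python shows the defender-side logic such a scan runs over a fetched front page: it honours the `<!-- wpscanner -->` identity marker from the changelog so that only a blog whose owner has activated the plugin is scanned, reads the version from the generator meta tag, compares it numerically against an assumed latest release, and escapes page-derived text before it reaches the report. The sample HTML and the `LATEST_VERSION` value are constructed for the example.

```python
import re
from html import escape

# Constructed sample front page, standing in for what the online scanner fetches
# from the blog being tested (not real wp-scanner output).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.2" />
</head><body>
<!-- wpscanner -->
<p>Hello world</p>
</body></html>"""

# Assumed latest release for the comparison; a real scanner keeps its own table
# of the versions it knows (the post mentions 7 version checks).
LATEST_VERSION = (2, 5, 1)


def has_identity_marker(html):
    """Blog Identity Check: the activator plugin emits this HTML comment, so a
    scan only proceeds for a blog whose owner has switched the plugin on."""
    return re.search(r"<!--\s*wpscanner\s*-->", html) is not None


def find_version(html):
    """Return the version advertised by the generator meta tag, or None when
    the owner has stripped it from header.php."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"',
                  html, re.IGNORECASE)
    return m.group(1) if m else None


def parse_version(text):
    """'2.2' -> (2, 2, 0). Comparing numeric tuples avoids the classic string
    comparison mistake where '2.10' sorts below '2.9'."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def scan(html, latest=LATEST_VERSION):
    """Return (risk, message) findings for one fetched page. Text lifted from
    the scanned page is HTML-escaped before it goes into the report, so a
    hostile generator tag cannot inject script into the scanner's output."""
    if not has_identity_marker(html):
        return [("info", "wpscanner marker not found; activate the plugin "
                         "and scan the correct WordPress directory")]
    version = find_version(html)
    if version is None:
        return [("info", "No WordPress version found; the generator meta tag "
                         "is absent (or you are scanning the wrong directory)")]
    findings = [("low", "WordPress version leak: generator meta tag "
                        "advertises " + escape(version))]
    if parse_version(version) < latest:
        findings.append(("high", "Outdated WordPress %s; latest known is %s"
                         % (escape(version), ".".join(map(str, latest)))))
    return findings
```

A blog already on the assumed latest release produces only the "version leak" finding, which is the behaviour a correct numeric comparison should give.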

The original tool was written for command line use, but we moved it to CGI to allow ease of use for both technical and non-technical users alike.

The original command line tool is no longer supported, but is still available for download here. More information available here.

We are looking for 2 individuals (possibly more) with some security experience to become contributors to the BlogSecurity project. If you are interested please contact me via the Contact Form.

Changelog:
v1.2c
- Added Blog Identity Check (<!-- wpscanner -->)
v1.2b
- Added XSS protection to output
- Added FeedBurner
v1.2 Release
- Online version updated only
- Additional plugin payloads
- Minor bug fixes
- Risk ratings and highlighting
v1.1 Release
- Some additional plugin payloads
- WordPress Template XSS Check
- Bug fixes, especially in other XSS checks.

Read and Contribute to BlogSec News!

Comments

[…] can verify this as it has been working on a similar project and will release the latest version of wp-scanner later this week which includes some additional theme vulnerability checks as well as some bug […]


Eliena Andrews on 12 June, 2007 at 11:19 pm #

Thanks for this nice tool. Hope it works.


Philipp on 17 June, 2007 at 1:28 am #

What will it display if some style file is vulnerable?


BlogSecurity » wp-scanner goes online on 23 June, 2007 at 5:22 am #

[…] wp-scanner online has just been released; we are still bouncing ideas around the project but check it out and feel free to try the BETA. […]


nick botulism on 30 June, 2007 at 3:43 pm #

I could not find the link to the unsupported command-line version. Is it indeed still available?


David Kierznowski on 30 June, 2007 at 4:37 pm #

Nick, I must have removed the link, but it is now available here


[…] wp-scanner online is still in its infant stages, the results of these tests are certainly eye opening. You’ll […]


BlogSecurity » Request for Comments on 2 July, 2007 at 3:17 pm #

[…] see bloggers and fanatics so interested in Security. Germany have been especially interested in the wp-scanner as well as many […]


[…] Security Scanning July 3rd, 2007 I’ve found BlogSecurity’s WordPress Scanner to be invaluable for me; I’ve recently brought a bunch of installs up to current, but I […]


BlogSecurity » wp-scanner review on 3 July, 2007 at 1:43 pm #

[…] from gfmorris.wordpress.com gave wp-scanner such an awesome review that I just had to mention it, because he sheds light on exactly what […]


[…] Blog Security website is a useful resource for testing the security on your WordPress blog. The wp-scanner tool will look at your blog and give you useful information about your themes, your WP install and […]


[…] Nevertheless, one would feel more comfortable if one could use some tools to test security (at least with regard to already known holes). Similar to port scanners and the like, there is also a WordPress Scanner from BlogSecurity.net. […]


wp-scanner, check the security of your blog on 8 July, 2007 at 4:15 pm #

[…] Link | wp-scanner. […]



[…] spoke earlier about a Vulnerability Scanner for WordPress; now I present wp-scanner, which does almost the same (with some extra functions) but online, without running anything on […]


[…] the results from wp-scanner online came out. WordPress is popular lately, but, perhaps because it is open source, it has quite a few more security holes than Movable Type, which keeps bothering me. […]


RedBulk » Blog Archive » Wp-Scanner on 9 July, 2007 at 1:32 am #

[…] Web - Wp-Scanner […]


[…] Official: wp-scanner. via: […]


[…] that this scanner from BlogSecurity is really useful, since it lets you take a quick X-ray of your own […]


[…] I want to scan my site too! […]


[…] Info: WordPress Scanner Scanner online: Wordpress Scanner […]


[…] [ BlogSecurity : Wordpress Scanner ] DATE July 9th, 2007 AUTHOR myself CATEGORY News, Security […]


[…] a tool that can help you find the vulnerabilities of your website; the tool is WordPress Scanner, and so that nobody else can run these tests on you it requires you to put a code in the index.php of your […]


[…] keep your blog secure, be very careful with plugins, etc. If your blog is WordPress you have Wp-scanner, a fairly good online tool that performs a basic check of the security with which […]


[…] the net, even children or lamers could do it. This is where the service offered by BlogSecurity comes in handy, a new site where you can run a blog-specific scan that reports […]


[…] of the blog by the WP-Scanner from BlogSecurity. It tests both the plugins and the WordPress theme in use for […]


Webrocker » Wordpress Security on 14 July, 2007 at 1:39 pm #

[…] this in an interview with BlogSecurity. On that same site, BlogSecurity, there is also a tool with which you can test your WordPress installation for holes, as well as an article on how to […]


BlogSecurity » Hot from the griddle on 17 July, 2007 at 3:21 am #

[…] BlogSecurity has 2 developers eager to develop wp-scanner to the next level. However, it has been decided that we will also bring on a paid team leader to […]


[…] http://blogsecurity.net/wordpress/tools/wp-scanner/ you can have your WordPress blog checked for security. To do so, however, you must […]


[…] WP themes can time and again present security risks, as , a visit to the WP-Scanner is worthwhile. The Contentschmiede also recommends a regular check of your own blog. Post […]


[…] 2. Then go to this WordPress Scanner site to run a scan. There is an example of the report format here […]


Blind Ape Seo » Wordpress security scanner on 23 July, 2007 at 11:50 am #

[…] help is at hand: over at blogsecurity lies a small plugin that will scan your WordPress installation for known […]


marcelo on 29 July, 2007 at 7:03 am #

Excellent tool, luckily my blog is secure :D


bix on 1 August, 2007 at 8:45 am #

I receive a 404 when I click on the wpscan link - is it off or did I misunderstand the usage of the scanner?


David Kierznowski on 1 August, 2007 at 10:13 am #

bix, try again.



“Check by 3 p.m.” : nežinau.lt on 3 August, 2007 at 6:31 am #

[…] You can check your HTML/CSS for standards compliance. That won't add security, but it should add tidiness and browser compatibility. I also found that you can check the security of your blog and its templates against XSS attacks with WordPress Scanner. […]


BlogSecurity » BlogSecurity Reloaded on 4 August, 2007 at 4:39 pm #

[…] BlogSecurity […]


[…] Scripting Vulnerabilities in themes. As a result of these vulnerabilities, I made use of the WordPress scanner at BlogSecurity.net to check all activated themes as I did the upgrades. If your theme was vulnerable, I moved you to […]


[…] wp-scanner at BlogSecurity have analysed 1000 blogs built with WordPress to discover the templates that […]


ICeman on 8 August, 2007 at 2:42 am #

testing…

I finally updated to WordPress 2.2.2 and am testing whether everything works… I wanted to sort out the validation issue once and for all, but it keeps throwing more errors in the sidebar. I'm also going to see if I can get the OpenI… thing working properly


[…] a free one that scans and detects XSS (Cross site scripting) vulnerabilities in our theme: WP-Scanner. For now it only tells us if we have a versi


[…] offers a service, WordPress Scanner. It can scan your WordPress […]


Friday Favorites - 08/10/07 | WebGeek on 10 August, 2007 at 9:04 am #

[…] Test the security of your WordPress blog with the WP Scanner. […]


WordPress Security on 10 August, 2007 at 7:29 pm #

[…] A Plugin and the WP-Scanner checking your blog for vulnerabilities […]


links for 2007-08-11 : Rockerspace.net on 11 August, 2007 at 1:38 am #

[…] BlogSecurity » WordPress Scanner Site that lets you check for malicious code in WordPress themes (tags: wordpress security) […]


[…] |Via Genbeta| |wp-scanner| […]


The best of the week - 40 | Napolux.com on 12 August, 2007 at 8:32 am #

[…] is on holiday… so no cartoon. WordPress Scanner (a tool that analyses your template looking for XSS and other security problems) Send email […]


[…] WordPress Scanner is a tool for finding weaknesses in a WordPress installation and the necessary […]


links for 2007-08-12 « napyfab:blog on 13 August, 2007 at 12:28 am #

[…] BlogSecurity » WordPress Scanner (tags: wordpress scanner security blog tool xss blogging) […]


dk on 15 August, 2007 at 6:32 pm #

Please note there is a bug we are trying to work out, where some blogs cannot use wp-scanner, we are working on it. Thanks for letting us know.


WordPress Security » Post » Gutes von Morgen on 16 August, 2007 at 11:28 am #

[…] theme can be checked for security holes with the WP-Scanner […]


[…] and direct you to how to fix them. The main page to get the plugin and read up on how it works is http://blogsecurity.net/wordpress/tools/wp-scanner/. Remember though, once you use the scanner, go back and disable the plugin you installed on your […]


/dev/random » Blog Archive » WP-Scanner on 17 August, 2007 at 10:26 pm #

[…] blogsecurity.net, a security tool is proposed to check your own blog: WP-Scanner. It’s like a Nessus scanner but “blog oriented”. I tested it on this blog and […]


11.5% of blogs are vulnerable to attacks on 21 August, 2007 at 3:05 am #

[…] according to BlogSecurity, which analysed 1000 blogs using wp-scanner, 11.5% of blogs using WordPress are vulnerable to XSS attacks. This problem was […]


Protecting Your WordPress Blog « Lorelle on WordPress on 10 September, 2007 at 12:00 pm #

[…] Blog Security offers a “WordPress Theme Scanner WordPress Plugin” which looks for common WordPress template flaws and security issues in your WordPress Themes, reporting on what may need changing or updating. It doesn’t get everything, but they are working on improving it all the time. Consider testing your WordPress Theme, whether or not you designed it yourself. […]


9 ways to secure your WordPress blog - Simplehelp on 10 September, 2007 at 8:44 pm #

[…] and install the wp-scanner plugin. It performs the following security […]


[…] WordPress Scanner will look at your blog and give you useful information about your themes, your WP install and any security type issues that you should address on your blog. […]


links for 2007-09-12 on 12 September, 2007 at 1:25 pm #

[…] BlogSecurity » WordPress Scanner WordPress Scanner checks whether a WordPress blog has some security vulnerabilities in its plugins or themes. (tags: blog security wordpress plugin) […]


[…] (has holes). For those who want to test their own blog with that scanner, please visit http://blogsecurity.net/wordpress/tools/wp-scanner and run the test before your blog is tested by someone else […]


lain on 2 October, 2007 at 11:04 am #

I also reviewed this plugin on my blog.


F-LOG-GE » Blog Archive » Many thanks on 8 October, 2007 at 9:48 pm #

[…] I will consult. Today I already made a start with blogsecurity.net and the WP-Scanner there […]


[…] have just updated my themes and checked my blog for other XSS vulnerabilities using the WP Scanner by Blogsecurity.net and now everything is […]


links for 2007-10-13 | Patrick Kempf on 13 October, 2007 at 1:28 pm #

[…] BlogSecurity » WordPress Scanner (tags: wordpress security scanner) […]


[…] are no use! There are more ways to determine whether an exploit is feasible. Or test whether your blog is threatened by known holes! Recommend this post to other users […]


[…] there are a few tips on what you can do to search your blog for anomalies. And check out BlogSecurity. Additional article info 1. Tags: security, spam, wordpress 2. Related […]


[…] For a few days now there has been a “WordPress Scanner”. It is an online tool that checks your own blog for security holes etc. Since you have to install a plugin, nobody else can scan your blog. Provided you deactivate the plugin again after your own scan. Here is the security scan for blogs […]


Why WP updates are so important : BIGOD:NET on 28 October, 2007 at 10:56 am #

[…] not communicate that to the outside world either. Here are a few more tips on the topic, and “BlogSecurity” is also worth a visit. Blog Security is a tool with which you can check your blog for […]


BlogSecurity » Blog Archive » wp-scanner Q&A on 29 October, 2007 at 12:29 pm #

[…] have seen more and more people using our wp-scanner service to test their WordPress blogs for common security weaknesses. wp-scanner has been used to […]


[…] there is a test that takes a close look at the installed WordPress along with its plugins. The “WordPress Scanner” checks whether the blog is affected by known problems. Whether that always works 100% is […]


10 Ways to Secure your Wordpress Install | Hackosis on 4 November, 2007 at 8:50 pm #

[…] Use the wordpress online security scanner. This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template and look at your plugins for vulnerabilities. […]


wiertnice on 15 November, 2007 at 6:19 pm #

Now I can check the security of my blog


[…] WordPress Scanner - Of course, we totally agree with using BlogSec’s online wp-scanner service :) […]


WordPress users, be careful « ThE SQuID MAn on 20 November, 2007 at 2:04 am #

[…] (has holes). For those who want to test their own blog with that scanner, please visit http://blogsecurity.net/wordpress/tools/wp-scanner and run the test before your blog is tested by someone else […]


Of WordPress Themes & Web Security - GigaOM on 27 November, 2007 at 5:58 am #

[…] most disturbingly, until yesterday, WP-Sphere was the number one paid search result for “WordPress Themes” on Google. Today, there are sites and plug-ins devoted to blog security and detecting vulnerabilities. But […]



Are Hackers Exploiting WordPress Themes? | GENMICHA on 2 December, 2007 at 10:46 pm #

[…] Most disturbingly, until yesterday WP-Sphere was still the number one paid search result for “WordPress Themes” on Google. Today there are dedicated sites and plugins for checking blog security and site vulnerabilities, but WordPress is so popular that in the near future it will have to deal with this directly. Its flexibility has made it widely popular, but also lets people with bad intentions insert malicious code into blogs. Now the blogging community will have to adopt some form of certification process that does not stifle innovation. […]


[…] of all things Wordpress-ey. The blogger’s quest for security should start with installing the wp-scanner and loginlockdown as well as WPIDS (WordPress Intruder Detection System) plugins. It’s as […]


[…] Wordpress scanner WordPress Scanner although in its infant phase, supports the following security checks: […]


Are hackers exploiting WordPress themes? | GENMICHA on 16 December, 2007 at 2:40 am #

[…] Most disturbingly, until yesterday WP-Sphere was still the number one paid search result for “WordPress Themes” on Google. Today there are dedicated sites and plugins for checking blog security and site vulnerabilities, but WordPress is so popular that in the near future it will have to deal with this directly. Its flexibility has made it widely popular, but also lets people with bad intentions insert malicious code into blogs. Now the blogging community will have to adopt some form of certification process that does not stifle innovation. […]


Robberto Bos on 22 December, 2007 at 12:35 am #

When I try wp-scanner, I keep getting: “Can’t connect to host”…


肺癌 on 22 December, 2007 at 9:56 am #

Now I can check the security of my blog


Jonathon on 27 December, 2007 at 12:40 am #

A very useful plugin; I will use it each time I use or upgrade my WordPress plugin. Thanks again.


Dulcidine on 15 January, 2008 at 10:40 am #

I want to thank you guys for this and the other great plugins and documentation. Very useful.



BlogSecurity | Webz on 18 January, 2008 at 7:38 pm #

[…] which I ended up using on all my blogs is WordPress Scanner. With a few simple steps, following the instructions that […]



[…] BlogSecurity ” WordPress Scanner … you can have your WordPress blog checked for security. … Pingback by 9 ways to secure your WordPress blog - Simplehelp — September 10, 2007 … […]


Hacked on 23 January, 2008 at 2:04 pm #

[…] WordPress Scanner […]



[…] the most disturbing thing is that until just yesterday WP-Sphere was the number one “paid search result” on Google for the search term “WordPress Themes”. Today there are plugins and dedicated sites that examine security vulnerabilities […]


Tyger on 6 February, 2008 at 3:11 am #

I just keep getting “server read timeout”



Improving Wordpress Security In Five Easy Steps on 12 February, 2008 at 1:18 pm #

[…] Wordpress Scanner […]


[…] the most disturbing thing is that until just yesterday WP-Sphere was the number one “paid search result” on Google for the search term “WordPress Themes”. Today there are plugins and dedicated sites that examine security vulnerabilities […]


[…] designer’s tips on security. Oh and if you’re really gutsy - or lazy - check out the wp scanner - should help you take care of some […]


[…] Security has released a plugin that you will need to download, install and activate. Once activated just head over to their online […]


[…] You can go there and learn more: http://blogsecurity.net. They also have a cool blog WordPress scanner. It will scan your blog, and give you a report detailing the security of your blog. You can check it out here: http://blogsecurity.net/wordpress/tools/wp-scanner/ […]


Nick on 4 March, 2008 at 4:16 am #

Has anybody successfully used WP-SCANNER recently?

I keep getting “ERROR: Server read timed out”.

Is the load on the server too high at this moment, or is something else wrong?

Thanks,
Nick


DK on 6 March, 2008 at 10:32 pm #

Nick, hope you came right. The next version is on the cards, but it's a massive overhaul, so bear with us.


[…] like what I found in my footer where they usually put the code. It could be. 4.Testing it with the WordPress Theme Scanner Plugin before using it. 5. Remove the Version Meta Tag: In your blog’s header.php template tag, remove […]


[…] BlogSecurity » Blog Archive » WordPress Scanner […]


ejm on 25 March, 2008 at 3:42 pm #

Thank you for this plugin. I run two wordpresses and have just learned about wp scanner and installed it on both wps. I have run it and after wandering around in google, managed to make almost all of the recommended fixes.

I have religiously upgraded to latest stable releases whenever WP announces them. I am NOT a programmer - I know just enough about it to get myself in trouble. For future releases of the scanner, it might not be a bad idea to draft a few more hints about how to fix things. I have 3 questions:

1.) I have removed the version number from the header so that “Wordpress version leak” has been eliminated. I now get the following message. “No WordPress version found; ensure you are scanning with the correct WordPress directory.” What does this mean?

2.) There were some plugins in “WordPress Plugins Found”. I upgraded them to their latest releases and yet there are still two plugins listed. I am reluctant to discard the plugins. What is to be changed so they do not show up?

3.) Under the heading “WordPress Options Found”, there is a version leak listed beside ‘wp-major-ver’. Where is this wp-major-ver file found?


[…] WordPress Scanner […]


[…] the thing is that today I came across wp-scanner, a scanner of WordPress invulnerabilities (which I'm not sure works well or […]


tinne on 26 April, 2008 at 11:21 am #

Thanks for the great scanner and plugin that helped me secure my wp blog in the past.
On running the tool today, I come to see that my installed version 2.2.3 DE is still considered up to date from a security point of view. Is this correct?
(Update to 2.5.1 will take some time, as I adapted some parts of wp to my needs.)
Thanks, best wishes


Philipp on 26 April, 2008 at 7:33 pm #

Hi tinne, it’s hard to say whether your WordPress version is still secure; as far as we know there’s no security issue directly addressed to WP 2.2.3 (DE). But since within each new branch not all code is rewritten, it’s quite possible that security holes from 2.3.x or even 2.5.x are within 2.2.x, but we can’t tell, as we don’t have the time to track for each version whether that hole is present within that version or not.
If you want to stay safe you should get at least the latest 2.3 version, or even better the one from the trunk, as within 2.3.3 a security hole was discovered within recent days.


[…] and run the WP Scanner WordPress Plugin from Blog […]


[…] you can install wordpress scanner for blog […]


[…] WordPress such as Blogsecurity.net let you follow the various flaws and even scan your blog to assess its degree of security. It regularly publishes white papers on […]


n252 on 4 May, 2008 at 11:35 pm #

Demo 1 and Demo 2 links don’t work :(


Rob Ferrer on 8 May, 2008 at 3:25 pm #

I’ve just used the scanner and it tells me “This blog is running a vulnerable version of WordPress, please upgrade to the latest version available here.”.

I am using version 2.5.1, which is the latest version available.

Other than that, nice tool - thanks.

