WordPress Developer Notes
Introduction
WordPress scanner is a free online resource that blog administrators can use to provide a measure of their wordpress security level. It is BETA software and is continually being developed.
If you have landed here directly we suggest starting at the wp-scanner launch page.
This page is part of a group of pages discussing various aspects of wp-scanner. This particular page provides instructions on how to develop additional tests for the wp-scanner engine and how to submit them.
The WP-Scanner Engine
The WP-Scanner engine is quite straight forward. It works in four phases:
- Loads Tests from XML
- Call Network Liabrary and Execute Tests
- Parse Results
- Report Issues Found
XML Format for Tests
The test format is as follows:
<tests>
<title>WP Scanner Activation Plugin</title>
<test>
<url>index.php</url>
<descrip>WP Scanner Plugin Enabled. This is an authorised blog.</descrip>
<method>GET</method>
<params></params>
<match><!– wpscanner –></match>
<risk>None</risk>
<category>wpscan</category>
</test>
</tests>
Broken down we have:
- Title – This should include your name and email address
- URL – This is the page that is to be requested. This shouldn’t really be called URL as we are only referring to the script we intend to GET or POST content to not an entire URL.
- Descrip – This is a detailed explanation of what the test does, how the issue affects the user and a solution (if possible).
- Method – Currently, the engine only supports GET and POST, although other methods are available if required.
- Params – This field is only used when the POST method is used, otherwise it can remain blank. The POST params should be urlencoded (i.e. log%3Dadmin%26pwd%3Dtest%26wp-submit%3DLog%2BIn%26redirect_to%3D%2F%26testcookie%3D).
- Match – The regular expression function is based around preg_match. If an image is requested (i.e. akismet.gif), this field can be left blank.
- Risk – The test can be a “Low”, “Medium” or “High” risk issue.
- Category – In most cases this can be left as WordPress for the time being.
All submitted tests should follow the above XML example format.
Submitting Tests
If you would like to submit a test or query please use the contact form with the message starting with “wpscan development”.
Contributers
A list of test contributors here.
If you enjoyed this post, please leave a comment or subscribe to the feed and get future articles delivered to your feed reader.
Thanks for providing the XML test format as request, cheers! :)