wp-scanner to detect backups
As many of you already know, wp-scanner is a free online vulnerability scanner for WordPress. The next release of wp-scanner hopes to include functionality to scan for backups.
While reviewing wp-scanner results and searching Google, it became clear that many backup plugins (two of the ones I have tested so far) store their backups inside the web root, where anyone on the Internet can download them. A backed-up database contains, among other things, the wp_users table with every user's password hash, so an attacker who obtains it is very likely to gain access to your WordPress installation and possibly to the web server itself.
We urge plugin developers to remember to store sensitive data outside the web root directory so that these files are not accessible from the Internet.
The risk is mitigated for those readers who implemented our ideas in BlogSec’s Hardening WordPress article.
In preparation for the backup detection features we have made a minor release, details to follow.
We have now added a Nikto-style engine to wp-scanner. For those of you who aren't familiar with Nikto, it is an open-source security tool that checks web servers for common files that may pose a security risk. My changes over the weekend allow us to begin scanning blogs for dangerous files related to WordPress. Version 1.3 currently only checks for the password files of aa-password-protect.
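To show what the backup detection and the Nikto-style file checks described above boil down to, here is an added example in Python. It is not wp-scanner's code: the candidate paths are constructed guesses at where a careless plugin might write, not wp-scanner's check list or any particular plugin's real paths, and the sample site, SQL dump and directory listing are constructed so the example runs offline. The one caveat a practitioner will want is built in: many WordPress themes serve 404.php with a 200 status, so a 200 on backup.sql proves nothing until it is compared against the page the server returns for a path that cannot exist.

```python
"""Nikto-style probe for backup files left inside a WordPress web root.

Added example, not wp-scanner's own code. Candidate paths and the fake
site are constructed for this example.
"""
import difflib
import random
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed guesses, not taken from wp-scanner or from any particular plugin.
CANDIDATE_PATHS = [
    "backup.sql",
    "wp-content/backup.sql",
    "wp-content/backups/",
    "wp-content/uploads/backup.sql.gz",
    "wp-config.php.bak",
]
SQL_DUMP_MARKERS = (b"-- MySQL dump", b"CREATE TABLE", b"INSERT INTO")
DIR_LISTING_MARKERS = (b"Index of /", b"Parent Directory")

# A fetcher maps a path relative to the blog root to (HTTP status, body).
Fetcher = Callable[[str], Tuple[int, bytes]]


@dataclass
class Finding:
    path: str
    kind: str  # "sql-dump", "directory-listing" or "file"
    size: int


def classify(body: bytes) -> str:
    """Label what was actually served, not what the file name suggests."""
    if any(m in body for m in SQL_DUMP_MARKERS):
        return "sql-dump"
    if any(m in body for m in DIR_LISTING_MARKERS):
        return "directory-listing"
    return "file"


def _normalise(body: bytes, path: str) -> bytes:
    # Soft-404 pages usually echo the requested path; strip it before comparing.
    return body.replace(path.encode(), b"")


def scan(fetch: Fetcher, paths: List[str] = CANDIDATE_PATHS) -> List[Finding]:
    """Probe each candidate path, suppressing soft-404 responses.

    A random path that cannot exist is requested first. If the server answers
    200 even for that, a 200 on a candidate only counts when its body differs
    from that catch-all page (themes often serve 404.php with status 200).
    """
    probe = "".join(random.choices(string.ascii_lowercase, k=16)) + ".bak"
    base_status, base_body = fetch(probe)
    base_body = _normalise(base_body, probe)
    findings: List[Finding] = []
    for path in paths:
        status, body = fetch(path)
        if status != 200:
            continue
        if base_status == 200:
            ratio = difflib.SequenceMatcher(
                None, _normalise(body, path), base_body, autojunk=False).ratio()
            if ratio >= 0.9:
                continue  # same catch-all page the server returns for anything
        findings.append(Finding(path, classify(body), len(body)))
    return findings


def http_fetcher(base_url: str, timeout: float = 10.0) -> Fetcher:
    """Fetcher for a live blog you are authorised to test (not used offline)."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Tuple[int, bytes]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + "/" + path,
                                        timeout=timeout) as resp:
                return resp.status, resp.read(65536)  # dumps are big; sample them
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return fetch


# Constructed sample content so the example runs offline.
SAMPLE_DUMP = (b"-- MySQL dump 10.13\n"
               b"CREATE TABLE `wp_users` (`ID` bigint, `user_login` varchar(60), "
               b"`user_pass` varchar(64));\n"
               b"INSERT INTO `wp_users` VALUES (1,'admin','$P$BsampleHashForThisExample');\n")
SAMPLE_LISTING = (b"<html><head><title>Index of /wp-content/backups</title></head><body>"
                  b"<h1>Index of /wp-content/backups</h1><a href='../'>Parent Directory</a>"
                  b"<a href='backup-2007.sql'>backup-2007.sql</a></body></html>")


def make_fake_site(files: Dict[str, bytes], soft_404: bool) -> Fetcher:
    """Stand-in host: serves `files`; everything else gets a real 404 or,
    with soft_404 set, a 200 catch-all page that echoes the requested path."""
    def fetch(path: str) -> Tuple[int, bytes]:
        if path in files:
            return 200, files[path]
        if soft_404:
            return 200, (b"<html><head><title>Page not found</title></head><body>"
                         b"<div id='header'>My Blog</div><h1>Oops, nothing here</h1>"
                         b"<p>No page matches /" + path.encode() + b"</p>"
                         b"<div id='footer'>Powered by WordPress</div></body></html>")
        return 404, b"Not Found"
    return fetch


if __name__ == "__main__":
    site = make_fake_site({"wp-content/backup.sql": SAMPLE_DUMP,
                           "wp-content/backups/": SAMPLE_LISTING}, soft_404=True)
    for f in scan(site):  # reports the dump and the listing, not the soft 404s
        print(f"{f.kind:17} {f.size:6d} bytes  {f.path}")
```

Against the constructed site the scan reports wp-content/backup.sql as an SQL dump and wp-content/backups/ as a directory listing, while backup.sql and wp-config.php.bak, which only produce the theme's 200 "not found" page, are suppressed. Pointing http_fetcher at a real blog would feed the same logic live; the body classification matters because an exposed dump is the wp_users hashes and more, whereas a bare "file" hit on a .bak or .gz name still needs a look by hand.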
We have also expanded wp-scanner’s plugin detection database.
A side note to users: we have received quite a few troubleshooting questions about wp-scanner and its usage. A number of variables may prevent some blogs from being tested; we are investigating. Apologies that time has not permitted us to respond to each of you.
I forgot to post this, plug this into Google: