markri / wp-sec

Wp-sec is an extension for wp-cli which checks for WordPress CVE security issues at wpvulndb.com
MIT License

error 429 #16

Closed cericoda closed 6 years ago

cericoda commented 6 years ago

I am having a problem where sometimes I get an error when running the script:

Error: Couldn't check wpvulndb @ https://wpvulndb.com/api/v2/wordpresses/477 (HTTP code 429)

This is where I am checking once per day, and even though I have caching set to true I am also running a checksum report in between checks. It appears to occur while running wp-sec itself, and happens much more often than I would like with installations with over 23 plugins (or over 3 themes, not actually sure which).

Is it possible to make this a bit more sophisticated, either to predict and wait when the rate limit is hit, or to wait and try again if it is hit? As it stands, it means I am getting more false positives than I would like.

Do you know if wpvulndb have published any info on what the rate limits are? There doesn't seem to be anything on their site.

markri commented 6 years ago

Once a day shouldn't be a problem I guess. I mailed wpvulndb some time ago when we hit the rate limit as well. At that time (about a year ago) they stated a limit of 30 calls every 30 seconds.

Thus: a site with 1 core, 1 theme and 10 plugins is already 12 calls.

So maybe this is the limit that you encounter ATM. Maybe leave some time between your checks? Are you running them in parallel?

cericoda commented 6 years ago

I see, so it's possible that running one with 15 calls and another with 20 calls within 30 seconds would hit the limit.

I wonder if it's worth returning the number of cache hits and misses (therefore queries) somehow.

Would be good for my script to parse that and add a delay. I'm running them sequentially and as I said running a core file checksum verification in between as well.

markri commented 6 years ago

That'll be some more complex scripting. Maybe other people experience this as well.

An idea: If you don't mind sharing (don't feel obliged to do so :-) ), you could create a github gist/repo for a script like that. I can reference that in the README.md to overcome API rate limits.

cericoda commented 6 years ago

Sounds good, thanks for the offer. I would need to clean up my script, which has various hard-coded stuff in it, so it might take a while. With respect to the issue, would it be acceptable to create a PR for adding counters to the JSON - total cache hits and cache misses?

markri commented 6 years ago

Sure! Extending the JSON with additional params won't break anything. Can't hurt, especially when they can be used in a case like this.
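A client-side throttle plus a retry-on-429 wrapper, in the spirit of what this thread asks for (predict and wait before the limit is hit, and back off and retry if it is hit anyway), as an added example that is not part of wp-sec or of this issue. It assumes the 30-calls-per-30-seconds limit markri quotes above (verify against the provider's current documentation), one API call per core, theme and plugin as the thread describes, and it simulates the API with a constructed stand-in (`FakeVulnDb`) so it runs offline. `SlidingWindowLimiter`, `call_with_retry`, `check_sites` and the component URLs are hypothetical names and placeholders, not anything in wp-sec or the wpvulndb API.

```python
"""Rate-limit-aware checking of WordPress components against a vulnerability API.

Added example; not wp-sec or wpvulndb code. Limit values below are the ones
quoted in the issue thread (30 calls per 30 seconds) and are an assumption.
"""
import time
from collections import deque

LIMIT_CALLS = 30        # assumed: calls allowed per window, as reported in the thread
WINDOW_SECONDS = 30.0   # assumed: window length, as reported in the thread


def calls_for_site(themes: int, plugins: int) -> int:
    """API calls one wp-sec run needs: 1 for core, plus one per theme and per plugin."""
    return 1 + themes + plugins


class SlidingWindowLimiter:
    """Client-side throttle: never send more than `limit` calls in any `window` seconds.

    `clock` and `sleep` are injectable so the logic can be exercised without real waiting.
    """

    def __init__(self, limit=LIMIT_CALLS, window=WINDOW_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = deque()       # timestamps of calls still inside the window
        self.total_wait = 0.0     # seconds spent waiting, for reporting

    def _expire(self, now):
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()

    def acquire(self):
        """Block until one more call fits in the window, then record it."""
        now = self.clock()
        self._expire(now)
        if len(self.sent) >= self.limit:
            wait = self.window - (now - self.sent[0])   # until the oldest call leaves the window
            self.total_wait += wait
            self.sleep(wait)
            now = self.clock()
            self._expire(now)
        self.sent.append(now)


def call_with_retry(request, url, limiter, sleep=time.sleep, max_attempts=4, base_delay=5.0):
    """Send request(url) through the limiter; on HTTP 429 back off exponentially and retry.

    Returns (status, attempts). After max_attempts the last status is returned so the
    caller can report "could not check" instead of silently treating it as "no vulns".
    """
    status = None
    for attempt in range(1, max_attempts + 1):
        limiter.acquire()
        status = request(url)
        if status != 429:
            return status, attempt
        if attempt < max_attempts:
            sleep(base_delay * 2 ** (attempt - 1))      # 5s, 10s, 20s, ...
    return status, max_attempts


def check_sites(sites, limiter, request, sleep=time.sleep):
    """Check each (name, themes, plugins) site and summarise calls, retries and failures."""
    summary = {"calls": 0, "retries": 0, "unchecked": []}
    for name, themes, plugins in sites:
        for i in range(calls_for_site(themes, plugins)):
            url = f"placeholder://vulndb/{name}/component-{i}"   # placeholder, not a real endpoint
            status, attempts = call_with_retry(request, url, limiter, sleep=sleep)
            summary["calls"] += attempts
            summary["retries"] += attempts - 1
            if status == 429:
                summary["unchecked"].append(url)
    return summary


class FakeClock:
    """Constructed clock whose sleep() simply advances time."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


class FakeVulnDb:
    """Constructed stand-in for the API: 429 once more than `limit` calls arrive per window."""
    def __init__(self, clock, limit=LIMIT_CALLS, window=WINDOW_SECONDS):
        self.clock, self.limit, self.window, self.seen = clock, limit, window, []
    def request(self, url):
        now = self.clock()
        self.seen = [t for t in self.seen if now - t < self.window]
        if len(self.seen) >= self.limit:
            return 429
        self.seen.append(now)
        return 200


if __name__ == "__main__":
    # Two sites back to back, 15 and 20 calls, as in the thread: 35 calls in one window.
    clock = FakeClock()
    api = FakeVulnDb(clock.now)
    limiter = SlidingWindowLimiter(clock=clock.now, sleep=clock.sleep)
    print(check_sites([("site-a", 1, 13), ("site-b", 1, 18)], limiter, api.request, clock.sleep))
    print("client-side waiting:", limiter.total_wait, "seconds")
```

With the throttle in place the second site simply waits out the window and the server never answers 429; with the throttle disabled the retry loop absorbs the 429s at the cost of several backoff sleeps, and anything still failing after the last attempt is listed under `unchecked` rather than reported as clean.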