ocf / projects

Overview of technical OCF projects

Run wpscan on vhosts #33

Open kkuehlz opened 4 years ago

kkuehlz commented 4 years ago

Someone should create a script that runs wpscan on all OCF vhosts. It should enumerate vulnerable plugins and themes. If one is detected, create an rt ticket for security@. Have the entire thing run in a container and deploy in Kubernetes Cron.

nikhiljha commented 4 years ago

Blocker: wpscan refuses to say if the plugins are vulnerable or not without a subscription to their API

It still detects old/vulnerable WordPress versions for free, and I found a few of those manually. Maybe it'd be worth getting started with that first.
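As an added example (not code from this issue or from the OCF projects repo), a Python triage pass over wpscan's `--format json` reports that turns the proposal above and nikhiljha's blocker into a workable first cut: it tickets components with listed vulnerabilities when an API token was used, and falls back to the free core `status` and per-component `outdated` flags when it was not. The sample report is constructed, and the JSON field names are assumed from wpscan's JSON output format and should be checked against the deployed wpscan version.

```python
"""Triage wpscan --format json reports from a vhost sweep and draft the security@ ticket.
Without a WPScan API token `vulnerabilities` lists are empty, but `status`/`outdated` still flag stale installs."""
from __future__ import annotations
import json

# Constructed sample report; field names follow wpscan's JSON output
# (check them against the installed wpscan version before deploying).
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example-vhost.invalid/",
    "version": {"number": "5.2.1", "status": "insecure",
                "vulnerabilities": [{"title": "constructed core finding"}]},
    "plugins": {
        "akismet": {"version": {"number": "4.1.2"}, "outdated": True, "vulnerabilities": []},
        "contact-form-7": {"version": None, "outdated": False,
                           "vulnerabilities": [{"title": "constructed plugin finding"}]}},
    "themes": {"twentynineteen": {"version": {"number": "1.4"}, "outdated": True,
                                  "vulnerabilities": []}},
})

def _finding(name, number, vulns, stale):
    """(severity, detail) tuple; listed vulnerabilities outrank a bare outdated flag."""
    if vulns:
        return ("high", f"{name} {number}: {len(vulns)} known vulnerabilities")
    if stale:
        return ("medium", f"{name} {number} is outdated")
    return None

def triage(report_json: str) -> list[tuple[str, str, str]]:
    """(vhost, severity, detail) per vulnerable or outdated core/plugin/theme in one report."""
    report = json.loads(report_json)
    vhost = report.get("target_url", "<unknown vhost>")
    candidates = []
    core = report.get("version") or {}  # null when wpscan could not fingerprint the version
    if core:
        candidates.append(_finding("WordPress", core.get("number", "unknown"), core.get("vulnerabilities"),
                                   core.get("status") in ("insecure", "outdated")))
    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            number = (comp.get("version") or {}).get("number", "unknown")  # version may be null
            candidates.append(_finding(f"{kind[:-1]} {slug}", number,
                                       comp.get("vulnerabilities"), comp.get("outdated")))
    return [(vhost, sev, detail) for sev, detail in filter(None, candidates)]

def ticket_body(findings) -> str | None:
    """rt ticket text for security@, or None when the sweep found nothing to report."""
    if not findings:
        return None
    ordered = sorted(findings, key=lambda f: f[1])  # "high" sorts before "medium"
    return "wpscan sweep findings:\n" + "\n".join(f"[{sev.upper()}] {host} {detail}" for host, sev, detail in ordered)
```

The cron wrapper would run wpscan once per vhost, feed each report through `triage`, and open a single ticket with `ticket_body` only when the combined list is non-empty.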

BernardZhao commented 4 years ago

@cg505 had a whole stream where he tried to set this up, @nikhiljha you should inquire with him

cg505 commented 4 years ago

I mean it pretty much failed for the reason nikhil stated...

ja5087 commented 4 years ago

If wpscan doesn't work out we can at least relax the requirement a little and turn it into something like making sure people's sites are updated, that they don't have weak passwords, etc.

nikhiljha commented 4 years ago

TL;DR from summer meeting notes:

Also see #45

ethanhs commented 2 years ago

In lieu of WPScan, we could try running https://github.com/swisskyrepo/Wordpresscan, which seems to be a re-implementation of some of the simpler tests.