pluginkollektiv / antivirus

Useful plugin that will scan your theme templates for malicious injections. Automatically. Every day. For more blog security.
https://wordpress.org/plugins/antivirus/
GNU General Public License v2.0

Extended Vulnerability Scanner #24

Closed swissspidy closed 10 months ago

swissspidy commented 8 years ago

#1, #3, #5 and #8 are steps in the right direction. But what if we could do more? Here are some thoughts…

For example, https://github.com/sergejmueller/wpscan is really interesting as it's a scanner like AntiVirus. Our advantage is that we're already inside the WordPress install, so we're not limited to running checks from the outside.

What if we could take the best out of tools like this and perhaps other security plugins? Off the top of my head:

There are tons of bloated "security" plugins that offer to fix things like table prefixes, for example. That doesn't add much security.

AntiVirus should be lean and focus on attack surface reduction and malware detection.

Zodiac1978 commented 8 years ago

This would be great, but let's first walk, then run ;)

Fixing #1 should be the priority IMHO.

For checking core files, exploits and integrity (md5 checksums) we should ask ourselves: what would be the benefit over the known plugins which are already solving these problems, if people used our plugin instead?

https://wordpress.org/plugins/old-core-files/
https://wordpress.org/plugins/exploit-scanner/
https://wordpress.org/plugins/sucuri-scanner/

Automatic daily check and e-mail notification - is this our main benefit? Anything else?

swissspidy commented 8 years ago

Of course #1 is our top priority. Just thinking out loud here.

In my opinion the biggest benefit of AntiVirus is that it just works. There's zero configuration and you can feel a little bit safer.

Old Core Files

Detecting old core files is already mentioned in #8 and is trivial to integrate. Integrating this into AntiVirus adds no additional configuration steps and makes the install a bit more safe.

Exploit Scanner

I just installed it on a local install running trunk and it fails with hundreds of false positives. The idea is nice though.


It differs a bit from AntiVirus though (detecting malicious patterns vs. checking simple stuff like <iframe> and String.fromCharCode).

Seems to verify file hashes too, but instead of getting them from dotorg those are bundled in the plugin. That doesn't work for localized installs and in the long term. (see #5 for integrating the checksum verifier plugin).

It categorizes results in different levels (log level, severe, etc.). We should probably do that too.

Our main benefit here: We do a slightly different job plus have a cron job. Exploit Scanner scans more stuff.

Apart from file hash updates, the plugin hasn't seen a major update in years. It doesn't even work well with the latest PHP versions.

Worth noting that a few WordPress core committers and even a WordPress lead developer are listed as contributors for that plugin. Perhaps we can ask them about their plans?

Sucuri Scanner

I don't know where to start. Too much bloat, too many configuration options. Lots of features that require communicating via their API.

Their "Security Blacklist Monitoring" feature sounds promising. Keeping patterns in AntiVirus is hard; communicating with third-party services to do so would be a nice way to reduce maintenance costs.

Haven't tested the plugin much, but I don't think we should do most of what it is offering.

I think "Decisions, not options" applies well to this plugin.

Exploit Scanner for Active Theme

Just found out about this plugin. It has a nice UI and works a bit differently:

After installation, you generate hashes for your theme the first time. After that you can check your theme files against these hashes. Doesn't work well if you update your theme though…


We should really use such a list table for AntiVirus as well. This plugin uses it and Exploit Scanner too.

Zodiac1978 commented 8 years ago

I like the ideas and appreciate the brainstorming for new features.

Detecting old core files is a great feature. If it is trivial to implement, let's do it.

Exploit Scanner produces false positives with trunk, because it just has hashes for releases. And it was just an example for a plugin which does a similar job. Switching to a list table looks good to me.

Sucuri has an integrity checking feature. This is the feature I was looking for (as a comparison partner to our checksum verifier, which could be merged with AntiVirus).

Generating hashes yourself, like Exploit Scanner for Active Theme does, seems to be a bad idea IMHO. Many people install plugins like AntiVirus because they think they got hacked. If you generate hashes in such a case, these hashes don't help anymore. You can just compare hashes, but they don't tell you whether the files are infected or not. You just know whether they changed after generating the hashes.

More ideas/plugins:

We can add a list for plugin updates like https://wordpress.org/plugins/mail-on-update/

Check existence of salts & secrets (shouldn't be default values) -> What do we do with localized versions of wp-config.php?

File Monitoring (a really old one): https://wordpress.org/plugins/wordpress-file-monitor-plus/

Folder Permissions: What do you want to check? 755 for directories/644 for files? What if the server is configured differently?

Malware Scan for Theme: https://wordpress.org/plugins/tac/ (really old too)
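The integrity check discussed above (a published checksum list rather than hashes generated on the possibly already compromised site, plus old core files as the files that are on disk but not in the list), as an added example that is not code from AntiVirus, checksum-verifier or any of the plugins named here. The checksum map and the WordPress tree are constructed in a temp directory so it runs offline; on a real install the map is the "checksums" object fetched from https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale> for the exact version and locale, which is also why hashes bundled in a plugin cannot cover localized installs. Requires PHP 7.3+.

```php
<?php
// Added example, not the AntiVirus or checksum-verifier plugin's code: verify a
// WordPress tree against a published checksum list and report files that are
// modified, missing, or present but unlisted (old core files, dropped payloads).
// The list and the tree below are constructed so the example runs offline.
declare(strict_types=1);

function list_files(string $root): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $path => $info) {
        $out[] = str_replace('\\', '/', substr($path, strlen($root) + 1));
    }
    sort($out);
    return $out;
}

/**
 * $expected is the "checksums" map: relative path => md5 hex. Paths under
 * $ignore are site content, not core, so they are never reported as "extra";
 * listed files under them (bundled themes) are still verified.
 */
function verify_checksums(string $root, array $expected, array $ignore = ['wp-content/', 'wp-config.php', '.htaccess']): array
{
    $r = ['ok' => [], 'modified' => [], 'missing' => [], 'extra' => []];
    foreach ($expected as $rel => $md5) {
        $path = "$root/$rel";
        if (!is_file($path)) {
            $r['missing'][] = $rel;
        } elseif (md5_file($path) !== strtolower($md5)) {
            $r['modified'][] = $rel;
        } else {
            $r['ok'][] = $rel;
        }
    }
    foreach (list_files($root) as $rel) {
        if (isset($expected[$rel])) {
            continue;
        }
        foreach ($ignore as $prefix) {
            if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
                continue 2;
            }
        }
        $r['extra'][] = $rel; // under core, unlisted: old core file or dropped payload
    }
    return $r;
}

/** Constructed install: returns [root, checksums] with one injected and one stale file. */
function build_sample_tree(): array
{
    $root  = sys_get_temp_dir() . '/wpcheck_' . bin2hex(random_bytes(4));
    $files = [
        'index.php'                    => "<?php require __DIR__ . '/wp-blog-header.php';\n",
        'wp-includes/version.php'      => "<?php \$wp_version = '4.5.3';\n",
        'wp-admin/install.php'         => "<?php // installer\n",
        'wp-content/plugins/hello.php' => "<?php // user plugin, never in the core list\n",
    ];
    foreach ($files as $rel => $body) {
        $dir = dirname("$root/$rel");
        if (!is_dir($dir)) {
            mkdir($dir, 0755, true);
        }
        file_put_contents("$root/$rel", $body);
    }
    $checksums = [];
    foreach (['index.php', 'wp-includes/version.php', 'wp-admin/install.php'] as $rel) {
        $checksums[$rel] = md5_file("$root/$rel");
    }
    $checksums['wp-includes/class-wp-rewrite.php'] = md5('listed but absent from disk');
    // Simulate an injection and a leftover from an earlier release.
    file_put_contents("$root/index.php", "<?php eval(base64_decode('...')); ?>\n" . $files['index.php']);
    file_put_contents("$root/wp-admin/old-menu.php", "<?php // removed upstream, still on disk\n");
    return [$root, $checksums];
}

function remove_tree(string $root): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $path => $info) {
        $info->isDir() ? rmdir($path) : unlink($path);
    }
    rmdir($root);
}

[$root, $expected] = build_sample_tree();
$r = verify_checksums($root, $expected);
$labels = [
    'modified' => 'MODIFIED (hash mismatch, restore from the release package)',
    'missing'  => 'MISSING  (listed file absent)',
    'extra'    => 'EXTRA    (unlisted under core: old core file or dropped payload)',
];
foreach ($labels as $key => $label) {
    foreach ($r[$key] as $rel) {
        echo "$label: $rel\n";
    }
}
printf("%d listed files verified OK\n", count($r['ok']));
remove_tree($root);
```

Expected output: index.php as MODIFIED, wp-includes/class-wp-rewrite.php as MISSING, wp-admin/old-menu.php as EXTRA, two files OK; the user plugin under wp-content/ is neither verified nor flagged. The "extra" bucket is exactly what the old-core-files plugin reports, so it falls out of the checksum comparison for free.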

swissspidy commented 8 years ago

Exploit Scanner

Tested with 4.5.3 yesterday and still got lots of false positives. I pinged the current maintainer of the plugin to see what his plans are. Maybe we could work together somehow.

Exploit Scanner for Active Theme

Oh yeah, it really is a stupid idea :-)

Integrity Checking Feature

If we integrate the checksum verification of all plugins and themes from WordPress.org (see pluginkollektiv/checksum-verifier#1), there's a 99% chance that those do not contain malware, making AntiVirus already much, much better.

In addition to that, we could integrate the API of https://wpvulndb.com/ to find if a particular installed plugin/theme/WordPress version has a known vulnerability.

That would work well with "Mail On Update", e.g. "Hey, there's an update for XY. Your current version is vulnerable to an attack. Please update immediately!". Related: #16

We could even offer to enable auto updates so the user doesn't have to worry about it.

Check existence of salts & secrets (shouldn't be default values) -> What do we do with localized versions of wp-config.php?

Checking if AUTH_KEY & co. are properly defined works without scanning the wp-config.php file and therefore doesn't matter.

Folder Permissions: What do you want to check? 755 for directories/644 for files? What if the server is configured differently?

For example, yes. If we'd have different log levels (notice, warning, critical), this would only be a notice and you could mark to ignore it.

Malware Scan for Theme

The plugin only checks for the availability of base64 and some hardcoded spam links in the theme (that spam method was quite popular once). Nothing spectacular but impressive 100'000 installs.

Perhaps we could ping them to ask about what they're up to. After making sure our plugin is superior in every way, we could perhaps even ask to recommend AntiVirus.
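The two configuration checks debated in this thread, as an added example (not the AntiVirus plugin's code): the salts/keys are read through `defined()`/`constant()` so wp-config.php is never parsed and localized copies do not matter, and a plain 755/644 deviation is only an ignorable notice while world-writable paths are a warning. The placeholder string is the one shipped in wp-config-sample.php; the sample key sets and the temp directory are constructed. Requires PHP 7.4+ on a POSIX filesystem.

```php
<?php
// Added example, not the AntiVirus plugin's code: secrets check via constants
// (no wp-config.php parsing) and a permission check with levels, over
// constructed sample values and a constructed temp directory.
declare(strict_types=1);

const WP_SECRET_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const WP_SAMPLE_PLACEHOLDER = 'put your unique phrase here'; // value in wp-config-sample.php

/** Reads the eight secrets; $override (name => value) stands in for a real install. */
function read_secrets(?array $override = null): array
{
    $vals = [];
    foreach (WP_SECRET_CONSTANTS as $name) {
        $vals[$name] = $override === null
            ? (defined($name) ? (string) constant($name) : null)
            : ($override[$name] ?? null);
    }
    return $vals;
}

function check_secrets(array $vals): array
{
    $findings = [];
    $seen = [];
    foreach ($vals as $name => $v) {
        if ($v === null || $v === '') {
            $findings[] = ['critical', "$name is not defined"];
            continue;
        }
        if ($v === WP_SAMPLE_PLACEHOLDER) {
            $findings[] = ['critical', "$name still holds the sample placeholder"];
            continue;
        }
        if (strlen($v) < 32) {
            $findings[] = ['warning', "$name is shorter than 32 characters"];
        }
        if (isset($seen[$v])) {
            $findings[] = ['warning', "$name reuses the value of {$seen[$v]}"];
        }
        $seen[$v] = $name;
    }
    return $findings;
}

function check_permissions(string $root, int $dirMode = 0755, int $fileMode = 0644): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel  = substr($path, strlen($root) + 1);
        $mode = fileperms($path) & 0777;
        if ($mode & 0002) { // anyone on the host can write: real risk, not taste
            $findings[] = ['warning', sprintf('%s is world-writable (%04o)', $rel, $mode)];
            continue;
        }
        $want = $info->isDir() ? $dirMode : $fileMode;
        if ($mode !== $want) {
            $findings[] = ['notice', sprintf('%s has mode %04o, expected %04o (ignore if your host differs)', $rel, $mode, $want)];
        }
    }
    return $findings;
}

function print_findings(string $title, array $findings): void
{
    $rank = ['critical' => 0, 'warning' => 1, 'notice' => 2];
    usort($findings, fn($a, $b) => $rank[$a[0]] <=> $rank[$b[0]]);
    echo "== $title ==\n";
    foreach ($findings as [$level, $msg]) {
        printf("[%-8s] %s\n", strtoupper($level), $msg);
    }
}

// Constructed key sets: a good one, and one with the three classic mistakes.
$good = [];
foreach (WP_SECRET_CONSTANTS as $n) { $good[$n] = bin2hex(random_bytes(32)); }
$bad = $good;
$bad['AUTH_KEY']   = WP_SAMPLE_PLACEHOLDER;
$bad['NONCE_SALT'] = $bad['AUTH_SALT'];
unset($bad['LOGGED_IN_KEY']);
print_findings('secrets (good config)', check_secrets(read_secrets($good)));
print_findings('secrets (bad config)', check_secrets(read_secrets($bad)));

// Constructed tree: one notice-level deviation, two world-writable paths.
$root = sys_get_temp_dir() . '/wpperm_' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads", 0755, true);
file_put_contents("$root/index.php", "<?php\n");          chmod("$root/index.php", 0644);
file_put_contents("$root/wp-config.php", "<?php\n");      chmod("$root/wp-config.php", 0640);
file_put_contents("$root/wp-content/uploads/x.txt", ''); chmod("$root/wp-content/uploads/x.txt", 0666);
chmod("$root/wp-content/uploads", 0777);
print_findings('permissions', check_permissions($root));

$it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS), RecursiveIteratorIterator::CHILD_FIRST);
foreach ($it as $path => $info) { $info->isDir() ? rmdir($path) : unlink($path); }
rmdir($root);
```

The good config prints no findings; the bad one prints two critical (placeholder, undefined key) and one warning (reused salt). The permission pass reports wp-config.php at 0640 as a notice only, and the uploads directory and its file as warnings, which is the split that lets a host with a different but deliberate layout mark the notices as ignored without hiding the world-writable case.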