Vulnerabilty scanner for Apache and Wordpress

ddaas · 05-17-2017, 01:42 AM

Hello,
I have some WordPress installations on Apache and I worry about them. I have no specific reason, only that there is a lot of software made by 3rd parties (plugins, themes etc) and I don't know exactly that it does.

What is a vulnerability scanner you use and recommend? There are a lot.
For the beginning I would like something free.

Thank you

Habitual · 05-17-2017, 04:13 AM

13 years and Zero info.

Wordfence and https://codex.wordpress.org/Hardening_WordPress

How are you vulnerability scanning the non-Turdpress stuff?

Got backups?
clamAV
Maldet
rkhunter

New to this?

ddaas · 05-17-2017, 04:35 AM

I've already installed wordfence. I took most of the measures described there.
I have backups.
I am still worried about this maybe because the only security incidents I had with my servers in the last 10 years were related to WordPress.
Thank you

Habitual · 05-17-2017, 07:23 AM

Make sure your addons/plugins are up-to-date.
My Wordpress auto-upgrades on my hosts, but I have to manually upgrade the plugins/addons via the dashboard.

generally,
Files = 644
Directories = 755
few exceptions like .cgi-related stuff.
Watch the inputs including search boxes.

https://www.exploit-db.com/search and search for Wordpress and be amazed.

Also, Google Dork is a valuable skill.

Code:

<addon/plugin> exploit

at any engine worth spit.

I have near 300 rules in my fail2ban, most are for Wordpress abuse.

You get the Wordfence Security Bulletin via email?
https://www.wordfence.com/blog/2017/...te-recommended

ondoho · 05-18-2017, 01:08 PM

Quote:

Originally Posted by ddaas

I am still worried about this

and right you are.
wordpress is about as secure as windows XP, and much more widespread. what a glorious attack surface