Using WP-CLI to Scan for WordPress Security Vulnerabilities

Previously I have shown how to install WPScan on Ubuntu (the installation guide covers Ubuntu 16.04) and on Debian, but what if you want to scan locally instead of remotely? That matters especially when a site is hardened against WPScan with measures that block user enumeration or access to the files that reveal which WordPress theme and plugins it runs.

A malware-infected WordPress or WooCommerce site can have disastrous consequences: loss of SEO rankings in Google search, or, if you run a store, customers losing faith in your technical competence and no longer trusting you with their money or data. If you care about your website and its visitors, staying unhacked is vital.

That is why it pays to be proactive about security and have a maintenance plan, or a professional you can turn to when you need help.

You can check whether any of your WordPress components have currently known security vulnerabilities on the WPVulnDB database pages for WordPress core, plugins and themes.

That is a manual job though, and we like automation here whenever it makes sense!

The fantastic people at 10up released a WP-CLI friendly vulnerability scanner that connects to WPVulnDB; it is available on GitHub.

This guide walks you through setting up this WordPress vulnerability scanner from start to finish, using the official readme as a starting point.

This host scans all of their WordPress and WooCommerce sites daily for vulnerable plugins and themes as soon as security issues are discovered and reported to WPVulnDB, which is why it is one of my favorite hosts!

Install WP-CLI Vulnerability Scanner

With WP-CLI you can install the vulnerability scanner from 10up's GitHub repository with this command. The git@ form needs an SSH key that GitHub accepts; the HTTPS form of the same URL (https://github.com/10up/wp-vulnerability-scanner.git) works without one. Either way you are installing whatever is at the head of the master branch at that moment, so treat the package like any other third-party code you run on your server:

wp package install git@github.com:10up/wp-vulnerability-scanner.git

If you are running an older version of WP-CLI you may get an error like this:

Installing package 10up/wp-vulnerability-scanner (dev-master)
Updating /root/.wp-cli/packages/composer.json to require the package...
Registering git@github.com:10up/wp-vulnerability-scanner.git as a VCS repository...
Using Composer to install the package...
---
Loading composer repositories with package information
Updating dependencies
Resolving dependencies through SAT

Dependency resolution completed in 0.005 seconds
Your requirements could not be resolved to an installable set of packages.
Problem 1
    - Conclusion: remove wp-cli/wp-cli 2.0.1
    - wp-cli/doctor-command dev-master requires wp-cli/wp-cli ^2.1 -> satisfiable by wp-cli/wp-cli[2.5.x-dev, v2.1.0, v2.2.0, v2.3.0, v2.4.0].
    - wp-cli/doctor-command dev-master requires wp-cli/wp-cli ^2.1 -> satisfiable by wp-cli/wp-cli[2.5.x-dev, v2.1.0, v2.2.0, v2.3.0, v2.4.0].
    - Can only install one of: wp-cli/wp-cli[v2.0.1, 2.5.x-dev].
    - Can only install one of: wp-cli/wp-cli[v2.1.0, v2.0.1].
    - Can only install one of: wp-cli/wp-cli[v2.2.0, v2.0.1].
    - Can only install one of: wp-cli/wp-cli[v2.3.0, v2.0.1].
    - Can only install one of: wp-cli/wp-cli[v2.4.0, v2.0.1].
    - Installation request for wp-cli/wp-cli 2.0.1 -> satisfiable by wp-cli/wp-cli[2.0.1].
    - Installation request for wp-cli/doctor-command dev-master -> satisfiable by wp-cli/doctor-command[dev-master].
Running update with --no-dev does not mean require-dev is ignored, it just means the packages will not be installed. If dev requirements are blocking the update you have to resolve those problems.
---
Error: Package installation failed (Composer return code 2).
Reverted composer.json.

You may need to update WP-CLI first to get past the above errors: Composer refuses because a package already in your packages directory (here wp-cli/doctor-command) requires WP-CLI ^2.1 while 2.0.1 is installed. The --allow-root flag is only needed because these commands are run as root; WP-CLI itself recommends running as the user that owns the WordPress files, which also avoids leaving root-owned files behind.

wp cli update --allow-root

Once updated, you should see output like this confirming the new version:

You have version 2.0.1. Would you like to update to 2.4.0? [y/n] y
Downloading from https://github.com/wp-cli/wp-cli/releases/download/v2.4.0/wp-cli-2.4.0.phar...
md5 hash verified: dedd5a662b80cda66e9e25d44c23b25c
New version works. Proceeding to replace.
Success: Updated WP-CLI to 2.4.0.

Now you can try installing the wp-vulnerability-scanner package again:

wp package install git@github.com:10up/wp-vulnerability-scanner.git

And success!

Installing package 10up/wp-vulnerability-scanner (dev-master)
Updating /root/.wp-cli/packages/composer.json to require the package...
Registering git@github.com:10up/wp-vulnerability-scanner.git as a VCS repository...
Using Composer to install the package...
---
Loading composer repositories with package information
Updating dependencies
Resolving dependencies through SAT
Looking at all rules.
Something's changed, looking at all rules again (pass #1)

Dependency resolution completed in 0.573 seconds
Analyzed 7616 packages to resolve dependencies
Analyzed 721278 rules to resolve dependencies
Package operations: 8 installs, 2 updates, 0 removals
Installs: 10up/wp-vulnerability-scanner:dev-master a5733af, wp-cli/checksum-command:dev-master 188d2b5, composer/semver:dev-master 2667cf1, wp-cli/core-command:dev-master be62a93, wp-cli/cron-command:dev-master 184ce82, wp-cli/entity-command:dev-master 0df89e4, wp-cli/extension-command:dev-master 78f1659, wp-cli/language-command:dev-master a14a385
Updates: wp-cli/profile-command:dev-master 0d33652, wp-cli/doctor-command:dev-master 3c6ba1e
 - Installing 10up/wp-vulnerability-scanner (dev-master a5733af)
 - Installing wp-cli/checksum-command (dev-master 188d2b5)
 - Installing composer/semver (dev-master 2667cf1)
 - Installing wp-cli/core-command (dev-master be62a93)
 - Installing wp-cli/cron-command (dev-master 184ce82)
 - Installing wp-cli/entity-command (dev-master 0df89e4)
 - Installing wp-cli/extension-command (dev-master 78f1659)
 - Installing wp-cli/language-command (dev-master a14a385)
Writing lock file
Generating autoload files
---
Success: Package installed.

Alternatively, install the scanner as a WordPress plugin, which also enables the wp vuln command:

wp plugin install https://github.com/10up/wp-vulnerability-scanner/archive/master.zip --activate --allow-root

Now we need an API key added to the site so we can automatically scan for known security issues in the installed WordPress core, plugin and theme versions.

Configure WP Vulnerability Scanner

First get an API key from WPVulnDB by signing up, which is free for up to 50 API calls per day.

One API call is used for every plugin and theme you have installed (not just the active ones!) plus one call for the WordPress version, so delete plugins you no longer need: inactive plugins still count against the quota, and their files remain on disk where they are still a security risk.

Once you have signed up, get your API key from your WPVulnDB account, as shown in the screenshot below (the API key in the screenshot is not valid, but feel free to try ;))

Once you have copied the API token, add it to wp-config.php with WP-CLI's wp config set command, using this syntax:

wp config set VULN_API_TOKEN <API-TOKEN> --allow-root

So with the API token above, the command would look like this:

wp config set VULN_API_TOKEN 1hDOLiSA08d1UVMvf8HETFaUL2q1GwJo9g3khaurIfs --allow-root

Success!

Success: Added the constant 'VULN_API_TOKEN' to the 'wp-config.php' file with the value '1hDOLiSA08d1UVMvf8HETFaUL2q1GwJo9g3khaurIfs'.

The token is now a secret stored in wp-config.php (and in your shell history), so keep that file readable only by the web user and the account that runs WP-CLI. Now we can start scanning.

Scanning WordPress Security Using WP-CLI

This command does a complete scan and shows the security status of WordPress core and the currently installed themes and plugins:

wp vuln status --allow-root

Here is a sample output:

WordPress 5.3.2
+-----------+-------------------+-----------------------------------------------------------+-----+
| name      | installed version | status                                                    | fix |
+-----------+-------------------+-----------------------------------------------------------+-----+
| WordPress | 5.3.2             | No vulnerabilities reported for this version of WordPress | n/a |
+-----------+-------------------+-----------------------------------------------------------+-----+
Plugins
+--------------------------------------------------+-------------------+-----------------------------------------------------------------------------------+-----+
| name                                             | installed version | status                                                                            | fix |
+--------------------------------------------------+-------------------+-----------------------------------------------------------------------------------+-----+
| advanced-db-cleaner                              | 2.0.0             | Error generating report for advanced-db-cleaner                                   | n/a |
| ari-adminer                                      | 2.0               | No vulnerabilities reported for this version of ari-adminer                       | n/a |
| autoptimize                                      | 2.5.1             | No vulnerabilities reported for this version of autoptimize                       | n/a |
| classic-editor                                   | 1.5               | No vulnerabilities reported for this version of classic-editor                    | n/a |
| disable-blogging                                 | 2.0.4             | No vulnerabilities reported for this version of disable-blogging                  | n/a |
| duplicator                                       | 1.3.24            | No vulnerabilities reported for this version of duplicator                        | n/a |
| ewww-image-optimizer                             | 5.1.3             | No vulnerabilities reported for this version of ewww-image-optimizer              | n/a |
| generate-press-navigation                        |                   | Error generating report for generate-press-navigation                             | n/a |
| google-analytics-dashboard-for-wp                | 5.3.9             | No vulnerabilities reported for this version of google-analytics-dashboard-for-wp | n/a |
| gp-premium                                       | 1.9.1             | Error generating report for gp-premium                                            | n/a |
| mailgun                                          | 1.7.1             | No vulnerabilities reported for this version of mailgun                           | n/a |
| worker                                           | 4.9.2             | No vulnerabilities reported for this version of worker                            | n/a |
| media-library-plus/maxgalleria-media-library     | 5.1.1             | Error generating report for media-library-plus/maxgalleria-media-library          | n/a |
| media-library-plus/mlp-reset                     | 5.1.1             | Error generating report for media-library-plus/mlp-reset                          | n/a |
| media-library-plus-pro/maxgalleria-media-library | 5.1.2             | Error generating report for media-library-plus-pro/maxgalleria-media-library      | n/a |
| media-library-plus-pro/mlf-pro-reset             | 5.1.2             | Error generating report for media-library-plus-pro/mlf-pro-reset                  | n/a |
| nginx-cache                                      | 1.0.4             | No vulnerabilities reported for this version of nginx-cache                       | n/a |
| query-monitor                                    | 3.5.0             | No vulnerabilities reported for this version of query-monitor                     | n/a |
| shortcodes-docs                                  | 1.0               | Error generating report for shortcodes-docs                                       | n/a |
| simple-css                                       | 1.1               | No vulnerabilities reported for this version of simple-css                        | n/a |
| simple-image-sizes                               | 3.2.1             | No vulnerabilities reported for this version of simple-image-sizes                | n/a |
| svg-support                                      | 2.3.15            | No vulnerabilities reported for this version of svg-support                       | n/a |
| updraftplus                                      | 1.16.20           | No vulnerabilities reported for this version of updraftplus                       | n/a |
| wedocs                                           | 1.5               | No vulnerabilities reported for this version of wedocs                            | n/a |
| wp-bullet                                        | 0.5.7             | Error generating report for wp-bullet                                             | n/a |
| wp-bullet-cloudflare                             | 0.5.0             | Error generating report for wp-bullet-cloudflare                                  | n/a |
| wp-bullet-lazy-load                              | 0.3.3             | Error generating report for wp-bullet-lazy-load                                   | n/a |
| wp-downloader                                    | 2.0               | No vulnerabilities reported for this version of wp-downloader                     | n/a |
| wp-featherlight                                  | 1.3.0             | No vulnerabilities reported for this version of wp-featherlight                   | n/a |
| wp-file-manager                                  | 5.4               | No vulnerabilities reported for this version of wp-file-manager                   | n/a |
| wp-theme-optimizer                               | 1.1.4             | No vulnerabilities reported for this version of wp-theme-optimizer                | n/a |
| wordpress-seo                                    | 12.6.2            | No vulnerabilities reported for this version of wordpress-seo                     | n/a |
| 0-worker                                         |                   | Error generating report for 0-worker                                              | n/a |
+--------------------------------------------------+-------------------+-----------------------------------------------------------------------------------+-----+
Nothing to update
Themes
+----------------+-------------------+----------------------------------------------------------------+-----+
| name           | installed version | status                                                         | fix |
+----------------+-------------------+----------------------------------------------------------------+-----+
| generatepress  | 2.4.1             | No vulnerabilities reported for this version of generatepress  | n/a |
| mantle         | 1.2.33            | No vulnerabilities reported for this version of mantle         | n/a |
| twentynineteen | 1.4               | No vulnerabilities reported for this version of twentynineteen | n/a |
| twentytwenty   | 1.0               | No vulnerabilities reported for this version of twentytwenty   | n/a |
+----------------+-------------------+----------------------------------------------------------------+-----+
Nothing to update

Rows that read "Error generating report" (here the premium, custom and multi-file plugins such as gp-premium, wp-bullet and media-library-plus) are not clean results: the scanner could not obtain a report for that slug, which typically happens when WPVulnDB has no entry for it or the API request fails, for example once the daily quota is used up. Treat those plugins as unchecked rather than safe and keep them updated by hand; the rows with an empty installed-version column deserve the same look. If you want to scan only the plugins, use this command:

wp vuln plugin-status --allow-root

Output:

+--------------------------------------------------+-------------------+-----------------------------------------------------------------------------------+-----+
| name                                             | installed version | status                                                                            | fix |
+--------------------------------------------------+-------------------+-----------------------------------------------------------------------------------+-----+
| advanced-db-cleaner                              | 2.0.0             | Error generating report for advanced-db-cleaner                                   | n/a |
| ari-adminer                                      | 2.0               | No vulnerabilities reported for this version of ari-adminer                       | n/a |
| autoptimize                                      | 2.5.1             | No vulnerabilities reported for this version of autoptimize                       | n/a |
| classic-editor                                   | 1.5               | No vulnerabilities reported for this version of classic-editor                    | n/a |
| disable-blogging                                 | 2.0.4             | No vulnerabilities reported for this version of disable-blogging                  | n/a |
| duplicator                                       | 1.3.24            | No vulnerabilities reported for this version of duplicator                        | n/a |
| ewww-image-optimizer                             | 5.1.3             | No vulnerabilities reported for this version of ewww-image-optimizer              | n/a |
| generate-press-navigation                        |                   | Error generating report for generate-press-navigation                             | n/a |
| google-analytics-dashboard-for-wp                | 5.3.9             | No vulnerabilities reported for this version of google-analytics-dashboard-for-wp | n/a |
| gp-premium                                       | 1.9.1             | Error generating report for gp-premium                                            | n/a |
| mailgun                                          | 1.7.1             | No vulnerabilities reported for this version of mailgun                           | n/a |
| worker                                           | 4.9.2             | No vulnerabilities reported for this version of worker                            | n/a |
| media-library-plus/maxgalleria-media-library     | 5.1.1             | Error generating report for media-library-plus/maxgalleria-media-library          | n/a |
| media-library-plus/mlp-reset                     | 5.1.1             | Error generating report for media-library-plus/mlp-reset                          | n/a |
| media-library-plus-pro/maxgalleria-media-library | 5.1.2             | Error generating report for media-library-plus-pro/maxgalleria-media-library      | n/a |
| media-library-plus-pro/mlf-pro-reset             | 5.1.2             | Error generating report for media-library-plus-pro/mlf-pro-reset                  | n/a |
| nginx-cache                                      | 1.0.4             | No vulnerabilities reported for this version of nginx-cache                       | n/a |
| query-monitor                                    | 3.5.0             | No vulnerabilities reported for this version of query-monitor                     | n/a |
| shortcodes-docs                                  | 1.0               | Error generating report for shortcodes-docs                                       | n/a |
| simple-css                                       | 1.1               | No vulnerabilities reported for this version of simple-css                        | n/a |
| simple-image-sizes                               | 3.2.1             | No vulnerabilities reported for this version of simple-image-sizes                | n/a |
| svg-support                                      | 2.3.15            | No vulnerabilities reported for this version of svg-support                       | n/a |
| updraftplus                                      | 1.16.20           | No vulnerabilities reported for this version of updraftplus                       | n/a |
| wedocs                                           | 1.5               | No vulnerabilities reported for this version of wedocs                            | n/a |
| wp-bullet                                        | 0.5.7             | Error generating report for wp-bullet                                             | n/a |
| wp-bullet-cloudflare                             | 0.5.0             | Error generating report for wp-bullet-cloudflare                                  | n/a |
| wp-bullet-lazy-load                              | 0.3.3             | Error generating report for wp-bullet-lazy-load                                   | n/a |
| wp-downloader                                    | 2.0               | No vulnerabilities reported for this version of wp-downloader                     | n/a |
| wp-featherlight                                  | 1.3.0             | No vulnerabilities reported for this version of wp-featherlight                   | n/a |
| wp-file-manager                                  | 5.4               | No vulnerabilities reported for this version of wp-file-manager                   | n/a |
| wp-theme-optimizer                               | 1.1.4             | No vulnerabilities reported for this version of wp-theme-optimizer                | n/a |
| wordpress-seo                                    | 12.6.2            | No vulnerabilities reported for this version of wordpress-seo                     | n/a |
| 0-worker                                         |                   | Error generating report for 0-worker                                              | n/a |
+--------------------------------------------------+-------------------+-----------------------------------------------------------------------------------+-----+

The official readme also shows how to set up a system-level cron job that scans your site(s) automatically and emails you when vulnerable components are found!
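As an added example (not the readme's cron snippet and not code from 10up), here is a wrapper script that scans several installs from one cron entry and mails a report only when a table row is not clean. It also shows how to classify the rows of the status table above: anything other than "No vulnerabilities reported" is reported, so the "Error generating report" rows reach you as well. The web user name, the recipient address, the site paths and the presence of a working mail command are assumptions.

```bash
#!/usr/bin/env bash
# Added example: nightly `wp vuln status` over one or more WordPress installs,
# mailing a report only when something is not clean.
# Assumptions: WP-CLI and the 10up scanner are installed for the web user,
# `mail` can deliver from this host, and each argument is a WordPress root.
set -eu

WP_USER=${WP_USER:-www-data}              # assumed owner of the WordPress files
MAILTO=${MAILTO:-security@example.com}    # assumed recipient
nl='
'

# Print the rows of a `wp vuln status` report (read from stdin) that are not clean.
# The column header is skipped and rows saying "No vulnerabilities reported" are
# dropped; real findings and "Error generating report" rows both pass through,
# because an unscanned plugin is not a safe plugin.
flag_rows() {
  grep '^|' | grep -v '^| name ' | grep -v 'No vulnerabilities reported' || true
}

# Build the mail body for the given site paths. Prints nothing when every site
# is clean, so the caller can skip the mail.
build_report() {
  site= scan= findings= report=
  for site in "$@"; do
    # Run as the file owner instead of root: no --allow-root, no root-owned files.
    if ! scan=$(sudo -u "$WP_USER" wp vuln status --path="$site" 2>&1); then
      report="${report}== ${site}: wp vuln status failed${nl}${scan}${nl}${nl}"
      continue
    fi
    findings=$(printf '%s\n' "$scan" | flag_rows)
    if [ -n "$findings" ]; then
      report="${report}== ${site}${nl}${findings}${nl}${nl}"
    fi
  done
  printf '%s' "$report"
}

main() {
  report=$(build_report "$@")
  if [ -n "$report" ]; then
    printf '%s\n' "$report" | mail -s "WordPress vulnerability scan: action needed" "$MAILTO"
  fi
}

# Only scan when site paths are given, e.g. from the web user's crontab:
#   17 3 * * * /usr/local/bin/wp-vuln-scan.sh /var/www/example.com /var/www/shop.example.com
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Keep the quota in mind when scheduling: every run spends one API call per installed plugin and theme plus one for core, per site, so with the free 50 calls per day a handful of plugin-heavy sites can exhaust it and turn the remaining rows into "Error generating report" entries. Once a day is the most a free key will sustain.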

Sources

wp config set command