Whether you use WordPress for your personal blog, or your organization uses it for its entire Web site, ensuring its security is a good thing. One tool that can help secure WordPress is the Exploit Scanner plugin.
Typically, I look at command-line tools and utilities for the tips column -- but this week I wanted to take a look at a WordPress plugin I've been testing. Why? Primarily because I know WordPress is one of the most popular CMSes in use today, and the single most popular open source CMS. That means quite a few admins are likely to be responsible for dealing with WordPress in one way or another.
But also because, let's face it, WordPress (and other PHP/MySQL-based apps) tend to fall victim to attacks. This is especially true when organizations let WordPress get out of date -- so if you just picked up responsibility for a WordPress install that has not been updated, it's time to give it a once-over with the Exploit Scanner.
Luckily, this is very easy. Log into the WordPress Dashboard as the admin and go to the Add New page under Plugins. Search for Exploit and walk through the process to install and enable Exploit Scanner.
Once it's enabled, head over to the Exploit Scanner page under Tools. Here, take a moment to sigh and wish that WordPress extensions/plugins lived in standard locations (some locate themselves under Settings, others under Tools, others still elsewhere). Once that's done, set the parameters for the scan. You can set an upper size limit for files (the default is 400KB) and the number of files to scan in one batch. Exploit Scanner will also look for "suspicious styles," which are CSS styles that might be used to hide spam.
The first time I ran the scan it took ages. Then I realized that I had months' worth of daily backups of my database under the WordPress folder, and the tool was trying to scan those (and then giving up due to size). Once I made adjustments for that, the scan sped up appreciably.
Next, you'll receive a report of files that match warning signals for possible exploits or code that can be exploited. Note that many of the official plugins or approved plugins will match, and you will need to weed through the report to see what's actually a problem. You may, after using the Exploit Scanner, wish to disable plugins that aren't entirely necessary.
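To make concrete what a scan of this kind does, and why its report needs a human pass afterwards, here is a small stand-alone scanner written for this column. It is an added example, not code from the Exploit Scanner plugin or from WordPress; it walks a directory tree, skips files over a size limit (400KB, the plugin's default) and the database backups that slowed my scan, and flags two kinds of findings: PHP patterns associated with injected code and CSS that could hide spam links. The regexes, the `known_good` path prefixes and the sample site it builds in a temporary directory are all constructed for the demonstration.

```python
"""Stand-alone scanner in the spirit of the plugin described above.
Added example, not the plugin's own code; patterns and sample files are
constructed for illustration."""
import os
import re
import sys
import tempfile
from pathlib import Path

DEFAULT_MAX_BYTES = 400 * 1024  # matches the plugin's default size limit

# Database dumps and archives: not worth scanning for injected code, and they
# dominate scan time when months of daily backups pile up under the web root.
BACKUP_SUFFIXES = {".sql", ".gz", ".zip", ".tar", ".bak"}

# (kind, label, regex). Matches are leads to review, not proof of compromise.
CODE_PATTERNS = [
    ("code", "eval-of-decoded-string",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("code", "long-base64-literal",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("code", "dynamic-function-creation",
     re.compile(r"\bcreate_function\s*\(", re.I)),
]
# "Suspicious styles": CSS that hides content from readers but not from crawlers.
STYLE_PATTERNS = [
    ("style", "display-none", re.compile(r"display\s*:\s*none", re.I)),
    ("style", "visibility-hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("style", "offscreen-position", re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}px", re.I)),
]
PATTERNS_BY_SUFFIX = {
    ".php": CODE_PATTERNS + STYLE_PATTERNS,
    ".css": STYLE_PATTERNS,
    ".html": STYLE_PATTERNS,
    ".htm": STYLE_PATTERNS,
}


def scan_file(path, max_bytes=DEFAULT_MAX_BYTES):
    """Return a list of (kind, label, line_number) for one file, or None if skipped."""
    suffix = path.suffix.lower()
    if suffix in BACKUP_SUFFIXES or path.stat().st_size > max_bytes:
        return None  # skipped: backup file or over the size limit
    findings = []
    text = path.read_text(errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, label, regex in PATTERNS_BY_SUFFIX.get(suffix, []):
            if regex.search(line):
                findings.append((kind, label, lineno))
    return findings


def scan_tree(root, max_bytes=DEFAULT_MAX_BYTES, known_good=()):
    """Scan every file under root. Findings under a known_good prefix are kept
    but marked, so an allow-list built while weeding the report is visible."""
    root = Path(root)
    report = {"scanned": 0, "skipped": [], "findings": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        result = scan_file(path, max_bytes)
        if result is None:
            report["skipped"].append(rel)
            continue
        report["scanned"] += 1
        for kind, label, lineno in result:
            report["findings"].append({"path": rel, "kind": kind, "label": label,
                                       "line": lineno,
                                       "known_good": rel.startswith(tuple(known_good))})
    return report


def build_sample_site(base):
    """Constructed WordPress-like tree for the demo; none of this is real site content."""
    base = Path(base)
    files = {
        "wp-content/themes/demo/style.css": "a { color: #333; }\n.nav { display: none; }\n",
        "wp-content/plugins/approved/approved.php":
            "<?php\n// legitimate plugin code\nfunction approved_init() { return true; }\n",
        "wp-content/plugins/approved/approved.css": ".tooltip { display: none; }\n",
        "wp-content/uploads/cache.php": "<?php\neval(base64_decode('aGVsbG8='));\n",
        "wp-content/uploads/footer.html":
            "<div style=\"position:absolute;left:-9999px\"><a href=\"http://example.com\">hidden link</a></div>\n",
        "backups/db-2011-01-01.sql": "INSERT INTO wp_posts VALUES (1);\n",
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    # One file just over the size limit, to show the skip behaviour.
    (base / "wp-content/uploads/huge.log").write_bytes(b"x" * (DEFAULT_MAX_BYTES + 1))
    return base


def demo():
    """Build the sample site in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp, known_good=("wp-content/plugins/approved/",))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    rep = scan_tree(target) if target else demo()
    print(f"scanned {rep['scanned']} files, skipped {len(rep['skipped'])}")
    for f in rep["findings"]:
        flag = " (known good)" if f["known_good"] else ""
        print(f"{f['path']}:{f['line']} {f['kind']}/{f['label']}{flag}")
```

Run with no arguments to scan the constructed sample; pass a WordPress root to scan a real tree. Note how the demo report mirrors the point above: the theme's `display: none` and the approved plugin's tooltip rule match the same style pattern as the hidden off-screen link, and only the `known_good` prefix tells them apart, which is why the report is a starting point for review rather than a verdict.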
Is it foolproof? Nope. But it's an additional tool that will come in handy when you're trying to track down exploits, or one you may wish to run regularly, just in case.
Joe 'Zonker' Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at firstname.lastname@example.org and follow him on Twitter.