WordPress.org

Ready to get started?Download WordPress

Forums

how to detect outdated plugins system wide OR how do hackers find sites? (4 posts)

  1. kdelayed
    Member
    Posted 2 years ago #

    Is there an app or method to scan numerous wordpress sites for outdated themes and plug-ins?

    I was hired to by a web designer to remove a javascript virus from several of his clients sites. He has 26 sites (17 wordpress) hosted on a shared webhosting plan at a sub-par web host.

    I've removed the virus code and found and deleted 2 php backdoors, but original weakness still remains. I dont have access to each client's WordPress dashboard to check for things that need to be updated or install security plugins and doing anything 1 at a time on a per site basis isn't practical anyway.

    I have ssh access to the home directory on the server but beyond grepping for 'tim-thumb', I dont know what to search for. I havent been able to find any mention of other linux tools for this.

    Obviously theres a way to scan multiple sites from the outside because hackers are doing it. But I dont know what they use. Google turned up a zillion potential and sketchy seeming programs. I tried 2 of them (nessus and metasploit) but they didnt seem to work. (metasploit was time-consuming and complicated, I might have been doing it wrong).

    Does anyone else run into issues like this?
    What do hackers (or preferably, system administrators) use to find vulnerable wordpress sites?

  2. johnnypope
    Member
    Posted 2 years ago #

    Hi kdelayed,

    This plug-in may help you:
    - It's a One Click Plugin Updater.

    Another alternative might be Manage WP which I use to manage all of my sites: https://managewp.com

    I have about 12 sites so far and with just 1 click I update ALL of the plugins (and wordpress itself). Plus you can do 1 click installs and copies and backups etc very easily.

    It's not cheap though which can be stumbling block if the sites arn't profitable.

    Hope this helps!

    Johnny

  3. I dont have access to each client's WordPress dashboard

    That makes it challenging. If they dont want to or are unable to do so then your client may want to pay you or someone to do the maintenance.

    If you have file level access via FTP or whatever file management tools your host provides you with then try making a complete backup of your clients wp-content/plugins directory and restore that onto your own installation.

    Once on your installation upgrade the plugins. That will get you an upgraded set of plugins which you can then transfer back.

    The same can be done with themes too but be careful. People modify themes all the time.

  4. kdelayed
    Member
    Posted 2 years ago #

    Thanks for the suggestions folks.

    Since I'm just working with these people temporarily (yet the problem comes up often for me), I need a more portable solution than managewp.com. But I can suggest it to web developer.

    I've been working on this on and off all weekend and have come up with a few helpful things, but no total solution. Since I have ssh access to the server:

    This finds all the php files that have been changed in the last 1 day
    find -mtime -1 -print | grep *.php

    This prints out the version for each WordPress installation in the directory:
    find . -name 'version.php' -path '*wp-includes/*' -print -exec grep '$wp_version =' {} \; -exec echo '' \;

    This was the best search line I found for finding timthumb:
    find . | grep php | xargs grep -s timthumb

    As far a hacker tools and things that work from outside the server, I gave up on metasploit and am currently playing with wpscan:
    http://code.google.com/p/wpscan/
    It still does more than I need but is way more focused than the other programs I've tried. I need to mess around with it some more, but I havent gotten the most important feature (to me) working
    Plugin vulnerability enumeration (based on plugin name)
    I also havent figured out how to give it a list of sites. Giving it 17 sites one at a time is possible but a pain. I want it to either take a list of sites as input or (if i.p. addresses work this way, I'm not sure if all the sites would have the same address) 1 i.p. and find all the sites host there.

    Anyway, I'm still up for suggestions and maybe these partial ideas will help someone dealing with many WordPress installs.

Topic Closed

This topic has been closed to new replies.

About this Topic