Viewing 7 replies - 1 through 7 (of 7 total)
  • Tools -> Exploit Scanner is the settings page.

    But I agree, it does feel abandoned.

    Thread Starter Mike

    (@manndtp)

    Found a site which has updated hash files. Have not gone through to check if they are correct.

    https://github.com/philipjohn/exploit-scanner-hashes

    Yes.
    https://github.com/philipjohn/exploit-scanner-hashes/blob/master/hashes-4.1.php
    From which you can create the file
    /wwwroot/wp/wp-content/plugins/exploit-scanner/hashes.4.1.php
    Then the scanner works much better.
    Steve

    Indeed, this is garbage. Pure junk. It shows hundreds of basic WordPress 4.1 core files as “vulnerable” and plugins as well.
    I’ve compared SOME of the files manually side by side (my files found on FTP vs stock files, redownloaded WP and some plugins) and they are ok.

    Why can’t this useless plugin automatically compare ALL FTP files with the repository files just like Wordfence is doing????

    I use both, and Wordfence is great at checking ‘known’ files against the repository, but does nothing with UNKNOWN files. I had a hacked WP that Wordfence could not find. Using the https://github.com/philipjohn/exploit-scanner-hashes/ project allowed me to generate the hashes for WP and then run a scan against ALL files. It found 20+ files with malware in them that Wordfence just missed because they were not officially part of a plugin. They were found in the upload directory as well.

    So you really need both tools and exploit-scanner does not really need more than the hashes to be updated for it to work, plus one other item to make it work with W3TC and other object cache tools (it does work as expected with Tribe Object Cache however).

    So I do not feel it is abandoned, plus there was a recent update. I use it, and use it effectively.
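The known-versus-unknown distinction made in the reply above, as an added example that is not part of the thread or of the plugin's code: a reference manifest is built from a clean copy, and every file on the site is then classified as matching, modified, or absent from the reference. SHA-256, the function names and the sample trees are assumptions made for illustration, and the plugin's own hash file format is not reproduced here.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(site_root, reference):
    """Classify every file under site_root against a reference manifest."""
    site = build_manifest(site_root)
    report = {"ok": [], "modified": [], "unknown": []}
    for rel in sorted(site):
        if rel not in reference:
            report["unknown"].append(rel)    # in no known release: review by hand
        elif site[rel] != reference[rel]:
            report["modified"].append(rel)   # known path, different content
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(reference) - set(site))
    return report

def write(root, rel, text):
    """Create a sample file, making parent directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Run the comparison on two small constructed trees (not real WordPress files)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for root in (clean, site):
            write(root, "index.php", "<?php // constructed sample\n")
            write(root, "wp-includes/version.php", "<?php // constructed 4.1\n")
        write(clean, "wp-login.php", "<?php // constructed sample\n")
        write(site, "wp-includes/version.php", "<?php // constructed, edited\n")
        write(site, "wp-content/uploads/cache.php", "<?php // constructed stray file\n")
        return compare(site, build_manifest(clean))

if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

A scan that only checks paths present in the reference would report the edited file but never list the stray file under uploads, which is the gap the reply describes.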

    Awesome to see this recently updated. An amazing script indeed. Not Worthless anymore.

    Plugin Author Philip John

    (@philipjohn)

    Hi folks,

    I’m now contributing new hashes to this plugin. Yay!

  • The topic ‘Absolutely Worthless’ is closed to new replies.