Support » Plugin: WPScan » WPVulnDB API Token

  • Resolved John

    (@dsl225)


    When registering we can use only 1 website.
    Possible to use the same WPVulnDB API Token for multiple sites?

    Thanks.

  • Plugin Author FireFart

    (@xfirefartx)

    Hi John,
    currently the website on the register page is just metadata, it’s not used to link your key against a single website.

    You can use the key on multiple sites but we have request limiting in place per API key so be sure not to exceed that (currently 100req/30 seconds).

    Thanks for this but how can I check and limit those requests?
    Sorry but I don’t well understand what that means…
    I would appreciate if you can elaborate this further.

    Plugin Author FireFart

    (@xfirefartx)

    You cannot limit them, requests over 100/30sec are denied but this only results in possible vulnerabilities not being shown in the dashboard. Basically there is one request per plugin and one per theme once a day so it’s hard to hit the 100req limit anyways 🙂

    OK, I see, but who decides WHEN this “once a day” happens for each website?
    Is this relative to the time of the plugin’s initial installation?
    If this is the case, it would then be advisable to install the plugin at different times for each website, isn’t it?

    Plugin Author FireFart

    (@xfirefartx)

    May I ask how many websites do you plan to scan using the plugin?

    For scanning we schedule a daily WordPress task so it’s hard to say when this starts.

    That would be about a dozen.

    Plugin Author ethicalhack3r

    (@ethicalhack3r)

    The cron job is started relative to the time the schedule is set.

    So, for example, if you schedule a daily scan, it will scan every 24 hours since you set it. So, yea, it would be recommended to stagger the scheduling for each site.

    Although, 12 sites may be under the 100 requests within 30 seconds limit, but this will depend on how many plugins on each site. To be sure, I’d stagger the scheduling. Perhaps in the future, we can add functionality to configure the cron time.
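
The staggering advice above, modelled as an added example that is not part of the original thread or the plugin's code. The 100 requests per 30 seconds limit and the one-call-per-plugin-and-theme behaviour come from the replies; the sliding-window limiter, the 100 ms gap between calls and the site inventory are assumptions made for illustration.

```python
from collections import deque

LIMIT = 100          # requests allowed per API key (figure quoted in the thread)
WINDOW_MS = 30_000   # per 30 seconds (figure quoted in the thread)

def daily_run(component_counts, start_offsets_s, gap_ms=100):
    """Timestamps (ms) of every API call in one daily run.

    component_counts[i] = plugins + themes on site i (one call each, per the thread).
    start_offsets_s[i]  = when site i's cron task fires, in seconds.
    gap_ms is an assumed spacing between consecutive calls from one site.
    """
    calls = []
    for count, start_s in zip(component_counts, start_offsets_s):
        calls += [start_s * 1000 + i * gap_ms for i in range(count)]
    return sorted(calls)

def denied_calls(calls, limit=LIMIT, window_ms=WINDOW_MS):
    """Count calls a sliding-window limiter would refuse (assumed model)."""
    accepted = deque()
    denied = 0
    for t in calls:
        while accepted and accepted[0] <= t - window_ms:
            accepted.popleft()          # forget calls older than the window
        if len(accepted) < limit:
            accepted.append(t)
        else:
            denied += 1                 # this plugin/theme goes unchecked today
    return denied

# Constructed inventory: a dozen sites, 25 plugins + 3 themes each.
SITES = [28] * 12

def compare(stagger_s=60):
    """Return (denied when all sites fire together, denied when staggered)."""
    same_time = denied_calls(daily_run(SITES, [0] * len(SITES)))
    offsets = [i * stagger_s for i in range(len(SITES))]
    return same_time, denied_calls(daily_run(SITES, offsets))

if __name__ == "__main__":
    same_time, staggered = compare()
    print(f"all sites at once: {same_time} of {sum(SITES)} checks denied")
    print(f"staggered by 60 s: {staggered} denied")
```
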

    Thanks for this but where do you schedule scans?
    I didn’t find any settings for that…

    Plugin Author ethicalhack3r

    (@ethicalhack3r)

    Sorry, I was assuming we were talking about notifications.

    So, if you schedule daily notifications, the cron task will run from 24 hours from when you set it.

    The same applies if you have no notifications set. The cron job to update the report within the plugin runs from 24 hours from the time you enter a valid API key into the settings page.

    Plugin Author FireFart

    (@xfirefartx)

    I created an internal issue for a feature request to make the run time configurable so maybe we will implement this in the next version.
    In the meantime you can activate the plugin at different times or use an external plugin like https://wordpress.org/plugins/wp-crontrol/ to edit the cron jobs manually.

    PS: Please be advised that cron jobs run only if you have users visiting your sites as they are triggered by the users' browsers. So if you have no traffic to a site (for example an internal dev site) the cron job will only trigger when you visit the site again.

    @ethicalhack3r : there are no notification settings either!
    There were in the previous Vulnerabilities Alerts plugin but I had to remove it and install this one that lacks those settings, both for notifications and scheduled scans.

    @xfirefartx : thanks for this, well noted.

    For now I only activated this plugin at a single site and the only result I got right after that is that I got a 500 Internal Server Error and all websites at same shared server were down until the hosts corrected this and said there were too many requests in the DB…

    Plugin Author FireFart

    (@xfirefartx)

    @dsl225 the notification settings are there on the main page but you have to enter an API key to enable the full features.

    What do you mean by HTTP500 and too many database connections? Do you have some error logs?

    Yep, you are right, I found those settings at right sidebar, thanks.
    In fact there are settings for both the email address and the scan’s periodicity.

    Sorry no error logs, I simply got this 500 Internal Server Error right after activating the plugin for the first time and entering the API key.
    Maybe a bad timing in conjunction with other activities running in the background.

    I still need to investigate this further and see what happens at other sites.
    I now re-activated the plugin at first site, entered the notification settings and API again and will see what happens.

    I just ran a scan right now and everything ran smoothly.
    The only thing I notice is that the displayed date of scan did not update and still shows yesterday’s date.

    Plugin Author FireFart

    (@xfirefartx)

    @dsl225 version 1.1 now shows an error if the API limit is hit. We have an internal feature request noted for a configurable cron start time.

    Sounds great, thanks for this!
