Jetpack, a division of Automattic (the commercial arm of WordPress), announced that it is acquiring WPScan, the company behind the popular WPScan WordPress security suite. WPScan provides resources that let the WordPress and WordPress security communities respond to security issues quickly. Jetpack is a suite of WordPress tools that also includes a security component.
Security is an important area for WordPress because it is what competitors cite as the platform's weakness. On that level it makes sense for Jetpack to acquire a company with a proactive stance on WordPress security.
Jetpack promised to keep the products free for non-commercial use, while also noting that some of WPScan will be absorbed into the security offering within the Jetpack suite of tools.
Why WPScan is Important
WPScan is a database of vulnerabilities.
WPScan also provides:
- An API for accessing the database
- WPScan Security Scanner, a Command Line Interface (CLI) scanner
- A WordPress security plugin
WPScan Database
WPScan is first and foremost an openly available database that records WordPress vulnerabilities and makes the information available via an API.
The information about WordPress vulnerabilities is hand curated by WPScan and contributors.
WPScan is also an official CVE Numbering Authority (CNA), which means it can assign the CVE identifiers by which vulnerabilities are referenced in the security community.
The database is accessible by individuals, businesses and security researchers.
Access is priced by API call volume: the information is available free via the API up to a certain number of calls, relatively modest prices apply for more database access, and custom pricing is available for enterprise-level requirements.
WPScan WordPress Security Scanner
WPScan also provides the WPScan WordPress Security Scanner, a Command Line Interface scanner that is free for non-commercial use. It scans a website for vulnerabilities recorded in the WPScan database.
A sample of the additional things the free WPScan WordPress Security Scanner checks for:
- “The version of WordPress installed and any associated vulnerabilities
- What plugins are installed and any associated vulnerabilities
- What themes are installed and any associated vulnerabilities
- Username enumeration
- Users with weak passwords via password brute forcing
- Backed up and publicly accessible wp-config.php files
- Database dumps that may be publicly accessible
- If error logs are exposed by plugins”
WPScan WordPress Plugin
Lastly, WPScan offers a free plugin that scans a website to determine if the WordPress installation itself and/or installed themes and plugins have vulnerabilities. The plugin uses the WPScan database API to check for vulnerabilities. The daily scan is said to fall within the free tier of API usage.
The plugin also scans for common weaknesses that could make a website vulnerable:
- “Check for debug.log files
- Check for wp-config.php backup files
- Check if XML-RPC is enabled
- Check for code repository files
- Check if default secret keys are used
- Check for exported database files
- Weak passwords
- HTTPS enabled”
The main feature of the WPScan plugin is a rapid alert when a site's plugin, theme or WordPress itself contains a known vulnerability, and when a patch is issued.
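Several of the plugin checks listed above (wp-config.php backups, debug.log, code repository files, default secret keys, exported database files) are filesystem conditions a site owner can audit locally. The following is an added example written for this article, not WPScan's code: it walks a WordPress document root and reports those conditions. The backup filename list and the constructed sample tree are assumptions for the example.

```python
"""Audit a WordPress document root for the filesystem-level weaknesses listed above."""
import os
import re
import tempfile
from pathlib import Path

# Backup names that leave wp-config.php (and its DB credentials) readable over HTTP.
# This list is an assumption for the example, not WPScan's own check list.
WP_CONFIG_BACKUPS = {"wp-config.php.bak", "wp-config.php.old", "wp-config.php.save",
                     "wp-config.php.txt", "wp-config.php~", ".wp-config.php.swp"}
DEFAULT_KEY_PHRASE = "put your unique phrase here"  # placeholder from wp-config-sample.php
REPO_DIRS = {".git", ".svn", ".hg"}
DB_DUMP_RE = re.compile(r"\.sql(\.(gz|zip|bz2))?$", re.IGNORECASE)


def audit_wp_root(root: str) -> dict:
    """Return {check_name: sorted relative paths} for every weakness found under root."""
    root_path = Path(root)
    findings = {}
    def hit(check: str, path: Path) -> None:
        findings.setdefault(check, []).append(str(path.relative_to(root_path)))
    for dirpath, dirnames, filenames in os.walk(root_path):
        here = Path(dirpath)
        for d in list(dirnames):  # repository metadata in the web root leaks source and history
            if d in REPO_DIRS:
                hit("repo_files", here / d)
                dirnames.remove(d)  # no need to descend into it
        for f in filenames:
            if f in WP_CONFIG_BACKUPS:
                hit("wp_config_backup", here / f)
            elif f == "debug.log":
                hit("debug_log", here / f)
            elif DB_DUMP_RE.search(f):
                hit("database_dump", here / f)
    config = root_path / "wp-config.php"  # live config still carrying the sample file's placeholder keys
    if config.is_file() and DEFAULT_KEY_PHRASE in config.read_text(errors="ignore"):
        hit("default_secret_keys", config)
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_root() -> str:
    """Constructed sample tree (not a real site) with one instance of each weakness."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / ".git").mkdir()
    (root / "wp-config.php").write_text("define('AUTH_KEY', 'put your unique phrase here');\n")
    (root / "wp-config.php.bak").write_text("define('DB_PASSWORD', 'constructed');\n")
    (root / "wp-content" / "debug.log").write_text("PHP Notice: constructed sample line\n")
    (root / "wp-content" / "uploads" / "site-export.sql.gz").write_bytes(b"\x1f\x8b")
    return str(root)
```

Run `audit_wp_root("/path/to/wordpress")` against a real document root; every returned key is something the plugin's checklist above would flag.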
Why Did Jetpack Acquire WPScan?
Jetpack’s stated reason for acquiring WPScan is to open up the data even more and to continue it as a resource for the entire WordPress ecosystem.
Jetpack announced:
“…our goal for this acquisition is to make malware data and APIs more open source. We want to ensure that WPScan continues to be a high-quality security resource for the entire WordPress community. To that effect, we’ll be exploring ways to make the API completely free for non-commercial sites.
…WPScan will continue to operate independently in the near term and may be integrated into Jetpack Scan in the future.
Current WPScan customers won’t be impacted by the acquisition in the near-term and will receive the same high-quality WordPress security service they’ve come to expect.”
Citations
Read the Jetpack Announcement of the WPScan Acquisition:
Jetpack Acquires WordPress Vulnerability Database WPScan
Visit the Official WPScan Plugin Page
WPScan – WordPress Security Scanner Plugin