WordPresser
Automating WordPress Vulnerability Management with Terminus & WPScan
WordPresser is an advanced vulnerability management tool that leverages the power of Pantheon's Terminus CLI and WPScan to elevate the security posture of WordPress installations. With a majority of the web powered by WordPress, it becomes crucial to maintain the integrity of these installations, and WordPresser bridges this gap with precision and efficiency.

Key Features
Integration with Pantheon’s Terminus CLI:
- Employs Terminus to seamlessly discover and list all WordPress sites.
- Retrieves exhaustive details of plugins installed on each site.
Plugin Vulnerability Scanner Using WPScan’s API:
- Instead of scanning each site directly, which is noisy and can be detected as malicious activity, WordPresser uses WPScan’s API to look up vulnerabilities associated with each plugin.
- Ensures a silent operation with minimal disruption and noise.
- Correlates the lookup results with the sites (and plugin versions) where each plugin is installed, promptly identifying and alerting on vulnerable plugins.
Integrated Alerts to Microsoft Teams:
- Dispatches detailed alerts to Microsoft Teams via connector cards.
- Highlights the discovery of new WordPress sites.
- Delivers a systematic triage status of flagged vulnerabilities.
- Classifies confirmed vulnerabilities by their respective severity levels.
- Showcases the top 10 riskiest WordPress sites for immediate attention.
Efficient Database Management and Reporting:
- Engages with a custom database system for site data recording and retrieval.
- Offers dynamic querying capabilities for detailed insights.
- Uploads snapshots of the database to SharePoint, enhancing data availability and sharing.
- Integrates seamlessly with PowerBI, enabling users to view detailed reports. They can inspect their sites, gauge the health of their plugins, ascertain the versions, and discover vulnerabilities alongside their mitigation steps.
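The inventory-then-lookup correlation described above, as an added illustration that is not WordPresser's own code. It assumes the WPScan v3 plugin endpoint (`/api/v3/plugins/<slug>`, `Authorization: Token token=...`, response keyed by slug with a `vulnerabilities` list carrying `fixed_in` and `cvss.score`) and a plugin inventory in the shape `terminus wp SITE.ENV -- plugin list --format=json` produces; the sample sites, plugin slugs and vulnerability entries are constructed so it runs offline.

```python
"""Correlate a Terminus plugin inventory with WPScan API lookups."""
import json
import re
import urllib.request
from collections import defaultdict

WPSCAN_API = "https://wpscan.com/api/v3/plugins/"  # assumed v3 plugin endpoint

def wpscan_lookup(slug, token):
    """Fetch one plugin record; assumes the response is keyed by slug."""
    req = urllib.request.Request(WPSCAN_API + slug,
                                 headers={"Authorization": f"Token token={token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get(slug, {})

def parse_version(text):
    """'5.3' -> (5, 3); tuple comparison copes with differing lengths."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_affected(installed, fixed_in):
    """No fixed_in means no patch exists, so every installed version counts."""
    return not fixed_in or parse_version(installed) < parse_version(fixed_in)

def correlate(inventory, lookup):
    """Map each site to the vulnerabilities matching its installed plugin versions."""
    findings = defaultdict(list)
    for site, plugins in inventory.items():
        for plugin in plugins:
            for vuln in lookup(plugin["name"]).get("vulnerabilities", []):
                if is_affected(plugin["version"], vuln.get("fixed_in")):
                    findings[site].append({"plugin": plugin["name"], "title": vuln["title"],
                                           "installed": plugin["version"], "fixed_in": vuln.get("fixed_in"),
                                           "score": (vuln.get("cvss") or {}).get("score", 0.0)})
    return dict(findings)

def rank_sites(findings, top=10):
    """Rank sites by summed CVSS score, highest first, for a top-N Teams card."""
    totals = {site: sum(f["score"] for f in fs) for site, fs in findings.items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top]

# Constructed sample data; slugs, versions and vulnerabilities are all made up.
INVENTORY = {  # shape of `terminus wp SITE.ENV -- plugin list --format=json` (assumed)
    "site-a": [{"name": "sample-forms", "version": "2.4"}, {"name": "sample-seo", "version": "1.0"}],
    "site-b": [{"name": "sample-forms", "version": "2.5.1"}, {"name": "sample-seo", "version": "1.0"}],
}
CANNED = {  # stand-in for wpscan_lookup results so the example runs offline
    "sample-forms": {"vulnerabilities": [{"title": "Sample Forms < 2.5 - Stored XSS", "fixed_in": "2.5", "cvss": {"score": 6.1}}]},
    "sample-seo": {"vulnerabilities": [{"title": "Sample SEO - Unpatched SQLi", "fixed_in": None, "cvss": {"score": 9.8}}]},
}
```

Run `correlate(INVENTORY, lambda s: CANNED.get(s, {}))` for the offline sample; against the live API, pass `functools.partial(wpscan_lookup, token=...)` instead, and note that one lookup per distinct plugin slug suffices across all sites.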
Tech Stack
Python: Central scripting language.
Pantheon’s Terminus CLI: Drives the discovery of WordPress sites and their plugins.
WPScan: The go-to scanner for vulnerabilities, accessed via its API.
Pymsteams: Connects the application to Microsoft Teams for prompt alerts.
Pandas: Simplifies data manipulation and CSV operations.
Requests: Oversees API engagements for vulnerability insights.

Benefits
Reduced Noise
Unlike direct site scans, which can be detected and flagged, WordPresser's approach is discreet: it queries WPScan's API for vulnerability details, resulting in a silent yet highly effective operation.
Holistic View
It doesn't merely focus on plugins; it ties each vulnerability to the sites where the affected plugin is installed, providing a comprehensive security picture.
Prompt Notifications
Timely alerts via Microsoft Teams ensure you’re never caught off guard, facilitating swift mitigations.
Strategic Action
By categorizing vulnerabilities and ranking the most at-risk sites, it ensures you combat the most pressing threats initially.
Enhanced Reporting and Transparency
With SharePoint storage and PowerBI integration, teams get a transparent view of vulnerabilities, their severity, and their remedies. Users can deep-dive into their plugin health, aiding in informed decision-making.
Conclusion
WordPresser stands at the crossroads of development, operations, and security, ensuring that WordPress installations, widespread as they may be, remain free of known plugin vulnerabilities. By harmonizing the capabilities of Terminus and WPScan's API, and offering an in-depth reporting structure, it eliminates the need for manual checks, conserves valuable time, and secures your web properties.