WordPress Build Review is a tool to check the basic security settings in a WordPress installation.

Key features

  • Checks the WordPress version
  • Checks the WordPress plugin versions
  • Checks that WordPress minor updates are enabled
  • Checks the WordPress configuration
  • Checks the theme configuration
  • Identifies the presence of backup files in the web folder
  • Checks the antivirus
  • Checks the file and directory permissions
  • Checks that HTTPS is enabled for the admin panel

Overview

WordPress-build-review checks the basic security configuration that a WordPress installation should have.

The idea of this tool is to perform a build review on WordPress installations. It should work with the software installed by default in a Linux distribution.

This tool was developed and tested on Linux. However, it should also work on other POSIX-like platforms as long as the dependencies (GNU utils) are available. Please let us know if you try running this tool on other platforms; your feedback is appreciated.

Installation

Download the tool from the link below and uncompress it.

Make sure you have the tools “curl” and “bc” installed in your system.

Usage

$ ./wordpress-build-review.sh /full/path/to/wordpress/root/folder/
...
Starting wordpress-build-review v1.0 at Fri Jan 31 16:19:53 GMT 2014

by David Muñoz ( dmg@portcullis-security.com )

This tool checks the basic security configuration that a wordpress installation
should have.

Use of this script is only permitted on systems which you have been granted
legal permission to perform a security assessment of. Apart from this
condition the GPL v2 applies.

Search the output below for the word '[VV]' for the security issues found.
If you don't see it then this script didn't find any problems.
Search the output below for the word '[WW]' for problems occurred during script
execution. These problems must be checked manually.
Finally search the output below for the word '[II]' for correct issues.
...

Examples

Here we can see some example issues that the tool is able to identify:

$ ./wordpress-build-review.sh /var/www/wordpress | grep -F "[VV]"
...
[VV][001]File wp-login.php found. It is recommended to change its name.
[VV][002]File readme.html found. It is recommended to delete it.
[VV][005]The wordpress version installed is out-to-date. Installed version is: 3.8. Last version is: 3.8.1.
[VV][006]Plugin 6scan-protection is out-of-date. Please, update it. Installed version is: 3.0.5. Last version is: 3.0.6.
[VV][009]HTTPS on the LOGIN and ADMIN sections are not enabled in wp-config but SSL may still being enforced by the web server config.
[VV][015]File /var/www/wordpress/test.bak found, consider to remove it.
[VV][015]File /var/www/wordpress/wp-config.php~ found, consider to remove it.
[VV]Default or backup files found, please remove them.
[VV][012]The file /var/www/wordpress/wp-config.php~ has 664 permissions, consider to set it to 644 or 640
[VV]Incorrect file permissions, please correct them.
[VV][013]The folder /var/www/wordpress/wp-content/plugins/test has 775 permissions, consider to set it to 755 or 750
[VV]Incorrect folder permissions, please correct them.
[VV][010]Wordpress table prefix is set by default <wp_>. Please, consider to change it.
[VV][008]Wordpress database user is root, please change it.
...
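To show how checks of this kind are implemented, here is an added example (not the Portcullis tool's own code) that reimplements three of the check families above: backup files ([015]), file and folder permissions ([012]/[013]) and the wp-config settings for the database user, HTTPS and table prefix ([008]/[009]/[010]). The function names are mine, and the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the Portcullis tool's own code: minimal reimplementation of
# three check families, using the tool's issue numbers, over a constructed tree.

# Backup/editor leftovers under the web root (the tool's [015] check).
check_backup_files() {
    find "$1" -type f \( -name '*.bak' -o -name '*~' -o -name '*.old' \) | sort
}

# Expected modes are 644/640 (files) and 755/750 (folders): any g+w or o+w bit
# is a finding ([012]/[013]).
check_perms() {
    find "$1" \( -perm -g+w -o -perm -o+w \) | sort
}

# wp-config.php settings the tool reports as [008], [009] and [010].
check_config() {
    cfg="$1"
    if grep -Eq "define\([[:space:]]*['\"]DB_USER['\"][[:space:]]*,[[:space:]]*['\"]root['\"]" "$cfg"; then
        echo "[VV][008] database user is root"
    fi
    if ! grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "[VV][009] FORCE_SSL_ADMIN is not set to true in wp-config"
    fi
    if grep -Eq "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "[VV][010] table prefix is the default wp_"
    fi
}

# Constructed sample site (not a real installation): default prefix, root DB
# user, no FORCE_SSL_ADMIN, one editor backup and one group-writable plugin dir.
build_sample() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/test"
    cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_USER', 'root');
$table_prefix = 'wp_';
EOF
    cp "$root/wp-config.php" "$root/wp-config.php~"
    chmod 664 "$root/wp-config.php~"
    chmod 775 "$root/wp-content/plugins/test"
    echo "$root"
}
root=$(build_sample)
check_backup_files "$root"
check_perms "$root"
check_config "$root/wp-config.php"
rm -rf "$root"
```

Against the sample tree this prints the backup file, the two writable paths and three [VV] lines; against a hardened wp-config.php with a non-root user, FORCE_SSL_ADMIN set to true and a custom prefix, check_config prints nothing.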
