Interview – Keeping WordPress secure with Ryan Dewhurst from WPScan
Who wants a hacked website? Anyone… anyone… Bueller! No? It’s something that nobody wants: to wake up and discover that your WordPress website(s) have been breached and that unexpected things are now happening. Perhaps it’s benign, but it might be serious. Data has been downloaded and you’ve got to spend time ameliorating the situation.
Why people hack websites is something that I’ll never fully understand. Sure, I know that hackers can hitchhike on your SEO, they can get users of your site to mine cryptocurrency for them, or they can do it just for kicks – I know all that. All that being said, it still amazes me that people do it and turn their obvious intellect to these nefarious pursuits when they could be being helpful instead. I’m naive… I know!
Anyway, people are trying to take over your site, whether I like it or not, and so it means that we all have to worry about it.
Some people, like me, worry about it a little bit. I read articles about internet security, but don’t actively participate in creating solutions to the problems that I read about. Others though are really, really keen on online security and devote hours of their time to trying to keep the rest of us hack free and happy.
Ryan Dewhurst is one such man. He’s dedicated many years to protecting the WordPress community from bad actors online. He’s behind WPScan, a free-to-use vulnerability scanner.
We have a detailed chat about what people gain from attacking your website, as well as whether or not the bad guys are winning at present. We also get into the topic of how there are increasing efforts to make it profitable for people to become ‘white hat’ hackers. Programs like HackerOne (which WordPress uses) and other, slightly more shady, platforms like Zerodium are making it possible to make a living from finding and disclosing vulnerabilities so that they can be patched before they find their way into the hands of the bad guys.
From that more general start we get into what WPScan is and what it can do. It’s a pretty comprehensive tool, but might not be for the faint of heart, as it might need a significant understanding of things like Ruby and Docker before you can get started.
We find out just how much of a labour of love this has been for Ryan. Many, many hours have been spent on this project for no financial gain, and whilst this is certainly laudable, it’s not something that Ryan can keep doing ad infinitum, and so we also talk about WPScan.io, the paid-for, easy-to-use version of WPScan.
We also talk about the WPScan Vulnerability Database, which is a constantly updated list of discovered vulnerabilities. You really ought to look at it from time to time to see if any plugins familiar to you pop up, and to reinforce the idea that you should be updating your WordPress websites as often as is humanly possible.
Great episode if you’re into WordPress security, and certainly worth a listen even if you’re not.
Nathan Wrigley: [00:00:00] Welcome to the WP Builds podcast, bringing you the latest news from the WordPress community. Now welcome your hosts, David Waumsley and Nathan Wrigley.
Hello there, and welcome to the WP Builds podcast once more. This is episode 158, entitled Keeping WordPress secure with Ryan Dewhurst from WPScan. It was published on Thursday the 12th of December, 2019. My name's Nathan Wrigley, and a few bits of housekeeping before we begin. If you want to keep up to date with the things that we do at WP Builds, if you're into WordPress, then you're into WP Builds, then head over to WPBuilds.com forward slash subscribe. Over there you'll be able to sign up to our newsletters and be updated when we release podcast episodes and news episodes, and also you'll be able to find us on your favorite podcast player, YouTube channel or Facebook group of over 2,300 WordPressers, all being very helpful. So that's WPBuilds.com forward slash subscribe. We've also got a competition on at the moment, WPBuilds.com forward slash win. If you go over there, you're going to have a chance of winning a pro license for WPForms, kindly donated by the guys at WPForms, so you can win. That's WPBuilds.com forward slash win. Also, we're back to our normal deals page. Now we've got a whole heap of WordPress deals. They never go away. They've got nothing to do with Black Friday or anything like that. That's WPBuilds.com forward slash deals, and lastly WPBuilds.com forward slash advertise if you would like to have your product or service put in front of a WordPress specific audience like these guys have. The WP Builds podcast is brought to you by Page Builder Cloud. Work faster in your page builder of choice by reusing your cloud-saved templates. Import and export any layouts to any of your WordPress websites. Page Builder Cloud works with Elementor, Beaver Builder, Brizy, Gutenberg and more. You can get a free trial up and running at pagebuildercloud.com. And WP Feedback. Are client communications eating up all of your time? If so, check out WP Feedback. 
It's a visual feedback tool for WordPress that's specifically designed to get you and your clients on the same page. Check it email@example.com. And lastly, Cloudways. Cloudways is a managed cloud-based hosting platform for WordPress. Unlike others, they'll let you choose the service from top cloud providers like Google Cloud, Amazon and DigitalOcean, and there are no restrictions on the number of websites per server. Cloudways can be tried using the promo code WPBUILDS, and if you use that, you'll get $20 free hosting credit, and we do thank our sponsors because they help enable us to put the WP Builds podcast on. Okay. Let's get on with the podcast, shall we? Today we're talking with Ryan Dewhurst. Now Ryan is a WordPress security expert. He works over at WPScan, but the podcast that we have today is really wide ranging. We start off by talking about just, generally, internet security. What kind of threats are we facing these days? Have things moved on from defacing websites? Is there now a bit more to it than that? Also, what is it that he does over at WPScan? What is it? How can it be used? Is it for technical people only? Is there a paid version, and so on and so forth? And then finally we get into things like the WPScan Vulnerability Database. He is a total expert in this field. He's very, very humble and has been putting a whole bunch of content out helping the WordPress community for nothing for years and years. And so I really appreciate people like Ryan doing all the good stuff that they do. I hope that you enjoy this episode. Hello there. Welcome to the WP Builds podcast. This is the interview portion of the show, and today I'm joined by Ryan Dewhurst. Hello Ryan.
Ryan Dewhurst: [00:04:08] Hi there. How are you?
Nathan Wrigley: [00:04:10] Yeah, I'm good, thanks. Ryan and I, we met one another very briefly, I think, really, at WordCamp Europe in Berlin, in June 2019. And I asked Ryan to come on the show because Ryan has a significant interest in internet security, which is not something that we've really covered before. So first of all, Ryan, I think it's good to give the listeners a bit of a background into why they might pay attention to what you're saying regarding this subject. So first of all, do you want to just tell us a little bit about your background, perhaps regarding WordPress and potentially more significantly about internet security in general?
Ryan Dewhurst: [00:04:48] Yeah, sure. Yeah, so my name's Ryan Dewhurst. I've been interested in computer security since, since my first computer. I went to university in Northumbria and I did an undergraduate degree in ethical hacking for computer security. I worked for various consultancy companies working as a penetration tester, which is basically a good hacker, an ethical hacker. And then I started my own consultancy about six, seven years ago, working for various clients, doing penetration testing, specializing in web security mainly. And then I had my own WordPress blog, and I was blogging about security research that I was doing at the time, and I was interested in the security of my own blog, obviously, and I started to create a tool which would test my blog for security issues in an automated way. So I released it, which eventually became WPScan. And over the years we had various contributors and a couple of them stuck around, so we created a team around it. And then we've just been slowly building up the WPScan tool since then, so since 2011. So we've been around, well, for quite a while.
Nathan Wrigley: [00:06:02] Okay. I'm just carrying on the talk there for a moment. It might be that people don't know what a penetration tester is. I have a fairly good idea, I think, of what one is, but what does a penetration tester spend their time doing? What is their sort of job description, if you like?
Ryan Dewhurst: [00:06:19] Yeah. So we try to hack into computer systems, whether that's a web application, mobile application, or a computer network. We get paid by companies to do this because usually they have a legal requirement that they have to protect the data which they collect, their customers' data. Whether that be PCI standards, which is a credit card policy, where if you take payments you have to protect the credit card numbers, basically. So yeah, it's a legal requirement, or in other cases, companies just want to make sure they don't get defaced or whatever. So they pay us, they hire us, to try and hack their website like a hacker would, so that we're trying to simulate a hacker and trying to break into their systems. And then we create a report with our findings, and then hopefully, after we give them the report, they fix the issues that we find.
Nathan Wrigley: [00:07:17] So it's not incumbent upon you to offer suggestions for how to fix it. It's simply a process of, look, we managed to succeed in doing this. Now go get your guys to go and mend what we discovered was broken.
Ryan Dewhurst: [00:07:31] So we do give high level, yeah, we give high level guidance on how to fix the issue. Most of the time, it is becoming more common that we have access to the source code, but most of the time we don't have that access. So we can't give them very specific sort of, you know, add this code here or sanitize that specific parameter in the code. So we give very high level fix recommendations, such as you need to implement cross-site request forgery prevention mechanisms, and that kind of thing. So yeah, usually it's high level, but if we do have the source code, we can start to give specific fix recommendations.
Nathan Wrigley: [00:08:08] Is this sort of penetration testing, presumably the larger your organization and the greater your turnover, so let's say, for example, HSBC bank as opposed to mom and dad's shoe shop, there's like a certain degree of spend, and the amount of money that they spend on security penetration testing, if you like, gives you more time to try out more stuff and try to break it in a variety of more intriguing and expensive and time consuming ways?
Ryan Dewhurst: [00:08:36] Yeah. So obviously when we're hired, the company who hires us has a budget. So usually our tests run for, could be five to 10 days, even a month, depending on how many web applications require testing. But yeah, if you have a bigger budget, it means that we can spend longer looking for vulnerabilities, which increases the chance that we find them. So that's where we differentiate with sort of black hat hackers, really, is that usually we are time limited, where a black hat hacker could spend years trying to break into your company, where we're limited to a week or a month, that kind of thing. If you look at very recently, I think it was yesterday, British Airways got fined, I think it was 183 million. Yes. They got breached and it was the, yeah, I can't remember who fined them, but yeah, they've got a huge fine of 183 million yesterday for not adequately protecting their customers' data.
Nathan Wrigley: [00:09:32] They're probably thinking it would have been far better to spend 150 million on penetration testing. Yeah. But I suppose it never, ever, ever works that way around, which leads us onto what I want to talk about, a very generic discussion, I suppose, about internet security, what your thoughts are on what that means and so on. So one of the things that we constantly talk about in the WordPress space is internet security, but I'm just wondering if you could pin that down really a little bit more. What are the sort of recent things that are happening? And by that I don't mean, you know, necessarily the most new and interesting, shiny, media attention grabbing. I mean just the most typical things that somebody with a WordPress website might need to concern themselves about.
Ryan Dewhurst: [00:10:23] Yeah. So when we think of security, especially with what we do, it's all code based, right? So it's all a mistake within source code which creates a vulnerability and which can be abused in some way. And that's really where I specialize in. So with the vulnerability database, which I run, which we'll talk about a bit later, we collect these vulnerabilities in WordPress core, plugins and themes. So the trend I've been seeing recently is a vulnerability called PHP object injection. So it's going to get quite technical. So this is, I mean, it's been around, that's probably been around forever, but it's only recently really started to be exploited and be found. So in PHP you can serialize data, which basically means that it's like compressing data, and people have discovered that you can call different classes, different code in a PHP application, by injecting this serialized data. And that can lead to a full compromise of a WordPress blog. So that vulnerability over the past, say, year or two has been steadily increasing just because people are more aware of it and they're starting to look for it. Really, the vulnerabilities which are most common, I would say, are things like cross site scripting. It's still a huge issue, and that's been around forever. And yeah, it's the most common vulnerability which we get submissions for. So,
Nathan Wrigley: [00:12:12] sorry, I was just going to say, so we see this acronym all the time, this XSS acronym, and we hear the term cross site scripting. It might be good to just give a very high-level overview of what that actually is and what it can do.
Nathan Wrigley: [00:13:56] Yeah, I mean, it is literally limitless in possibility. It's just a waiting game really, isn't it? Waiting for somebody to come up with the next thing. And that leads me to my next question, actually, is this people, are we mostly talking about actual people sitting behind computers? Or are we largely talking about kind of scripts that have been deployed over the internet, or automated bots, you know, that kind of thing? So real people versus automated machines.
Ryan Dewhurst: [00:14:28] Yeah. So yeah, it would be a mixture. Yeah, there will be people who are specifically targeting a subset of websites, maybe for political reasons or whatever. And there will be some people who will create automated tools which will scan the internet looking for WordPress blogs that are vulnerable and automatically exploiting those. The automated stuff is probably more business centric. So they're doing it more for money, monetary gain, rather than political reasons. That's usually, anyway. But also nowadays we've got things like state actors, such as governments, who now have their own teams who are researching and collecting exploits for various pieces of software, and they're weaponizing those in case of a cyber war, if you will.
Nathan Wrigley: [00:15:19] It struck me that, you know, I was walking down the street the other day and saw that somebody had put a brick through somebody's car windows, and I thought, boy, that's horrible. Who would do that? Why would you do that? And of course, you know, obviously the contents of the car is what they're after. There may have been something sitting on the seat or what have you, but it presented me with this sort of moral dilemma, you know, would I ever do that? Is there any situation in which I would do that? And then I'm sort of transposing that, I suppose, onto this and asking, you know, why do they do it? And if you go back a long time, when all of this began, it felt like there was just this almost like graffiti component to it. You just want to paste your tag and demonstrate that you are capable. But now things have moved on. And as you alluded to, now there's a whole bunch of different reasons, largely monetary, for hacking people's websites. And I wonder if we could talk about that for a minute. How can somebody possibly gain from taking your website down or in some way infecting it?
Ryan Dewhurst: [00:16:17] Yeah, I think you're right that, as the information security industry has matured, some of these people who were defacing websites in the late nineties, early two thousands, they've probably gone on now to create a career out of information security. But yeah, as the industry's matured, not only the defenders and the consultants and the antivirus companies, the attackers have also become more sophisticated. Yeah. I mean, we don't know. We only have some information of who is behind these attacks. And a lot of the time it's organized crime who's trying to make money from promoting other websites. So, for example, getting you to visit a specific website and charging for that, or trying to infect your machine and then using that as part of a botnet to carry out attacks on other websites. Very recently, with the increase in Bitcoin and other cryptocurrencies, we have crypto mining. So they're using your computer CPU to mine cryptocurrencies, and then they're directly profiting from your CPU cycles. Yeah. Yes. It's largely nowadays money-based. It's not very much sort of defacement anymore. I mean, it still does happen, but largely, yes, it's for making money, and a lot of money can be made. So a lot of effort goes into that, and there's a lot of sophistication behind it.
Nathan Wrigley: [00:17:52] Yeah, just last week it was one of the, what, a tiny little town in Florida somewhere, gave, the, so this is nothing to do with WordPress, but they managed to get, and I think it was a phishing attack. So somebody clicked on an email, you know, over a period of time their files became encrypted, and a lot of medical data, sensitive medical data, which was absolutely essential, became encrypted. And this tiny little municipality somewhere in Florida has handed over, I think it was $600,000, and they were given the key, and apparently they were actually successfully able to decrypt. But it just goes to show, you know, $600,000 off the strength of getting one click in an email. It can be very profitable, which kind of leads me to the next question. It's a depressing question, and I hope the answer is not what I'm thinking it might be, but I'm just wondering if the good guys are fighting a losing battle here. I'm just wondering if there's any sense that the hackers are always so ingenious, and after all, they only need to succeed once, whereas the good guys need to succeed 100% of the time. I'm just wondering if the good guys are losing.
Ryan Dewhurst: [00:19:02] I don't think so. I think it's a race where, you know, one's always trying to up the other. But I think in general, I think people are more aware of security, that their coding practices are becoming more secure. WordPress itself, as we've seen over the past, how old is WordPress, like 15 years?
Nathan Wrigley: [00:19:21] Yeah. Yeah, absolutely. Yeah.
Ryan Dewhurst: [00:19:24] Well, the past 15 years, I mean, the security has increased significantly, and we're seeing the same across all software. Even in my consultancy work, if I compare a website I tested maybe five, 10 years ago to a website that I test now, there's a huge difference. We were regularly being able to get very sensitive information five or 10 years ago, whereas now businesses and programmers are taking security much more seriously. So it's becoming much harder to access sensitive data and to hack websites. So I think, yeah, I think the good guys are winning. It's slow. I don't think we're ever going to be in a world where there aren't attacks and that kind of thing, but I think it's definitely getting more sophisticated and it's getting harder for the attackers all the time.
Nathan Wrigley: [00:20:15] Oh, I'm pleased to hear that. That's great. I was fearful that it might be the other way around, but that's lovely. You were speaking about WordPress in its heritage, you know, 15 years, and the fact that it's tightening up over those 15 years, and yet WordPress has this baggage, I think, and it has this heavy backpack on which people point to all the time, sort of WordPress not secure, you know? So I'm wondering if you could speak to that, whether or not, if we got a vanilla install of the very latest version of WordPress, and we thought very carefully about the hosting company that we were going to put it onto, so we're not putting on any plugins, we're not doing anything strange with themes, we're just installing WordPress, do you believe that that piece of software, that CMS, is pretty well locked down?
Ryan Dewhurst: [00:20:59] If you choose a secure password at the point of installation, I think yes. So as long as you use that secure password at the point of installation, then I would say WordPress is secure enough, right? I'm not going to install it, if I was a bank, on my banking web server. But yeah, if you're blogging, or a company blog or whatever, and you're not holding much sensitive information, then WordPress is absolutely fine, secure enough for its purpose. And yeah, as long as you have a secure password during setup, you should be secure enough. Problems come when you start to install other plugins, themes, and if you don't update WordPress going forwards, then that could also be an issue.
Nathan Wrigley: [00:21:48] Yeah. And if you do deploy a secure password, make sure it's not the same secure password that you're deploying everywhere else online.
Ryan Dewhurst: [00:21:59] Again, a password manager, definitely. Yeah. That.
Nathan Wrigley: [00:22:03] Yeah, I use, I don't know the merits of it over the other competitors, but I've for a long time been using LastPass, which I think delivers a reasonable solution. And then have that locked down with a YubiKey, which I also think is quite a valuable thing. For those that don't know, it's a USB, it's like a USB keyboard, which types in a yet even more complicated, unique password each time you try to log into LastPass. So, okay, so WordPress is potentially reasonably secure, should we say, as a piece of software. What are the, let's go for two or three, just for the sake of it, two or three things which are going to increase the surface area for attack, once you start messing with WordPress and start installing things and changing things and what have you?
Ryan Dewhurst: [00:22:55] Yeah. So as we mentioned, using a weak password for the administrative user is obviously one of the biggest issues. And if you do use a weak password, it's relatively easy to guess that using tools such as WPScan. And yeah, so second thing, plugins. So the biggest issue with WordPress security is the plugin ecosystem. And these plugins are developed by third parties who have varying degrees of skills and interest in security in their plugins. And every plugin that you install on your WordPress blog increases the attack surface, so increases the number of doors or windows which an attacker can potentially break into. So keep the plugins to a minimum, make sure they're well known plugins, and keep them up to date, which leads on to the third thing, which is keep WordPress, plugins and themes up to date constantly.
Nathan Wrigley: [00:23:55] Yeah. Yeah. I mean, there's, especially our audience who are, I would say the vast majority are in some way professionally connected with WordPress. You know, it is their job. I think it's unconscionable really to be leaving sites for any great length of time and not going in and updating them, especially when there's so many wonderful tools, you know, ManageWP and MainWP, that will assist you in that process, albeit by installing probably another plugin. So, okay, let's move on to, by the way, thank you. That was a really nice summary of, I think, the state of internet security, you know, in 15 minutes, which is great. Thank you. Let's move on to what it is that you do, which is, well, one of them is WPScan. Would you like to tell us a little bit about what WPScan is? I'm sure that many of our listeners may not have heard of this, so this is a great opportunity to get it in front of some eyeballs.
Ryan Dewhurst: [00:24:53] Yeah, so our main, the main service or product that we have is a command line interface tool which will scan a WordPress blog and tell you of any security issues that may affect it. So the very first thing that it does is it checks the WordPress version to see if it's up to date or not. And if it's not up to date, is the version you have installed affected by any known vulnerabilities? We'll list those for you. We'll do plugin enumeration. So we'll find out, and this is all from an attacker's perspective, so you don't need to log in to the tool or anything. This is what a hacker can see. This is an outsider's perspective of your blog. So we do plugin enumeration, so we can see all the plugins that you have installed on a WordPress blog, what version that plugin is. So then we can compare that. We have a vulnerability database where we keep a list of vulnerabilities for WordPress core, plugins and themes, and once we have the version of the plugin that you have installed, we can compare that against our database and find the vulnerabilities which affect that plugin. We do the same thing for themes. Many people may not know, but you can also find out what usernames are installed on a WordPress blog pretty trivially. Once we have the usernames, we can conduct an automated password attack against those users and find if any of them are using any weak passwords. That's the main functionality. But we also do a lot of little things which people may not be aware of, such as we look for backups of wp-config.php files. So a lot of the time, Vim, for example, there is a command line text editor. If you edit the wp-config file, I'm not sure if it's specifically with Vim, but there are some command line text editors which do do this. They create an automatic backup of that file, which you're not even aware of. 
And so we check for all those. And yeah, we do various other, we do a whole bunch of things on top of the main enumerations that we do. So that's the command line interface. And that's not very, we tried to make it as user friendly as possible, but it's still a bit daunting for some non technical users. We recently launched WPScan.io, which is a web interface on top of WPScan, and on that you can basically put in a URL, press go, and we'll scan the site and give you a PDF report. And yeah, so the WPScan command line interface is free too. You can use it free of charge for non commercial use. So anyone can use that for free, and we've been giving it away for free since we released it in 2011. So we've been giving it away for free all that time.
Nathan Wrigley: [00:27:34] I'm sorry, I was just gonna interrupt there if you'd like, because I want to carry the conversation on about the non IO version, and then, if it's all right, we'll come to the IO version a bit later. All right. Yeah. So the words command and line joined together will terrify some people, but what, how easy, realistically, if somebody was to follow the guidelines on the website, how easy is this to get set up and get some data out of it? You know, is it fairly straightforward so long as you copy and paste the things into, I don't know, the terminal or something?
Ryan Dewhurst: [00:28:06] Yeah, it's, we do have installation guides, and there's a hell of a lot of blog posts on the internet guiding you through the installation of WPScan. There's a lot of YouTube videos and that kind of thing. So yeah, it should be relatively easy, but you will need to know how to use basic command line arguments, so the terminal on your computer. And there's penetration testing Linux distributions out there which pre-install our tool. So if you install that Linux distribution, our tool's pre-installed on that, so you don't have to install it. It's there already. And getting even more technical, we have Docker images, which are like virtual machines, which you can run sort of in a virtual machine that's pre-installed too. You need to start Docker, but then WPScan is pre-installed. Yeah. But yeah, I mean, there's plenty of resources out there, and yeah, we do try and make it as easy as possible for users to install, but you will need some sort of technical knowledge to install it.
Nathan Wrigley: [00:29:13] To me, this is a good place to gain that technical knowledge. You know, you can't really go too wrong with it. Follow the instructions and give it a go. You're not going to break anything. Your computer will not stop working if you, well, I probably shouldn't say that. It depends, I suppose, what commands you execute. But okay, let's say that I've managed to install it successfully, in my case on a Mac, and I've typed in some commands. How does it feed back the data to me? You know, does it produce reports and things? And is that all just displayed as text in the command line back at me, and I've got to scroll through it, and so on?
Ryan Dewhurst: [00:29:51] Yes. So the command line interface tool is all text-based. Yes. So you type wpscan, which is the name of the program, dash dash URL, and then you give it a URL, so that's the domain name of your website, and you press enter. In the background, what it'll do is update the vulnerability database so it has the latest vulnerability data, and then, yeah, it will spit out everything in the command line that it's found. Again, going more technical, we also support JSON output, which can be used so other software can consume the output. But for users in general, yeah, it will be text-based output in the command line.
Nathan Wrigley: [00:30:35] And we're kind of... I think sometimes we have this feeling that these plugins and, you know, these security solutions will in some way not only alert us to these problems, but will in some way fix the problems as well. Just to be clear, that's not what this is about. This is simply alerting us to something that a hacker, if you like, might well be finding out about your site without you wishing them to, but it's not trying to fix anything.
Ryan Dewhurst: [00:31:02] That's correct. Yeah. No, we don't give any remediation information, and we certainly don't try to fix anything ourselves through the tool. We just point out problems and then it's up to you what you decide to do with that. Yeah.
Nathan Wrigley: [00:31:19] You mentioned that upon executing that command, WPScan, hyphen, hyphen, URL, what have you, that it would then go out and update the database, which is lovely. I'm just wondering how the database itself is updated and what process, presumably a fairly manual process to some extent, is taken on by you and other people in order to keep that database. What's the sort of ingress of information that you're sucking in? Where do you get all of this from in order to make the database current and up to date? Yeah.
Ryan Dewhurst: [00:31:52] So it is a manual process. Every vulnerability added to the database is added by myself or one of my team members. So there's a few different methods of how we discover these vulnerabilities. So largely we look for known vulnerabilities. So what happens is, I've got a bunch of... you can use Google Alerts, which is a service by Google where you can search for keywords on the web, and if those keywords are found, you'll get an automatic email. So I use that to look for stuff like WordPress vulnerability and plugin vulnerabilities. So I get emails from that. I use Twitter searches for WordPress vulnerability or plugin vulnerability, and I check that every morning and see if people have been tweeting about specific vulnerabilities. I'm registered with a bunch of software. There's an American organization called MITRE that assigns CVE numbers, which is basically an ID which they assign to specific vulnerabilities. So we're officially registered with them. So they will also let us know if they've assigned a number to a specific vulnerability. And very recently, what we've started to do is check... so every time a plugin is updated on the WordPress repository, there's a commit message. And most developers, when they commit something, they'll put a message such as "fixed XSS" or "fix security issue". So over the past few weeks, we've been monitoring those and we've been adding a lot of those to our database. We also have a submission system, so security researchers can submit vulnerabilities directly to us through our website, and we'll take it from there.
Nathan Wrigley: [00:33:40] It sounds like, you know, a large burden of work to keep this going. And I'm sort of wondering also, the fact that you can go to your website and download and execute this, it feels kind of almost like a philanthropic gesture on your behalf. You know, it's all free. Here's, I've done loads of hard work on it. So I'm wondering if there's like a commercial side of this, perhaps a license for, I don't know, businesses, or some other products or services where there's an actual business model with revenue for you as well, in order to keep this going at the rate which it requires.
Ryan Dewhurst: [00:34:14] Yeah. So I released this in 2011 for free, and it was basically a technical challenge and just for learning basically, and just the joy of creating something. But yeah, over the years it has become a bit of a burden. We keep releasing new things, not monetizing them. For example, we have a WordPress plugin, a very simple WordPress plugin. But yeah, we spend loads of time creating these things and releasing them and then not thinking about monetizing these services. Very recently, yeah, they started to become too much, because we all do this... there's three of us on the team and we do this in our spare time. So last year, January 2018, we officially created the WPScan business and we started to think about how we're going to sustain WPScan going forward, because it starts to take a large chunk of my working day over the past few years, as well as my colleagues' days. So we started charging for businesses who wanted to resell our services. So a lot of businesses will integrate our tools, our vulnerability database, within their own services and tools. So we started charging those users, but we were working on a trust basis. So we rely on them telling us that they use our software commercially, which doesn't work all the time. Not everyone's honest. So we've found that's not generating enough revenue to sustain WPScan. So we tried a commercial service, WPScan.io, which we really started two months ago. So that's basically a web interface on top of WPScan which tries to simplify things for the users. You can schedule daily, weekly, monthly scans, that kind of thing. And that is growing, but slowly. It didn't take off as much as we thought it would, but it may take more time.
Nathan Wrigley: [00:36:12] It might be, it might be a slow burn. Yeah. Sorry, I interrupted you. Carry on.
Ryan Dewhurst: [00:36:16] That's what we're hoping. Yeah. But yeah, we still got a lot of things planned for that and a lot of updates. Because we give away a three day free trial, which has been hugely successful. We get many, many users signing up for that. But then going on to pay for the service, there's not that many. Okay. So now what we're going to do is we're going to try to monetize the vulnerability database API. So the commercial users may not be honest with us that they are using our software commercially. So what we're going to do is we're going to cap the amount of requests you can make daily. We're going to still keep it free. We don't have the exact numbers because we've not released it yet, but keeping it free for like a hundred to 200 requests per day, which should be more than enough for any normal user. But we're going to put a cap on there for anything more than that, and you'd have to pay a small fee to use the API after that. And we're hoping that's what's really going to monetize the project and make sure that we can sustain it in the future, make it a real business.
Nathan Wrigley: [00:37:21] I mean, just listening to that story, it strikes me that, you know, you really have worked a very large amount of hours on keeping this going. And it feels to me like, if there was any justice in the world, somebody somewhere will put their hand in their wallet and subscribe to WPScan.io. So, in a bid to make that more likely, could you tell us exactly how that process works? You know, what are you getting if you go to WPScan.io and sign up? Maybe even talk about the price points and what it's doing in the background whilst you're sleeping.
Ryan Dewhurst: [00:37:58] Yeah. So on WPScan.io we offer a three day free trial, so you don't have to pay anything to try it out. We give you one website, and you basically... you have to verify your website first before you can scan it. This is to prevent attackers just using our service to scan other websites.
Nathan Wrigley: [00:38:19] Yeah.
Ryan Dewhurst: [00:38:20] So you have to verify that you own the website first, and you do that by creating a file on your web server, which we check. And once you do that, you can start to scan. You can start it immediately, or you can schedule it for a specific day and time, or you can schedule it to be recurring. So it can be daily, monthly, or weekly. After the three day free trial, the lowest plan we have is called the startup plan, which is five euros per month. And that gives you one website, and you can schedule scans with that. And you also get an email alert every time we finish a scan, so you can then look at your results. Above that, we have a professional plan, which is 20 euros per month, that allows you to have five websites and also a PDF report. So you can download your report and send that to whoever you need to send it to. And then we have an enterprise plan, which is 100 euros per month, which allows you up to 20 websites. And that also gives you JSON output, which is more for enterprise users. They can then use that data within their own software.
Nathan Wrigley: [00:39:21] And pipe that into something else and make use of it. Okay. And on the website, you've got the features listed on the homepage. Maybe go through, although you have briefly touched on those, go through exactly what those six things that it's doing are.
Ryan Dewhurst: [00:39:36] Yeah. So we'll check the WordPress version that's in use on the WordPress blog. As mentioned before, that's really useful if it's outdated, and we can correlate that with our vulnerability database and see if it's affected by any known vulnerabilities. We don't just... you can do just simple checks by just checking the index page, but we have like six different methods, because some people do try and hide the WordPress version, but we found various ways of finding that.
Nathan Wrigley: [00:40:05] There's always a way. Security through obscurity is not really... yeah. Anyway, sorry.
Ryan Dewhurst: [00:40:11] It's a bit harder for us, but we still do it. So we'll find out what plugins you have installed on your WordPress site, and what vulnerabilities affect those plugins. Again, with the theme, we use the power of our vulnerability database. So we have, I can't remember the exact figure, but we have a lot of vulnerabilities in our database to try and get you that.
Nathan Wrigley: [00:40:29] And I've got it actually somewhere. What, 14,000. Oh, no, maybe that's not it. 14,126.
Ryan Dewhurst: [00:40:36] Correct. Yeah. They're all the vulnerabilities we have in our database, and we're checking if you have a plugin that is affected by a known vulnerability, then we'll alert you of that. And it's updated, obviously; the vulnerability database is updated daily with, you know, many vulnerabilities. We'll also check if any users have weak passwords. So we'll do automated password brute forcing, and you don't have to do anything. You just put in your URL, press go, and this is all done in the background.
Nathan Wrigley: [00:41:03] Which password database are you using? Are you using, what's his name? What's the guy's name who recently... yeah, I think he's no longer supporting that, is he? But is that the one you're using?
Ryan Dewhurst: [00:41:15] So yeah, he's trying to sell it at the moment. No. The reason is, we found this out when we created the service: we could throw absolutely everything at the website and you get the best results, but something like that may take an hour or two, which most users weren't willing to wait. So what we do is we use a small password list. I think it contains maybe a hundred of the most common passwords. And that's just to keep the scan time reasonable, and then keeping users happy. So there's sort of a middle ground between the checks we do and the amount of time that it takes. On top of that, we do all the other things that the base tool also does, such as checking for wp-config backup files, that kind of thing. And you get it.
Nathan Wrigley: [00:42:07] So, yeah. I'm sorry, I was going to say, so the process for this is dead simple. You go to WPScan.io and basically hit the sign up button, choose your package, and from that moment on, everything is done on your infrastructure. You don't need to worry about the command line or think about any of that stuff. You just set it up, choose whatever tier of service you want, and click go, and then sit and wait for information, hopefully never to come back to you.
Ryan Dewhurst: [00:42:35] Exactly. Yes. So yeah, if you schedule scans as well, you can be sure that in the future, you know, you're going to be made aware of any potential issues that affect your blog as well. So there's a user interface, so buttons and forms and that kind of thing. So it's more... less technical users may find it more useful than a command line interface tool.
Nathan Wrigley: [00:42:59] Yeah. So let's imagine then that we've signed up for this, or we've taken the trouble to install the command line interface. Either way, we've got some data back which says, "Oh, ouch. There's a handful of things which really you ought to address." Is there any component of your business, or do you refer this on to somebody else, where there's like a, for want of a better word, a cleaning service? I don't know what the right word is for that. Yeah. Some process of mitigating these problems. Do you offer that, or do you forward that on to trusted third parties, or...
Ryan Dewhurst: [00:43:30] No. We don't have any data. We don't collect any data on what vulnerabilities affect your website. For the command line interface tool, the only thing the command line tool does to connect to us is to download the database of vulnerabilities. And that's the only time the command line interface tool will connect to our server. We don't collect any details on any issues that may affect your website, or even that you've scanned your website. We have no knowledge of that at all. The .io service, yes, we could potentially view the details of the website scan, where we don't at the moment, but it could be a good idea to possibly suggest a service within the report where users can get their problems fixed.
Nathan Wrigley: [00:44:18] Yeah. I know that there are many companies which offer... I don't know the merits of any company over another, but, you know, this is a business, isn't it? You know? Okay, we will fix what is broken and we will explore. And obviously having a little bit of data to kickstart that process, possibly from something like WPScan, might be a good starting point to begin that exploration.
Ryan Dewhurst: [00:44:41] Yeah, it's a good idea. We'll definitely implement something.
Nathan Wrigley: [00:44:47] Oh, great. I'm pleased it's not just all one way, this conversation. That's great. Yeah. Just to sort of round it off, is there anything that you feel that you wanted to explore during this podcast that I never asked? Any sort of salient question that you felt was missing that you want to mention? And if not, perhaps just sort of drop some Twitter handles or, you know, email addresses or whatever you feel comfortable sharing on the internet about how you can be contacted.
Ryan Dewhurst: [00:45:16] Yeah. I think maybe talking to the WordPress plugin developers themselves is, yeah, just to sort of spend more time on the security of the code. And also, with the plugin developers, sometimes it's hard. We need to contact them now and then to make them aware of a vulnerability in their plugins, and sometimes that can be hard to do, to contact them. So making it easy for us to contact them would certainly help us a lot, and in the end it would help them too. But no, yeah, to get in contact with myself, yeah, I'm usually on Twitter. So my handle is ethicalhack3r, ethical hacker, and the last E in hacker is a three.
Nathan Wrigley: [00:45:57] Yes. Yeah. Just speaking to that, I think there is a proposal, I can't remember who put it forward, it may have been Google or somebody, in the same way that we've got like robots.txt, which doesn't really serve any purpose apart from, you know, getting information to the bots going around the internet. I think there is a proposal to make a similar file with the security person's details in it. So in that file, which would be, I can't even remember what it would be called, you would drop the contact details of the person in the event of a security breach, so that you wouldn't have to go trawling on their website to find out. I don't know if that's got any legs, or whether it's taken off or not, but I thought that was quite a good idea.
Ryan Dewhurst: [00:46:40] Yeah, I think it's called... yeah, I think you're right. It's called security.txt, and I've seen some, usually larger businesses, who have implemented it, but I don't think it's very widely used. Well, I think actually that'd be a super good idea for plugin developers. Maybe even if WordPress themselves could force WordPress developers to add that information to their plugins, it would be certainly helpful.
Nathan Wrigley: [00:47:03] Yeah. I mean, it strikes me as, yeah, I can see WordPress core seems like a good place, because then we've got less plugins... so that you could be contacted. Well, that was absolutely fascinating. First of all, I think a great burden of thanks from people like me who probably, over the years, have benefited from the existence of the database, whether we realize it or not. So the WPScan vulnerability database has no doubt helped an awful lot of people. So thank you for that. And, yeah, thank you for coming on the podcast and sharing your story with us today. Cheers, Ryan.
Ryan Dewhurst: [00:47:35] Thank you for having me on. It's been great.
Nathan Wrigley: [00:47:37] Well, I hope that you enjoyed that. Ryan Dewhurst, talking about internet security, the WPScan vulnerability database, WPScan itself, and so on and so forth. An awful lot of knowledge in there, and I just think everything that Ryan's been doing over many, many years has been absolutely amazing, helping us all keep our websites safe and secure, which is something I think we could all agree is highly needed. The WP Builds podcast was brought to you today by Page Builder Cloud. If you want to dramatically speed up your WordPress website workflow, then check out Page Builder Cloud. It securely saves all your templates to your own cloud. You can then reuse them on any other website in seconds. Page Builder Cloud works with Elementor, Beaver Builder, Brizy, Gutenberg and many more, but it's not just for page builders. You can save your contact forms and ACF layouts too. Get a free trial today at pagebuildercloud.com. And WP&UP: one in four of us will be directly affected by mental health related illness. WP&UP supports and promotes positive mental health within the WordPress community. This is achieved through mentorship, events, training, and counseling. Please help enable WP&UP by visiting wpandup.org forward slash give. Okay. As always, I hope I see you back here next Thursday. We'll have another podcast episode, likely a discussion between David Waumsley and myself, but do remember that on a Monday we also put out a weekly WordPress news release. It's about 30 minutes of me going over the WordPress news that comes out, 7:00 AM UK time. So if you put your podcast player on Monday morning, then it should be there if you've subscribed to WP Builds. And also at 2:00 PM UK time, we have a live in our Facebook group, or firstname.lastname@example.org forward slash live, and you'll be able to listen to me, or rather, should I say, watch me and three or four other WordPressers chatting about this week's WordPress news. So there's a lot going on. Hopefully I'll see you around for some of that good stuff, and I'm going to fade in some really awful cheesy music and say bye bye for now.