Free WordPress security scanning software released

The software is billed as checking WordPress-based sites for vulnerable plug-ins and other weaknesses that could open back doors into websites, which could then be exploited by hackers.

The software was developed by RandomStorm's penetration tester Ryan Dewhurst, who also developed the Damn Vulnerable Web Application (DVWA), which is billed as teaching developers and security professionals how to secure their web applications.

Common website hacks that the software monitors for include injecting SQL code into a page; defacement, such as swapping out corporate logos for the slogan of a protest organisation; cross-site scripting (XSS); and code execution.

Examples of organisations' websites that have been compromised using these methods include the BBC 6 Music and 1Xtra sites, which the firm says were used to host a drive-by download attack to infect visitors' computers with the Phoenix Trojan, and the Sun newspaper's site, which displayed a false story that Rupert Murdoch had died, placed by the LulzSec hacker group.

Dewhurst says that sometimes it is not easy to spot when a blog has been compromised. Hackers use tactics such as inserting infected iframes, which look like normal pictures on the web page but can be used to initiate drive-by downloads of malware to visitors' computers.
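The kind of injected, near-invisible iframe described above is something a site owner can check their own pages for. The following is an added example written for this article; it is not part of WPScan or RandomStorm's code. It uses only the Ruby standard library, takes the site's own hostname as an assumed parameter, and runs over a constructed sample page rather than any real site. The regular-expression tag parsing is a deliberate simplification for illustration; a full HTML parser would be more robust.

```ruby
# Added example (not from the article or WPScan): flag iframes on a page that
# look like the injected, hidden kind used for drive-by downloads.
# Heuristics: off-site src, 1px-or-smaller dimensions, hidden via CSS.
require 'uri'

# Inline styles that make an iframe effectively invisible to a visitor.
HIDDEN_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden/i

# Constructed sample page: one legitimate embed, one suspicious hidden frame,
# one same-site relative frame. Hostnames are placeholders, not real sites.
SAMPLE_HTML = <<~HTML
  <html><body>
  <h1>My blog</h1>
  <iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
  <iframe src="http://malware.example/x.php" width="1" height="1" style="visibility:hidden"></iframe>
  <iframe src='/wp-content/plugins/gallery/widget.html' width='300' height='200'></iframe>
  </body></html>
HTML

# Pull every <iframe ...> opening tag out of the HTML and return its
# attributes as a hash with lower-cased keys (regex-based simplification).
def extract_iframes(html)
  html.scan(/<iframe\b([^>]*)>/i).flatten.map do |attrs|
    pairs = attrs.scan(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/)
    pairs.each_with_object({}) do |(key, dq, sq, bare), h|
      h[key.downcase] = dq || sq || bare
    end
  end
end

# Return the list of reasons an iframe looks injected; [] means nothing odd.
def suspicious_reasons(iframe, site_host)
  reasons = []
  src  = iframe['src'].to_s
  host = (URI.parse(src).host rescue nil)  # nil for relative (same-site) URLs

  reasons << 'off-site src' if host && host.downcase != site_host.downcase

  tiny = [iframe['width'], iframe['height']].any? do |v|
    v.to_s.strip =~ /\A[01](px)?\z/
  end
  reasons << 'tiny frame (1px or smaller)' if tiny

  reasons << 'hidden by style' if iframe['style'].to_s =~ HIDDEN_STYLE
  reasons
end

# Scan a page and return [src, reasons] for every iframe with at least one
# reason, in document order. Legitimate off-site embeds will also appear with
# a single 'off-site src' reason, which is intentional: a reviewer should
# confirm every third-party frame is one they placed themselves.
def scan_html(html, site_host)
  extract_iframes(html)
    .map { |f| [f['src'], suspicious_reasons(f, site_host)] }
    .reject { |_, reasons| reasons.empty? }
end

if __FILE__ == $PROGRAM_NAME
  scan_html(SAMPLE_HTML, 'myblog.example').each do |src, reasons|
    puts "#{src.inspect}: #{reasons.join(', ')}"
  end
end
```

Run it against a saved copy of a page (for example, the HTML fetched from your own blog's front page) by replacing `SAMPLE_HTML` with the file contents; a frame that collects all three reasons is the pattern the article describes, while a single 'off-site src' hit is usually a known embed that just needs confirming.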

"This sort of activity can get your site blacklisted so it’s important to scan for vulnerabilities and remove them", he said, adding that the WordPress Scanner is a black-box tool developed using the Ruby programming language.

Andrew Mason, RandomStorm's technical director, meanwhile, said that WordPress Scanner forms part of his firm's overall service to help companies to close vulnerabilities in their web applications and improve security for their business and their customers.
