
Check WordPress for Exploits

Whether you use WordPress for your personal blog, or your organization uses it for its entire Web site, ensuring its security is a good thing. One tool that can help secure WordPress is the Exploit Scanner plugin.

WordPress is one of the most popular CMSes, which means it is among the more commonly exploited. Use the Exploit Scanner plugin to help lock it down.

Typically, I look at command-line tools and utilities for the tips column — but this week I wanted to take a look at a WordPress plugin I’ve been testing. Why? Primarily because I know WordPress is one of the most popular CMSes in use today, and the single most popular open source CMS. That means quite a few admins are likely to be responsible for dealing with WordPress in one way or another.

But also because, let’s face it, WordPress (and other PHP/MySQL-based apps) tends to fall victim to attacks. This is especially true when organizations let WordPress get out of date — so if you just picked up responsibility for a WordPress install that has not been updated, it’s time to give it a once-over with the Exploit Scanner.

Luckily, this is very easy. Log into the WordPress Dashboard as the admin and go to the Add New page under Plugins. Search for Exploit and walk through the process to install and enable Exploit Scanner.

Once it’s enabled, head over to the Exploit Scanner page under Tools. Here, take a moment to sigh and wish that WordPress extensions/plugins lived in standard locations (some locate themselves under Settings, others under Tools, others still elsewhere). Once that’s done, set the parameters for the scan. You can set an upper size limit for files (the default is 400KB) and the number of files to scan in one batch. Exploit Scanner will also look for “suspicious styles,” which are CSS styles that might be used to hide spam.

The first time I ran the scan it took ages. Then I realized that I had months worth of daily backups of my database under the WordPress folder, and the tool was trying to scan those (and then giving up due to size). Once I made adjustments for that, the scan sped up appreciably.

Next, you’ll receive a report of files that match warning signals for possible exploits or code that can be exploited. Note that many of the official plugins or approved plugins will match, and you will need to weed through the report to see what’s actually a problem. You may, after using the Exploit Scanner, wish to disable plugins that aren’t entirely necessary.
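To make the scan parameters and the report concrete, here is a small stand-alone scanner written for this article; it is not the Exploit Scanner plugin's code. It mirrors the knobs described above (an upper file size limit of 400KB, a batch size, and a check for hidden-content CSS), skips backup directories and database dumps of the kind that slowed down the first run, and splits the report into files you already expected to match (plugins you installed deliberately) and files that need a look. The signal patterns, the batch size, the skipped directory names and the sample WordPress tree are all assumptions constructed for the example, and a match means "review this," not "this is infected."

```python
"""Added example: a minimal file scanner in the spirit of the Exploit Scanner
plugin.  Not the plugin's own code; patterns, batch size and skip lists are
assumptions chosen to illustrate the scan parameters the article describes."""
import os
import re
import tempfile
from typing import Dict, Iterable, Iterator, List, Tuple

MAX_FILE_BYTES = 400 * 1024    # upper size limit; the article cites 400KB as the plugin's default
BATCH_SIZE = 50                # files examined per batch (assumed value)
SKIP_DIR_NAMES = {"backups", "backup"}       # database dumps are not PHP code worth scanning
SKIP_EXTENSIONS = {".sql", ".gz", ".zip", ".tar"}

# Heuristic signals, constructed for this example (not the plugin's signature list).
SIGNALS: Dict[str, re.Pattern] = {
    "eval_call": re.compile(r"\beval\s*\("),
    "base64_decode_call": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate_call": re.compile(r"\bgzinflate\s*\("),
    # "suspicious styles": CSS commonly used to hide injected spam links from readers
    "hidden_style": re.compile(
        r"(display\s*:\s*none|visibility\s*:\s*hidden|text-indent\s*:\s*-\d{3,}px)",
        re.IGNORECASE,
    ),
}


def collect_files(root: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Walk ROOT; return (relative paths to scan, [(relative path, reason skipped)])."""
    to_scan, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune backup directories in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIR_NAMES]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
                skipped.append((rel, "backup/archive extension"))
            elif os.path.getsize(full) > MAX_FILE_BYTES:
                skipped.append((rel, "over size limit"))
            else:
                to_scan.append(rel)
    return sorted(to_scan), sorted(skipped)


def batches(items: List[str], size: int = BATCH_SIZE) -> Iterator[List[str]]:
    """Yield the file list in fixed-size batches, as the plugin's batch setting does."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def scan_file(path: str) -> List[str]:
    """Return the names of every signal that matches the file's contents."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return [name for name, pat in SIGNALS.items() if pat.search(text)]


def scan_tree(root: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Scan an install batch by batch; return ({relative path: signals}, skipped files)."""
    to_scan, skipped = collect_files(root)
    findings: Dict[str, List[str]] = {}
    for batch in batches(to_scan):
        for rel in batch:
            hits = scan_file(os.path.join(root, rel))
            if hits:
                findings[rel] = hits
    return findings, skipped


def triage(findings: Dict[str, List[str]], known_good: Iterable[str]):
    """Split the report: matches inside plugins you installed on purpose are 'expected'."""
    known = set(known_good)
    needs_review = {p: s for p, s in findings.items() if p not in known}
    expected = {p: s for p, s in findings.items() if p in known}
    return needs_review, expected


def build_sample_install() -> str:
    """Create a constructed, throw-away WordPress-like tree for a demonstration run."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    files = {
        # a deliberately installed plugin that decodes a base64 option: matches, but expected
        "wp-content/plugins/known-plugin/loader.php": "<?php $cfg = base64_decode($opt); ?>",
        # an unexpected PHP file in uploads using an obfuscated-loader pattern (placeholder payload)
        "wp-content/uploads/cache.php": "<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>",
        # a theme footer hiding a block of links from readers
        "wp-content/themes/demo/footer.php": '<div style="display:none"><a href="#">x</a></div>',
        # a clean core-like file
        "wp-includes/version.php": "<?php $wp_version = 'x.y'; ?>",
        # the article's problem case: old database dumps and an oversized file
        "backups/db-2024-01-01.sql": "INSERT INTO wp_posts VALUES (1);",
        "wp-content/old-db.sql.gz": "not really gzip, just a constructed placeholder",
        "wp-content/debug.log": "x" * (MAX_FILE_BYTES + 1),
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_install()
    findings, skipped = scan_tree(root)
    review, expected = triage(findings, ["wp-content/plugins/known-plugin/loader.php"])
    for rel, reason in skipped:
        print(f"skipped  {rel}: {reason}")
    for rel, hits in expected.items():
        print(f"expected {rel}: {', '.join(hits)}")
    for rel, hits in review.items():
        print(f"REVIEW   {rel}: {', '.join(hits)}")
```

Run it as-is and it builds the sample tree, scans it and prints the report; point `scan_tree` at a real document root and feed `triage` the paths of plugins you installed yourself to reproduce the "weed through the report" step. Note that the `backups/` directory never appears in the output at all because it is pruned before the walk descends into it, which is the cheapest way to keep old database dumps from dragging the scan out.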

Is it foolproof? Nope. But it’s an additional tool that will come in handy when you’re trying to track down exploits, or simply want to run regularly, just in case.

Joe ‘Zonker’ Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at [email protected] and follow him on Twitter.
