20 Sep 2022

How to Replace Overpriced and Ineffective WPScan Based Penetration Testing of WordPress Websites With Cheaper and Better Automated Testing

Last week Bloomberg’s Katrina Manson covered a recommendation from the US Cybersecurity and Infrastructure Security Agency that urged companies to automate threat testing. The story touched on one of the realities of the poor state of security that doesn’t get much attention: the current method of threat testing is both much more expensive than it needs to be and not very effective. The story mentioned a chief information security officer whose company changed course after a ransomware attack two years ago and found that the change had this impact:

the price was cheaper than employing so-called penetration testers, who do similar work but less regularly and effectively

That isn’t news to lots of people in the security industry, and it certainly applies to WordPress websites.

A common form of penetration testing of WordPress websites amounts to little more than running a tool called WPScan over them to identify claimed known vulnerabilities in WordPress plugins. At best, this provides a good snapshot of known vulnerabilities in plugins at one moment. But the results have been known to be very poor for many years.

One of the big problems with the results is the low quality of the data. As one example, earlier this year we noted that they claimed a vulnerability had been fixed in a plugin five months before there even was an attempt to address the claimed vulnerability. They were also confusingly claiming that it had been fixed in two different versions of the plugin. There wasn’t really a vulnerability. That wasn’t a one-off issue, as their data on claimed vulnerabilities is frequently wrong in at least one way.

While WPScan prominently markets their data as allowing you to “[b]e the first to know about vulnerabilities affecting your WordPress website”, in reality, that isn’t the case.

The Automated Replacement

There is a better alternative to that, which is also cheaper. With our service, you can have your website checked for known vulnerable plugins as often as every hour. That can be done because, unlike WPScan, we check from inside the website instead of from the outside. We then combine that with higher quality data than WPScan is using. That data is focused on plugins used by our customers.

If you are using a vulnerable plugin with an update available, it can be automatically updated.

If you are using a vulnerable plugin where there isn’t an update available, you then have access to support from someone knowledgeable with the vulnerability who can help you make the best decision on what to do. It might be safe to simply ignore the issue for the time being.
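The check described in the three paragraphs above, as an added example that is not the service’s own code: an in-site check reads the exact installed version of each plugin (something an outside scanner has to guess at), compares it against a vulnerability feed, and then decides per plugin whether an update resolves the issue or whether the finding needs a human decision. The plugin slugs, versions and feed entries are constructed for the example and do not describe real plugins or real vulnerabilities; the feed format is an assumption, not any vendor’s actual data format.

```python
"""
Added example: in-site check of installed WordPress plugins against a
vulnerability feed, returning the action the text describes for each hit
("update" when a fixed version exists, "review" when it does not).
All slugs, versions and feed entries here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory standing in for what a plugin running inside
# WordPress can read directly (slug -> installed version). Hypothetical slugs.
INSTALLED = {
    "example-forms": "2.3.1",
    "example-gallery": "1.10.0",
    "example-cache": "4.0.2",
}

# Constructed vulnerability feed (assumed format). A version is affected when
# it is >= affects_from and < affects_below; affects_below None means no
# upper bound, i.e. no fix has been released yet.
FEED = [
    {"slug": "example-forms", "affects_from": "2.0.0", "affects_below": "2.3.2",
     "fixed_in": "2.3.2", "title": "Hypothetical issue A"},
    {"slug": "example-gallery", "affects_from": "1.0.0", "affects_below": None,
     "fixed_in": None, "title": "Hypothetical issue B (no fix yet)"},
    {"slug": "example-cache", "affects_from": "3.0.0", "affects_below": "4.0.0",
     "fixed_in": "4.0.0", "title": "Hypothetical issue C (already fixed)"},
]


def parse_version(v: str) -> tuple:
    """Compare dotted versions numerically so that 1.10 > 1.9 (a plain string
    compare gets this wrong). Trailing zeros are dropped so 1.2.0 == 1.2."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, entry: dict) -> bool:
    """True if the installed version falls inside the feed entry's range."""
    iv = parse_version(installed)
    if iv < parse_version(entry["affects_from"]):
        return False
    if entry["affects_below"] is None:
        return True  # unfixed: everything from affects_from onward is affected
    return iv < parse_version(entry["affects_below"])


@dataclass
class Finding:
    slug: str
    installed: str
    title: str
    action: str  # "update" if a fixed version exists, otherwise "review"
    fixed_in: Optional[str]


def check_site(installed: dict, feed: list) -> list:
    """Run the feed against the inventory; intended to be scheduled hourly."""
    findings = []
    for entry in feed:
        version = installed.get(entry["slug"])
        if version is None or not is_affected(version, entry):
            continue  # plugin not installed, or installed version is outside the range
        action = "update" if entry["fixed_in"] else "review"
        findings.append(Finding(entry["slug"], version, entry["title"],
                                action, entry["fixed_in"]))
    return findings


if __name__ == "__main__":
    for f in check_site(INSTALLED, FEED):
        target = f" -> update to {f.fixed_in}" if f.action == "update" else " -> needs review"
        print(f"{f.slug} {f.installed}: {f.title}{target}")
```

Two details matter in practice: the version comparison must be numeric per component (string comparison would rank 1.9 above 1.10), and an entry with no upper bound must still match, since those are exactly the cases where the text says a person has to decide whether the issue can be ignored for now.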

The reason we can offer that for much less than WPScan based penetration testing is that penetration testers vastly overcharge for their services. Unfortunately, much of the security industry involves companies scamming their customers. The poor state of security despite so much money spent shows the result of that.

Taking Your Security to the Next Level

Automated testing like our service provides a lot of security, but you can go further than that. Also included in our service is the WordPress firewall plugin that testing shows provides the most protection against zero-day vulnerabilities, which are vulnerabilities being exploited before the developer of the software knows about them. Automated testing or WPScan based penetration testing can’t know about those until a hacker starts exploiting them.

For those with more budget, a better alternative to spending a lot on penetration testing is to get security reviews of plugins you use or are considering using. The security reviews we do are designed to catch what otherwise could be zero-days before they are exploited, as well as to make sure the plugins are more broadly secured. For many plugins, the price of such a review is much less than penetration testing costs.

While WordPress themes are much less of a security concern, we can also do reviews of those.
