Instant Scanner

Have you guys heard about Instant Server? It’s pretty rad. Basically, you push a button, wait a few seconds and they give you 35 minutes of usage on an SSH-able server. Once the 35 minutes is up, you can either pay to keep it running or they trash the server instance.

Anyhow, after trying to figure out some of the fun things I could do with it, I’ve come up something that security minded WordPress folks might find useful.

There’s this command line security scanner called WPScan that performs a bunch of non-intrusive checks against WordPress installs. Folks with Linux based systems can install and run it easily. It’s also a fairly trivial install for folks who’ve set up Homebrew on their Macs. But if you don’t want to mess with installing Xcode on your MacBook or you have a (gag) Windows machine, try this out…

  1. Spin up an Instant Server instance.
  2. Log in via SSH.
  3. Run the following command:
    sudo apt-get install libcurl4-gnutls-dev libopenssl-ruby libxml2 libxml2-dev libxslt1-dev ruby-dev git make && git clone && cd wpscan && sudo gem install bundler && bundle install --without test development
  4. After that finishes running, you should have roughly 30 minutes left on the server.
  5. Run this command:
    ruby wpscan.rb --url --enumerate
    (Make sure to replace with your own domain.)
  6. Sit back and let WPScan tell you about any security issues you might need to address.

If you stay on top of core, plugin & theme updates, you shouldn’t really see anything surprising. But it’s always better to know your threats and limit your exposure, right?