RandomStorm has announced a free download intended to help keep Websites from being hacked. The WordPress Scanner checks blogs for installed plug-ins with known weaknesses that could give attackers a way into a Website.
WordPress Scanner has been developed by RandomStorm penetration tester Ryan Dewhurst, who also developed the Damn Vulnerable Web Application (DVWA), a deliberately insecure application used to teach developers and security professionals how to secure Web applications. The WordPress Scanner software enables security professionals and WordPress administrators to check for installed plug-ins or known vulnerabilities that could leave blogs and Websites open to attack.
Common Website attacks include SQL injection; defacement, such as swapping a corporate logo for the slogan of a protest group; cross-site scripting (XSS); and code execution. Organisations whose Websites have been compromised by such methods include the BBC, whose 6 Music and 1Xtra Websites were used to host a drive-by download attack that infected visitors' computers with the Phoenix Trojan, and the Sun newspaper, whose Website displayed a false story, planted by the LulzSec hacker group, that Rupert Murdoch had died.
Commenting on the new vulnerability scanning tool, Ryan Dewhurst said: “Sometimes it is not easy to spot when a blog has been compromised. Hackers use tactics such as inserting infected iframes, which look like normal pictures on the Web page, but which can be used to initiate drive-by downloads of malware to visitors’ computers. This sort of activity can get your site blacklisted, so it’s important to scan for vulnerabilities and remove them.”
The WordPress Scanner is a black-box tool, meaning it tests a site from the outside with no access to its source code or server, and is written in the Ruby programming language. It is available for free download.
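As an added illustration (not part of the original announcement and not WPScan's own code), the Ruby script below shows the black-box approach such a scanner takes: it harvests plug-in slugs from the paths a page references under /wp-content/plugins/, fetches each plug-in's readme.txt and reads the "Stable tag:" line for its version, then compares that version against a list of known issues. The HTML page, the readme files, the fetcher and the vulnerability entries are all constructed for the example; no real plug-ins or advisories are described.

```ruby
# Added example of black-box WordPress plug-in fingerprinting.
# Not WPScan code; all site content and "advisories" below are constructed.

# Plug-in slugs appear in page HTML as /wp-content/plugins/<slug>/...
PLUGIN_PATH_RE = %r{/wp-content/plugins/([a-z0-9_-]+)/}i

# Return the sorted, de-duplicated set of plug-in slugs a page references.
def plugins_from_html(html)
  html.scan(PLUGIN_PATH_RE).flatten.map(&:downcase).uniq.sort
end

# Plug-ins ship a readme.txt whose "Stable tag:" line states the version.
# Returns nil when the readme is missing (404) or has no usable tag.
def version_from_readme(readme)
  return nil if readme.nil?
  m = readme.match(/^\s*Stable tag:\s*([\d.]+)/i)
  m ? m[1] : nil
end

# Numeric dotted-version comparison, so "1.9" < "1.10" and "2.1.0" == "2.1".
def version_lt?(a, b)
  pa = a.split('.').map(&:to_i)
  pb = b.split('.').map(&:to_i)
  len = [pa.size, pb.size].max
  ((pa + [0] * (len - pa.size)) <=> (pb + [0] * (len - pb.size))) == -1
end

# Hypothetical issue list keyed by slug (constructed, not a real advisory database).
KNOWN_ISSUES = {
  'example-gallery'   => { fixed_in: '2.1.0', note: 'SQL injection in image lookup (constructed)' },
  'demo-contact-form' => { fixed_in: '1.4',   note: 'reflected XSS in form handler (constructed)' }
}.freeze

# Black-box scan: fetcher is any callable returning a response body for a path,
# or nil when the path does not exist. Returns one result hash per plug-in.
def scan(html, fetcher)
  plugins_from_html(html).map do |slug|
    readme  = fetcher.call("/wp-content/plugins/#{slug}/readme.txt")
    version = version_from_readme(readme)
    issue   = KNOWN_ISSUES[slug]
    vulnerable = !!(issue && version && version_lt?(version, issue[:fixed_in]))
    { slug: slug, version: version, vulnerable: vulnerable, note: vulnerable ? issue[:note] : nil }
  end
end

# Constructed sample page: three plug-ins referenced via their asset paths.
SAMPLE_HTML = <<~HTML
  <link rel="stylesheet" href="https://blog.example/wp-content/plugins/example-gallery/css/gallery.css?ver=2.0.3">
  <script src="/wp-content/plugins/demo-contact-form/js/form.js"></script>
  <script src="/wp-content/plugins/harmless-widget/widget.js"></script>
HTML

# Constructed stand-in for the remote site; harmless-widget has no readme.txt (404 -> nil).
SAMPLE_SITE = {
  '/wp-content/plugins/example-gallery/readme.txt'   => "=== Example Gallery ===\nStable tag: 2.0.3\n",
  '/wp-content/plugins/demo-contact-form/readme.txt' => "=== Demo Contact Form ===\nStable tag: 1.4\n"
}.freeze

# Run the scan against the constructed site (replace the lambda with an HTTP GET for a live target).
def demo_scan
  scan(SAMPLE_HTML, ->(path) { SAMPLE_SITE[path] })
end

if __FILE__ == $PROGRAM_NAME
  demo_scan.each do |r|
    status = r[:vulnerable] ? "VULNERABLE: #{r[:note]}" : 'no known issue'
    puts "#{r[:slug]} #{r[:version] || '(version unknown)'} - #{status}"
  end
end
```

The version check matters: a plug-in found at exactly its fixed version (demo-contact-form 1.4 here) must not be reported, and a missing readme.txt leaves the version unknown rather than assuming the plug-in is safe or vulnerable.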
Andrew Mason, Technical Director at RandomStorm, commented, “WordPress Scanner forms part of RandomStorm’s overall service to help companies to close vulnerabilities in their Web applications and improve security for their business and their customers.”
RandomStorm provides vulnerability scanning and intrusion detection services to help companies improve their security posture. The company is a CESG CHECK security consultancy and recently announced that it has been certified as a Qualified Security Assessor (QSA) by the Payment Card Industry Security Standards Council, enabling qualified employees to carry out audits that help merchants comply with the Payment Card Industry Data Security Standard (PCI DSS).