Skip to main content

WordPress Watcher is a Python wrapper for WPScan that manages scans on multiple sites and reports by email.

Project description

WPWatcher

Automating WPScan to scan and report vulnerable Wordpress sites

Features

  • Scan multiple sites with WPScan
  • Parse WPScan output and divide the results in "Alerts", "Warnings", "Informations" and eventually "Errors"
  • Keep track of fixed issues
  • Handled VulnDB API limit
  • Define reporting emails addresses for every configured site individually and globally
  • Define false positives strings for every configured site individually and globally
  • Define WPScan arguments for every configured site individually and globally
  • Save raw WPScan results into files
  • Speed up scans using several asynchronous workers
  • Follow URL redirection if WPScan fails and propose to ignore main redirect
  • Log file also lists all the findings
  • Scan sites continuously at defined interval and configure script as a linux service
  • Prescan sites without API token, then use token on site having issues (i.e. outdated Wordpress, plugin version) only to save API calls

Prerequisites

  • WPScan (itself requires Ruby and some libraries).
  • Python 3 (standard libraries)
  • Tested on Linux and MacOS

Install

With PyPi (stable)

python3 -m pip install wpwatcher
Update
python3 -m pip install wpwatcher --upgrade

Manually (develop)

git clone https://github.com/tristanlatr/WPWatcher.git
cd WPWatcher
python3 setup.py install

wpwatcher should be in your PATH but you can always run the python script directly

python3 ./wpwatcher/cli.py --url exemple3.com -v

Try it out

Simple usage
Scan 2 sites with default config.

wpwatcher --url exemple.com exemple1.com

More complete exemple
Load sites from text file , add WPScan arguments , follow redirection if WPScan fails and propose to use --ignore-main-redirect, use 5 asynchronous workers , email custom recepients if any alerts with full WPScan output attached. If you reach your API limit, it will wait and continue 24h later.

wpwatcher --urls sites.txt \
        --wpscan_args "--force --stealthy --api-token <TOKEN>" \
        --follow_redirect \
        --workers 5 \
        --send --attach \
        --email_to collaborator1@office.ca collaborator2@office.ca \
        --api_limit_wait

Review the Wiki for more documentation, anyone can edit Wiki pages, please feel free to add any useful documentation, exemples or tips !

Notes on script behaviours

  • The script will automatically try to delete all temp wpscan files in /tmp/wpscan before starting scans. You might run into file not found error (#13), please consider adding --cache-ttl 0 to WPScan arguments.
  • You might want to use --ff (fail fast) when you're setting up and configuring the script. Abort scans when WPScan fails, useful to troubleshoot.
  • All messages are printed to stdout.
  • WPWatcher store a database of reports and compare reports one scan after another to notice for fixed issues. Default location is ~/.wpwatcher/wp_reports.json. Set wp_reports=null in the config to disable this feature.

Return non zero status code if :

  • One or more WPScan command failed
  • Unable to send one or more email report
  • Other errors

Configuration

WPWatcher must read a configuration file to send mail reports.
See Wiki for more informations.

Select config file with --conf File path. You can specify multiple files. Will overwrites the keys with each successive file. If not specified, it will try to load config from files ~/.wpwatcher/wpwatcher.conf , ~/wpwatcher.conf and ./wpwatcher.conf, in this order.

Create and edit a new config file from template. ( --template_conf argument print a default config file )

wpwatcher --template_conf > ./wpwatcher.conf
vim ./wpwatcher.conf

See complete list of options here.

Notes about WPScan API token

You need a WPScan API token in order to show vulnerability data and be alerted of vulnerable WordPress or plugin. If you have large number of sites to scan, you'll probably can't scan all your sites because of the limited amount of daily API request. Turn on api_limit_wait to wait 24h and contuinue scans when API limit si reached.
If no API token is provided to WPScan, scans will still trigger WARNING emails with outdated plugin or WordPress version.
Please make sure you respect the WPScan license.

Configuration exemple

Simple configuration file with SMTP authentication, full featured wp_sites entry and WPScan arguments.

[wpwatcher]
wpscan_path=wpscan
wp_sites=   [ {   
                "url":"exemple.com",
                "email_to":["site_owner@domain.com"],
                "false_positive_strings":[
                    "Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS",
                    "Yoast SEO <= 9.1 - Authenticated Race Condition"],
                "wpscan_args":["--stealthy"]
              },
              { "url":"exemple2.com"  }  ]
wpscan_args=[   "--format", "json",
                "--no-banner",
                "--random-user-agent", 
                "--disable-tls-checks",
                "--api-token", "YOUR_API_TOKEN" ]
send_email_report=Yes
email_to=["me@gmail.com"]
from_email=me@gmail.com
smtp_user=me@gmail.com
smtp_server=smtp.gmail.com:587
smtp_ssl=Yes
smtp_auth=Yes
smtp_pass=P@assW0rd

You can store the API Token in the WPScan default config file at ~/.wpscan/scan.yml and not supply it via the wpscan CLI argument in the WPWatcher config file. See WPSacn readme.

Run wpwatcher --help to see options configurable with CLI.

Email reports

One report is generated per site and the reports are sent individually when finished scanning a website.
See Wiki for more informations.

WPWatcher Report List

WPWatcher Report

Output

See Wiki.

Library usage

See Wiki.

Changelog

See Releases

Questions ?

If you have any questions, please create a new issue.

Contribute

If you like the project and think you could help with making it better, there are many ways you can do it:

  • Create new issue for new feature proposal or a bug
  • Implement existing issues
  • Help with improving the documentation
  • Spread a word about the project to your collegues, friends, blogs or any other channels
  • Any other things you could imagine
  • Any contribution would be of great help

Running tests

python3 -m unittest tests.quick_test

Authors

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

wpwatcher-2.2.3.dev1.tar.gz (33.6 kB view details)

Uploaded Source

Built Distribution

wpwatcher-2.2.3.dev1-py3-none-any.whl (39.1 kB view details)

Uploaded Python 3

File details

Details for the file wpwatcher-2.2.3.dev1.tar.gz.

File metadata

  • Download URL: wpwatcher-2.2.3.dev1.tar.gz
  • Upload date:
  • Size: 33.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/49.2.0 requests-toolbelt/0.9.1 tqdm/4.48.0 CPython/3.8.5

File hashes

Hashes for wpwatcher-2.2.3.dev1.tar.gz
Algorithm Hash digest
SHA256 17de818f4b3e181810ba0c245c1dad310194bcf667ecaff8d35b40e0111c65eb
MD5 527a8606117d268d2517885143128606
BLAKE2b-256 968971b6040b8b0a8184b1be5a98866622386aa2351eaf5ca1eb9ce1ac6f8785

See more details on using hashes here.

File details

Details for the file wpwatcher-2.2.3.dev1-py3-none-any.whl.

File metadata

  • Download URL: wpwatcher-2.2.3.dev1-py3-none-any.whl
  • Upload date:
  • Size: 39.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/49.2.0 requests-toolbelt/0.9.1 tqdm/4.48.0 CPython/3.8.5

File hashes

Hashes for wpwatcher-2.2.3.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 383a799271999976490bc473cacd6e473ebae4a593fe9513c1a09d30345dfaeb
MD5 e3596253fad598ddd5966701b7b9b0b2
BLAKE2b-256 d285c82baf7d4ddd9dc2868d3398bc5de6c619ac8a974cbdbaa5c07ebcca9773

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page