WordPress Watcher - Automating WPScan to scan and report vulnerable Wordpress sites
Features
- Scan multiple sites with WPScan
- Parse WPScan output and split the results into "Alerts", "Warnings", "Informations" and, where applicable, "Errors"
- Handles the WPVulnDB API limit
- Define reporting email addresses for every configured site individually and globally (wiki/Email-reports)
- Define false positives strings for every configured site individually and globally (wiki/False-positives)
- Define WPScan arguments for every configured site individually and globally (wiki/WPScan-configuration)
- Send scan reports to Syslog server (wiki/Syslog-output)
- Save raw WPScan output into files
- The log file can also list all the findings (wiki/Output)
- Speed up scans using several asynchronous workers
- Parse and follow URL redirects when WPScan fails, and offer to ignore the main redirect
- Scan sites continuously at a defined interval and configure the script as a Linux service (wiki/Linux-service)
- Additional alerts depending on the finding type (SQL dump, etc.) (match list)
- Keep track of fixed issues
- Simple library usage (wiki/Library-usage)
Prerequisites
- WPScan (itself requires Ruby and some libraries).
- Python 3
Install
With PyPi (stable)
python3 -m pip install 'wpwatcher' --upgrade
This installs WPWatcher without syslog output support. The wpwatcher command should be in your PATH.
Review the Wiki for more documentation.
Try it out
Simple usage
Scan 2 sites with default config.
wpwatcher --url exemple.com exemple1.com
More complete example
Load sites from a text file, add WPScan arguments, follow redirection if WPScan fails, use 5 asynchronous workers, and email custom recipients if there are any alerts, with the full WPScan output attached. If you reach your API limit, it will wait and continue 24h later.
wpwatcher --urls sites.txt \
--wpscan_args "--force --stealthy --api-token <TOKEN>" \
--follow_redirect \
--workers 5 \
--send --attach \
--email_to collaborator1@office.ca collaborator2@office.ca \
--api_limit_wait
WPWatcher must read a configuration file to send mail reports. This example assumes you have filled your config file with the mail server settings.
Inspect a report in database
wpwatcher --show <site>
Configuration
Select a config file with --conf <file path>. You can specify multiple files; each successive file overwrites the keys set by the previous ones.
Create and edit a new config file from template.
wpwatcher --template_conf > wpwatcher.conf
vim wpwatcher.conf
To load the config file by default, move the file to the following location:
- For Windows: %APPDATA%\.wpwatcher\wpwatcher.conf or %APPDATA%\wpwatcher.conf
- For Mac/Linux: $HOME/.wpwatcher/wpwatcher.conf or $HOME/wpwatcher.conf
See: All configuration options
Configuration example
Sample configuration file with a full-featured wp_sites entry, custom WPScan path and arguments, vuln DB API limit handling, and email and syslog reporting.
[wpwatcher]
wp_sites= [ {
"url":"exemple.com",
"email_to":["site_owner@domain.com"],
"false_positive_strings":[
"Yoast SEO 1.2.0-11.5 - Authenticated Stored XSS",
"Yoast SEO <= 9.1 - Authenticated Race Condition"],
"wpscan_args":["--stealthy"]
},
{ "url":"exemple2.com" } ]
wpscan_path=/usr/local/rvm/gems/default/wrappers/wpscan
wpscan_args=[ "--format", "json",
"--no-banner",
"--random-user-agent",
"--disable-tls-checks",
"--api-token", "YOUR_API_TOKEN" ]
api_limit_wait=Yes
send_email_report=Yes
email_to=["me@gmail.com"]
from_email=me@gmail.com
smtp_user=me@gmail.com
smtp_server=smtp.gmail.com:587
smtp_ssl=Yes
smtp_auth=Yes
smtp_pass=P@assW0rd
syslog_server=syslogserver.ca
syslog_port=514
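To make the per-site overrides in the wp_sites entry above and the "Alerts"/"Warnings"/"Informations" split from the feature list concrete, here is an added example (not WPWatcher's own code). It assumes a simple merge rule (per-site lists appended to the global ones) and a constructed, abridged report shaped like WPScan's --format json output; the false-positive strings are matched as substrings of vulnerability titles.

```python
import json

# Constructed config values, shaped like the [wpwatcher] sample above.
GLOBAL_CONF = {"email_to": ["me@gmail.com"], "false_positive_strings": [],
               "wpscan_args": ["--format", "json", "--no-banner"]}
SITE_CONF = {"url": "exemple.com", "email_to": ["site_owner@domain.com"],
             "false_positive_strings": ["Yoast SEO <= 9.1 - Authenticated Race Condition"],
             "wpscan_args": ["--stealthy"]}

# Constructed report, abridged, shaped like WPScan's --format json output (assumed layout).
WPSCAN_JSON = """{
  "interesting_findings": [{"to_s": "XML-RPC seems to be enabled: http://exemple.com/xmlrpc.php"}],
  "version": {"number": "5.4", "status": "outdated", "vulnerabilities": []},
  "plugins": {"wordpress-seo": {"version": {"number": "9.0"}, "outdated": true,
    "vulnerabilities": [
      {"title": "Yoast SEO <= 9.1 - Authenticated Race Condition", "fixed_in": "9.2"},
      {"title": "Yoast SEO < 11.6 - Authenticated Stored XSS", "fixed_in": "11.6"}]}}
}"""

def merge_site_conf(global_conf, site_conf):
    """Per-site lists are appended to the global ones (assumed rule, not WPWatcher's)."""
    merged = {"url": site_conf["url"]}
    for key in ("email_to", "false_positive_strings", "wpscan_args"):
        merged[key] = list(global_conf.get(key, [])) + list(site_conf.get(key, []))
    return merged

def classify(report, false_positives):
    """Split a parsed WPScan report into alerts, warnings and infos."""
    alerts, warnings, infos = [], [], []
    core = report.get("version") or {}
    if core.get("status") in ("outdated", "insecure"):
        warnings.append(f"WordPress {core.get('number')} is {core['status']}")
    for comp in [core] + list(report.get("plugins", {}).values()):
        if comp.get("outdated"):  # plugin flagged outdated by WPScan
            warnings.append(f"Outdated component version {comp['version']['number']}")
        for vuln in comp.get("vulnerabilities", []):
            title = vuln["title"]
            if any(fp in title for fp in false_positives):
                infos.append(f"Ignored false positive: {title}")  # suppressed, still logged
            else:
                alerts.append(f"{title} (fixed in {vuln.get('fixed_in', '?')})")
    infos.extend(f["to_s"] for f in report.get("interesting_findings", []))
    return alerts, warnings, infos

def scan_summary(global_conf, site_conf, wpscan_json):
    """Build the per-site report dict that would be emailed to the merged recipients."""
    conf = merge_site_conf(global_conf, site_conf)
    alerts, warnings, infos = classify(json.loads(wpscan_json), conf["false_positive_strings"])
    return {"url": conf["url"], "email_to": conf["email_to"], "wpscan_args": conf["wpscan_args"],
            "alerts": alerts, "warnings": warnings, "infos": infos}
```

Running `print(json.dumps(scan_summary(GLOBAL_CONF, SITE_CONF, WPSCAN_JSON), indent=2))` shows the race-condition entry demoted to an info line while the XSS entry stays an alert.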
Email reports
One report is generated per site and the reports are sent individually when finished scanning a website.
Questions?
If you have any questions, please create a new issue.
Contribute
If you like the project and think you could help with making it better, there are many ways you can do it:
- Create new issue for new feature proposal or a bug
- Implement existing issues
- Help with improving the documentation
- Spread the word about the project to your colleagues, friends, blogs or any other channels
- Any other things you could imagine
- Any contribution would be of great help
Running tests
pytest
Authors
- Florian Roth (Original author of WPWatcher v0.2)
- Tristan Landes
Hashes for wpwatcher-2.4.7-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 4bda1986533fd9e00fe8970b7428633e79f879141bd444bba7b51cb39641193c
MD5 | 24ccec2837dd362a3c3d627d280f303c
BLAKE2b-256 | 81debfbaef927e50a5b7ef88edf1dd76824ff349d9681c7a3611d3cbd36522d7