
WordPress VIP hosts many of the largest sites on the web, and as such these sites are likely targets of cyber attacks. Sites hosted by WordPress VIP can’t afford to have a vulnerability live for a single minute. That’s a tough ask for site managers given that there are more than 38,000 known WordPress vulnerabilities, and more vulnerabilities are discovered daily.
Facebook, Merck, Salesforce, and CNN are examples of large sites hosted by WordPress VIP. Because these sites tend to be complex, they often run many plugins at once and frequently consider new ones.
WordPress VIP has relied on WPScan for vulnerability alerts since 2021. WPScan is used in two ways:
- Customers have an overview of all vulnerabilities and available updates from their VIP Dashboard; plugins are regularly checked against the WPScan database, and new vulnerabilities are quickly displayed. From the Plugins panel, the customer can create a pull request to update their plugins.
- VIP customers manage their codebase through a fully integrated GitHub code repository. When a pull request for code changes is created, prior to deployment, a VIP bot scans new and updated plugins or themes and checks these against the WPScan database. Vulnerabilities and available updates are highlighted right there in the pull request, allowing developers to fix any issues before the code is deployed.
Here is an example screenshot of Bot feedback for a pull request based on a Vulnerability and Update Scan:

Guðmundur Haraldsson, Philosopher of Code on WordPress VIP
“WordPress VIP constantly strives to help customers to be proactive in maintaining the security of their online websites and applications. With the Vulnerability and Update Scan, customers now get a notification before deployment if one of their open-source WordPress plugins or themes has known security vulnerabilities.”
Why WordPress Vulnerability Scanning is Essential
The combination of scanning code before it is deployed and scanning deployed code for new vulnerabilities provides comprehensive coverage for VIP customers.
WordPress VIP knows that discovering pre-existing vulnerabilities in code after it has been deployed is too late and disrupts their customers’ development planning. Scanning the plugin and theme code on the GitHub pull request gives customers time to include mitigation in their regular development processes, rather than reacting to an undue emergency. Scanning pull requests with data from WPScan makes it easier for VIP customers to ensure they only deploy secure and up-to-date code.
Providing a promptly updated view of vulnerabilities and updates, broken down by CVSS level, allows customer teams to plan work into their development cycles according to their priorities.
This initiative from WordPress VIP represents a major step forward in the fight against cyber attacks. By integrating WPScan, WordPress VIP is providing its customers with the tools they need to keep their sites secure and up-to-date, even in the face of a constantly evolving threat landscape.