A recent trend with some WordPress plugins (and Google Chrome extensions) is that malicious parties purchase existing plugins (or extensions) and inject malicious code into new versions to infect sites and software; this is called a "supply chain attack". This is a personal, unpaid review of Gravity Scan.
Recently WordFence wrote a blog post about supply chain attacks, describing cases where older plugins are being purchased by malicious people in order to infect WordPress sites. WordPress apparently runs 29% of the websites on the internet.
I have blogged here about setting up WordPress via the command line and setting up an Ubuntu server for as low as 42.5 a month on Vultr.
What can you do to protect your WordPress sites from supply chain attacks? First, install the WordFence plugin (I blogged about it here). WordFence gives you a good set of security settings and reports to keep your site safe, and the WordFence dashboard page on your site is a good place to stay up to date.
Gravity Scan is also made by the WordFence people; it scans your site from the outside and produces audit reports.
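Scanners compare your installed files against a known-good copy, so it also helps to keep your own baseline of what is in the plugin directory and look at exactly what an update changed. The script below is an added example written for this post; it is not Wordfence or Gravity Scan code. It records a SHA-256 manifest of every plugin file, reports files that changed, appeared or disappeared since the baseline, and greps only those files for markers that injected PHP commonly uses. The plugin path in PLUGIN_DIR, the default manifest name and all function names are assumptions. A legitimate update also changes files, so the script cannot tell a benign release from a malicious one by itself; its value is that a plugin you did not expect to update, or a new obfuscated file in an old plugin, stands out for review.

```shell
#!/bin/sh
# Added example (not Wordfence or Gravity Scan code): baseline the WordPress
# plugin tree with SHA-256 and report what changed after an update.
# PLUGIN_DIR is an assumed path; override it for your install, e.g.
#   PLUGIN_DIR=/srv/www/wp-content/plugins ./plugin-audit.sh audit /root/plugins.sha256
PLUGIN_DIR="${PLUGIN_DIR:-/var/www/html/wp-content/plugins}"

# snapshot_plugins DIR MANIFEST
#   Writes "sha256  ./relative/path" for every regular file under DIR, sorted
#   by path. Keep MANIFEST outside the web root (ideally off the box): an
#   attacker who can write to DIR could otherwise rewrite the baseline too.
snapshot_plugins() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# diff_plugins DIR OLD_MANIFEST
#   Prints "CHANGED path", "NEW path" or "REMOVED path" for each difference
#   between OLD_MANIFEST and a fresh snapshot of DIR.
#   Returns 0 when nothing differs, 1 otherwise.
diff_plugins() {
    new_manifest="$(mktemp)"
    snapshot_plugins "$1" "$new_manifest"
    # The path is everything after the two-space separator, so names with spaces survive.
    # FILENAME == ARGV[1] (rather than NR == FNR) keeps an empty baseline from being misread.
    differences="$(awk '
        { h = $1; p = substr($0, index($0, "  ") + 2) }
        FILENAME == ARGV[1] { old[p] = h; next }
        { seen[p] = 1
          if (!(p in old))      print "NEW " p
          else if (old[p] != h) print "CHANGED " p }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$new_manifest" | LC_ALL=C sort)"
    rm -f "$new_manifest"
    [ -z "$differences" ] && return 0
    printf '%s\n' "$differences"
    return 1
}

# flag_suspicious FILE...
#   Triage heuristic only: lists lines containing constructs that injected PHP
#   often uses. Legitimate plugins use some of these too, so read the hits.
flag_suspicious() {
    grep -nE 'eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|create_function' "$@" || true
}

# audit_plugins DIR MANIFEST
#   First run writes the baseline; later runs print the diff and grep the
#   changed/new files. Re-run "snapshot" only after you have reviewed the changes.
audit_plugins() {
    if [ ! -f "$2" ]; then
        snapshot_plugins "$1" "$2"
        echo "baseline written to $2 ($(( $(wc -l < "$2") )) files)"
        return 0
    fi
    report="$(diff_plugins "$1" "$2")" && { echo "no changes since baseline"; return 0; }
    printf '%s\n' "$report"
    printf '%s\n' "$report" |
        awk '$1 == "CHANGED" || $1 == "NEW" { print substr($0, index($0, " ") + 1) }' |
        while IFS= read -r f; do flag_suspicious "$1/$f"; done
    return 1
}

case "${1:-}" in
    snapshot) snapshot_plugins "$PLUGIN_DIR" "${2:-plugins.sha256}" ;;
    audit)    audit_plugins    "$PLUGIN_DIR" "${2:-plugins.sha256}" ;;
    "")       ;;  # no arguments: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 snapshot|audit [MANIFEST]" >&2 ;;
esac
```

Run it once as "snapshot" right after you have installed or updated plugins from a source you trust, then "audit" from cron or after every update notice. A non-zero exit from "audit" means the tree differs from the baseline; the grep hits under the diff are where to start reading, and the baseline should only be refreshed once you are satisfied the change was a legitimate release.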
Sign up at https://www.gravityscan.com/ Verify your email and log in.
At login, you will be prompted to add a domain.
A site scan will automatically be started.
Post Scan Actions
Speed up future scans by installing the Gravity Scan Accelerator: click "Not installed" under "Accelerator" in the scan results and follow the instructions to download, upload and verify the accelerator.
Read the Gravity Scan Accelerator install instructions here.
Tip: I had to run the following command to make the
sudo chown www-data:www-data /www/gravityscan-agent-#############################################.php
I also clicked the "Trust Badge" link, added the script code to my site and verified it.
I now have a scan badge in my site footer.
Future scans are all good to go.
New Scan Options
It looks as if the accelerator enables more server-side checks, such as verifying the WordPress and PHP versions.
Gravity Scan also offers a paid version, at $4.95 a month per site, where you can enable more options, set up scan schedules, receive SMS alerts and more.
To be honest I am happy with performing manual scans and I’d rather pay for a premium WordFence subscription first.
Hang on, Gravity Scan requires a Pro membership to see High and Critical issues 🙁
More to come.
- Run an Ubuntu security scan with Lynis
- WordFence security plugin for WordPress
- Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
- Setting up additional server storage on cloud servers (block storage on Vultr)
Hope this helps someone.
v1.0 Initial Version