A recent trend with some WordPress Plugins (and Google Chrome Extensions) is malicious parties will purchase existing plugins (extensions) and inject malicious code into new versions to infect sites and software, this is called “Supply Chain Attacks”. This is a personal unpaid review of Gravity Scan.
Update Feb 2018: Gravity Scan is shutting down 🙁
Recently WordFence wrote a blog post about Supply Chain Attacks found cases where older plugins are being purchased by malicious people in order to infect WordPress sites. WordPress CMS apparently runs 29% of the websites on the internet. Wordfence is a firewall and Gravity Scan is vulnerability scanner, they complement each other.
I have blogged here about setting up WordPress via Command line and setting up an Ubuntu server for as low as 42.5 a month on Vultr.
What can you do to protect your WordPress sites from “Supply Chain Attacks”? First, install the WordFence plugin (I blogged about it here). Wordfence gives you a great set of security settings and reports to keep your site safe. The Wordfence dashboard page on your site is a good place to stay up to date.
WordFence is a Firewall, Gravity scan is a vulnerability and malware scanner. Read more here.
Gravity scan is also made by the WordFence people to enable external audits and reports.
Sign up at https://www.gravityscan.com/ Verify your email and log in.
At login, you will be prompted to add a domain.
tip: You may want to whitelist Gravity scan servers. Read my guide about securing Ubuntu in the cloud.
sudo ufw allow from 22.214.171.124/27 to any port 443
A site scan will automatically be started.
Post Scan Actions
Speed Up future scans by downloading the Install Gravity Scan Accelerator (by clicking “Not instaled” under “Accelerator” in scan results) and follow the instructions to download, upload and verify the accelerator.
Read the Gravity Scan Accelerator Install Instructions here.
tip: I had to run the following command to make the
sudo chown www-data.www-data /www/gravityscan-agent-#############################################.php
I also clicked “Trust Badge” link and added the script code to my site and verified it.
I now have a scan badge in my site footer.
Future scans are all good to go.
New Scan Options
It looks as if the accelerator gives more server-side verifications of checks of WordPress and PHP versions etc.
Gravity Scan also offers a non-free (paid) version where you can enable more options, enable scan schedules and set up SMS alerts and more for $4.95 a month per site.
To be honest I am happy with performing manual scans and I’d rather pay for a premium WordFence subscription first.
Hang on Gravity scan requires a Pro membership to see High and Critical issues 🙁
I decided not to go pro to reveal issues.
A few months later
I started receiving scan results with severity Critical (but I can’t see results until I start a trail (and enter payment details)).
Time to start a trial
I started a trial and full details were shown, the critical error was my fault
Publically accessible file (fixed with a chmod command)
Current Scan Results
Remote Scan Options
Daily Scans, Alter levels, Malware, Vulnerability and status checks. Definitely, install the Accelerator as it found my local backup of WordPress.
- Found a publically readable file
- Found a past copy of my WordPress site (and all known issues with the old WordPress backup).
- Can setup daily remote scans.
- You have to go pro.
- Cant read my NGINX version (“Nginx version not detected, Gravityscan is unable to detect any associated vulnerabilities.“). I logged a ticket. Surely they can add a shell to”nginx -v” to the scan accelerator.
- No word fence discount bundle?
- Gravity scan and Word fence on twitter are slow to respond.
More to come.
- Run and Ubuntu Security scan with Lynis
- WordFence security plugin for WordPress
- Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
- Setting up additional server storage on cloud servers (block storage on Vultr)
Hope this helps someone.
Donate and make this blog better
Ask a question or recommend an article[contact-form-7 404 "Not Found"]
V.1.5 Gravity Scan shutting down
v1.4 Added remote scan options
v1.3 Pros and Cons and current results.
v1.2 Added more
v1.1 Fixed a few issues
v1.0 Initial Version