Wordpress Plugin Scanner

September 26th, 2007 | by tk2 |

I’ve read some articles about how to make our Wordpress blog safer. It’s said that by adding a blank index.html file in the plugin directory, we can stop the bad guys from seeing which plugins we are using.

Well, if you think from the script kiddies’ perspective, do they even need to know which plugins are running on the victim’s blog? If they get a WP exploit from the net, they’ll just fire it at any WP blog they find. If the exploit doesn’t work, they’ll move on to another blog.

One more thing: adding a blank html page in the plugin folder will not hide your plugin list. We can still guess it using each plugin’s fingerprint. Let’s take the gravatar plugin for example. If you install this plugin, it adds a gravatar.php file in the plugin folder. So, even though you can’t see the list, you can still browse to http://www.site.com/wp-content/plugins/gravatar.php.

See if it exists or not. If it doesn’t exist you will get a 404 error page [some blogs will redirect to the root directory instead].

Instead of guessing the plugin one by one, I created a program to do it automatically.

Wordpress Plugin Scanner \'0'/

This software is written in VB6 and works on the concept described above. Using a list of signatures, it guesses the plugin files in the plugin folder even when the folder listing is hidden with index.html.

[Pros]
-Scans automatically.
-You can add your own plugin signatures.

[Cons]
-Slow, because it’s not multithreaded.
-Buggy. Sometimes you’ll get a connection error, depending on your internet connection and the blog’s server.

[Screenshot]

Wp plugin scanner

Download it here [+ source code]

Actually, I made this to kill time, so please don’t expect too much from it. Later I’ll add it to the project section.

P/s: If you really want to hide your plugin list, use .htaccess instead of index.html. It’s all the same. My plugin folder? I leave it open to the public. Lol.

3 Responses to “Wordpress Plugin Scanner”

By flisterz on Sep 30, 2007

wow ur good. but yeah, u need to ‘guess’. well

By khairil z on Oct 1, 2007

what is this little programme for, again?

By Danny Foo on Mar 16, 2008

Thanks for informing us. And I get the feeling this is for the ‘script kiddies’ too.

If a hacker really wanted to hack your site, they would and they could.

Nonetheless, good point to prove, and it’ll be an even better point to prove to Wordpress how to secure their application better. :)