Fri, 01 Jan 2010

Detecting stale versions of WordPress

I run a personal server that hosts web space for a few friends. Probably the most popular thing to do with the space is to install WordPress and run a personal blog.

A few days ago, I discovered some attackers were abusing one of the sites. Once we upgraded the site to the latest version of WordPress, the attack went away. So I wrote a tool that, every night, emails me a report of the locations of old versions of WordPress. A sample email:

Current version of WordPress: 2.9

oldroommate has WordPress 2.5 in /home/oldroommate/web/oldroommate.com/

Eek! WordPress 2.5 is old!

How it works

Each time it runs, it looks at wordpress.org to see what the current version is. The code to do that is written in Python and uses lxml.html. It prints the current version in the report, and it uses it when analyzing WordPress installs.

To analyze WordPress installs, it executes locate readme.html, looking for WordPress's tell-tale documentation file. For every such readme.html, if it matches a simple regular expression suggesting it's a WordPress readme file, it performs the following analysis:

If it found any installs of old WordPress, it prints a report like the one blockquoted above to stdout.
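The analysis step, written out as an added example for this page (this is not the code in the find-out-of-date-wordpress repository, just the same idea in runnable form): turn the paths that "locate readme.html" prints into candidate directories, read each install's version, compare it to the current release and build a report in the shape of the email above. Two things here are assumptions rather than facts from the post: that an old readme.html carries a "Version X.Y" line after the WordPress logo, and that wp-includes/version.php holds a line like $wp_version = '2.9'; the latter is read first because it is what WordPress itself uses and it is still present when an admin has deleted readme.html to hide the version. The sample directory tree is constructed inside a temp directory so the example runs without any real installs.

```python
"""Added example (not the blog post's own tool): flag WordPress installs
that are older than a reference version."""
import os
import re
import tempfile

# Assumed formats:
#   old readme.html: <img alt="WordPress" ... /><br /> Version 2.5</h1>
#   wp-includes/version.php: $wp_version = '2.5';
README_VERSION_RE = re.compile(r"WordPress.*?Version\s+(\d+(?:\.\d+)+)", re.S)
PHP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """'2.10' -> (2, 10): tuples compare numerically, strings do not
    ('2.10' < '2.9' as strings, which would hide a stale 2.9 install)."""
    return tuple(int(part) for part in text.split("."))


def candidate_dirs(locate_output):
    """Directories to inspect, from the lines `locate readme.html` prints.
    Note: locate reads the database built by updatedb, so an install added
    after the last updatedb run is not seen until the database is refreshed."""
    paths = [line.strip() for line in locate_output.splitlines() if line.strip()]
    return sorted({os.path.dirname(p) for p in paths})


def _first_match(path, regex):
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as handle:
        match = regex.search(handle.read())
    return match.group(1) if match else None


def install_version(install_dir):
    """Version string for a WordPress install, or None if the directory is
    not WordPress (e.g. another package that also ships a readme.html)."""
    version = _first_match(os.path.join(install_dir, "wp-includes", "version.php"),
                           PHP_VERSION_RE)
    if version is None:
        version = _first_match(os.path.join(install_dir, "readme.html"),
                               README_VERSION_RE)
    return version


def stale_installs(dirs, current):
    """[(install_dir, version)] for every install older than `current`."""
    stale = []
    for install_dir in dirs:
        version = install_version(install_dir)
        if version is not None and parse_version(version) < parse_version(current):
            stale.append((install_dir, version))
    return stale


def format_report(stale, current):
    """Report text in the shape of the nightly email."""
    lines = ["Current version of WordPress: %s" % current]
    for install_dir, version in stale:
        lines.append("%s has WordPress %s in %s/"
                     % (os.path.basename(install_dir), version, install_dir))
    return "\n".join(lines)


# Constructed sample tree: one old install found via readme.html, one old
# install whose readme.html was deleted, one current install, one non-WordPress
# readme.html that must be ignored.
SAMPLE_TREE = {
    "oldroommate": {"readme.html": '<h1 id="logo"><img alt="WordPress" '
                                   'src="wp-admin/images/wordpress-logo.png" />'
                                   '<br /> Version 2.5</h1>'},
    "hidden": {"wp-includes/version.php": "<?php\n$wp_version = '2.8.4';\n"},
    "uptodate": {"readme.html": '<img alt="WordPress" /><br /> Version 2.9</h1>',
                 "wp-includes/version.php": "<?php\n$wp_version = '2.9';\n"},
    "notwp": {"readme.html": "<h1>Some other PHP app</h1><p>Version 1.0</p>"},
}


def build_sample_tree(root):
    for name, files in SAMPLE_TREE.items():
        for rel, content in files.items():
            path = os.path.join(root, name, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as handle:
                handle.write(content)
    return sorted(os.path.join(root, name) for name in SAMPLE_TREE)


def demo(current="2.9"):
    """Run the scan over the constructed tree; returns [(basename, version)]."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    stale = stale_installs(build_sample_tree(root), current)
    return [(os.path.basename(d), v) for d, v in stale]


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="wp-scan-")
    print(format_report(stale_installs(build_sample_tree(root), "2.9"), "2.9"))
```

In real use the candidate list comes from subprocess output of locate rather than a constructed tree, and the "hidden" case is the reason to check wp-includes/version.php as well: deleting readme.html is common hardening advice, so a scan keyed only on that file silently skips exactly the installs whose owners already know about version disclosure but have not upgraded.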

How to use it

To get emails, I run it with cron. You can add a stanza like this to your crontab (edit it with crontab -e):

@daily cd find-out-of-date-wordpress; ./look.sh

Ta-da, nightly reports.

To get a copy

Do a git clone:

git clone git://git.asheesh.org/find-out-of-date-wordpress.git

or browse its gitweb.

Feedback

I'm quite interested to hear what others do to avoid old web apps being attacked. If there's another bit of software that monitors web apps for needing upgrades, I'd love to hear about it! Obviously if you have feedback on this tidbit I wrote, let me know.

(To me, apt-get doesn't seem to be the answer. Web apps (especially PHP ones) don't usually seem to support keeping the code in one place with multiple different configuration files. And users get excited about the latest and greatest and don't want to wait for me to upgrade, and I can't blame them.)

If some of you don't like the Python dependency or anything else, I do welcome patches!
