WPVulnDB Automatic Queue For Continuance

Open

Security
Extension Enhancement

Sanja Tosanovic

2 years ago

Since the vulnerability database began charging for API access with only 50 free per day, the value of the extension has really been limited. It would be nice if a feature could be added so that we could enter the number of API requests we get per day (50 for free or some other for those who pay), and have the extension stop after exhausting each of those API calls and then queue up the remaining ones to begin on the following day when the credit is refreshed. This would allow the system to ‘rotate’ through sites each day as API credits were available and provide at least some level of scanning instead of nothing.

Another option would be to be able to include this as part of the maintenance extension, so users could just set maintenance tasks for each site they wish to scan and have them run on different days when the API credit is refreshed.

Activity


Anonymous #9653

2 years ago

I wanted to open a new suggestion for the Vulnerability Checker Extension, but it has a very similar goal to this one. So instead I will post it here as a comment:


The current handling of API requests is not very efficient. There is one request for every WP Core, Plugins and Themes on each site. This is why the API credits get eaten up very quickly.

In our scenario we run very similar setups on all sites for easier maintainability. So for 20 sites we use three themes and about 20 different plugins which are used across most sites.

And thanks to MainWP we also update themes and plugins on all sites at the same time. So in this example we have 1 WP Core, 3 themes and 20 plugins all within the same version. So in general there are only 24 different combinations which need to be checked for vulnerabilities.

It would be a great improvement for the Vulnerability Checker Extension to have a more efficient implementation of WPScan API requests. This could be achieved by collecting the theme/plugin/version combinations first, before doing any API calls. Then all duplicates could be removed, and an API request would only need to be made for each unique combination.


And if there are more than 50 combinations the initial suggestion could be added on top. So the extension could rotate and check 50 combinations per day.


Stin Priza coop

2 years ago

Great idea. Maybe instead of scanning each site with lots of duplicate plugins/core/themes among them, it can scan versions one at a time and just copy the report to each site running the same plugin/core/theme version. It would save a lot of API calls, since most administrators prefer specific plugins for similar functionality across managed WP sites.

+1.


Matt Jewel

last month

WPScan has now started to send annoying automated emails when you hit the API limit. I would highly appreciate a more efficient implementation like the one described above by Anonymous #9653.

I think it should be quite simple by running the theme/plugin/version slug through array_unique() before sending the request to the WPScan API.

Thanks
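
The deduplication and daily rotation suggested in the comments above, as an added PHP example that is not code from MainWP, the Vulnerability Checker Extension or WPScan. All function names and the sample inventory are hypothetical, and the API request is replaced by a placeholder value:

```php
<?php
// Added illustration, not MainWP or WPScan code; all function names are hypothetical.

// Map each unique "type|slug|version" key to the set of sites running it.
function collect_unique_components(array $sites): array
{
    $index = [];
    foreach ($sites as $site => $components) {
        foreach ($components as [$type, $slug, $version]) {
            $index["$type|$slug|$version"][$site] = true; // set semantics: no duplicate sites
        }
    }
    ksort($index); // deterministic queue order across days
    return $index;
}

// Split the pending keys into today's batch (within quota) and the carry-over queue.
function plan_day(array $pending, int $dailyQuota): array
{
    $quota = max(0, $dailyQuota);
    return [array_slice($pending, 0, $quota), array_slice($pending, $quota)];
}

// Copy each per-key result to every site that runs that component.
function fan_out(array $index, array $resultsByKey): array
{
    $perSite = [];
    foreach ($resultsByKey as $key => $result) {
        foreach (array_keys($index[$key] ?? []) as $site) {
            $perSite[$site][$key] = $result;
        }
    }
    return $perSite;
}

// Constructed inventory: three sites, nine installed components, five unique.
$sites = [
    'a.example' => [['core', 'wordpress', '6.0'], ['theme', 'base', '2.1'], ['plugin', 'forms', '1.4']],
    'b.example' => [['core', 'wordpress', '6.0'], ['theme', 'base', '2.1'], ['plugin', 'cache', '3.0']],
    'c.example' => [['core', 'wordpress', '6.0'], ['theme', 'shop', '1.0'], ['plugin', 'forms', '1.4']],
];
$index = collect_unique_components($sites);
$queue = array_keys($index);
$quota = 3;    // small constructed quota; the free tier mentioned on the page is 50 per day
$reports = []; // per-site results accumulated across days
for ($day = 1; $queue && $quota > 0; $day++) {
    [$today, $queue] = plan_day($queue, $quota);
    $results = array_fill_keys($today, 'lookup-result'); // stand-in for one API request per key
    $reports = array_replace_recursive($reports, fan_out($index, $results));
    printf("day %d: %d requests, %d queued\n", $day, count($today), count($queue));
}
```

A real implementation would persist the carry-over queue between runs and re-collect the inventory after updates, since a version change produces a new key.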

