

Show HN: Vulnerability scans for WordPress. No installation or code required. - xSwag
https://scanbeast.com/

======
junto
Would be cool to have some kind of free trial. Even if it did something like:

    
    
      6 vulnerabilities found
    
      Wordpress Core vX.x:
       1. CVS0001 - click here to resolve
       2. CVS0002 - click here to resolve
       3. CVS0003 - sign up to resolve
    
      Wordpress Plugins:
      - W3 Cache vX.x
        1. CVS0004 - click here to resolve
    
      - Jetpack vX.x
        1. CVS0005 - click here to resolve
        2. CVS0006 - sign up to resolve
     
      - ...
    

You get two Wordpress core fixes and two plugin fixes for free. The rest you
have to pay for.

It would be a good on-boarding process. I get to see that there are indeed
vulnerabilities, and I get a few solutions provided for free, but to resolve
the rest I need to sign up.

As someone with a single WordPress personal site the starter level is too
expensive. Have you considered a per-resolution fee? I.e. you find five
vulnerabilities with my site, I pay $X.XX per fix?

~~~
xSwag
Hi, thanks for the feedback. I've asked for credit card details to prevent the
abuse of this service since you can scan any website.

However, I'm currently in the process of working with the Google Analytics API
to provide free scans for verified websites where the user can prove ownership
-- this should roll out in about a week or so. Would you like me to drop you a
PM when I release this feature?

~~~
junto
Yes please, I'm @junto on Twitter.

------
BrandonMarc
Have you ever used McAfee Secure (formerly known as HackerSafe)? Security
scanning service for websites, looks for 1000's of different vulnerabilities,
rates by severity, provides a badge. It's actually quite extensive (and not
cheap), but it would be worth researching and seeing what you can emulate.

Their reputation is such that the credit-card vendors trust their results for
PCI compliance testing ... a major thing in e-commerce and online payment.

I believe a special filename & contents is required somewhere, to prove you do
indeed own the site you're scanning.

Perhaps you're not interested in competing with them yet, but it's something
to consider.
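The file-based proof of ownership mentioned above (a token the site owner must publish at a known path before the scanner will run against that host) is easy to get subtly wrong: the token should be random, bound to one origin, short-lived and single-use, and compared in constant time. The following is an added example written for this thread, not ScanBeast's or McAfee Secure's code; the `/.well-known/scanner-verify.txt` path, the 15-minute lifetime and the in-memory fake fetcher are assumptions chosen so it runs offline.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Assumed path at which the site owner publishes the token (hypothetical, chosen for this example).
VERIFY_PATH = "/.well-known/scanner-verify.txt"
# Assumed lifetime of an unanswered challenge.
TOKEN_TTL_SECONDS = 15 * 60


def normalize_site(site_url: str) -> str:
    """Reduce a URL to scheme://host so the challenge is bound to one origin."""
    parts = urlsplit(site_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("site URL must be an absolute http(s) URL")
    return f"{parts.scheme}://{parts.netloc.lower()}"


class OwnershipChallenges:
    """Issues per-origin verification tokens and checks that they are served back."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._pending = {}  # origin -> (token, expires_at)

    def issue(self, site_url: str) -> str:
        origin = normalize_site(site_url)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[origin] = (token, self._now() + TOKEN_TTL_SECONDS)
        return token

    def verify(self, site_url: str, fetch) -> bool:
        """fetch(url) -> (status_code, body_text). True only if the live token is served."""
        origin = normalize_site(site_url)
        entry = self._pending.get(origin)
        if entry is None:
            return False  # nothing issued, or already consumed
        token, expires_at = entry
        if self._now() > expires_at:
            del self._pending[origin]
            return False
        status, body = fetch(origin + VERIFY_PATH)
        if status != 200:
            return False
        ok = hmac.compare_digest(body.strip(), token)  # constant-time comparison
        if ok:
            del self._pending[origin]  # single-use: a verified challenge cannot be replayed
        return ok


def make_fake_fetcher(published: dict):
    """Constructed stand-in for an HTTP GET: maps URL -> (status, body), 404 otherwise."""
    def fetch(url):
        return published.get(url, (404, "Not Found"))
    return fetch


def demo() -> dict:
    """Walk through the failure modes against a constructed in-memory site."""
    clock = {"t": 1_000_000.0}
    store = OwnershipChallenges(now=lambda: clock["t"])
    site = "https://example.com/blog/"  # constructed sample site
    verify_url = "https://example.com" + VERIFY_PATH
    token = store.issue(site)
    results = {}
    results["before_publish"] = store.verify(site, make_fake_fetcher({}))
    results["wrong_token"] = store.verify(site, make_fake_fetcher({verify_url: (200, "nope")}))
    good = make_fake_fetcher({verify_url: (200, token + "\n")})
    results["correct"] = store.verify(site, good)
    results["replay"] = store.verify(site, good)
    token2 = store.issue(site)
    clock["t"] += TOKEN_TTL_SECONDS + 1
    results["expired"] = store.verify(site, make_fake_fetcher({verify_url: (200, token2)}))
    return results


if __name__ == "__main__":
    print(demo())
```

In a real deployment `fetch` would be an HTTP client that follows no cross-origin redirects and caps the response size, so that a redirect from the claimed host to a site the requester does control cannot satisfy the check.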

------
BorisMelnik
The fact that this is funded by Google bug bounties is really impressive.

I'll tell you right now, this is something we'd use. I manage a ton of
WordPress sites, and they are always getting hacked. Not root level server
hacks, but annoying database link injections and redirects.

Some other really nasty attacks going on especially with the latest patch that
fixed the XMLRPC hack which wrecked thousands of sites.

Would love to see more information on your site about what exactly it does,
what access it needs (is it a plugin) and what actions can be taken both
proactive and reactive.

Very useful and very cool!

------
jtokoph
Anyone else getting a request to connect with a client SSL certificate? I'm
unsure why it's asking for it.

~~~
xSwag
StartSSL has an issue with Apple computers. I'll be getting a better SSL cert
once I get more customers and revenue.

------
otto12
As a non-technical WP user with a couple of sites - this is great.

I could easily see people building their own business off of this service.

I will set up a test and see what the interest is in my local market.

There are so many angles to try.

Nice little marketing project for my evening hours.

------
xSwag
Hi everyone, this is the MVP I have been working on. It's almost 5am in the UK
right now and I just wanted to launch as soon as possible and stop
procrastinating (and waiting for my A-level results). It's funded entirely by
my Google bug bounties, so thank you Google. I have not done any design stuff
for it yet -- the site is very bare bones but functional.

Current solutions to vulnerability scanning such as WPscan are good but not
user-friendly -- which is what I believe WordPress users want. I've
already got my first 5 customers prior to launch that wanted this product,
which I think is a good start; hopefully there is a market for this stuff.

I would love to hear any sort of feedback.

~~~
mpnordland
So why does the site request my personal TLS cert?

------
ozh
I'd try this, but if I could sign up without entering credit card details.

------
BrandonMarc
Is there a mirror? Site seems down ...

~~~
xSwag
Sorry about that, server got knocked offline. Should be back soon.

