
Creating a WordPress vulnerability database

I needed to track vulnerable WordPress plugins across all the websites on our hosting network without installing Wordfence all over the place, so I built a tool. But instead of coding it by hand, I used this project as an opportunity to learn about AI coding agents.

The problem

We host several hundred WordPress sites, and our back-end systems auto-backup & auto-update every website daily. But auto-update often fails with premium plugins. This can lead to dozens of websites running out-of-date software, and it only takes one or two of those to get hacked (via a known vulnerability) and somebody’s going to have a really bad day… and it’ll land on my desk to do the clean up.

Given that auto-updating all these premium plugins was a non-starter, I figured I’d create a way to monitor all plugin versions and compare them against public vulnerability lists. Then I could reach out to our clients with specific information they can act on. I wanted to do this without installing a bloated security plugin on every site (Wordfence is a bit of a monster when it comes to database pollution).

Creating the tool

When creating a software project, I usually start by modelling the data and writing some code. But as this was going to be a stand-alone project that I wanted to share on Github, I wanted to try vibe-coding it. So I configured the Cline AI agent & Gemini Pro in VS Code and started issuing prompts.

After about a week of evening-vibing we’ve ended up with this:

VULNZ: A self-hosted vulnerability database for WP plugins

There are two components to VULNZ:

  1. A NodeJS/express web app & API backed by a MariaDB database. This holds a list of plugins, release-versions and vulnerabilities, as well as a list of websites. Each website has plugin releases linked to it, each of which may (or may not) have vulnerabilities associated with it.
  2. An optional (lightweight) WordPress plugin you can install on your site and link to the VULNZ API with an API Key.

In our case, we don’t need the WP plugin because our back-end automation uses WP-CLI to extract each website’s plugins daily. We use HTTPie to push these to our VULNZ installation from our cron jobs.

VULNZ in day-to-day use

The front-end of the VULNZ web app has a search interface so we can quickly look up plugins. It’s not super useful, but is occasionally handy. I may expand this in the future to include CVE cross-referencing, but I do like its current simplicity.

Searching the VULNZ database for the Slider Revolution plugin

Browse the Headwall Hosting VULNZ database

For the moment, we populate vulnerabilities from the Wordfence public vulnerability feed. I created a script to grab this (large) JSON dump, parse it and insert vulnerabilities into VULNZ via the API. I’ll expand this to pull from other sources in the future, but the Wordfence list is a solid start.

Important: I didn’t want to just “steal” copyright data and repackage it as my own, so each vulnerability is simply a plugin’s slug, release-version and a link to the external disclosure URL. So in our case, every vulnerability is just a link to the relevant page on wordfence.com.

It’s now super quick to get a list of all potentially vulnerable sites on our network. And the big win is that VULNZ will email my clients directly every Monday morning, if any of their hosted websites are carrying vulnerable plugins.
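The two steps the last paragraphs describe, reducing a feed record to just slug, affected version and disclosure link, and then screening each site’s installed plugin versions against that list, as an added example in the style of the NodeJS side. This is not VULNZ’s own code. The feed record layout (`software[].slug`, `affected_versions` with from/to/inclusive flags, `references[]`) is my assumption about the shape of the Wordfence dump rather than something this post documents, the plugin inventory uses the fields `wp plugin list --format=json` emits, and all sample data and URLs are constructed placeholders.

```javascript
// Added example, not VULNZ's code. Reduces a Wordfence-style feed record to the
// minimal slug / affected-range / disclosure-URL triple, then checks per-site
// plugin inventories (shape of `wp plugin list --format=json`) against it.
//
// ASSUMPTION: the record layout of SAMPLE_FEED is my reading of the Wordfence
// feed; verify field names against the real dump before relying on it.

// Constructed sample feed: one entry, one plugin, one affected range.
const SAMPLE_FEED = {
  "00000000-0000-0000-0000-000000000001": {
    id: "00000000-0000-0000-0000-000000000001",
    title: "Example Slider <= 6.6.14 - Example Issue (constructed)",
    software: [
      {
        type: "plugin",
        slug: "example-slider",
        affected_versions: {
          "* - 6.6.14": { from_version: "*", to_version: "6.6.14", from_inclusive: true, to_inclusive: true },
        },
        patched_versions: ["6.6.15"],
      },
    ],
    references: ["https://www.wordfence.com/example-disclosure-placeholder"],
  },
};

// Split "6.6.14" or "1.2-beta" into integer segments. Non-numeric segments
// (beta, rc) become 0: good enough for a first-pass screen, and simpler than
// PHP's version_compare, which WordPress itself uses.
function versionParts(v) {
  return String(v).split(/[.\-+]/).map((p) => (/^\d+$/.test(p) ? parseInt(p, 10) : 0));
}

// Comparator returning -1, 0 or 1; "1.2" and "1.2.0" compare equal.
function compareVersions(a, b) {
  const pa = versionParts(a), pb = versionParts(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Flatten the feed into minimal records. Titles, descriptions and scores are
// deliberately dropped; only the slug, the range and the link are kept.
function extractVulnerabilities(feed) {
  const out = [];
  for (const entry of Object.values(feed)) {
    const url = entry.references?.[0];
    if (!url) continue; // nothing to point a client at, so skip it
    for (const sw of entry.software ?? []) {
      if (sw.type !== "plugin" || !sw.slug) continue;
      for (const r of Object.values(sw.affected_versions ?? {})) {
        out.push({
          slug: sw.slug,
          from: r.from_version === "*" ? null : r.from_version,
          fromInclusive: r.from_inclusive !== false,
          to: r.to_version === "*" ? null : r.to_version,
          toInclusive: r.to_inclusive !== false,
          url,
        });
      }
    }
  }
  return out;
}

// True when an installed version falls inside the vulnerability's range.
function isAffected(version, vuln) {
  if (vuln.from !== null) {
    const c = compareVersions(version, vuln.from);
    if (c < 0 || (c === 0 && !vuln.fromInclusive)) return false;
  }
  if (vuln.to !== null) {
    const c = compareVersions(version, vuln.to);
    if (c > 0 || (c === 0 && !vuln.toInclusive)) return false;
  }
  return true;
}

// sites: { hostname: [ {name, status, update, version}, ... ] }, the per-site
// output of `wp plugin list --format=json`. Inactive plugins are still
// checked: the files are still on disk and are still reachable.
function findVulnerableSites(sites, vulns) {
  const bySlug = new Map();
  for (const v of vulns) {
    if (!bySlug.has(v.slug)) bySlug.set(v.slug, []);
    bySlug.get(v.slug).push(v);
  }
  const report = [];
  for (const [site, plugins] of Object.entries(sites)) {
    for (const p of plugins) {
      for (const v of bySlug.get(p.name) ?? []) {
        if (isAffected(p.version, v)) report.push({ site, plugin: p.name, version: p.version, url: v.url });
      }
    }
  }
  return report;
}

// Constructed inventories for three hypothetical sites.
const SAMPLE_SITES = {
  "alpha.example": [{ name: "example-slider", status: "active", update: "available", version: "6.6.14" }],
  "beta.example": [{ name: "example-slider", status: "active", update: "none", version: "6.6.15" }],
  "gamma.example": [{ name: "example-slider", status: "inactive", update: "available", version: "6.5" }],
};

// Monday-morning style run: alpha and gamma are reported, beta is patched.
console.log(findVulnerableSites(SAMPLE_SITES, extractVulnerabilities(SAMPLE_FEED)));
```

The report rows carry only the site, plugin slug, installed version and the external link, which is exactly what a client email needs and nothing that repackages the upstream advisory text.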

List of websites monitored by VULNZ

Reflections on vibe coding

I held out against vibe-coding and AI assistance for ages, but this experiment has flipped my perception 180 degrees. I created a complete tool from start to finish with robust security, API documentation and some nice-to-have functionality… in the space of a week. This would’ve taken 2-4 weeks if I’d hand-coded it. That can be difficult when you’re juggling the day-to-day tasks of running a business and looking after clients too.

I was able to micro-manage the AI coding agent so it generated code I was happy to sign-off, with suitable coding conventions and best practice.

Rather than feeling threatened by the growth of AI-assisted software development, I now see it as empowering. Larger-scale projects are now easily within my grasp, and it lets me incorporate technologies without needing to learn the in-depth semantics of new languages and paradigms.

Onwards with VULNZ

I’ll be making updates to VULNZ over the next few months – mostly regarding the reporting, and adding new vulnerability sources.

Let me know if you decide to self-host VULNZ on your WordPress network. If you want to see additional features or if you have any questions about it, drop me a line in the comments or contact me directly.
