[Release] WordFence CLI Integration for HestiaCP - Advanced WordPress Security Scanning

Hey HestiaCP community! :waving_hand:

I’m excited to share a new tool I’ve developed that brings WordFence’s powerful CLI scanning capabilities directly to your HestiaCP control panel. This integration allows you to perform comprehensive WordPress security scans right from your command line, including:

  • Malware scanning with high-performance Vectorscan engine
  • Vulnerability detection in WordPress core, themes, and plugins
  • Database scanning for malicious content
  • Automatic file remediation
  • Custom path scanning

All scan results are saved in CSV format for easy analysis and reporting.

The tool is open-source and available on GitHub:

Installation is straightforward: just a single command to get started. Check out the README for detailed instructions and usage examples.

Feel free to try it out and let me know if you have any questions or suggestions for improvements! :rocket:

6 Likes

Thanks for that awesome job. Please let us speak about some points of interest.

Key Risks Identified

  1. Third-Party Docker Image from Docker Hub

Image isscbta/wordfence-cli:with-vectorscan-amd64 is from an unverified user.

There is no guarantee about its contents.

Recommendation: Build the image locally from a verified Dockerfile.

→ You could share it

  2. Unverified External Scripts

Several wget downloads from GitHub are piped directly to executable files.

No checksum verification or signature checking is implemented.

Recommendation: Review each script before execution or use a trusted, pinned version.

→ You could create signs and checksums to verify its content.

  3. Configuration Data Extraction from a Running Container

Configuration is read from within a temporary container’s home directory.

Recommendation: Avoid relying on state from containers that aren’t trusted or verified.

  4. Unrestricted Access to Host Directories

The container has full read-write access to /var/www.

This is not necessary for the intended function.

Recommendation: Mount all host directories as read-only. None of the scanning or CLI operations require write access.

→ Why does it need a write action?

Security Hardening Recommendations

Always mount host volumes with :ro flag, e.g.:

docker run -v /var/www:/var/www:ro ...

Drop unneeded capabilities and use security profiles:

--read-only --cap-drop=ALL --security-opt no-new-privileges

Only use signed or checksum-verified images and scripts.

Avoid running setup scripts or containers with root privileges unless strictly required.

→ It is not necessary to run it as root. You could run as the hestia user or a specific user and set a group to read the necessary folders, e.g. only WordPress installations.

3 Likes
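The hardening points from the review above, as an added example wrapper (not code from this thread, from HestiaCP or from the isscbta tool): it checks a downloaded helper script's SHA-256 before anything executable lands on disk, and it builds a `docker run` that mounts the site tree read-only, drops all capabilities, sets no-new-privileges, runs as an unprivileged uid/gid and gives the scanner exactly one writable mount for its CSV results. The image name, the results directory, the `hestia` user, and the `malware-scan --output-path` invocation at the end are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the hardening recommendations in the thread; not code
# from the HestiaCP project or from the isscbta tool. Image name, paths and
# the scanner invocation are assumptions (hypothetical), see comments.
set -eu

# Compare a file's SHA-256 with an expected digest. Returns 0 on match.
verify_sha256() {
  file="$1"
  expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Download a helper script to a private temp file and verify it before it
# becomes executable. On a mismatch nothing runnable is left on disk.
# This replaces the "wget straight into an executable" pattern.
fetch_verified() {
  url="$1"
  expected="$2"
  dest="$3"
  tmp=$(mktemp)
  wget -q -O "$tmp" "$url"
  if verify_sha256 "$tmp" "$expected"; then
    install -m 0755 "$tmp" "$dest"
    rm -f "$tmp"
  else
    rm -f "$tmp"
    echo "checksum mismatch for $url, refusing to install" >&2
    return 1
  fi
}

# Print, one per line, the arguments of a hardened `docker run` for the
# scanner: read-only root filesystem, no capabilities, no privilege
# escalation, an unprivileged uid/gid, the site tree mounted read-only and
# a single writable mount for the CSV results. HOME points at the tmpfs so
# any per-user cache the CLI keeps does not need a writable root.
hardened_run_args() {
  image="$1"      # a locally built image, not an unverified Hub tag (assumed)
  site_root="$2"  # directory holding the WordPress installs, e.g. /var/www
  results="$3"    # host directory that receives the CSV output (assumed)
  uid="$4"
  gid="$5"
  printf '%s\n' \
    run --rm \
    --read-only \
    --cap-drop=ALL \
    --security-opt no-new-privileges \
    --user "$uid:$gid" \
    --tmpfs /tmp \
    -e HOME=/tmp \
    -v "$site_root:$site_root:ro" \
    -v "$results:/results" \
    "$image"
}

# Usage: `./scan.sh <image>` runs a scan as the hestia user (assumed to
# exist, as on a HestiaCP host). The image entrypoint is assumed to be the
# wordfence binary and `malware-scan --output-path` is assumed from the
# wordfence-cli docs; check them against the linked Installation.md.
if [ "$#" -ge 1 ]; then
  # shellcheck disable=SC2046
  exec docker $(hardened_run_args "$1" /var/www /var/lib/wordfence-results \
                "$(id -u hestia)" "$(id -g hestia)") \
    malware-scan --output-path /results/scan.csv /var/www
fi
```

The argument list is printed one item per line so it can be inspected (or fed to a policy check) before the container ever starts; the only write path the scanner gets is the results directory, which is exactly what the "none of the scanning operations require write access to /var/www" point asks for.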

This is indeed a very exciting and valuable project, great work @isscbta. Integrating WordFence CLI scanning into HestiaCP opens up a lot of possibilities for advanced WordPress security management, and it’s great to see this kind of innovation in the community.

That said, @eXe’s concerns are 100% valid and should definitely be addressed. Security is always the first priority, especially when dealing with automated scans, elevated permissions, and external Docker containers. Things like checksum verification, container hardening, and minimal access principles are essential if this is to be adopted widely.

I’d love to see this evolve further and potentially be considered for inclusion in the official HestiaCP repo under a plugins or addons section specifically targeting WordPress users. We already ship with ClamAV, but it’s quite resource heavy and not widely used in shared hosting environments.

If you’re open to collaboration, I’d be happy to work together on improving the security posture and packaging this in a way that aligns with HestiaCP’s standards. Let’s make this something that’s not only powerful but also secure by design.

3 Likes

Hi all,

Thanks a lot for taking the time to check out the project and share your thoughts :grin:

To give a bit of context, this tool was originally developed for internal use within our own business. It has proven extremely effective, especially in situations where severe infections used to completely compromise WordPress sites. With this tool, we’ve been able to clean them up quickly and efficiently.

Even without a premium Wordfence license, the CLI scanner detects most malware on infected sites, which already makes it a huge asset in day-to-day operations.

That said, I fully understand your concerns regarding security. You’re absolutely right, and I want to clarify that the main focus of this tool was never on security best practices but rather on functionality and practicality for our in-house workflows.

Let me address a few of the points raised:

  1. Docker image: The custom image is based on the official Wordfence CLI image and extended only to include the Vectorscan engine. I agree it would make sense to improve this part for public use, either by sharing a Dockerfile or by rebuilding locally with proper verification in mind. I suggest checking this - wordfence-cli/docs/Installation.md at main · wordfence/wordfence-cli · GitHub
  2. Other concerns: Yes, the rest of the issues you pointed out are mostly valid and solvable. With some collaboration, I’m sure we can improve on these fronts.

As I mentioned, this script is something I built primarily for my own needs, and it’s doing its job well in our environment. I’m sharing it with the community in the hope it might help others too. I didn’t initially plan to turn this into a fully standalone, production-grade public project, but if there’s genuine interest and contributors willing to help, I’d be more than happy to work on making it more secure and user-friendly together.

In the meantime, I’ll continue improving the tool on the functionality side. For example, we recently added a CLI wrapper that combines hyperscan and remediation in a single step, making it easy to automatically clean infected files right after scanning.

@alber Absolutely, I’m definitely open to collaboration. Feel free to send me a private message here on the forum so we can discuss the next steps and figure out how to move forward together.

4 Likes