Monitoring WordPress version with Zabbix

  • kwoot
    Junior Member
    • Sep 2013
    • 8

    #1

    Monitoring WordPress version with Zabbix

    Hi,

    I just made a small script to check if my WordPress instance needs an update.

    You can read more at http://www.jeroenbaten.nl/?p=427.

    You can use the url in a Zabbix web scenario.

    I hope it is of use to more people.

    Kind regards,

    Jeroen Baten
  • timbo
    Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Sep 2013
    • 50

    #2
    Hi Jeroen,

    Nice work, I've been thinking of making something like this (particularly since the urgent security patch included in 3.6.1 last week).

    I currently use Wordfence (Wordpress Plugin) which emails me when Wordpress or a Plugin needs updating. Wordfence is a capable (small scale) solution for me at the moment, but your method is far more scalable.

    What I would like to see would be a "UserParameter" based version of this that executes the php script via a bash script. This way the "zabbix-check.php" file could be located in a secure directory (not publicly accessible on the http server). Of course this solution requires a Zabbix Agent to be installed on the server (which is often not possible), and I'm not sure if the Wordpress require() files would be accessible from an alternate directory.

    Anyway, a few solutions to lock down the "zabbix-check.php" file on the public web server (though it is relatively low risk anyway) would be to add an IP filter to the PHP script, or to a .htaccess file in the same directory.

    Thanks for your contribution, I love finding these solutions on the Zabbix forums.

    -Timbo


    • kwoot
      Junior Member
      • Sep 2013
      • 8

      #3
      I thought about that

      Hi Timbo,

      I thought about that and it is pretty easy to build, but it means I would have to enable external command execution in the zabbix_agentd. This sounds to me like a serious security hazard. What's to prevent someone from executing other (hazardous) external commands?

      I know the agent filters on IP so that is a preventive measure, but then I have to supply by parameter, let's say, the path to where that wordpress instance is installed.

      What I do not like with my current solution is that I can not see the reply text (which also contains the current version number). I would rather have something like nagios with an errorlevel return code and additional text.

      What I also can not find is where to throttle this scenario check.
      I mean, every time I call this url it also checks with the api.wordpress server for a version check. To me, once a day is a LOT better than every minute or so.

      All ideas on this topic are very welcome.

      Kind regards,

      Jeroen Baten


      • timbo
        Member
        Zabbix Certified Specialist, Zabbix Certified Professional
        • Sep 2013
        • 50

        #4
        Hi Jeroen,

        UserParameters do not allow the execution of arbitrary (on the fly) code/commands. A UserParameter is hard coded in the zabbix_agentd.conf file, and the Zabbix Server would have to request the specific key to retrieve the value. Though I believe any UserParameter scripts are executed anytime a request is made from the Zabbix Server (typically as often as 60sec).

        See:


        As opposed to "Remote commands" which can execute commands on the fly. See:


        So from my understanding, UserParameters are quite safe and can keep your scripts away from the public. But you are right about the repetitive calls, as far as I'm aware, you cannot set a UserParameter to only be triggered once a day.

        The IP filter comment was related to this comment on your website:
        "Warning: choose your own filename! You don’t want hackers to scriptsearch for hackable WordPress instances!"
        So I wasn't worried about the agent, I was merely offering a method to hide the broadcast of the Wordpress version. Changing the file name is security through obscurity, not very strong.

        "What I do not like with my current solution is that I can not see the reply text"
        I don't follow, you mean you cannot see it in "Latest Data"? What kind of Item have you created to collect this information?

        "What I also can not find is where to throttle this scenario check."
        This depends on how you've set the item up, typically you would set the "Update interval (in sec)" in the Item that is collecting the information. It's not ideal, but could you add code to your PHP script saying only execute the call to the api.wordpress server between 2am-3am?

        Also, it looks like the output from your script will be something like this:
        "Currently: 3.6.1, no update needed"

        You may want to consider changing that to a 1 or 0 (On/Off, Up-to-date/Not up-to-date). There are a number of reasons for doing this, the primary I guess is that it takes up waaay less space on the DB. Though it can make it easier to create triggers and reduces information leak too (people won't be able to see your WP version, just a 1 or 0).

        Another method might be to simply display the current Wordpress version i.e. 3.6.1 (from the api.wordpress server), then create a trigger on change of that version. So when it changes from 3.6.1->3.6.2 you'll be notified. But again, we're broadcasting your Wordpress version.

        Then there's the option of a Cron Job + bash script + Zabbix Sender + Zabbix Trapper. But as the Wordpress site is most likely public, there is risk associated with accepting Zabbix Sender information from public networks.

        -Timbo
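
Added example, not part of the original posts and not the script from the linked site: one way to combine the suggestions in this thread, with an agent-side UserParameter script kept outside the web root, a once-a-day throttle on the api.wordpress lookup, and a 1/0 result that does not reveal the version. The key name, file paths, API endpoint and the "current" response field are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Hypothetical agent config
# (key name and paths are assumptions):
#   UserParameter=wordpress.uptodate,/usr/local/bin/wp_uptodate.sh /var/www/html
# Prints 1 (up to date) or 0 (update needed); the version never leaves the host.
CACHE_MAX_MIN=1440   # query the WordPress API at most once a day

# Read $wp_version from the installed copy without executing any PHP.
wp_installed_version() {
    sed -n 's/^\$wp_version *= *.\([0-9][0-9.]*\).*/\1/p' \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Latest release per api.wordpress.org. The endpoint and the "current" JSON
# field are assumptions about that API, not taken from the thread.
fetch_latest() {
    curl -fsS --max-time 10 'https://api.wordpress.org/core/version-check/1.7/' |
        tr ',' '\n' | sed -n 's/.*"current":"\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Print the cached latest version, refreshing only when the cache is stale.
latest_version() {
    cache=$1
    if [ -z "$(find "$cache" -mmin "-$CACHE_MAX_MIN" 2>/dev/null)" ]; then
        new=$(fetch_latest) || new=
        case $new in
            ''|*[!0-9.]*) ;;                       # lookup failed: keep old value
            *) printf '%s\n' "$new" > "$cache" ;;
        esac
    fi
    if [ -f "$cache" ]; then cat "$cache"; fi
}

# 1 if the installed version is at least the latest release, else 0.
wp_update_status() {
    installed=$(wp_installed_version "$1")
    latest=$(latest_version "$2")
    if [ -z "$installed" ] || [ -z "$latest" ]; then
        echo "cannot determine versions" >&2
        return 2
    fi
    newest=$(printf '%s\n%s\n' "$installed" "$latest" | sort -V | tail -n 1)
    if [ "$newest" = "$installed" ]; then echo 1; else echo 0; fi
}

# Run only when called with a WordPress directory (cache path is an assumption).
if [ "$#" -ge 1 ]; then
    wp_update_status "$1" "${2:-/var/tmp/wp_latest_version.cache}"
fi
```

Because the WordPress path is fixed in the agent configuration rather than passed by the server, the key takes no caller-supplied arguments, and the cache file must be writable by the user the agent runs as.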
