
Hi, I looked around on Google and this site for about the last hour and I couldn't find anything that gave a direct answer to my question. I changed the code around in a scanner that I used in the past. I've used other web hosts in the past to create my websites for testing, but this time I wanted to use WordPress for hosting. I wanted to know if anyone else has ever tested scripts or run scanners against their own WordPress site and hasn't gotten into legal trouble. The other hosts that I have used in the past didn't mind, but I'm trying to figure out if it breaks any TOS even if I am the owner of the site but WordPress would be hosting it. Just trying to see if anyone on here knows WordPress's legal TOS well. Tried to write the question the best I could.

I'm fine with a short or long answer

salmaass
  • Can you ask the hosting provider directly? – schroeder Feb 16 '15 at 22:21
  • 2
    Attacking SaaS (software as a service) is often a bad idea as the system you're attacking isn't yours and also hosts other customers' data, and you may trigger some IDS alerts on their side which would require sysadmin time and thus monetary loss. –  Feb 16 '15 at 23:18

3 Answers


Are you sure you need to have an externally hosted website? A lot of the testing I do happens on a virtual machine -- I install a flavor of Linux, the Apache web server, the software package, and fire away. With a virtual machine, you have the following assurances:

  1. You will not disrupt other people's websites.
  2. You will have access to all logs and all parts of the system.
  3. You will be able to conduct your work privately, a key part of the responsible disclosure process.
  4. You won't piss off your hosting provider or WordPress.
  5. You don't have to pay money. (Whoo-hoo!)
Ohnana

I've used several scanners against my own web servers, both VPS and shared hosting. With shared hosting I informed the hosting company because it "could" create some traffic.

As long as you have a go from the hosting party you should be fine. Regarding the VPS, I never informed them as the IPs are specifically for me.

Hope this helps.

Jeroen

It seems that you are talking about wordpress.com, where the website is hosted on the server of WordPress, not your own server.

Even if you registered a website at wordpress.com, if you scan/attack it you are attacking the wordpress.com server, which might not be a good idea. Here is what I could find out:

I looked at the TOS of wordpress.com, and the only thing even loosely related to your question is this part: "you are responsible for maintaining the security of your account and blog."

Generally, a website doesn't have to put "don't scan our website for vulnerabilities" into their TOS for this to be illegal.

Automattic (the company responsible for WordPress) does take part in the HackerOne bounty program. Their page announcing this does not contain a lot of information, and does not explicitly give you permission to scan their website. Neither does their page at HackerOne. I would not assume that their participation in a bounty program means that they are fine with (extended) scanners targeting their server (mainly because of the traffic it generates).

tl;dr: I did not find any statement from the owner of wordpress.com that they allow you to scan their server for vulnerabilities. If this is just for fun/to test your scanner, I would just set up WordPress locally and scan that (it will be faster as well). If it is to determine the security of wordpress.com, I would ask them via email if it is allowed (although I would not necessarily expect feedback).

tim