How to hack a WordPress website with WPScan


This tutorial in the category WordPress hacking shows you how to scan WordPress websites and blogs for possible vulnerabilities and how to enumerate WordPress users. WordPress user enumeration retrieves a list of account names and is the first step of a brute force attack aimed at gaining access to a WordPress account. We will also show you how to hide usernames from WPScan so you can avoid easy user enumeration and brute force attempts. We will conclude this tutorial with a demonstration of how to brute force root passwords using WPScan in Kali Linux. WPScan is a black box WordPress vulnerability scanner and a must-have tool for any WordPress web developer who wants to find and fix vulnerabilities before they get exploited by hackers. Together with Nikto, a great web server assessment tool, WPScan should be part of any penetration test targeting a WordPress website or blog.

WPScan comes pre-installed on the following Linux distributions:

The latest version is WPScan 2.8 and the database currently contains:

  • Total vulnerable versions: 98
  • Total vulnerable plugins: 1.076
  • Total vulnerable themes: 361
  • Total version vulnerabilities: 1.104
  • Total plugin vulnerabilities: 1.763
  • Total theme vulnerabilities: 443

The Windows operating system is currently not supported by WPScan. The latest version is available for download at the following website (Linux & Mac): http://wpscan.org/

WPScan update

Start with the following command to update the WPScan vulnerabilities database:

wpscan --update

Scanning WordPress vulnerabilities

Then use the following command to scan the target website for possible vulnerabilities:

wpscan --url [wordpress url]

[Screenshot: WPScan WordPress vulnerability scanner]

How to enumerate WordPress users

The WordPress user enumeration tool is used to retrieve a list of registered WordPress users for the target host. User enumeration is the first step when an attacker wants to gain access to a specific target by brute forcing. The enumeration tool scans the target's posts, pages and custom post types for authors and usernames.

Use the following command to enumerate the WordPress users:

wpscan --url [wordpress url] --enumerate u

[Screenshot: WPScan WordPress vulnerability scanner showing the root account]

How to brute force the root password

Use the following command to brute force the password for user root:

wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username to brute force] --threads [number of threads to use]

[Screenshot: WPScan brute forcing the root password]

How to avoid WordPress User Enumeration

If you want to avoid WordPress user enumeration, you should avoid using the username as the nickname and display name, which are shown publicly in WordPress. The best option is to choose an administrator username which consists of random characters and to use a different nickname. WPScan looks for usernames in the URLs, so if the username never appears there it cannot be found by WPScan. Another way to prevent user enumeration is to use a different account to publish posts and reply to comments.

How to avoid WordPress password brute forcing

The best way to keep attackers using brute force methods out is to limit the login attempts per IP address. There are several plug-ins available for WordPress to limit login attempts. The latest WordPress versions have this option by default. Make sure you limit attempts to a maximum of 3 and increase the lockout time a lot after 2 lockouts (which is 6 password attempts).
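As an added example that is not part of the original tutorial, the following Python script looks at the two mitigations above from the web server log side: it parses constructed Apache/Nginx combined-format access-log lines, flags source IPs that walk through author IDs (the `/?author=N` requests from which usernames are read) or repeatedly fail at wp-login.php, and computes the lockout the text recommends (lock after 3 attempts, much longer after 2 lockouts). The sample IPs, user-agent strings and the 20-minute and 24-hour lockout durations are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined log format (not from the page):
# three author-id probes and three failed logins from one IP, normal traffic from another.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v2.8"
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan v2.8"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "WPScan v2.8"
203.0.113.7 - - [10/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "WPScan v2.8"
203.0.113.7 - - [10/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "WPScan v2.8"
203.0.113.7 - - [10/Mar/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "WPScan v2.8"
198.51.100.4 - - [10/Mar/2016:10:01:00 +0000] "GET /2016/03/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(log_text):
    """Yield (ip, method, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"], int(m["status"])

def lockout_seconds(failed_attempts, max_attempts=3, base=20 * 60, long=24 * 3600):
    """Policy from the text: lock after max_attempts failures, and make the lockout
    much longer once two lockouts have occurred. The durations are assumed values."""
    lockouts = failed_attempts // max_attempts
    return 0 if lockouts == 0 else (base if lockouts <= 2 else long)

def summarise(log_text, max_attempts=3):
    """Per source IP: author-id probes and failed wp-login.php POSTs. WordPress answers a
    failed login with the form again (HTTP 200) and a successful one with a redirect (302)."""
    probes, failed = Counter(), Counter()
    for ip, method, path, status in parse(log_text):
        if method == "GET" and (path.startswith("/?author=") or "/author/" in path):
            probes[ip] += 1
        elif method == "POST" and path.startswith("/wp-login.php") and status == 200:
            failed[ip] += 1
    return {ip: {"author_probes": probes[ip],
                 "failed_logins": failed[ip],
                 "lockout_seconds": lockout_seconds(failed[ip], max_attempts),
                 "suspicious": probes[ip] >= 3 or failed[ip] >= max_attempts}
            for ip in set(probes) | set(failed)}
```

Run `summarise(SAMPLE_LOG)` against a real log export to see which sources would already have been locked out under the recommended policy.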

WordPress hacking Video Tutorial

Thanks for watching and please subscribe to my YouTube channel for more hacking tutorials :)

Enumeration Arguments

Find below an overview of the enumeration arguments which can be used for scanning:

--enumerate | -e [option(s)]   Enumeration.
option:
  • u – usernames from id 1 to 10
  • u[10-20] – usernames from id 10 to 20 (you must write the [] characters)
  • p – plugins
  • vp – only vulnerable plugins
  • ap – all plugins (can take a long time)
  • tt – timthumbs
  • t – themes
  • vt – only vulnerable themes
  • at – all themes (can take a long time)
Multiple values are allowed: "-e tt,p" will enumerate timthumbs and plugins.


8 Comments

  1. Nice, but what wordlist did you use? I am trying one called rockyou.txt but I am not sure which is the best to try.

    Thanks

  2. Hi, there is a security plugin for not listing users, and there is a script for stopping it. How do I use it? Thanks

  3. I want to start testing my clients' websites, but when I run WPScan on the usernames with brute force it drops the connection for a period of time. Is there a way to have WPScan keep testing and checking passwords in the text file?
