• Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Facebook Twitter Instagram
Trending
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
  • Vulnerability Scanning with OpenVAS 9 part 3: Scanning the Network
  • Vulnerability Scanning with OpenVAS 9 part 2: Vulnerability Scanning
Facebook Twitter YouTube Tumblr Instagram Pinterest
Hacking Tutorials
  • Home
  • About Us
  • General
  • Wireless
  • Web
  • Scanning
  • Metasploit
  • Hacking Courses
    • OSCP
    • The Virtual Hacking Labs
    • Certified Ethical Hacker (CEH)
    • Hacking Books
  • More
    • Exploit tutorials
    • Pentesting Exchange
    • Networking
    • Malware Analysis
    • Hacking Metasploitable 2/3
    • Digital Forensics
  • Contact
Hacking Tutorials
You are at:Home » web-application-hacking » How to hack a WordPress website with WPScan
wpscan Wordpress vulnerability scanner

How to hack a WordPress website with WPScan

22
By Hacking Tutorials on June 3, 2015 Web Applications

This tutorial in the category WordPress hacking will teach you how to scan WordPress websites for vulnerabilities, enumerate WordPress user accounts and brute force passwords. Enumerating WordPress users is the first step in a brute force attack in order to gain access to a WordPress account. WPScan has the option to scan a target website to retrieve  a list of account names. IN this tutorial we will also look at how to hide usernames from WPScan so you can avoid the enumeration of user accounts and limit the effectiveness of brute force attempts. We will conclude this tutorial with a demonstration on how to brute force root passwords using WPScan on Kali Linux. WPScan is an automated black box WordPress vulnerability scanner. This tool is a must have for any WordPress developer to scan for vulnerabilities and solve issues before they get exploited by hackers. Together with Nikto, a great webserver assessment tool, this tool should be part of any penetration test targeting a WordPress website or blog.

WPScan comes pre-installed on the following Linux distributions:

  • BackBox Linux
  • Kali Linux
  • Pentoo
  • ArchAssault
  • BlackArch

The latest version is WPScan 2.8 and the database currently contains:

  • Total vulnerable versions: 98
  • Total vulnerable plugins: 1.076
  • Total vulnerable themes: 361
  • Total version vulnerabilities: 1.104
  • Total plugin vulnerabilities: 1.763
  • Total theme vulnerabilities: 443

The Windows operation system is currently not supported by WPScan. The latest version is available for download at the following website (Linux & Mac): https://wpscan.org/

WPScan update

Start with the following command to update the WPScan vulnerabilities database:

wpscan –update

Scanning WordPress vulnerabilities

After updating the vulnerability database use the following command to scan the target website for the most popular and recent vulnerabilities:

wpscan –url [wordpress url]

WPScan WordPress vulnerability scanner

How to enumerate WordPress users

The WordPress user enumeration tool is used the retrieve a list of registered WordPress users for the target host. User enumeration is the first step when an attacker wants to gain access to a specific target by brute forcing. The enumeration tool scans the target on posts, pages and custom types for authors and usernames.

Use the following command to enumerate the WordPress users:

wpscan –url [wordpress url]–enumerate u

WPscan WordPress vulnerability scanner root account

How to brute force the root password

Use the following command to brute force the password for user root:

wpscan –url [wordpress url]–wordlist [path to wordlist]–username [username to brute force]–threads [number of threads to use]

WPscan hacks root password

How to avoid WordPress User Enumeration

If you want to avoid WordPress user enumeration, you should avoid using the username as nickname and display name which is shown publicly in WordPress. The best option is to choose an administrator username which consists of random characters and use a different nickname. WPScan scans for usernames in the URL’s so if you won’t use the username it cannot be scanned by WPScan. Another way to prevent user enumeration is to use a different account to publish posts and answer to replies.

How to avoid Wordpres password brute forcing

The best way to keep attackers using brute force methods out is to limit the login attempts for and IP address. There are several plug-ins available for WordPress to limit the number login attempts for a specific username and IP, such as Wordfence. The latest WordPress versions have the option to limit login attempts by default. Make sure you limit entries to a maximum of 3 and increase lock out time a lot after 2 lock outs (which is 6 password attempts).

WordPress hacking Video Tutorial

Thanks for watching and please subscribe to my YouTube channel for more hacking tutorials :)

Enumeration Arguments

Fin below an overview of enumeration arguments which can be used for scanning:

–enumerate | -e [option(s)] Enumeration.
option :
u – usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write [] chars)
p – plugins
vp – only vulnerable plugins
ap – all plugins (can take a long time)
tt – timthumbs
t – themes
vt – only vulnerable themes
at – all themes (can take a long time)
Multiple values are allowed : “-e tt,p” will enumerate timthumbs and plugins

If you’re interested in learning more about web penetration testing you can follow any of these online courses:

Hacking Courses on Udemy


Bug Bounty – An Advanced Guide to Finding Good Bugs

Real World Bug Bounty Techniques

Website Hacking / Penetration Testing & Bug Bounty Hunting

Become a bug bounty hunter! Hack websites & web applications like black hat hackers and secure them like experts.

Share on:

  • Email
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleTox Ransomware infection and removal instructions
Next Article Websploit Directory Scanner – Scanning webserver directories

Related Posts

Installing Rogue-jndi on Kali Linux

Log4Shell VMware vCenter Server (CVE-2021-44228)

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

22 Comments

  1. Nassim on May 13, 2016 5:24 pm

    Thank you fer this verry well article and your work.

    Reply
  2. johndoe on June 4, 2016 6:04 pm

    Nice but what wordlist did you use, I am trying one called rockyou.txt but I am not sure the best to try

    thanks

    Reply
    • Hacking Tutorials on June 4, 2016 6:08 pm

      There are many wordlist available for download but you can also make your own using tools like Crunch. Check out this tutorial: http://www.hackingtutorials.org/general-tutorials/crunch-password-list-generation/

      Reply
  3. xav13r on June 25, 2016 6:22 am

    hi, there is a security plugging for non listing users there is a scrip for stopping it, how do i use it tnx

    Reply
  4. HImanshu on August 15, 2016 8:17 am

    Getting error
    ” local_vulnerable_files.xml: checksums do not match ”

    Need help

    Thanks

    Reply
  5. htfhtf on August 19, 2016 3:15 am

    which version used in this article?

    Reply
  6. psyadi on September 4, 2016 6:11 pm

    I want to start testing my clients websites but when i run wpscan on the usernames with brute force it drops the connection for a period of time. is there a way to have wpscan keep testing and checking passwords in the text file?

    Reply
    • Hacking Tutorials on September 11, 2016 10:20 am

      Most recent WordPress installations contain some sort of brute force protection to ban IP’s with too many failed login attempts.

      Reply
    • Force on September 10, 2018 12:42 pm

      You are on a wrong way if you want to test your clients with wpscan. Wpscan is just a application and isn’t very strong, I`d recommend you using other Tools than wpscan

      Reply
  7. Owl on December 7, 2016 12:47 pm

    Hi all,

    Thank for all these tutorials they are really useful.

    I am having the following issue when I use socks 5:

    Every argument works fine for me and I am able to retrieve usernames but when I add the argument ‘–proxy socks5://127.0.0.1:9000’ it always give me a ‘target seems to be down’.

    Any idea of what could be going on? I am a 100% sure that the server is up as I can reach it without the –proxy argument.

    Cheers,
    Owl

    Reply
  8. jamal on March 26, 2017 2:45 pm

    how can i install wordPress in windows or kalli for pen testing please ?

    Reply
    • Hacking Tutorials on March 26, 2017 6:04 pm

      On Kali Linux you have an Apache web server installed. You can start Apache using the following command:
      service apache2 start

      Then download WordPress to the following directory:
      /var/www/html

      From here you need to follow the WordPress installation manual. The manual includes which dependencies are needed, how to configure SQL and the database etc.

      On Windows I would recommend you to use XAMPP.

      Reply
  9. warolv on May 23, 2017 11:02 pm

    Great article!

    Reply
  10. Leafy on October 22, 2017 6:53 pm

    If you create a website on WordPress, would it be legal and within the ToS to try hacking your own site?

    Reply
    • Hacking Tutorials on October 23, 2017 9:17 am

      If you’re installing WordPress on a server that you own, or even better install it locally, it’s perfectly legal.

      Reply
  11. kadeshar on November 27, 2017 6:08 pm

    Plugins is not good way to protect against brute force. Plugins still using processor to block any attempts. The best way is using .htaccess and lock REST API (ofcourse if you dont use it)

    Reply
    • Hacking Tutorials on November 27, 2017 8:48 pm

      Thank you for your comment! This article needs an update after 2 years, I will definitely take your suggestions into account.

      Reply
  12. Andre on February 2, 2018 12:07 pm

    Hi everyone, the problem is the reliable word list! do you know where to find some good word list? thank you

    Reply
    • Hacking Tutorials on February 2, 2018 1:19 pm

      Hi,

      Checkout SecLists for a lot of good wordlists: https://github.com/danielmiessler/SecLists

      Best regards,
      Hacking Tutorials

      Reply
  13. papapa on September 25, 2018 3:01 pm

    the target is responding with 403
    any solve??

    Reply
  14. Yesonlinpk on October 27, 2018 7:04 am

    A good article, its informative and the key points are helpful to prevent WordPress website from hacking. It will be great if you share some other methods of hacking WordPress site, besides brute forcing.

    Reply
  15. Tahir Khan on April 16, 2020 10:35 pm

    Hi,
    Is there any way to not use wordlist file instead we generate and test at a same time?

    Reply

Leave A Reply Cancel Reply

Top Tutorials
By Hacking TutorialsOctober 29, 20220

CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

By Hacking TutorialsJanuary 10, 20220

Installing Rogue-jndi on Kali Linux

By Hacking TutorialsDecember 17, 20210

Log4Shell VMware vCenter Server (CVE-2021-44228)

By Hacking TutorialsSeptember 27, 20210

The Great Leak: Microsoft Exchange AutoDiscover Design Flaw

By Hacking TutorialsFebruary 4, 20200

CVE-2019-19781: Citrix ADC RCE vulnerability

By Hacking TutorialsNovember 1, 20188

Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations

Subscribe

Enter your email address to subscribe to Hacking Tutorials and receive notifications of new tutorials by email.

Join 828 other subscribers
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
Virtual Hacking Labs
Penetration Testin Course and Hacking Labs
Categories
  • Digital Forensics
  • Exploit tutorials
  • General Tutorials
  • Hacking Books
  • Hacking Courses
  • Malware Analysis Tutorials
  • Metasploit Tutorials
  • Networking
  • Pentesting Exchange
  • Scanning Tutorials
  • Web Applications
  • Wifi Hacking Tutorials
Downloads
  • directory_scanner.py (120567 downloads)
  • PEiD-0.95-20081103.zip (111422 downloads)
  • wifi_jammer.py (138165 downloads)
Recent Tutorials
  • CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability
  • Installing Rogue-jndi on Kali Linux
  • Log4Shell VMware vCenter Server (CVE-2021-44228)
  • The Great Leak: Microsoft Exchange AutoDiscover Design Flaw
  • CVE-2019-19781: Citrix ADC RCE vulnerability
  • Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations
Popular Tutorials
By Hacking TutorialsSeptember 1, 2016115

Review: Offensive Security Certified Professional (OSCP)

By Hacking TutorialsApril 18, 201738

Exploiting Eternalblue for shell with Empire & Msfconsole

By Hacking TutorialsMarch 17, 201637

Installing VPN on Kali Linux 2016 Rolling

Featured Downloads
  • directory_scanner.py (120567 downloads)
  • PEiD-0.95-20081103.zip (111422 downloads)
  • wifi_jammer.py (138165 downloads)
© Hacking Tutorials 2022

Type above and press Enter to search. Press Esc to cancel.

Go to mobile version