Pentesting A Wordpress Website Using WPSCAN

October 6, 2017

Ever thought of quickly testing a WordPress website for known vulnerabilities and expired plugins or themes? Well, here is a blog on one of such fantastic tool


What is WordPress and why is it famous?

WordPress is an online, open source website creation tool. It makes website creation super easy and is very user-friendly. Nowadays people tend to use WordPress more instead of learning to code in HTML, CSS, and Javascript to create the website. The reason is even a non-technical guy can learn how to use WordPress and can create a website in a couple of hours. That’s why it is famous and most of the personal blogs, websites for various startups, are mostly on WordPress.


But how am I supposed to know if a website is created on WordPress?

Don’t worry, you don’t have to get very technical for that. There are several tools already available for it. The tool I personally use is:

Just install any of these add-ons for your favorite browser and when you visit a website it will show all the technologies that have been used on the website. For websites created through WordPress, it will show an icon W. In this way, you will be able to find out which part of the Website is on WordPress.

Note that in many cases, the whole website might be built on a different framework, but a part of the website like Blog Section can be on WordPress. So keep watching the addon.

Why is it important to test vulnerabilities in a WordPress website? Won’t the people who manage WordPress take care of that?

Yes, WordPress will make sure that no one will be able to use your site in a way that it isn’t meant to. WordPress security engineers maintain their own database of vulnerabilities and they patch it in the next upcoming version. So you just have to make sure that you keep the version of your WordPress updated and don’t use any old plugins or themes.

So where do I need to start then?

While browsing the target, you came to know that this domain is on WordPress platform. The first thing you can do is try adding wp-admin in the URL at the end.

For example, let’s consider that the domain is on WordPress platform(by looking at the addon). Now you just have to do to get the below form

This page is what users use to login to their respective accounts. So how to crack the username and password? We all know that cracking the password is every hacker’s dream.

This is where a tool like Wpscan comes into play. Wpscan has several different options to get the vulnerabilities in a WordPress website and also brute-force a user login.

How to download and install Wpscan?

Using Wpscan is rather pretty easy. Just go to this page and download Wpscan the way most suitable for you. If you have downloaded the zip or tar file just extract them and you are good to go. Wpscan comes pre-installed in Kali Linux, so need to do all of these. Just jump to the next section.

Important commands

For all the below commands to work, you need to go the folder where you have extracted the Wpscan zip file using terminal.

Command 1: Update WPScan’s databases.

ruby wpscan.rb --update

This command is the first command to use when you are using Wpscan for the first time. It will update the full Wpscan database which contains the whole vulnerabilities and exploits list for WordPress websites.

Command 2: To enumerate all the usernames

ruby wpscan.rb --url --enumerate u

Let’s break the command step by step.

Since wpscan.rb is a ruby file, we need to use ruby to run it. Then we are using --url option with the target’s URL. And for the last part, the --enumerate is the argument and we are giving ‘u’ as the option to enumerate all the usernames available.

If the site owner isn’t using any plugin to stop the attackers from enumerating the usernames, this command will list out all the available usernames registered on the WordPress.

Command 3: Password brute-force attack

ruby wpscan.rb --url --wordlist darkc0de.lst --threads 50

Knowing only usernames won’t do us any good. We need to know the password before thinking of it as a critical vulnerability.

Here, we are using two new arguments. The first argument is --wordlist and with it, you need to give the full path to where you have downloaded the wordlist file. If you have the wordlist in the folder of Wpscan you just need to write the name of the wordlist. The --thread argument is the number of threads to use for multi-threading. Greater the number the faster will be the Wpscan but it depends on your computer architecture also. So it’s better to use it between 20-50.

It has been said that “Human is the weakest link in any company’s security”. We as humans tend to use passwords which are easy to remember. Many times admin use passwords like their date of birth, letmein, password, 123456789 and many other which can be cracked with a little use of social engineering and in many cases by brute force attack. This command uses dictionary-based attack and in case such passwords are used it will be very easy to crack.

A good place to download passwords lists is here. It’s very useful, don’t forget to $git clone.

Command 4: Enumerating vulnerable plugins

ruby wpscan.rb --url --enumerate vp

This command is specially used to find the vulnerable plugins in the WordPress website. vp option denotes vulnerable plugins. The wpscan will also give you the reference to where you can read about the vulnerability. The vulnerabilities will have different color flags on them. The Red flag means that this vulnerability is the most critical whereas Green means it’s the least.

Command 5: Enumerating vulnerable themes

ruby wpscan.rb --url --enumerate vt

This command checks for vulnerable themes within the website. vt denotes vulnerable themes. Here also, try to find vulnerabilities with the Red sign because they are the most critical vulnerability which if exploited could be lethal for a company.

Important points

  • First of all, don’t try to use this on any WordPress site you come across. Many times after a certain number of incorrect logins, or wpscan, the site may permanently block your IP, so that you won’t be able to access it and not to forget it would be illegal.
  • Don’t think that you will get results every time. Brute Forcing username and password will be useless if the admin is using a password with the strong password policy( to use each of small and capital letters, numbers, and special characters).
  • Check each and every vulnerability and try to exploit those. Even one vulnerability can lead to the breaking of the whole system.

There are many more commands and arguments available for Wspcan. To see the complete list available, check out the Wpscan official page.

Your WordPress site got hacked?

Here is a good resource by Umbrella Host, about how to clean a hacked WordPress site. Make sure to refer it, whenever you need:

How to Clean a Hacked WordPress Website