In this tutorial, we will cover some beginner-level penetration testing of a WordPress website. Before going further, please go through the disclaimer.
“This article is only for an Educational and testing purpose. Any actions and/or activities related to the material contained on this Website are solely your responsibility. The misuse of the information on this website can result in criminal charges brought against the persons in question. The authors and Securityleaks will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.”
WordPress is an online, open source website creation tool written in PHP. It is the easiest and most powerful blogging and website content management system in existence today. It's web publishing software you can use to create your own website and blog. Today it powers nearly 30 percent of the entire web, from blogs to the biggest news sites online. WordPress sites need ongoing security improvement, so penetration testing of WordPress is essential to find vulnerabilities and to secure a WordPress website or blog.
WordPress Penetration with WPScan
WPScan is created by open source volunteers led by Ryan Dewhurst. It is written in Ruby and is a vulnerability scanner designed specifically for WordPress. It is simple to use and effective. It comes preinstalled with BlackArch Linux, Kali Linux, Pentoo and BackBox Linux, and it does not support Windows. Some WPScan commands are listed below.
To Enumerate WordPress Website Scan
ruby wpscan.rb --url www.aahousekeeping.com
This command performs a quick scan of the website to identify the active theme and basic issues.
Checking Vulnerable Plugins
ruby wpscan.rb --url www.aahousekeeping.com --enumerate vp
In the output, red exclamation icons mark vulnerable plugins and are followed by references to further information. These plugins should be updated or removed as required.
To Enumerate WordPress Version, Plugins and Themes
ruby ./wpscan.rb --url www.aahousekeeping.com --enumerate p
ruby ./wpscan.rb --url www.aahousekeeping.com --enumerate t
To Enumerate WordPress Users
ruby ./wpscan.rb --url www.aahousekeeping.com --enumerate u
To Launch a Brute-Force Attack
ruby ./wpscan.rb --url www.example.com --wordlist password.txt --username admin
To Enumerate Timthumbs
ruby ./wpscan.rb --url www.aahousekeeping.com --enumerate tt
Penetration testing is the act of analyzing your WordPress website to find vulnerabilities that an attacker might exploit. Here we have shown some WordPress pentesting commands executed through the WPScan scanner, which are important to run against any WordPress-powered website you are responsible for.
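From the site owner's side, the enumeration and brute-force scans above leave recognizable traces in the web server access log. The following is an added example, not part of the original tutorial or of WPScan: it assumes combined log format, uses constructed sample lines, and the thresholds and the /?author=N and "WPScan" user-agent heuristics are assumptions to tune for your own site.

```python
import re
from collections import defaultdict

def _line(ip, method, path, status, ua="Mozilla/5.0"):
    # Build one constructed access-log line in combined log format.
    return (f'{ip} - - [10/Mar/2018:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SCANNER_UA = "WPScan v0.0 (constructed sample)"  # constructed, not a real version string
# Constructed sample log: one scanner, one password guesser, one normal visitor.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", f"/?author={i}", 301, SCANNER_UA) for i in (1, 2, 3)]
    + [_line("203.0.113.7", "GET", f"/wp-content/plugins/{p}/readme.txt", 404, SCANNER_UA)
       for p in ("alpha", "beta", "gamma")]
    + [_line("198.51.100.9", "POST", "/wp-login.php", 200)] * 6
    + [_line("192.0.2.44", "GET", "/?p=12", 200),
       _line("192.0.2.44", "POST", "/wp-login.php", 302)]
)

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
AUTHOR_RE = re.compile(r'[?&]author=\d+')  # author-archive probing (user enumeration)
COMPONENT_RE = re.compile(r'^/wp-content/(?:plugins|themes)/[^/]+/')

def analyze(log_text, login_threshold=5, probe_threshold=3, author_threshold=2):
    """Return {client_ip: [reasons]} for clients whose requests look like a scan."""
    stats = defaultdict(lambda: {"ua": False, "author": 0, "login": 0, "probe": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, status, ua = m.groups()
        s = stats[ip]
        s["ua"] |= "wpscan" in ua.lower()  # weak signal: the user agent can be changed
        s["author"] += bool(AUTHOR_RE.search(path))
        s["login"] += (method == "POST"
                       and path.split("?")[0] in ("/wp-login.php", "/xmlrpc.php"))
        s["probe"] += status == "404" and bool(COMPONENT_RE.match(path))
    findings = {}
    for ip, s in stats.items():
        reasons = [name for name, hit in (
            ("scanner-user-agent", s["ua"]),
            ("user-enumeration", s["author"] >= author_threshold),
            ("login-brute-force", s["login"] >= login_threshold),
            ("plugin-theme-probing", s["probe"] >= probe_threshold)) if hit]
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Flagged addresses are candidates for rate limiting or blocking at the web server or firewall; a single failed login from a normal visitor does not trigger any rule.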
Stay tuned for advanced tutorials.