Hacking WordPress with wpscan

WordPress is a free open source content management system. Thousands of Web sites run WordPress, and it is considered the top blogging platform in the world. According to Usage Statistics and Market Share of Content Management Systems for Websites (W3Techs. January 2015. Retrieved January 2015), 23% of the world’s top 10 million Web sites use WordPress.

So…let’s hack WordPress!

We are going to use WPScan to test our WordPress installation. This is a security scanner that attempts to find known security weaknesses within WordPress installations. The application is provided for free on the wpscan.org site, and the intended audience is security professionals or WordPress administrators. WPScan is used to determine the security posture of WordPress installations.

The main features of WPScan include:

  • Username enumeration (from the author)
  • Multi-threaded, weak password cracking
  • Version enumeration (from the generator meta tag)
  • Vulnerability enumeration, which is based on the installed version
  • Plugin enumeration using the To-Do plugin
  • A variety of other security checks

The syntax to get started with WPScan is:

wpscan --url wordpress_url

[Screenshot: Hacking WordPress with wpscan-1]

Note: The first time you run it, you may find that you need to update the database.

[Screenshot: Hacking WordPress with wpscan-2]

Once the scan runs, you should be able to quickly determine the WordPress version, which plugins are installed, and which theme is active.

The first thing we will do is look for lines beginning with a red plus sign (+). These are the known WordPress vulnerabilities.

[Screenshot: Hacking WordPress with wpscan-3]

If the installation is exposed to this weakness, you can enumerate a list of users from WordPress with the following command:

wpscan --url wordpress_url --enumerate u

[Screenshot: Hacking WordPress with wpscan-4]

I ran the command, and you can see WPScan discovered usernames on this system:

[Screenshot: Hacking WordPress with wpscan-5]

Once usernames have been collected, you can then attempt to brute-force the associated passwords. In order to do so, you will need a password list. Kali has a number of different wordlists at this location:

/usr/share/wordlists

You can also download our custom word list from here:

WARNING: DO A SAVE AS OR YOUR BROWSER MAY CRASH

http://www.drchaos.com/public_files/chaos-dictionary.lst.txt

If you prefer, you can also use this link to get a tool to create your own word lists:

Dr. Chaos – Creating Custom Wordlists and Dictionary Files

To brute-force the passwords associated with the discovered usernames, use the following command:

wpscan --url [wordpress_url] --wordlist [path_to_wordlist] --username [username_to_bruteforce] --threads [number_of_threads]

[Screenshot: Hacking WordPress with wpscan-5]

Some installations of WordPress will make it very difficult to brute force the password.

[Screenshot: Hacking WordPress with wpscan-6]

If this happens, we might need to rethink our approach.

The result? If you are lucky, WPScan will crack the password, as in the results below.

[Screenshot: Hacking WordPress with wpscan-7]

Please note that not all versions of WordPress are vulnerable, and many hosted service providers are now providing automatic patching and upgrading. However, WPScan is a great way of testing your own environment and ensuring it is safe.
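If you are testing your own environment, it helps to know what a WPScan run looks like from the server side. The user enumeration above walks through author IDs (`?author=N`), and the password attack is a burst of POSTs to `wp-login.php`; WordPress re-renders the login form with HTTP 200 on a failed login and redirects (302) on success. The script below is an added example, not code from the post or from WPScan: it scans web server access-log lines for those two patterns. The thresholds and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format: client IP, request line, status. Only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Thresholds are assumptions for this example; tune them to your own traffic.
AUTHOR_PROBE_THRESHOLD = 3   # distinct ?author=N ids requested by one client
FAILED_LOGIN_THRESHOLD = 5   # POST /wp-login.php answered with 200 (login form re-rendered)

# Constructed sample access log, not a real capture: 203.0.113.7 behaves like WPScan's author
# enumeration followed by a password attack; 198.51.100.4 is an ordinary visitor who logs in once.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Jan/2015:10:00:0{i} +0000] "GET /?author={i} HTTP/1.1" 301 0 "-" "WPScan v2.5"'
     for i in range(1, 4)]
    + [f'203.0.113.7 - - [10/Jan/2015:10:00:1{i} +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "WPScan v2.5"'
       for i in range(5)]
    + ['198.51.100.4 - - [10/Jan/2015:10:01:00 +0000] "GET /2015/01/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
       '198.51.100.4 - - [10/Jan/2015:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)


def detect_wpscan_activity(log_text):
    """Return {ip: [alert, ...]} for clients whose requests match WPScan-style enumeration or brute force."""
    author_ids = defaultdict(set)     # ip -> distinct author ids probed
    failed_logins = defaultdict(int)  # ip -> failed wp-login.php POSTs
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, status = m['ip'], m['method'], m['path'], int(m['status'])
        probe = AUTHOR_RE.search(path)
        if method == 'GET' and probe:
            author_ids[ip].add(int(probe.group(1)))
        elif method == 'POST' and path.startswith('/wp-login.php') and status == 200:
            failed_logins[ip] += 1  # 200 on POST means the form came back: a failed attempt
    alerts = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_PROBE_THRESHOLD:
            alerts[ip].append(f'author enumeration: {len(ids)} distinct author ids probed')
    for ip, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts[ip].append(f'login brute force: {n} failed POSTs to wp-login.php')
    return dict(alerts)


if __name__ == '__main__':
    for ip, found in detect_wpscan_activity(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(found))
```

Run it against a real access log with `detect_wpscan_activity(open('/var/log/apache2/access.log').read())`; the same counters can feed a fail2ban filter or a WAF rule.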

Happy blogging!
