WordPress is an open source tool used for blogging and for designing other attractive websites. WordPress is a CMS (Content Management System) built on PHP and SQL. Here we are going to conduct WordPress testing using WPScan.
WordPress testing using wpscan
WordPress is used so widely that many questions have been raised about the security of this technology.
WPScan is a penetration testing tool used to check a WordPress website for vulnerabilities. It was developed by Ryan Dewhurst and sponsored by Sucuri. It comes pre-installed with many Linux distributions such as BackBox Linux, Kali Linux, Pentoo, SamuraiWTF and BlackArch. WPScan does not support Windows.
WPScan can enumerate themes, plugins and users, and it can be run through an HTTP proxy, but it does not analyse the source code of the site; it works only from the responses the site returns.
Commands used in pen testing a WordPress site
All the commands are written below, one by one. There are many things you need to do when testing a WordPress site.
Enumerate WordPress version, theme and plugin
• wpscan --url http://tutorials.gbhackers.com/test/ --enumerate p
• wpscan --url http://tutorials.gbhackers.com/test/ --enumerate t
Enumerate WordPress users
• wpscan --url http://tutorials.gbhackers.com/test/ --enumerate u
How to pentest your WordPress website
Launch a brute-force attack
wpscan --url http://tutorials.gbhackers.com/test/ --wordlist /root/Desktop/password.txt --username kcwto
If you are still using TimThumb, even after its very serious vulnerability, you have one more reason to be concerned. WPScan enumerates TimThumb files with the tt option:
wpscan --url http://tutorials.gbhackers.com/test/ --enumerate tt
Store the output in a separate file
wpscan --url http://tutorials.gbhackers.com/test/ --debug-output 2>debug.log
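The enumeration steps above, collected into one script that keeps each mode's result and its debug stream in a separate file. This is an added example, not code from the original post or from WPScan; it assumes WPScan 2.x (the flag names the post uses) on PATH and a site you administer, and the directory naming and URL check are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's WPScan 2.x
# enumeration steps (plugins, themes, users, TimThumb) in one pass against a
# site you administer, keeping each result and its debug log in its own file,
# as the post's "--debug-output 2>debug.log" step does for a single run.
# Assumed: wpscan 2.x (the flag names used in the post) is on PATH.

# Accept only absolute http(s) URLs so a typo cannot send the scan elsewhere.
validate_url() {
    case "$1" in
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Derive a filesystem-safe host name from the URL for the output directory.
url_host() {
    h="${1#*://}"        # strip the scheme
    h="${h%%/*}"         # strip the path
    printf '%s\n' "$h" | sed 's/[^A-Za-z0-9._-]/_/g'
}

# Name the output directory after the host and a timestamp (passed in so the
# name is reproducible), e.g. wpscan-tutorials.gbhackers.com-20240101-120000
outdir_name() {
    printf 'wpscan-%s-%s\n' "$(url_host "$1")" "$2"
}

# Run every enumeration mode; stdout goes to enumerate-<mode>.txt and the
# debug stream to debug-<mode>.log, so later scans can be diffed per mode.
run_enumeration() {
    target="$1"
    validate_url "$target" || { echo "usage: run_enumeration http[s]://host/path/" >&2; return 2; }
    command -v wpscan >/dev/null 2>&1 || { echo "wpscan not found on PATH" >&2; return 127; }
    outdir="$(outdir_name "$target" "$(date +%Y%m%d-%H%M%S)")"
    mkdir -p "$outdir" || return 1
    for mode in p t u tt; do
        wpscan --url "$target" --enumerate "$mode" --debug-output \
            >"$outdir/enumerate-$mode.txt" 2>"$outdir/debug-$mode.log"
    done
    echo "$outdir"
}

# Run directly with a target URL, or source the file and call run_enumeration.
case "${1:-}" in http://*|https://*) run_enumeration "$1" ;; esac
```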
Pen testing is an art that depends on the analysis and knowledge of the tester. The commands given here are the basics of testing. You must be aware of every aspect of the site on which the test is conducted.
Write to us in the comment box for any help. Thank you.