Want/How to Hack WordPress? Check Out WPScan

I’ve been looking for ways to ethically hack WordPress as it’s not the easiest platform to hack. I recently came across a free tool called WPScan, courtesy of EthicalHack3r. This tool is built for Linux and essentially looks for any passwords in a given list. Originally called “WordPress Brute Force Tool,” this is a great tool to use for consulting purposes.

Take note that by default it can provide you a list of usernames per site as well as plugins/themes being used, which is a good start. However, you would need to provide a password list file for WPScan to read from. WPScan doesn’t just extract passwords.

The purpose of this is to advise someone to make his/her passwords and system secure as it can easily be compromised.

Video of WPScan in Action

    Video of the first PoC

    In case the files aren’t available, here’s WPScan directly downloadable from this site.

    Tip: If on Ubuntu, you cannot install “typhoeus,” a pre-requisite to WPScan because a file “mkmf” is not found, you need to uninstall/reinstall ruby 1.8 dev:

    sudo apt-get remove ruby1.8-dev
    sudo apt-get install ruby1.8-dev

    Finally, to prevent anyone from continuously hacking your WordPress site, here’s a plugin to “lock down” someone trying to “brute force” his way in by tracking the IP address it’s coming from: http://www.bad-neighborhood.com/login-lockdown.html

      Here are some additional resources on WordPress hacking:

        Comments

        comments

        Recent Posts
        • Harami

          Lalalajpat Rai

        • zhalo

          hello? rafi? i need some help please

        • Eetheart

          The link is broken. Can we get a new one??