I’ve been looking for ways to ethically hack WordPress, which is not the easiest platform to hack. I recently came across a free tool called WPScan, courtesy of EthicalHack3r. It is built for Linux and essentially tries each password from a given list against the site’s login. Originally called “WordPress Brute Force Tool,” it is a great tool to use for consulting purposes.
Note that by default it can give you a list of usernames for a site as well as the plugins/themes in use, which is a good start. However, you need to supply a password list file for WPScan to read from; WPScan doesn’t extract passwords on its own.
The purpose of this is to show someone that his/her passwords and system can easily be compromised, and to advise securing them.
Video of WPScan in Action
Video of the first PoC
In case the files aren’t available, here’s WPScan directly downloadable from this site.
Tip: If, on Ubuntu, you cannot install “typhoeus” (a prerequisite for WPScan) because the file “mkmf” is not found, uninstall and reinstall the ruby 1.8 dev package:
sudo apt-get remove ruby1.8-dev
sudo apt-get install ruby1.8-dev
Finally, to stop anyone from continuously hacking your WordPress site, here’s a plugin that “locks down” someone trying to “brute force” his way in by tracking the IP address the attempts come from: http://www.bad-neighborhood.com/login-lockdown.html
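To make the lock-down idea concrete from the defender’s side, here is an added example (my own, not code from the post or from the Login LockDown plugin). It reads web-server access-log lines, counts POST requests to wp-login.php per client IP inside a sliding time window, and reports IPs that exceed a threshold, which is exactly the signal a brute-force run like WPScan’s produces. The log lines, the threshold and the window are constructed assumptions for illustration; the successful-login heuristic (a 302 redirect rather than a re-rendered 200 form) is the usual WordPress behaviour but is an assumption here too.

```python
"""Flag source IPs that hammer wp-login.php (added example, not the plugin's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one IP fires five login POSTs in 40 seconds,
# another logs in successfully on its second try, a third only GETs the form.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2012:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
    '203.0.113.7 - - [10/Oct/2012:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
    '203.0.113.7 - - [10/Oct/2012:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
    '203.0.113.7 - - [10/Oct/2012:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
    '203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
    '198.51.100.9 - - [10/Oct/2012:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
    '198.51.100.9 - - [10/Oct/2012:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.4 - - [10/Oct/2012:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512',
    'this line is not a log entry and is skipped',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce_ips(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: time_of_lockout} for IPs that made `threshold` or more login
    POSTs within any `window`.  A failed WordPress login re-renders the form
    (HTTP 200); a successful one redirects (302), so 302s are not counted.
    Threshold and window are assumed values; tune them to your own traffic."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.startswith("/wp-login.php") or status == 302:
            continue
        q = attempts[ip]
        q.append(ts)
        # Drop attempts that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in locked:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in find_bruteforce_ips(SAMPLE_LOG).items():
        print(f"lock down {ip}: {when.isoformat()}")
```

Run as a script it reports only 203.0.113.7, locked at the fifth attempt; the IP that eventually logged in and the one that merely loaded the form are left alone. Feeding it your real access log (one line per item) gives you the same per-IP view the plugin keeps, and the window parameter shows why a lockout needs a time bound: with a 30-second window the same five attempts spread over 40 seconds never reach the threshold.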
Here are some additional resources on WordPress hacking: