
How to Use wpscan tool in Kali Linux

Last Updated : 23 Sep, 2022

Wpscan is a WordPress security scanner used to test WordPress installations and WordPress-powered websites. It is a command-line tool that ships with Kali Linux. It can find vulnerable plugins, themes, or backup files present on a site. It is used by individual WordPress site owners to test their own websites for vulnerabilities, and by larger organizations to keep their sites secure. The tool can also enumerate users and run brute-force attacks against known WordPress users. In this article, we walk through the different commands of the wpscan tool, the most common attacks against WordPress sites, and tips to defend against them. The functionality below can be used from the point of view of an attacker, or simply by someone who wants to check whether their own WordPress site is secure enough.

Wpscan is usually pre-installed in Kali Linux. If it is not, follow the installation guide for the Wpscan tool before continuing.

Different commands and applications of wpscan:

For this example, we will be using a vulnerable version of WordPress, i.e. a WordPress 5.0-powered website, and scan it for vulnerabilities using wpscan.

Wpscan commands:

1) --url : (basic scan)

The following command performs a vulnerability scan of the entire WordPress site, looking for vulnerable plugins, themes, and backups.

command:   wpscan --url IP_ADDRESS_OF_WEBSITE

The scan results list otherwise hidden files such as robots.txt and a readme file, and show the WordPress version in use. They also list the plugins, themes, and config backups the site uses. If any vulnerable or outdated plugins or themes are found, remove them and install updated ones, so that attackers cannot exploit outdated software to gain access to your site.

2) --help: (help options)

command: wpscan --help

It is common practice on Linux to use the "--help" option to get the complete list of switches a tool supports and what each one does.


3) -e u: (enumerating website users)

command:   wpscan --url IP_ADDRESS_OF_WEBSITE -e u

This makes wpscan enumerate the WordPress site for valid login usernames. After the scan it reports every username it found that is a valid user of the site; such usernames are often brute-forced to gain unauthorized access to the WordPress admin or author dashboard.


4) -U -P: (brute-forcing the password of an identified user)

command:   wpscan --url IP_ADDRESS_OF_WEBSITE -U USER_NAME -P PATH_TO_WORDLIST

As we managed to enumerate some usernames for the WordPress site above, let’s try to brute-force the user “kwheel”.

  • Brute forcing: a technique in which a tool tries every entry of a wordlist against the login form until it finds the password that matches the given username.
  • Wordlist: the password-cracking tool uses a wordlist, which is simply a text file containing a set of commonly used passwords, e.g. 12345678, qwerty, pizza123, etc.
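The defensive counterpart of a wordlist is a password blocklist check: before accepting a new password, the site compares it against the same kind of list an attacker would feed to wpscan. The following is an added example, not code from the article or from the WPScan project; it uses a small constructed list in place of a real wordlist such as rockyou.txt, and the normalisation rules (case folding, stripping a trailing digit or symbol run, undoing common letter substitutions) are an assumed policy chosen to show why a password like "cutiepie1" still counts as a dictionary word.

```python
import re

# Constructed miniature wordlist standing in for a real file such as rockyou.txt.
COMMON_PASSWORDS = {"12345678", "qwerty", "pizza123", "password", "cutiepie", "welcome"}

# Assumed substitution table: the leet-speak swaps people use to dress up a dictionary word.
LEET = str.maketrans("@$013!", "asolei")


def load_wordlist(path):
    """Read a newline-separated wordlist (e.g. rockyou.txt) into a set of lowercase entries."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def normalize(password):
    """Collapse the trivial tweaks bolted onto a dictionary word.

    Order matters: trailing digits/symbols are removed before the leet
    substitution, otherwise the "1" in "cutiepie1" would become an "l".
    """
    p = password.lower()
    p = re.sub(r"[\d!@#$%^&*._-]+$", "", p)
    return p.translate(LEET)


def is_weak(password, blocklist=COMMON_PASSWORDS, min_length=12):
    """Return the list of reasons a password would be rejected; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if password.lower() in blocklist:
        reasons.append("appears in common-password list")
    elif normalize(password) in blocklist:
        reasons.append("is a common password with trivial tweaks")
    return reasons


if __name__ == "__main__":
    for candidate in ("cutiepie1", "P@ssw0rd2022", "correct horse battery staple"):
        print(candidate, "->", is_weak(candidate) or "ok")
```

Swapping `COMMON_PASSWORDS` for `load_wordlist("/usr/share/wordlists/rockyou.txt")` turns this into the same check against the real list; a password that the check rejects is, by construction, one that the brute-force command above would find quickly.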

To brute force the user "kwheel" we use rockyou.txt, a wordlist that is commonly used for brute-force attacks.

(screenshot: successful brute-force attack)

As you can see, we have cracked the password for the user "kwheel". The password is "cutiepie1", which is easy to crack because it is not complex. To protect against such brute-force attacks, do not use common passwords, nicknames, dates of birth, pet names, etc.
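Both the user enumeration of step 3 and the brute forcing of step 4 leave a distinctive trail in the web server's access log: a single client walking through many author IDs, followed by a burst of POST requests to the login page. The following detection script is an added example, not code from the article or the WPScan project. It parses Apache/Nginx "combined" log lines and raises an alert per client IP; the thresholds, the sample log lines and the client addresses are all constructed for the example, and the assumption that wpscan's default User-Agent contains the word "WPScan" is only a weak secondary signal, since the string can be changed on the command line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not captured from a real server).
# 203.0.113.7 walks ?author=1..6 to enumerate users, then sends 12 login POSTs in
# 11 seconds; 198.51.100.4 is an ordinary visitor who logs in once.
_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"  # assumed default UA
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2022:10:00:0%d +0000] "GET /?author=%d HTTP/1.1" 301 0 "-" "%s"'
    % (i, i, _UA)
    for i in range(1, 7)
] + [
    '203.0.113.7 - - [23/Sep/2022:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "%s"'
    % (10 + i, _UA)
    for i in range(12)
] + [
    '198.51.100.4 - - [23/Sep/2022:10:01:00 +0000] "GET /2022/09/hello-world/ HTTP/1.1" 200 9830 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Sep/2022:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")


def parse_line(line):
    """Turn one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, author_threshold=5, login_threshold=10, window_seconds=60):
    """Return {ip: [alert, ...]} for clients that look like they are enumerating users or brute forcing logins."""
    author_ids = defaultdict(set)   # ip -> distinct author IDs probed
    login_posts = defaultdict(list)  # ip -> timestamps of POST /wp-login.php
    scanner_ua = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        m = AUTHOR_RE.search(ev["path"])
        if m:
            author_ids[ev["ip"]].add(int(m.group(1)))
        if ev["method"] == "POST" and ev["path"].split("?")[0].endswith("/wp-login.php"):
            login_posts[ev["ip"]].append(ev["ts"])
        if "wpscan" in ev["ua"].lower():
            scanner_ua.add(ev["ip"])

    alerts = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            alerts[ip].append("user-enumeration:%d author ids" % len(ids))
    for ip, times in login_posts.items():
        n = max_in_window(times, window_seconds)
        if n >= login_threshold:
            alerts[ip].append("login-bruteforce:%d POSTs/%ds" % (n, window_seconds))
    for ip in scanner_ua:
        alerts[ip].append("scanner-user-agent")
    return dict(alerts)


if __name__ == "__main__":
    for ip, found in detect(SAMPLE_LOG).items():
        print(ip, found)
```

On a live server the same `detect()` can be fed `open("/var/log/nginx/access.log")` (path assumed). The two behavioural signals, many distinct author IDs and a burst of login POSTs from one address within a short window, are the ones worth alerting and rate-limiting on; the User-Agent match is included only because it catches unmodified scans cheaply.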
