Tuesday , 17 January 2017

How to do Penetration Test for WordPress Website

How-to-do-Penetration-Test-for--WordPress-WebsiteHow to do Penetration Test for  WordPress Website :-

Penetration testing is process of evaluating the security of Computer system or network System by simulating an attack .In this article i am going to show you How to perform penetration test for WordPress website with Kali Linux.

Navigate to Applications > Kali Linux > Web Applications > CMS identification > select wpscan .


or enter the following command on the Terminal root@kali:~#wpscan -h


1. Check the Installed Plugins :-

Open the Terminal and enter the following command

root@Kali:~# ruby /user/bin/wpscan  – – url www.example.com –enumerate p

In this test, i performed this test on the one of the most popular computer education site to check the installed plugins. WP-Scan found the 15 active plugins.


2. Check the Running WordPress version :-

Open the terminal and enter the following command

 root@Kali:~# ruby /user/bin/wpscan – – url www.yourtargetsite.com 

it detects the WordPress version running on a site is 3.6.1 .


3. Finding Username :-

Open the Terminal and enter the following command to enumerate the Username of WordPress site.

root@Kali:~# ruby /user/bin/wpscan  – – url www.yourtargetsite.com – – enumerate u

As you seen in the below image, it,s find out two users on the WordPress site.


4. Perform Brute-force attack on “admin ” User only :-

Open the terminal and enter the following command to perform Brute force attack on the admin user.

root@Kali:~# ruby /user/bin/wpscan  – – url www.yourtargetsite.com – -wordlist yourwordlist.txt – -username admin

Where youwordlist.txt is your wordlist location. Check my article How to Create Wordlist with crunch in Kali Linux and How to Merge Multiple Wordlist Into One Wordlist .

5. Brute Force attack on Enumerated User :-

Open the terminal and enter the following command

root@Kali:~# ruby /user/bin/wpscan  – – url www.yourtargetsite.com – -wordlist yourwordlist.txt – -threads 50

6. Use HTTP and Socks 5 Proxy during Pen-testing :-

To use a HTTP Proxy enter the following command :-

root@Kali:~# ruby /user/bin/wpscan  – – url www.yourtargetsite.com – -proxy

To use a Socks 5 proxy ( cURL >= v7.21.7 needed )

root@Kali:~# ruby /user/bin/wpscan  – – url www.yourtargetsite.com – -proxy socks5://

If you want to test other CMS application on your Local machine.

Open your web browser and visit the Turnkey Linux website at http://www.

There are many applications listed here, and I would recommend trying them all
so that you can find vulnerabilities and test your skills against these applications;
however, for this recipe, we will examine WordPress. In the Instant Search box,
type WordPress:-


On the WordPress download page, select the ISO image and once the download

completes, follow the instructions in the Getting comfortable with VirtualBox recipe
to install the Turnkey Linux WordPress virtual machine:


or Install WordPress on the Local computer. check my article Installing WordPress on Your Windows Desktop .

Also Check :-

How to Improve the Security of your WordPress Blog

How to set up two-step verification for WordPress

How to Secure your WordPress login page

How To Speed Up WordPress Load Times

How to Fix the Website Ahead Contains Malware in your website

Note :- This tutorial is for Education Purpose Only.

Hope you like my post.How to do Penetration Test for  WordPress Website. Please Share with others.

Use Facebook to Comment on this Post

About Syed Balal Rumy

A 27 year Tech Geek and a blogger from India ( Bihar ) , live in New Delhi. I am MCITP , CEHv8 , CCNA , CCNA Security , CCNP Security , Security + and CCSA certified. Loves to write tech articles based on my real experiences.

Powered by themekiller.com anime4online.com animextoon.com apk4phone.com