How to do Penetration Test for WordPress Website :-
Penetration testing is process of evaluating the security of Computer system or network System by simulating an attack .In this article i am going to show you How to perform penetration test for WordPress website with Kali Linux.
Navigate to Applications > Kali Linux > Web Applications > CMS identification > select wpscan .
or enter the following command on the Terminal root@kali:~#wpscan -h
1. Check the Installed Plugins :-
Open the Terminal and enter the following command
| root@Kali:~# ruby /user/bin/wpscan – – url www.example.com –enumerate p |
In this test, i performed this test on the one of the most popular computer education site to check the installed plugins. WP-Scan found the 15 active plugins.
2. Check the Running WordPress version :-
Open the terminal and enter the following command
| root@Kali:~# ruby /user/bin/wpscan – – url www.yourtargetsite.com |
it detects the WordPress version running on a site is 3.6.1 .
3. Finding Username :-
Open the Terminal and enter the following command to enumerate the Username of WordPress site.
| root@Kali:~# ruby /user/bin/wpscan – – url www.yourtargetsite.com – – enumerate u |
As you seen in the below image, it,s find out two users on the WordPress site.
4. Perform Brute-force attack on “admin ” User only :-
Open the terminal and enter the following command to perform Brute force attack on the admin user.
| root@Kali:~# ruby /user/bin/wpscan – – url www.yourtargetsite.com – -wordlist yourwordlist.txt – -username admin |
Where youwordlist.txt is your wordlist location. Check my article How to Create Wordlist with crunch in Kali Linux and How to Merge Multiple Wordlist Into One Wordlist .
5. Brute Force attack on Enumerated User :-
Open the terminal and enter the following command
| root@Kali:~# ruby /user/bin/wpscan – – url www.yourtargetsite.com – -wordlist yourwordlist.txt – -threads 50 |
6. Use HTTP and Socks 5 Proxy during Pen-testing :-
To use a HTTP Proxy enter the following command :-
| root@Kali:~# ruby /user/bin/wpscan – – url www.yourtargetsite.com – -proxy 17.0.0.1:8118 |
To use a Socks 5 proxy ( cURL >= v7.21.7 needed )
| root@Kali:~# ruby /user/bin/wpscan – – url www.yourtargetsite.com – -proxy socks5://127.0.0.1:9000 |
If you want to test other CMS application on your Local machine.
Open your web browser and visit the Turnkey Linux website at http://www.
turnkeylinux.org.
There are many applications listed here, and I would recommend trying them all
so that you can find vulnerabilities and test your skills against these applications;
however, for this recipe, we will examine WordPress. In the Instant Search box,
type WordPress:-
On the WordPress download page, select the ISO image and once the download
completes, follow the instructions in the Getting comfortable with VirtualBox recipe
to install the Turnkey Linux WordPress virtual machine:
or Install WordPress on the Local computer. check my article Installing WordPress on Your Windows Desktop .
Also Check :-
How to Improve the Security of your WordPress Blog
How to set up two-step verification for WordPress
How to Secure your WordPress login page
How To Speed Up WordPress Load Times
How to Fix the Website Ahead Contains Malware in your website
Note :- This tutorial is for Education Purpose Only.
Hope you like my post.How to do Penetration Test for WordPress Website. Please Share with others.
