
    How to hack a WordPress website with WPScan

    Post by Admin Sun Jun 12, 2016 1:45 pm

    This tutorial in the category WordPress hacking shows you how to scan WordPress websites and blogs for possible vulnerabilities and enumerate WordPress users. WordPress user enumeration is the first step in the brute force attack in order to gain access to a WordPress account and is used to retrieve a list of account names. We will also show you how to hide usernames from WPScan so you can avoid easy user enumeration and brute force attempts. We will conclude this tutorial with a demonstration on how to brute force root passwords using WPScan in Kali Linux. WPScan is a black box WordPress vulnerability scanner and a must-have tool for any WordPress web developer to scan for vulnerabilities and solve issues before they get exploited by hackers. Together with [You must be registered and logged in to see this link.], a great webserver assessment tool, this tool should be part of any penetration test targeting a WordPress website or blog.

    WPScan comes pre-installed on the following Linux distributions:

    The latest version is WPScan 2.8 and the database currently contains:

    • Total vulnerable versions: 98
    • Total vulnerable plugins: 1.076
    • Total vulnerable themes: 361
    • Total version vulnerabilities: 1.104
    • Total plugin vulnerabilities: 1.763
    • Total theme vulnerabilities: 443

    The Windows operating system is currently not supported by WPScan. The latest version is available for download at the following website (Linux & Mac): [You must be registered and logged in to see this link.]

    WPScan update

    Start with the following command to update the WPScan vulnerabilities database:

    wpscan --update

    Scanning WordPress vulnerabilities

    Then use the following command to scan the target website for possible vulnerabilities:

    wpscan --url [wordpress url]


    How to enumerate WordPress users

    The WordPress user enumeration tool is used to retrieve a list of registered WordPress users for the target host. User enumeration is the first step when an attacker wants to gain access to a specific target by brute forcing. The enumeration tool scans the target on posts, pages and custom types for authors and usernames.

    Use the following command to enumerate the WordPress users:

    wpscan --url [wordpress url] --enumerate u


    How to brute force the root password

    Use the following command to brute force the password for user root:

    wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username to brute force] --threads [number of threads to use]


    How to avoid WordPress user enumeration

    If you want to avoid WordPress user enumeration, you should avoid using the username as nickname and display name, which is shown publicly in WordPress. The best option is to choose an administrator username which consists of random characters and use a different nickname. WPScan scans for usernames in the URLs, so if you don't use the username it cannot be scanned by WPScan. Another way to prevent user enumeration is to use a different account to publish posts and answer replies.
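    Enumeration like the `--enumerate u` run described above leaves a recognisable trace in the web server's access log: one client walking through author IDs in quick succession. The detector below is an added example (not code from the post or from WPScan); it assumes Apache combined log format and that the scanner probes author archives through the `?author=N` query parameter, which is what WPScan-style user enumeration does, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not taken from the post.
# 203.0.113.7 walks author IDs 1..4 within seconds, 198.51.100.9 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2016:13:45:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner-ua"
203.0.113.7 - - [12/Jun/2016:13:45:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5123 "-" "scanner-ua"
203.0.113.7 - - [12/Jun/2016:13:45:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner-ua"
203.0.113.7 - - [12/Jun/2016:13:45:02 +0000] "GET /?author=3 HTTP/1.1" 404 210 "-" "scanner-ua"
203.0.113.7 - - [12/Jun/2016:13:45:03 +0000] "GET /?author=4 HTTP/1.1" 404 210 "-" "scanner-ua"
198.51.100.9 - - [12/Jun/2016:13:46:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2016:13:46:12 +0000] "GET /2016/06/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Client IP, request method/path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# author=N in the query string is the archive lookup an enumerator iterates over.
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def enumeration_probes(log_text, threshold=3):
    """Return {ip: sorted author IDs} for every client that requested at least
    `threshold` distinct author IDs. A real visitor rarely touches more than one."""
    ids_per_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        a = AUTHOR_RE.search(m.group("path"))
        if a:
            ids_per_ip[m.group("ip")].add(int(a.group(1)))
    return {ip: sorted(ids) for ip, ids in ids_per_ip.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in enumeration_probes(SAMPLE_LOG).items():
        print(f"{ip} probed author IDs {ids}")
```

    The display-name advice above limits what such a probe reveals (the archive redirect exposes the login name only when it is also used as the public slug); the log check tells you when someone is looking.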

    How to avoid WordPress password brute forcing

    The best way to keep attackers using brute force methods out is to limit the login attempts for an IP address. There are several plug-ins available for WordPress to limit login attempts. The latest WordPress versions have this option by default. Make sure you limit entries to a maximum of 3 and increase lockout time a lot after 2 lockouts (which is 6 password attempts).
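    The lockout policy just described (3 failed attempts per IP, a much longer lockout once the same IP has already been locked out twice) is implemented below as an added example; it is not code from the post or from any WordPress plug-in. The lockout durations (20 minutes, then 24 hours) are assumed values chosen for the example.

```python
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # failed logins allowed before a lockout (from the post)
BASE_LOCKOUT = 20 * 60    # assumed: first two lockouts last 20 minutes
LONG_LOCKOUT = 24 * 3600  # assumed: the third lockout (after 6 failures) lasts 24 hours


@dataclass
class IpState:
    failures: int = 0       # failed attempts since the last lockout or success
    lockouts: int = 0       # lockouts imposed on this IP so far
    locked_until: float = 0.0


class LoginLimiter:
    """Per-IP failed-login counter with escalating lockouts."""

    def __init__(self):
        self.state = {}

    def is_locked(self, ip, now):
        s = self.state.get(ip)
        return s is not None and now < s.locked_until

    def record_failure(self, ip, now):
        """Register one failed login at time `now` (seconds).
        Returns ("ok", attempts_left) or ("locked", seconds_remaining)."""
        s = self.state.setdefault(ip, IpState())
        if now < s.locked_until:
            return ("locked", s.locked_until - now)  # still locked: reject outright
        s.failures += 1
        if s.failures < MAX_ATTEMPTS:
            return ("ok", MAX_ATTEMPTS - s.failures)
        s.failures = 0
        s.lockouts += 1
        duration = BASE_LOCKOUT if s.lockouts <= 2 else LONG_LOCKOUT
        s.locked_until = now + duration
        return ("locked", duration)

    def record_success(self, ip):
        self.state.pop(ip, None)  # a real login clears the counter


def run_scenario(ip="10.0.0.5"):
    """Constructed scenario: three bursts of 3 failures, each after the previous
    lockout expired. Returns the lockout durations handed out, in order."""
    limiter, durations, now = LoginLimiter(), [], 0
    for _ in range(3):
        for _ in range(MAX_ATTEMPTS):
            _, value = limiter.record_failure(ip, now)
            now += 1
        durations.append(value)
        now += value  # wait out the lockout before the next burst
    return durations
```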
