A couple of WordPress security assessment tools have popped up over the past couple of months. This has to be a good thing, with the number of WordPress installations skyrocketing.
First, of course, there is the HackerTarget.com scan: externally facing and coming in at a fairly high level. The system downloads some of your pages, analyses them, checks a few additional links and gives you a tidy little report detailing any security issues discovered.
Our scan does not brute force accounts, passwords or plugins. Brute forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.
Simply put, brute forcing works as follows:
- Plugins are enumerated by testing URLs of the form http://myexampleblog.cm/wp-content/plugins/$pluginname
- Usernames can be brute forced with a POST request to the login form (the form responds differently to an incorrect username)
- Passwords can be brute forced (given a valid username) by hitting the login form
Additionally, usernames can be gathered from some WordPress themes, RSS feeds, and author page URIs such as /blog/author/admin/.
The following tools and scripts can be used in your penetration testing of WordPress.
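Each of the enumeration techniques listed above leaves a recognisable footprint in an ordinary web-server access log: bursts of POSTs to the login form, runs of 404s under /wp-content/plugins/, and probing of author archives. The script below is an added defensive example, not part of the original post or of any of the tools it mentions; it parses combined-format log lines and flags source addresses that exceed per-category thresholds. The log lines are constructed for the example and the thresholds are assumptions to be tuned against your own traffic baseline.

```python
"""Flag WordPress enumeration patterns in a web-server access log.

Added defensive example (not from the original post). The log lines are
constructed and the thresholds are assumptions, not recommended values.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Author-archive probing: /author/<name>/ paths or ?author=N redirect probes.
AUTHOR_RE = re.compile(r"(/author/|[?&]author=\d+)")

# Assumed thresholds: events per source IP within the analysed window.
THRESHOLDS = {
    "login_bruteforce": 5,  # repeated POSTs to wp-login.php
    "plugin_enum": 5,       # repeated 404s under /wp-content/plugins/
    "author_enum": 3,       # author archive / ?author=N probing
}


def classify(method, path, status):
    """Map one request to an enumeration category, or None if it looks benign."""
    if method == "POST" and path.startswith("/wp-login.php"):
        return "login_bruteforce"
    if path.startswith("/wp-content/plugins/") and status == 404:
        return "plugin_enum"
    if AUTHOR_RE.search(path):
        return "author_enum"
    return None


def parse_line(line):
    """Return (ip, method, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def detect(log_text, thresholds=THRESHOLDS):
    """Return {ip: {category: count}} for sources that exceed a threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        category = classify(method, path, status)
        if category:
            counts[ip][category] += 1
    findings = {}
    for ip, cats in counts.items():
        hits = {c: n for c, n in cats.items() if n >= thresholds[c]}
        if hits:
            findings[ip] = hits
    return findings


def _line(ip, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Oct/2023:13:55:01 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = "\n".join(
    # Password guessing: six POSTs to the login form from one source.
    [_line("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(6)]
    # Plugin enumeration: five 404s for non-existent plugin directories.
    + [_line("198.51.100.9", "GET", f"/wp-content/plugins/{name}/", 404)
       for name in ("plugin-a", "plugin-b", "plugin-c", "plugin-d", "plugin-e")]
    # Username harvesting: ?author=N probes answered with redirects.
    + [_line("192.0.2.44", "GET", f"/?author={i}", 301) for i in (1, 2, 3)]
    # Benign traffic: one successful login, a page view, a plugin asset that exists.
    + [_line("192.0.2.10", "POST", "/wp-login.php", 302),
       _line("192.0.2.10", "GET", "/", 200),
       _line("192.0.2.10", "GET", "/wp-content/plugins/plugin-a/style.css", 200)]
)

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip, hits)
```

The single legitimate login from 192.0.2.10 is counted but stays below the threshold, which is the point of counting per source rather than alerting on any POST to the login form; in production the counts should be bucketed by time window as well as by address.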
Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed… don’t they?
An NSE (Nmap Scripting Engine) script that brute forces plugins was released for Nmap.
Just in the last few days a new tool, wpscan, hit the tubes. Still under development, it performs a few different checks, including brute forcing of accounts.
All the tools referenced above are aimed at external testing of WordPress installations. There are other options that involve installing plugins into the WordPress installation itself for deeper monitoring.