First of course there is the HackerTarget.com scan, externally facing and coming in at a fairly high level. The system downloads some of your pages, does analysis, checks a few additional links and gives you a tidy little report detailing any security issues discovered.

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing for:

Additionally username’s can also be gathered through some WordPress themes, RSS feeds, and author page URI’s such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed… don’t they?

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.

Enjoy the web scanning from the leading open source web scanning tool.

Head over to Cirt.net for full details.

Go here for a full run down on the new features.

Or here for some comprehensive documentation.

We are currently testing the new release before adding it to the HackerTarget.com scan suite.