Security Testing WordPress

Several new WordPress security assessment tools have emerged recently, which is beneficial given the rapid increase in the number of WordPress installations.

First of course there is the HackerTarget's own WordPress Security Scan, externally facing and coming in at a fairly high level. The system downloads some of your pages, does analysis, checks a few additional links and gives you a tidy little report detailing any security issues discovered. Our Professional services provide an independent security review of your WordPress powered site with our WordPress Assessment.

Need an expert?
We will identify and validate ways to improve your security
WordPress Assessment

Our scan does not perform brute forcing of accounts, passwords or plugins. Brute Forcing is more appropriate in a targeted pen-test or black-box vulnerability assessment.

Simply put brute forcing:

  • Plugins is achieved by testing URL's:$pluginname
  • Usernames can be brute forced with a POST request to the login form (Incorrect username)
  • Passwords can be brute forced (with valid username) by hitting the login form

Additionally username's can also be gathered through some WordPress themes, RSS feeds, and author page URI's such as /blog/author/admin/.

These tools and scripts that can be utilized in your Penetration Testing of WordPress.

Metasploit has a module for enumerating usernames and brute forcing passwords. It is solid and convenient; everyone has Metasploit installed... don't they? 😉

An NSE (nmap scripting engine) script was released for Nmap that does plugin brute forcing.

Just in the last few days a new tool hit the tubes wpscan. Still under development it does a few different checks including brute forcing for accounts.

All the tools referenced above are dedicated towards external testing of wordpress installations. There are other options that involve installation of plugins into the wordpress installations for deeper monitoring.