There are numerous tools specialized for attacking WordPress. Some of them run on Windows or macOS, but in general it is a good idea to work from Linux, and from Kali in particular. When you launch a penetration attempt on a WordPress site, you are primarily looking for:
- The WordPress version number – if you know which version of WordPress you are up against, you know which exploits to try first, since thousands of them are in the wild and publicly accessible in exploit databases
- The active theme and its version number – for the same reasons as above
- A list of plugins that are installed and activated – most successful WordPress hacks rely on weaknesses in third-party plugins
- A list of usernames and their credentials – if you know the name of one or several admin accounts, things get easier
- The URL of the login page – typically /wp-login.php, but what if some clever site admin has changed the path? Where do you actually log in?
- Leftover configuration and database files
- Enabled directory listing in folders you aren’t supposed to have access to
- A way to download wp-config.php – the crown jewel, as it contains key information such as the database URL, username, and password in clear text
- Some clever method to exploit xmlrpc.php – enabled by default in newer versions of WordPress – it may be open to XXE attacks, or it can be used for brute-forcing passwords if you know a username
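The same list, read from the defender's side, tells you what a scan against your own site looks like in the web server log. The following Python detector is an added example, not part of the original post: it flags the reconnaissance patterns listed above (version probes, plugin and author enumeration, wp-config.php backup probes, xmlrpc.php bursts, login brute force) in Common Log Format access logs. The log lines are constructed, and the per-rule count thresholds are assumptions you would tune for your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed Common Log Format lines (not from a real site): one scanner-like
# source (203.0.113.5) and one ordinary visitor (198.51.100.9).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /readme.html HTTP/1.1" 200 7000
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 3000
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 200
203.0.113.5 - - [10/May/2024:10:00:03 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/May/2024:10:00:03 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/May/2024:10:00:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 200
203.0.113.5 - - [10/May/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
203.0.113.5 - - [10/May/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
198.51.100.9 - - [10/May/2024:10:01:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 15000
198.51.100.9 - - [10/May/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# (finding name, required method, path pattern, hits per source IP before it fires).
# Thresholds are assumed values; a single wp-login.php POST is normal, a burst is not.
RULES = [
    ("version disclosure probe", "GET", re.compile(r"^/readme\.html$"), 1),
    ("plugin enumeration", "GET", re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt$"), 2),
    ("username enumeration via ?author=", "GET", re.compile(r"^/\?author=\d+$"), 2),
    ("backup/config file probe", "GET", re.compile(r"^/wp-config\.php\S*$"), 1),
    ("xmlrpc.php POST burst", "POST", re.compile(r"^/xmlrpc\.php$"), 2),
    ("wp-login.php POST burst", "POST", re.compile(r"^/wp-login\.php$"), 5),
]


def detect_wp_enumeration(log_text):
    """Return {source_ip: sorted finding names} for IPs that cross a rule threshold."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        for name, method, pattern, _ in RULES:
            if m["method"] == method and pattern.search(m["path"]):
                hits[m["ip"]][name] += 1
    findings = {}
    for ip, counter in hits.items():
        fired = sorted(name for name, _, _, threshold in RULES if counter[name] >= threshold)
        if fired:
            findings[ip] = fired
    return findings
```

Feed it your real access log instead of SAMPLE_LOG; any source that trips several rules within a short window is a candidate for rate limiting or blocking, and the findings double as a checklist of what the site still exposes.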
WPScan comes preinstalled with Kali, has been around for quite some time, and works just fine in most other Linux distributions too. Despite its complexity, it is one of the more straightforward tools to use. It is extraordinarily powerful, especially since it is updated daily with the latest known exploits, and it can accomplish most of the things in the list above. A standard pentest goes like this:
```bash
wpscan --url http://target.com
```
We advise you, however, to carefully examine its many options and check out a tutorial or two on YouTube. You're gonna like it.
WPSeku is a newer program and is best used in conjunction with WPScan. At the time of writing it is not bundled with Kali, so you will need to install it manually. In our experience, it is sometimes able to discover more than any other public script. It is still in the early beta phase but works surprisingly well. It is a must-have in your WordPress penetration-testing toolbox. A standard pentest goes like this:
```bash
./wpseku.py -t http://target.com
```
Are you aware of other WordPress-specific programs that should be included here? Please drop us a line down below. Thanks!