Testing a website for vulnerabilities helps identify weaknesses that you can then act on to secure it. Preventing hackers from accessing your website is a top priority, so you should always test your website for vulnerabilities before someone else finds them. Here we will show you how to hack a WordPress site with WPScan in Kali Linux.
If you are not familiar with WordPress, you should know that it is an open-source content management system based on PHP and MySQL. WordPress websites can easily be hacked by logging in with the administrator account. You can learn how to hack a WordPress site with WPScan in Kali Linux by finding the administrator's username and using brute force to find the password.
If you have a WordPress website you can use WPScan to test for vulnerabilities. WPScan is a blackbox vulnerability scanner specifically for WordPress websites. Unfortunately it isn’t supported on Windows but it does come pre-installed on a few Linux distributions including BackBox Linux, Kali Linux, Pentoo, SamuraiWTF, and BlackArch. You can visit WPScan for installation instructions.
HOW TO HACK A WORDPRESS SITE WITH WPSCAN IN KALI LINUX – USING WPSCAN
We must point out that we don’t approve of the use of WPScan to hack into unauthorized websites. You should only use WPScan for hacking your own website to test for vulnerabilities. If you are a certified penetration tester and you have permission to hack into a website then that is fine as well.
DON’T USE WPSCAN IN AN UNETHICAL MANNER
Once you have WPScan installed you can run it from a terminal session. WPScan tests for a variety of vulnerabilities but we will only be using it to locate the usernames that are affiliated with the website. After the usernames are obtained we will use brute force to figure out the password.
Before you can access a WordPress website you will need a username. Unfortunately many people use “admin” or “administrator” as their usernames and this is a bad habit to get into. The username should be difficult to guess. We could attempt to hack into a website as “admin” but it’s best to scan the website to find all usernames.
If you have your terminal session open and ready to go you can issue the first command. This command searches a WordPress site for all users and lists them with their IDs. Go ahead and type the following:
wpscan --url http://yourwebsite.com --enumerate user
Be sure to replace “yourwebsite.com” with the website that you are testing. When you press “Enter” it will begin scanning. When it is finished it will display all the usernames affiliated with the website.
USING BRUTE FORCE TO CRACK THE PASSWORD
As you can see in the image above it found 3 users. By default WordPress assigns the admin user the ID of 1. There is no ID of 1 here, which means that user was most likely removed and a new administrator was added to the website. As a rule of thumb it's best to start at the top and work your way down when it comes to brute forcing the password, because the admin account is more likely to have a lower ID number than a higher one.
USING A WORDLIST TO CRACK THE PASSWORD
Learning how to hack a WordPress site with WPScan in Kali Linux involves brute force. If you are not familiar with the term "brute force", it is basically a trial-and-error method that tries usernames and passwords repeatedly until it finds a match. Since you already have the usernames, you just need a password list.
With WPScan you can attach a word list which is a text file with several lines of various passwords. When you use WPScan to brute force it is attempting to log into that website several times using the username and password file that you attach to it. This is why it is crucial to use strong passwords when you create accounts.
You can create your own word list or you can download one from the internet. There are several word lists on the web that you can download and use. Some operating systems come with wordlists already stored in a certain directory. For example, Kali Linux has word lists stored at the following location: /usr/share/wordlists. Keep in mind that the larger the word list is, the longer it takes to brute force. If you have a word list with over a million passwords it could take several hours to brute force.
CREATING YOUR OWN WORD LIST
If you want to create your own word list then you can easily create one and save it to a location for you to use with WPScan. If you wanted to create a word list and save it to the Desktop then you can navigate to the Desktop using the following command:
Then you can use nano to create a text file that stores the passwords by typing:
Then type in one password per line. When you have finished placing all your passwords in the file you can save it by typing "Ctrl+x", then "y", then "Enter".
USING THE BRUTE FORCE COMMAND
Now that you have your usernames and a password list you can now attempt to brute force your way into the website. Use the following command:
wpscan --url http://yourwebsite.com --wordlist /root/Desktop/wordlist.txt --username handyman
Remember to replace "yourwebsite.com" with the website that you are testing, and make sure the path to your word list is correct as well as the username. When WPScan has finished it will present you with the username and password. Since we had "password1" in our word list and it was the correct password for the user "handyman", our hacking attempt was successful.
HOW TO HACK A WORDPRESS SITE WITH WPSCAN IN KALI LINUX – ERRORS AND WARNINGS
It is important to note that if a WordPress site has security plugins installed it may be more difficult to hack. Certain security plugins will block specific IP addresses if they attempt to log in too many times unsuccessfully. So keep in mind that it may not be possible to use WPScan to brute force your way into a WordPress site.
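Those security plugins do essentially the following on the server side. As an added defensive example that is not from the original post and not part of WPScan, this Python script parses a constructed sample of web-server access-log lines and flags clients that POST to wp-login.php with many failed attempts inside a short window; the threshold, window, log lines and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx common log format; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total failed POSTs} for clients with >= `threshold` failed
    wp-login.php POSTs inside any `window`. A wrong password makes WordPress
    re-render the form (HTTP 200); a correct one redirects (302), so 200
    responses to POST /wp-login.php approximate failed attempts."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than crash
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# one client hammers the login form, a second client mistypes once then logs in.
ATTACKER, USER = "203.0.113.5", "198.51.100.7"
SAMPLE_LOG = [
    f'{ATTACKER} - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421'
    for s in range(1, 9)
] + [
    f'{ATTACKER} - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    f'{USER} - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2875',
    f'{USER} - - [10/Oct/2023:13:57:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3421',
    f'{USER} - - [10/Oct/2023:13:57:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, n in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins in a burst; candidate for blocking")
```

Run against a real access log, an IP flagged here is the one a plugin or firewall rule would block, and the normal user who mistyped once stays untouched.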