WPScan to bruteforce password

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

Aside from finding usernames, WPScan can also find the password of the wordpress account. The command we use is wpscan -url website -U ‘username’ -P ‘wordlist file’. The wordlist file consists of words that might be the real password.

For this example, I am using the wordpress of my blog to try WPScan.

 

 

 

The image above shows that the password is found (real password is hidden).

 

Leave a Reply

Your email address will not be published. Required fields are marked *