WPScan WordPress Security Scanner can be used to discover a lot about a target WordPress installation, such as enumerate installed plugins, themes and also enumerate the WordPress users. You might need to enumerate a list of WordPress users for reporting purposes or to ensure that all the WordPress users are using strong passwords. In this blog post we will explain how to enumerate WordPress users with WPScan and explain the options available related to WordPress users enumeration.
Before we start I would like to point out that there are mainly two reasons why one would need or want to enumerate WordPress users with WPScan. The first one is to test the security of your WordPress. For example after securing your WordPress usernames to ensure that an attacker cannot discover them. The second one is during an attack, i.e. where one would need to enumerate all the WordPress usernames to have a more targeted WordPress brute force attack. Having said that please note that this article is for educational purposes and to help you improve the security of your WordPress.
Enumerate All WordPress Users with WPScan
To enumerate the users of a target WordPress blog or website with WPScan WordPress Security Scanner, you can use the below command:
ruby wpscan –url www.local.test –enumerate u
The –url argument is used to specify the target website, which in this example it is www.local.test.
The –enumerate argument is used to trigger the WPScan enumeration module and the u is to enumerate WordPress users. E.g. if you would like to enumerate all of the target’s WordPress plugins, you can use the following argument: –enumerate p.
If the WordPress users enumeration process is too slow, you can use the –threads argument to enable multi-threading. In the example below, we configure WPScan to enumerate all the WordPress users on www.local.test using 50 threads.
ruby wpscan –url www.local.test –enumerate u --threads 50
In the below screenshot is an example of WPScan being used to enumerate the users of a test website.
Enumerating a specific number of WordPress Users with WPScan
If the target WordPress has a large number of users, it is recommended to split the process of enumerating users. E.g. instead of enumerating 1000 users at once, you can enumerate 100 at a time. To do so specify the range of user id’s in square brackets next to the u switch as in the below example:
ruby wpscan –url www.local.test –enumerate u[1-100]