As a WordPress site administrator you are responsible for your site’s security. Most probably you have already done a lot to beef up WordPress security, but what about the users? Are they using strong passwords?
Users are not fond of strong passwords. The only way you can ensure they use strong passwords is by enforcing WordPress password policies.
Even then, you should still occasionally scan your site for weak passwords. It is like launching a controlled brute force attack against your WordPress site. This article explains how to use the free WPScan tool to do such a scan.
WordPress Users Password Dictionary
To launch a password strength test with the WPScan tool you need a good password dictionary. WP White Security.com has a WordPress user password dictionary which contains one million commonly used passwords. Download the WordPress Password Dictionary to use it in your WordPress password security audits.
Checking the Password Strength of a Single User with WPScan
If you already know the username, use the command below to check the strength of that user's WordPress password with the WPScan WordPress Security Scanner:
ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt --username admin
Below is an explanation of the above WPScan command and arguments:
--url: This argument specifies the URL of the target WordPress site. In this example we launched a password brute force attack against www.local.com.
--wordlist: Use this to specify the name of the password dictionary file. In this example the name of the password dictionary is wpw_pwd_dictionary.txt. There is no need to specify a directory path if the password dictionary is in the same directory as the WPScan scanner.
--username: Use this to specify the WordPress username. In this example we launched the password brute force attack against the admin account.
The screenshot below shows the output of the WPScan tool. From it we can see that the password brute force attack against the admin WordPress user has finished. The screenshot also shows the result of the scan: the admin account uses the password adminpass.
WPScan WordPress brute force attacks might take a while. The scan duration mainly depends on the size of the password dictionary file. To speed up the process you can configure WPScan to use multiple threads with the --threads argument. In the example below we launch a password brute force attack with WPScan using 50 threads.
ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt --username admin --threads 50
Password Strength Test of Multiple WordPress Users with WPScan
To check the password strength of multiple WordPress users with the WPScan WordPress Security Scanner, use the same command as in the previous examples, but without the --username argument. Example follows:
ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt
If the target WordPress site has a large number of users, the password brute force attack / password strength check might take quite long to complete and might affect the performance of the website or blog. In such a case, it is recommended to first enumerate the WordPress users with WPScan and then choose the users whose passwords you want to check.
Help your WordPress users use strong passwords
Security is not a one-time fix, but a continuous process. So even when you enforce strong WordPress passwords with policies, implement a firewall and take other WordPress security measures, you should still run occasional security scans with WPScan.
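The policy side of this, enforcing strong passwords so the scan above finds nothing, can use the same dictionary. The following is an added example plugin, not code from the article or from WPScan: it rejects any new password that appears verbatim in the wordlist when a user edits their profile, an administrator creates a user, or a user resets their password. It assumes the dictionary file has been copied to wp-content/wpw_pwd_dictionary.txt.

```php
<?php
/*
 * Plugin Name: Dictionary Password Check (added example)
 * Description: Reject passwords that appear in a known-password wordlist.
 */

// Assumed location of the wordlist (the wpw_pwd_dictionary.txt file mentioned in the article).
define( 'WPW_DICT_PATH', WP_CONTENT_DIR . '/wpw_pwd_dictionary.txt' );

/**
 * Return true if $password appears as a line in the dictionary file.
 * The file is streamed line by line, so a one-million-entry list is not loaded into memory.
 * If the file cannot be opened the check is logged and the password is allowed through,
 * so a missing list never locks users out; monitor the log for that condition.
 */
function wpw_password_in_dictionary( $password, $path = WPW_DICT_PATH ) {
    $handle = @fopen( $path, 'r' );
    if ( ! $handle ) {
        error_log( 'wpw dictionary check: cannot open ' . $path );
        return false;
    }
    $found = false;
    while ( ( $line = fgets( $handle ) ) !== false ) {
        if ( rtrim( $line, "\r\n" ) === $password ) {
            $found = true;
            break;
        }
    }
    fclose( $handle );
    return $found;
}

function wpw_weak_password_message() {
    return __( 'That password appears in a list of commonly used passwords. Please choose another one.' );
}

// Profile edits and admin-created users: $user->user_pass holds the new plaintext password.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) && wpw_password_in_dictionary( $user->user_pass ) ) {
        $errors->add( 'weak_password', wpw_weak_password_message() );
    }
}, 10, 3 );

// Password reset form: the candidate password arrives in the pass1 field.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && wpw_password_in_dictionary( wp_unslash( $_POST['pass1'] ) ) ) {
        $errors->add( 'weak_password', wpw_weak_password_message() );
    }
}, 10, 2 );
```

Drop the file into wp-content/plugins and activate it; afterwards a WPScan run with the same dictionary should report no matches for any account whose password was set while the plugin was active.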