While there are several facets of WordPress security which as a WordPress administrator you can control, users’ passwords are unfortunately not one of them. Users aren’t generally fans of strong passwords. Strong passwords are hard to remember, unless your users follow best practices and use a password manager.
To make matters worse, the vast majority of users use easy to guess passwords and also re-use them across accounts. As Have I Been Pwned demonstrates, many users’ accounts would have been leaked in at least one data breach. This means that while your WordPress website may be secure, if a user is using an easy-to-guess password, it’s not unrealistic to think that they could very well bypass your WordPress security.
To such an extent, as a WordPress administrator, one of your best defenses against such an attack is to enforce password complexity requirements, also commonly known as a password policy. However, even then, you’re still likely to want to audit your WordPress password strength from time to time. This article covers how to do just this using the free and open source WPScan tool.
WordPress password dictionary attack
Before diving into how we can use WPScan to find weak WordPress passwords, let’s first briefly cover what a dictionary attack is. There are several methods you can use to crack passwords. Some are online methods and some other are offline.
In an online method the attackers try to log in using a login form on the target. They keep on trying until they find a username and password combination that works. In an offline attack the attackers try to crack password hashes which they downloaded from a hacked target on their servers.
Offline password cracking is orders of magnitude faster. However, hopefully, an attacker does not have a copy of your WordPress database. So they will need to opt for an online attack. An attacker can try to pull off a bruteforce attack, which involves them trying all possible combinations of a password.
In almost any case bruteforce attacks take way too long to be practical. So attackers usually opt for something simpler and faster which yields better results — a dictionary attack. A dictionary attack is usually as simple as an attacker trying a list of common passwords against a username. If they are lucky, they’ll hit the right one and be allowed in.
Attackers have a lot of passwords available at their disposal as a result of all the data breaches major websites have faced over the years. In our example, we’ll make use of the rockyou.txt password dictionary.
Auditing password strength of a single WordPress user with WPScan
Assuming you already know the username of the account you would like to audit, You can simply run the following WPScan command to get started.
wpscan –url http://example.com –passwords rockyou.txt –usernames andy
The following provides an explanation of what the above command does:
- –url: The URL of the WordPress website to scan. In the above example, we are scanning http://example.com
- –passwords: Takes a list of password files (comma separated) to use during the password attack. In this example, we use a txt dictionary
- –usernames: Specifies one or more usernames (comma separated) to run this attack against. In the above example, the scan targeted the user andy
WPScan WordPress brute force attacks might take a while to complete. The scan duration mainly depends on how large the password dictionary file is. By default, WPScan sends 5 requests at the same time. To speed up the process you can increase the number of requests WPScan sends simultaneously by using the –max-threads argument.
The example below launches WPScan using a maximum of 50 threads:
wpscan –url http://example.com –passwords rockyou.txt –usernames andy –max-threads 50
Auditing password strength of a multiple WordPress users with WPScan
WPScan can also be used to audit the password strength of multiple users. You can either specify the users using a comma-separated list, or, alternatively, you may also omit the –usernames argument entirely and let WPScan enumerate users for you. In the example below, WPScan will test the passwords of the users andy, maxine, paul and jackie.
wpscan –url http://example.com –passwords rockyou.txt –usernames andy,maxine,paul,jackie
Note that you have a large number of users running a password audit using WPScan will likely take a while. It could also impact the website’s performance, especially if left running for a long period of time.
Video: Using WPScan to test WordPress passwords strength
In the video below we demonstrate the above scenarios and highlight the WPScan output to showcase its capabilities.
Help your WordPress users use strong passwords
Security is a continuous effort, and enforcing strong password policies is one way to reduce the likelihood of unauthorised access to your WordPress website. You should also encourage your users to use a password manager.
Of course, running WPScan and enforcing strong passwords is far from a complete WordPress security solution. However, it is a good place to start.