Checking the Password Strength of WordPress Users with WPScan

Last updated on July 25th, 2019 by Robert Abela. Filed under WordPress Admin Tips

Checking password strength with the WPScan tool

As a WordPress site administrator you are responsible for your site’s security. Most probably you have already done a lot to beef up WordPress security, but what about the users? Are they using strong passwords?

Users are not fond of strong passwords. The only way you can ensure they use strong passwords is by enforcing WordPress password policies.

Even then, you should still occasionally scan your site for weak passwords. It is like launching a controlled brute force attack against your WordPress site. This article explains how to use the free WPScan tool to do such a scan.

WordPress Users Password Dictionary

To launch a password strength test with the WPScan tool you need a good password dictionary. WP White has a WordPress user password dictionary which contains one million commonly used passwords. Download the WordPress Password Dictionary to use it in your WordPress password security audits.

Checking the Password Strength of a Single User with WPScan

If you already know the username use the below command to check the strength the WordPress password with WPScan WordPress Security Scanner:

ruby wpscan –url –wordlist wpw_pwd_dictionary.txt –username admin

Below is an explanation of the above WPScan command and arguments:

–url: This argument is used to specify the URL of the target WordPress site. In this example we launched a password brute force attack against

–wordlist: Use this to specify the name of the password dictionary file. In this example the name of the password dictionary is wpw_pwd_dictionary.txt. There is no need to specify a directory path if the password dictionary is in the same directory of the WPScan scanner.

–username: Use this to specify the WordPress username. In this example we launched the password brute force attack against the admin account.

The below screenshot shows the output of the WPScan tool. From the below we can see that the password brute force attack against the admin WordPress user is finished. The screenshot also shows the result of the scan – the admin account uses the password adminpass.

Brute force password attack against WordPress admin account with WPScan WordPress Security Scanner

WPScan WordPress brute force attacks might a while. The scan duration mainly depends on the size of the password dictionary file. To speed up the process you can configure WPScan to use multiple threads by using the –threads argument. In the below example we launch a password brute force attack with WPScan using 50 threads.

ruby wpscan –url –wordlist wpw_pwd_dictionary.txt –username admin –threads 50

Password Strength Test of Multiple WordPress Users with WPScan

To check the password strength of multiple WordPress users with the WPScan WordPress Security Scanner, use the same commands used in the previous examples. However, do not use the  –username argument. Example follows:

ruby wpscan.rb –wordlist wpw_pwd_dictionary.txt

If the target WordPress site has a large number of users the password brute force attack / password strength check might take quite long to complete and might affect the performance of the website or blog. In such case, it is recommended to first enumerate the WordPress users with WPScan and then choose the users of whom you would like to check the strength of their passwords.

Help your WordPress users use strong passwords

Security is not a one time fix, but a continuous process. So even when you enforce strong WordPress passwords with policies, implement a firewall and take other WordPress security measures, you should always run the occasional security scans with WPScan.

WordPress Hosting, Firewall and Backup

This Website is:


Atinder 10/08/2015

Well, recently Brute force Attacks has immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing, which is fight-able, I mean, by using security methods, we can move brute force attacks out of the window. Although, it can be difficult for newbies, who just got started with WordPress, but he/she can learn by reading posts online and then can implement security.
In my view, implementing only three tricks works very well, Changing Login Slug, A content Delivery network (CDN) and a Security Plugin, which bans IP address after a few Login attempts.

Robert Abela 19/08/2015

Hello Atinder,

Strictly speaking all they need to do is or change the login slug and implement HTTP authentication and you are done against brute force attacks. No need to spend money in CDNs etc.

Leave a Reply

Your email address will not be published. Required fields are marked *