Checking the Password Strength of WordPress Users with WPScan

Last updated on September 20th, 2018 by Robert Abela. Filed under WordPress Security Readings

[Image: Checking password strength with the WPScan tool]

As a WordPress site administrator you are responsible for your site’s security. Most probably you have already done a lot to beef up WordPress security, but what about the users? Are they all using a strong password? Typically users are not fond of strong passwords, and the only way you can really ensure they use strong passwords is by enforcing WordPress password policies.

Even if you use a plugin to enforce strong user passwords on your site, it is still recommended to do the occasional check and scan your site for weak passwords. It is like launching a controlled brute force attack against your WordPress site. This article explains how to use the free WPScan tool to do such a scan.

WordPress Users Password Dictionary

To launch a password strength test with the WPScan tool you need a good password dictionary. WP White Security.com has a WordPress user password dictionary which contains one million commonly used passwords. Download the WordPress Password Dictionary to use it in your WordPress password security audits.
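The cheapest time to catch a weak password is before it is set, so that a later WPScan audit finds nothing. The following Ruby script is an added example, not part of this article or of WPScan: it checks a candidate password against a dictionary in the same one-password-per-line format as the WordPress password dictionary, and adds a few policy rules. The six-entry dictionary embedded here is a constructed sample standing in for wpw_pwd_dictionary.txt, and the minimum length and character-class rules are assumptions chosen for illustration, not anything the article prescribes.

```ruby
# Added example (not WPScan code): offline password check against a
# one-password-per-line dictionary plus basic policy rules.
require 'set'
require 'stringio'

# Constructed sample standing in for wpw_pwd_dictionary.txt.
SAMPLE_DICTIONARY = <<~DICT
  password
  123456
  admin
  adminpass
  letmein
  qwerty
DICT

# Load a dictionary into a Set for constant-time lookups. Entries are
# lower-cased so "AdminPass" still matches "adminpass".
def load_dictionary(io)
  io.each_line.map { |l| l.strip.downcase }.reject(&:empty?).to_set
end

# Return the list of policy violations for a password; an empty list means it passes.
# min_length and the "3 character classes" rule are assumed policy values.
def password_problems(password, dictionary, min_length: 12)
  problems = []
  lowered = password.downcase
  problems << "shorter than #{min_length} characters" if password.length < min_length
  problems << 'appears in the password dictionary' if dictionary.include?(lowered)
  # Strip a trailing run of digits/symbols ("adminpass123!") and look the stem up
  # too, since that is the most common way users "strengthen" a dictionary word.
  stem = lowered.sub(/[\d!@#\$%^&*._-]+\z/, '')
  problems << 'is a dictionary word with a suffix' if stem != lowered && dictionary.include?(stem)
  classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z\d]/].count { |re| password.match?(re) }
  problems << 'uses fewer than 3 character classes' if classes < 3
  problems
end

def strong_password?(password, dictionary)
  password_problems(password, dictionary).empty?
end

if __FILE__ == $PROGRAM_NAME
  dict = load_dictionary(StringIO.new(SAMPLE_DICTIONARY))
  %w[adminpass Adminpass123! Tr0ub4dor&3xample!].each do |pw|
    problems = password_problems(pw, dict)
    puts "#{pw}: #{problems.empty? ? 'OK' : problems.join(', ')}"
  end
end
```

To run the check against the real dictionary, replace the `StringIO` with `File.open('wpw_pwd_dictionary.txt') { |f| load_dictionary(f) }`; with a million entries the Set still fits comfortably in memory and each lookup stays constant-time.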

Checking the Password Strength of a Single User with WPScan

If you already know the username, use the command below to check the strength of that user's WordPress password with the WPScan WordPress Security Scanner:

ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt --username admin

The above WPScan command and arguments are explained below:

--url: This argument is used to specify the URL of the target WordPress site. In this example we launched a password brute force attack against www.local.com.

--wordlist: Use this to specify the name of the password dictionary file. In this example the name of the password dictionary is wpw_pwd_dictionary.txt. There is no need to specify a directory path if the password dictionary is in the same directory as the WPScan scanner.

--username: Use this to specify the WordPress username. In our example the password brute force attack was launched against the admin account.

The screenshot below shows the output of the WPScan tool when starting the password brute force attack against the admin WordPress user. It also shows the result of the scan: the admin account was using the password adminpass.

[Screenshot: Brute force password attack against the WordPress admin account with the WPScan WordPress Security Scanner]

A WPScan WordPress password brute force attack might be a little bit slow, especially if you are using a large password dictionary file like ours. To speed up the process you can configure WPScan to use multiple threads with the --threads argument. In the example below we launch a password brute force attack with WPScan using 50 threads.

ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt --username admin --threads 50

WP White Security.com Webmaster Tip: By using multiple threads you increase the load on your website, which might disrupt its operation. Be careful.

Password Strength Test of Multiple WordPress Users with WPScan

To check the password strength of multiple or all of the WordPress users with the WPScan WordPress Security Scanner, use the same commands as in the previous examples but without the --username argument. Example follows:

ruby wpscan.rb --url www.local.com --wordlist wpw_pwd_dictionary.txt

If the target WordPress site has a large number of users, the password brute force attack / password strength check might take a very long time and might affect the performance of the website or blog. In such a case, it is recommended to first enumerate the WordPress users with WPScan and then choose the users whose password strength you would like to check.


2 comments

Atinder 10/08/2015

Well, recently brute force attacks have immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing which is fight-able, I mean, by using security methods we can move brute force attacks out of the window. Although it can be difficult for newbies who just got started with WordPress, he/she can learn by reading posts online and then implement security.
In my view, implementing only three tricks works very well: changing the login slug, a content delivery network (CDN) and a security plugin which bans IP addresses after a few login attempts.

Robert Abela 19/08/2015

Hello Atinder,

Strictly speaking all they need to do is change the login slug and implement HTTP authentication, and you are done against brute force attacks. No need to spend money on CDNs etc.
