While there are several facets of WordPress security which as a WordPress administrator you can control, users’ passwords are unfortunately not one of them. Users aren’t generally fans of strong passwords. Strong passwords are hard to remember, unless your users follow best practices and use a password manager.
To make matters worse, the vast majority of users use easy to guess passwords and also re-use them across accounts. As Have I Been Pwned demonstrates, many users’ accounts would have been leaked in at least one data breach. This means that while your WordPress website may be secure, if a user is using an easy-to-guess password, it’s not unrealistic to think that they could very well bypass your WordPress security.
To such an extent, as a WordPress administrator, one of your best defenses against such an attack is to enforce password complexity requirements, also commonly known as a password policy. However, even then, you’re still likely to want to audit your WordPress password strength from time to time. This article covers how to do just this using the free and open source WPScan tool.
WordPress password dictionary attack
Before diving into how we can use WPScan to find weak WordPress passwords, let’s first briefly cover what a dictionary attack is. There are several methods you can use to crack passwords. Some are online methods and some other are offline.
In an online method the attackers try to log in using a login form on the target. They keep on trying until they find a username and password combination that works. In an offline attack the attackers try to crack password hashes which they downloaded from a hacked target on their servers.
Offline password cracking is orders of magnitude faster. However, hopefully, an attacker does not have a copy of your WordPress database. So they will need to opt for an online attack. An attacker can try to pull off a bruteforce attack, which involves them trying all possible combinations of a password.
In almost any case bruteforce attacks take way too long to be practical. So attackers usually opt for something simpler and faster which yields better results — a dictionary attack. A dictionary attack is usually as simple as an attacker trying a list of common passwords against a username. If they are lucky, they’ll hit the right one and be allowed in.
Attackers have a lot of passwords available at their disposal as a result of all the data breaches major websites have faced over the years. In our example, we’ll make use of the rockyou.txt password dictionary.
Auditing password strength of a single WordPress user with WPScan
Assuming you already know the username of the account you would like to audit, You can simply run the following WPScan command to get started.
wpscan –url http://example.com –passwords rockyou.txt –usernames andy
The following provides an explanation of what the above command does:
- –url: The URL of the WordPress website to scan. In the above example, we are scanning http://example.com
- –passwords: Takes a list of password files (comma separated) to use during the password attack. In this example, we use a txt dictionary
- –usernames: Specifies one or more usernames (comma separated) to run this attack against. In the above example, the scan targeted the user andy
WPScan WordPress brute force attacks might take a while to complete. The scan duration mainly depends on how large the password dictionary file is. By default, WPScan sends 5 requests at the same time. To speed up the process you can increase the number of requests WPScan sends simultaneously by using the –max-threads argument.
The example below launches WPScan using a maximum of 50 threads:
wpscan –url http://example.com –passwords rockyou.txt –usernames andy –max-threads 50
Auditing password strength of a multiple WordPress users with WPScan
WPScan can also be used to audit the password strength of multiple users. You can either specify the users using a comma-separated list, or, alternatively, you may also omit the –usernames argument entirely and let WPScan enumerate users for you. In the example below, WPScan will test the passwords of the users andy, maxine, paul and jackie.
wpscan –url http://example.com –passwords rockyou.txt –usernames andy,maxine,paul,jackie
Note that you have a large number of users running a password audit using WPScan will likely take a while. It could also impact the website’s performance, especially if left running for a long period of time.
Video: Using WPScan to test WordPress passwords strength
In the video below we demonstrate the above scenarios and highlight the WPScan output to showcase its capabilities.
Help your WordPress users use strong passwords
Security is a continuous effort, and enforcing strong password policies is one way to reduce the likelihood of unauthorised access to your WordPress website. You should also encourage your users to use a password manager.
Of course, running WPScan and enforcing strong passwords is far from a complete WordPress security solution. However, it is a good place to start.
Well, recently Brute force Attacks has immensely increased, becoming a dangerous factor for all WordPress users, but it is a thing, which is fight-able, I mean, by using security methods, we can move brute force attacks out of the window. Although, it can be difficult for newbies, who just got started with WordPress, but he/she can learn by reading posts online and then can implement security.
In my view, implementing only three tricks works very well, Changing Login Slug, A content Delivery network (CDN) and a Security Plugin, which bans IP address after a few Login attempts.
Hello Atinder,
Strictly speaking all they need to do is or change the login slug and implement HTTP authentication and you are done against brute force attacks. No need to spend money in CDNs etc.
I have watched many tutorials and read many blogs, but I can’t determine at all what should be the file path of –passwords ?? I’m really confused with that. Everytime I try rockyou.txt or sometimes I write wp-admin or wp-content it says that Scan Aborted: –passwords The path ‘/usr/share/wordlists/pswrds.txt’ does not exist or is not a file.
So how can I get to know the real password path to go for ??
Hi Muhammad,
Thanks for reaching out and sharing your feedback!
The first thing you need to do is download a dictionary. Once you download the dictionary you can either copy it on the same server where WPScan is and specify it’s name in the command, otherwise, if it is copied somewhere else, specify the path to that password dictionary in the command.
Feel free to let me know after you’ve tried it.
Best wishes,
Rado