As a WordPress administrator or webmaster you are responsible for the security of the WordPress blog or website you manage. Most probably you have already done a lot to beef up WordPress security, but what about all the WordPress users on the corporate multi user blog? Are they all using a strong password?
Many business bosses and managers demand administrator access on their corporate WordPress websites. To make the WordPress administrator life even more miserable, typically such people are not so fond of strong passwords. At this stage there are two things you need to do to ensure all WordPress users use strong passwords.
- Install WP Password Policy Editor, a plugin that allows you to configure strong password policies for your WordPress users.
- Scan your WordPress installation for weak passwords with WPScan (a controlled brute force attack against your own site), as explained below.
WordPress Users Password Dictionary
To launch a password strength test, or WordPress password brute force attack you need a good password dictionary. WP White Security.com has a WordPress user password dictionary which contains more than 3000 commonly used passwords. Download the WordPress Password Dictionary to use it in your WordPress password security audits.
Checking the Password Strength of a Single User with WPScan
If you already know the username of the WordPress user, use the command below to check the strength of his or her WordPress password with WPScan WordPress Security Scanner:
ruby wpscan.rb --url www.test.local --wordlist pwd_dict.txt --username admin
The above WPScan command and arguments are explained below:
--url: This argument is used to specify the URL of the target WordPress blog or website. In this example we launched a password brute force attack against www.test.local
--wordlist: Used to specify the name of the password dictionary file. In this example the name of the password dictionary is pwd_dict.txt and it is in the same directory as WPScan.
--username: Used to specify the WordPress username. In our example a password brute force attack was launched against the admin account.
The below screenshot shows an example of a WPScan session being used to launch a password brute force attack against the admin WordPress account. From the below screenshot you can also see that WPScan guessed the admin account password.
A WPScan WordPress password brute force attack might be a little bit slow, especially if you are using a large password dictionary file like ours. To speed up the process you can configure WPScan to use multiple threads with the --threads argument. In the example below we launch a password brute force attack with WPScan as in the example above, but this time using 50 threads.
ruby wpscan.rb --url www.test.local --wordlist pwd_dict.txt --username admin --threads 50
WP White Security.com Webmaster Tip: By using multiple threads you increase the load on your website and might disrupt the operations of your website. If you are not sure about such WordPress security audits, consult with a WordPress Security Consultant.
Password Strength Test of Multiple WordPress Users with WPScan
To check the password strength of multiple or all of the WordPress users with WPScan WordPress Security Scanner, use the same command used to check the password strength of a single user, but without the --username argument. Example follows:
ruby wpscan.rb --url www.test.local --wordlist pwd_dict.txt
If the target WordPress has a large number of users, e.g. visitors are allowed to register to the website as subscribers, launching a password brute force attack / password strength check against all WordPress users might take a very long time and might affect the performance of the website or blog. In such a case, it is recommended to first enumerate the WordPress users with WPScan and then choose the users whose password strength you would like to check.
WP White Security.com Security Tip: You should only check the password strength of WordPress users who have a contributor, author, editor or administrator role. Subscribers (new user registrations are disabled on WordPress by default).