My Blog

Reminder: This is for educational purposes only, it is not for any criminal act or illegal activities.

Wpscan tool is a tool to scan a WordPress blog. It is used for enumerating user, plugins, themes, and even bruteforce passwords from a word list. It is already installed in Kali Linux.

First, you need to find a target to attack. In this tutorial, I used my own blog to attack.

Open Terminal to and type wpscan -h for help and scroll down to look for more commands.

Enumerate the users using the command wpscan –url target.com/target’s ip address -e u. I typed wpscan –url 2101693845cindy.blog.binusian.org -e u and obtained cindycbasrie

Checking the username whether is it correct in the login page 2101693845cindy.blog.binusian.org/wp-login.php.

Get password list, for example rockyou.txt which is located in /usr/share/wordlists as rockyou.txt.gz, so you need to decompress the file first. Rockyou.txt contains over 14 million passwords.

However, my wpscan tool killed the bruteforce process using this word list, so I used another word list containing some passwords (I put 5 passwords into the word list I made. I typed wpscan –url 2101693845cindy.blog.binusian.org -U cindycbasrie -P wordlist.txt to begin bruteforce.

It was a success and showed that the combination of username and password is cindycbasrie and password.

I also changed my password to something that is not in the word list, so do not think of trying to bruteforce my blog 🙂