7MS #264: Hacking Wordpress
I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into Kali - or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options:
- --throttle <milliseconds> - for example, I've been using --throttle 1000 in order to be a bit less intense on my target site
- --request-timeout and --connect-timeout help your scan recover smoothly from site errors/timeouts
Also, if you find yourself in a situation where you're testing a production Wordpress site (not recommended), consider setting up a free up/downtime alert via a free service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats holding your breath and hitting F5 in Firefox every 10 seconds :-)