I was pleasantly surprised to see a WordPress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking WordPress sites is wpscan, which is built right into Kali – or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options:
-
--throttle <milliseconds>
– for example, I’ve been using--throttle 1000
in order to be a bit less intense on my target site -
--request-timeout
and--connect-timeout
help your scan recover smoothly from site errors/timeouts
Also, if you find yourself in a situation where you’re testing a production WordPress sight (not recommended), consider setting up a free up/downtime alert via a free service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats holding your breath and hitting F5 in Firefox every 10 seconds 🙂
Share on socials: