Jun 29, 2017
I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan, which is built right into Kali - or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options:
--throttle
- for example, I've been using
--throttle 1000
in order to be a bit less intense on
my target site
--request-timeout
and
--connect-timeout
help your scan recover smoothly from
site errors/timeouts
Also, if you find yourself in a situation where you're testing a production Wordpress sight (not recommended), consider setting up a free up/downtime alert via a free service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats hitting F5 in Firefox every 10 seconds :-)