WPScan WordPress Security Scanner – BackTrack 5 R3

Home Forums BulletProof Security Pro WPScan WordPress Security Scanner – BackTrack 5 R3

Viewing 15 posts - 1 through 15 (of 19 total)
  • Author
  • #7180
    Paulin Halenria


    • I know the tool wp-scan is able to enumerate the name of the users.
    • I know the bruteforce is blocked by BPS Login Security
    • I don’t know if BPS stopped the enumeration of the users.
    • I find it could be useful to be able with BPS to change the id of the admin user (I know other plugins are able do it)

    The source of my question is I got a lot of reports from locked account using my own login correctly typed with the same capitalization I used to store it.

    I’m protected by the login, I’m also protected by wp-fail2ban but I’d like to avoid having my account so often locked without loosing features.

    So I guess if BPS protects against enumeration it could be a good start, isn’t it ?

    AITpro Admin

    UPDATE: BPS Pro 13.3+ and BPS free 2.4+ versions have a malware scanner > BPS MScan Malware Scanner
    You can use the BPS MScan Malware Scanner to detect hacker files or code anywhere under your Hosting Account or database.

    Ok let me explain how this works.

    The best PenTest tool in the World is BackTrack 5 R3, which includes WPScan WordPress Security Scanner.

    See this YouTube video tutorial for more info on the capabilities of these tools:  http://www.youtube.com/watch?feature=endscreen&v=CdBb7643vCI&NR=1

    These tools ONLY work if you are using known usernames/user accounts.  The tools check against a list of known usernames and also has the capability to get known usernames from your website if the username is publicly displayed anywhere on your website.  If your username is not publicly displayed and is an obscure username such as:  XT4Y2VBPAS88G then your username will not be found.

    Usernames/User Accounts are displayed on your website by WordPress functions that display Author links, which will display your username/User Account in that author link.  You should modify your Theme code to NOT display author links.

    Using the WordPress 2012 Theme as an example:

    You will find this WP function in the functions.php file that will display your username/User Account.  If you comment out this function with 2 forward slashes then your username / User Account will no longer be publicly viewable/retrievable.  You can use the BPS Pro Pro-Tools String Finder tool to search your Theme to find this function.  Once it is found then edit the file.

    <?php comment_author_link(); ?>
    <?php //comment_author_link(); ?>

    If your username/User Account is known and is being used in Brute Force password attacks then you will first need to ensure that your username/User Account is not publicly displayed anywhere and then create a new Admin account and delete the old Admin account.  Be sure to associate all posts and pages with the new Admin account when deleting the old Admin account.

    AITpro Admin

    On a side note one of the things I am looking into for BuddyPress and bbPress is using md5 to obscure Member / author links.  By default BuddyPress/bbPress display the Member link, which makes it very easy to get the Admin account name for a BuddyPress/bbPress website.  As a fallback in case the Admin account is used in Brute Force attacks a secondary Admin account has been created that has never been used to post a Forum Topic.  This ensures that the username/User Account has never been displayed publicly and is a login account that will never get locked due to Brute Force password cracking attempts.

    Young Master

    Mhmm!!! I have learned something new today. Now I do understand why they say nothing is 100% secure.

    AITpro Admin

    We use and PenTest with BackTrack 5 R3.  BackTrack 5 R3 is very, very impressive and comes with a huge arsenal of PenTesting tools that in good hands can be used to find all website attack vulnerabilities/vectors to determine/implement effective countermeasures (Plugin Firewall, ARQ IDPS, Login Security, etc).   Like all PenTesting tools, when used in the wrong hands (crackers) BackTrack 5 R3 can of course be used to find website vulnerabilites and exploit them.

    Creating obscure usernames and secure passwords for FTP accounts and WordPress Login accounts and not displaying these usernames publicly is very effective at preventing the possibility that a user account will be cracked.

    Young Master

    Wow! Thank you for you explanations Edward. I want to change one of my admin usernames to obscure usernames but the problem here is that the default admin username created when wordpress was installed cannot be deleted.

    AITpro Admin

    Actually you can delete the default Admin username or any Admin accounts at any time.  What you need to do is this:
    Create your new Admin account.
    Log out of your site and log back in with the new Admin Account.
    Delete the old Admin account.  VERY IMPORTANT!  Make sure you select your new Admin account and Attribute all posts to: your new Admin account otherwise your posts will be deleted and then you will have to restore your database from a backup if you make this mistake.

    Young Master

    Silly me! I was trying to delete my admin account while am still logged in to it.

    AITpro Admin

    Yep, kind of like trying to take off your socks while you still have your shoes on. LOL



    installed wpscan successfully on my Linux Mint (with some minor problems, had to fix ruby and install rvm freshly) and its working.
    Now I will find out, where usernames are displayed.

    In case anybody tries to install it on an ubuntu based derivate, he might most probably run into the same problems as me cause the repositories use old and broken ruby stuff.

    So, simply start all over new, after uninstalling ruby and rvm with (in case You tried to follow the steps on wpscan already):

    $ sudo apt-get --purge remove ruby-rvm
    $ sudo rm -rf /usr/share/ruby-rvm /etc/rvmrc /etc/profile.d/rvm.sh

    following: https://rvm.io/rvm/install
    I made it with “Install RVM stable with ruby:”

    $ \curl -L https://get.rvm.io | bash -s stable --ruby

    Cheers and thanks for the thread.

    P.S.: How to use wp scan: https://github.com/wpscanteam/wpscan


    Hi for finding out usernames just run

    ruby wpscan.rb --url http://www.example.com --enumerate u

    in the shell.

    So, my result: I tested on the site where my username was found out to start login attempts from south african IP didnt show the real usernames, cause I hid it with the plugin “Edit author slug”…
    Now I really wonder how them hackers found my very complicated username…

    AITpro Admin

    Use the BPS Pro String Finder Pro-Tool and search for the word “author” in your themes folder.  The search results will display any theme code that is using any of the WordPress author links functions to display your username publicly.  Even if you change the publicly displayed username in your WordPress settings, the author links functions will show your actual username/user account publicly when you mouse over them/hover.  The BPS Pro Pro-Tools cURL scanning tool uses a similar script/scanner that hackers would use to scan your website for publicly displayed usernames/user accounts.

    You can use both Pro-Tools – String Finder – search for the WordPress author links functions.  The cURL Scanner to search for your username/user account name outputted in your website’s source code by searching your themes folder using your real/actual username/user account name.  Also just for good measure search your plugins folder too.  A plugin may be adding one of the WordPress author links functions to your website.

    Link to a previous post above in this Topic that explains what you are looking for – a WordPress author links function in a theme or plugin.



    when I do this my real username is only found at :
    Table : wp_bpspro_login_security and Table : wp_users

    So on using edit author slug, the username really becomes hidden.
    But how might they have found out on the clients’ site?

    Because clients’ site might only be related to sites (related in terms of a backlink in the footer) that run the same setup: Author plugin and BPS pro.
    And on the site which is backlinked we have no siters listed (like in webdesign portfolio, that use this username without this setup)

    Makes me wonder…

    AITpro Admin

    You used the DB String Finder Pro-Tool to search your database.  There is another Pro-Tool called the String Finder tool that searches files instead of your database.  Since you want to search files and not your database then use the String Finder tool.


    Mmh. Sorry.
    Okay, the username was not found inside the themes folder

Viewing 15 posts - 1 through 15 (of 19 total)
  • You must be logged in to reply to this topic.