I was pleasantly surprised to see a WordPress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking WordPress sites is wpscan, which is built right into Kali – or you can grab it from GitHub. Get familiar with the command line flags as they can help you conduct a more gentle scan that recovers from site errors/disconnections more easily. Specifically, read up on these options:

  • --throttle <milliseconds> – for example, I’ve been using --throttle 1000 in order to be a bit less intense on my target site

  • --request-timeout and --connect-timeout help your scan recover smoothly from site errors/timeouts

Also, if you find yourself in a situation where you’re testing a production WordPress site (not recommended), consider setting up a free up/downtime alert via a service like Uptime Robot so you can get emails if the site ever poops out. That certainly beats holding your breath and hitting F5 in Firefox every 10 seconds 🙂

Written by: Brian Johnson
