7MS #264: Hacking Wordpress

7 Minute Security show

Summary: I was pleasantly surprised to see a Wordpress site fall into a pentest scope this past week. One helpful tool to get familiar with when attacking Wordpress sites is wpscan (https://wpscan.org), which is built right into Kali - or you can grab it from GitHub (https://github.com/wpscanteam/wpscan). Get familiar with the command line flags, as they can help you conduct a gentler scan that recovers from site errors/disconnections more easily. Specifically, read up on these options:

- --throttle <milliseconds> - for example, I've been using --throttle 1000 in order to be a bit less intense on my target site
- --request-timeout and --connect-timeout help your scan recover smoothly from site errors/timeouts

Also, if you find yourself in a situation where you're testing a production Wordpress site (not recommended), consider setting up a free up/downtime alert via a service like Uptime Robot (https://uptimerobot.com/) so you can get emails if the site ever poops out. That certainly beats hitting F5 in Firefox every 10 seconds :-)
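The flip side of the flags above, as an added example that is not from the original show notes: a small Python detector run over constructed Apache access-log lines, showing that a wpscan run throttled to --throttle 1000 never trips a per-second burst rule but is still caught by its default user agent and by the plugin readme enumeration pattern. The log lines, the WPScan user-agent string and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (Apache combined format), not from the original post:
# 203.0.113.5 runs wpscan with its default user agent, throttled to about 1 req/s;
# 198.51.100.9 hides behind a browser UA but probes plugin readmes in a burst;
# 192.0.2.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:12:00:00 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 5120 "-" "WPScan v3.7.8 (https://wpscan.org/)"
203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 512 "-" "WPScan v3.7.8 (https://wpscan.org/)"
203.0.113.5 - - [10/Mar/2020:12:00:02 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 512 "-" "WPScan v3.7.8 (https://wpscan.org/)"
198.51.100.9 - - [10/Mar/2020:12:00:00 +0000] "GET /wp-content/plugins/p1/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:12:00:00 +0000] "GET /wp-content/plugins/p2/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:12:00:00 +0000] "GET /wp-content/plugins/p3/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2020:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Captures: source IP, raw timestamp (1-second resolution is enough here), path, user agent
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/readme\.txt$')


def analyze(log_text, enum_threshold=3, burst_threshold=3):
    """Return {ip: sorted reasons}; an empty list means nothing suspicious was seen."""
    per_sec = defaultdict(lambda: defaultdict(int))  # ip -> timestamp string -> hits
    plugins = defaultdict(set)                        # ip -> distinct plugin slugs probed
    ua_hit = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, path, ua = m.groups()
        per_sec[ip][ts] += 1
        pm = PLUGIN_RE.match(path)
        if pm:
            plugins[ip].add(pm.group(1))
        if 'wpscan' in ua.lower():
            ua_hit.add(ip)
    result = {}
    for ip, buckets in per_sec.items():
        reasons = []
        if ip in ua_hit:
            reasons.append('wpscan-ua')              # default UA, trivially changed by the scanner
        if len(plugins[ip]) >= enum_threshold:
            reasons.append('plugin-enumeration')     # survives throttling and UA changes
        if max(buckets.values()) >= burst_threshold:
            reasons.append('burst')                  # a --throttle 1000 scan never trips this
        result[ip] = sorted(reasons)
    return result
```

Running analyze(SAMPLE_LOG) flags the throttled scanner on UA and enumeration only, the burst scanner on rate and enumeration, and leaves the ordinary visitor clean.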