Penetration Testing on WordPress

With a real-world example:

WordPress is a free content management system (CMS) used to create websites and blogs. It is written in PHP and mostly uses MySQL as its backend database.

WordPress is versatile: with it we can build many kinds of websites, such as blogs, e-commerce stores and much more. It uses themes and plugins for different functionality, so there is no need to learn coding; you can use plugins and themes to create a full-fledged website.

Benefits: Some benefits are mentioned below:

1. Easy installation: it can be installed in a single click, so anyone can host the application.

2. Open source and freely available. WordPress is distributed under the GPL license.

Penetration Testing on a Website Built with WordPress:

WordPress File and Directory Structure:

So whenever a user uploads an image to the website or installs themes or plugins, where does it get stored? WordPress has lots of directories and files, but here I am going to explain only those which may pose a threat if not handled properly.

1. readme.html: This file is located in the root of the WordPress installation and is publicly reachable. It gives us information about installation, upgrades, system requirements and resources, and it can disclose the WordPress version. So it is always advisable to remove readme.html after installation.

2. wp-activate.php: This file confirms the activation key that is sent to the registered email at the time of sign-up. If the key matches for the user, it will display that user's information.

3. xmlrpc.php: It is enabled by default and is an API. When the WordPress application needs to communicate with other applications or transfer data over HTTP, xmlrpc.php is used. Through it we can access remote features.

It may pose a threat: an attacker can brute-force its interface to log into the application, and it can be abused to make the server take part in botnet-driven DDoS attacks.

4. wp-mail.php: It is a built-in feature for sending mail, but it also allows sending thousands of emails that count as spam. By sending spam through it, an attacker can get ISPs to blacklist your application server, which means that legitimate emails will also land in the spam folder.
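To turn the list above into something a defender can act on, here is an added example (my own code, not part of the original post and not a WordPress component) that scans web-server access-log lines for requests to readme.html, the REST users endpoint and wp-mail.php, and for bursts of POST requests to xmlrpc.php, which is what a login brute force through that interface looks like in the log. The log lines, IP addresses and the threshold of 20 requests are constructed for the example; the line layout is the standard Apache/nginx "combined" format.

```python
"""Flag access-log requests to the WordPress files discussed above."""
import re
from collections import Counter

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Files from the list above that should not normally be reachable by the public.
SENSITIVE_PATHS = {
    "/readme.html": "readme.html served: discloses WordPress version and setup details",
    "/wp-json/wp/v2/users": "REST users endpoint answered: user enumeration possible",
    "/wp-mail.php": "wp-mail.php reachable: may be abused to relay spam",
}


def parse_line(line):
    """Return a dict of ip/method/path/status for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and trailing slash so /wp-json/wp/v2/users/?per_page=100 still matches.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/").lower() or "/"
    return rec


def analyze_access_log(log_text, xmlrpc_threshold=20):
    """Return a list of findings: sensitive files served, plus xmlrpc.php POST bursts per client."""
    findings = []
    xmlrpc_posts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == "/xmlrpc.php" and rec["method"] == "POST":
            xmlrpc_posts[rec["ip"]] += 1
        elif rec["path"] in SENSITIVE_PATHS and rec["status"] == 200:
            # A 404 means the file is gone or blocked, so only a 200 is a finding.
            findings.append({"ip": rec["ip"], "path": rec["path"], "issue": SENSITIVE_PATHS[rec["path"]]})
    for ip, count in xmlrpc_posts.items():
        if count >= xmlrpc_threshold:
            findings.append({
                "ip": ip,
                "path": "/xmlrpc.php",
                "issue": f"{count} POST requests to xmlrpc.php from one client: possible login brute force",
            })
    return findings


def _combined(ip, method, path, status, user_agent, second):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{user_agent}"')


# Constructed sample log: one scanner-like client, one ordinary client, one 404 on a removed file.
SAMPLE_LOG = "\n".join(
    [
        _combined("203.0.113.7", "GET", "/readme.html", 200, "Mozilla/5.0", 1),
        _combined("203.0.113.7", "GET", "/wp-json/wp/v2/users/?per_page=100", 200, "Mozilla/5.0", 2),
        _combined("198.51.100.4", "GET", "/readme.html", 404, "Mozilla/5.0", 3),
        _combined("198.51.100.4", "POST", "/xmlrpc.php", 200, "WordPress/6.3", 4),
        _combined("198.51.100.4", "GET", "/2023/10/hello-world/", 200, "Mozilla/5.0", 5),
    ]
    + [_combined("203.0.113.7", "POST", "/xmlrpc.php", 200, "python-requests/2.31", 10 + i)
       for i in range(25)]
)

if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_LOG):
        print(f'{finding["ip"]:15} {finding["path"]:25} {finding["issue"]}')
```

Feed it a real access log with `analyze_access_log(open(path).read())`; a single legitimate pingback or Jetpack call to xmlrpc.php stays under the threshold, while a removed readme.html shows up as a 404 and is not reported.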

WordPress Configuration Files:

These are also found in the root directory. They contain the specific settings of the WordPress application. You cannot reach them directly, as they are not publicly available.

1. .htaccess: In WordPress it is used to deny or allow access to specific folders of the WordPress installation, such as disallowing access to the /wp-content/uploads folder, and much more.

2. wp-config.php: It contains the global settings of the WordPress application, which tell it how to connect to the application's database, and holds the database credentials such as the username and password, as well as other specific keys.

How to check the WordPress version:

1. Manually: Go to any WordPress-based website and view the source of a page by pressing Ctrl+U. Then look for a meta tag; the meta tag will show the WordPress version, as in the screenshot.

Note: Not every website discloses the WordPress version.

2. Tool: If you just want to use a tool for this, you can use this simple Python script to enumerate the WordPress version. You can even provide it a list of websites if you have websites in bulk, and it will also look up the vulnerabilities of that specific version, saving a lot of your time.

Command: python <repository name> -u <application URL, with https://, whose version you want to check>

How to check users / user enumeration:

1. Manually: Go to any WordPress-based website and append "wp-json/wp/v2/users" to the website URL. If you get a list of users, the WordPress installation is disclosing its users.

2. Tool: You can also use this simple script to do the same; it also supports scanning websites in bulk for user enumeration.

Command: python <repository name> -u <application URL, with https://, whose users you want to enumerate>

Checking Directory Listing:

All uploaded data goes to the wp-content/uploads folder, so if the website allows directory listing of that folder, an attacker can grab all the images and other sensitive files from it. You can use the following to check directory listing on a WordPress-based website.

Command: <application URL>/wp-content/uploads/

If directory listing is enabled on the website, you will see a directory structure like the one in the screenshot above.
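The three manual checks above (the generator meta tag, wp-json/wp/v2/users and the directory listing of wp-content/uploads) all come down to recognising what the server sends back. The added example below is my own code, not the script linked in the post and not WordPress code; it does that recognition offline on constructed response bodies so it can be wired to whatever HTTP client you already use. The page HTML, the user-list JSON, the blocked-endpoint error body and the autoindex page are all made-up samples, and the title-based directory-listing test assumes a default Apache or nginx autoindex page.

```python
"""Offline checks for the three manual tests above, run on constructed responses."""
import json
import re
from html.parser import HTMLParser


class _GeneratorMeta(HTMLParser):
    """Collect the content of <meta name="generator" ...>, which WordPress emits by default."""

    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attributes = {k.lower(): (v or "") for k, v in attrs}
        if attributes.get("name", "").lower() == "generator":
            self.generator = attributes.get("content", "")


def extract_wp_version(html):
    """Return the version string from the generator meta tag, or None if it is not disclosed."""
    parser = _GeneratorMeta()
    parser.feed(html)
    if not parser.generator:
        return None
    m = re.search(r"WordPress\s+(\d+(?:\.\d+)*)", parser.generator, re.I)
    return m.group(1) if m else None


def extract_users(body):
    """Parse a /wp-json/wp/v2/users response; anything that is not a JSON list yields no users."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []  # an error object such as {"code": ..., "message": ...} means the list is not exposed
    return [{"id": u.get("id"), "slug": u.get("slug"), "name": u.get("name")}
            for u in data if isinstance(u, dict) and "slug" in u]


def is_directory_listing(html):
    """True when the body looks like an autoindex page (Apache and nginx both title it 'Index of /...')."""
    return re.search(r"<title>\s*index of\s+/", html, re.I) is not None


def audit(home_html, users_body, uploads_html):
    """Summarise the three checks the way one report line would."""
    return {
        "version_disclosed": extract_wp_version(home_html),
        "users_disclosed": [u["slug"] for u in extract_users(users_body)],
        "uploads_listing": is_directory_listing(uploads_html),
    }


# Constructed sample responses (not captured from any real site).
SAMPLE_HOME = """<!doctype html><html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 6.3.1" />
<title>Example blog</title></head><body><p>Hello world</p></body></html>"""

SAMPLE_HOME_HARDENED = """<!doctype html><html><head>
<title>Example blog</title></head><body><p>Hello world</p></body></html>"""

SAMPLE_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://blog.example/author/admin/"},
    {"id": 2, "name": "Editor", "slug": "editor", "link": "https://blog.example/author/editor/"},
])

SAMPLE_USERS_BLOCKED = json.dumps(
    {"code": "rest_forbidden", "message": "Sorry, you are not allowed to do that.", "data": {"status": 401}}
)

SAMPLE_UPLOADS_LISTING = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1><pre><a href="../">Parent Directory</a>
<a href="2023/">2023/</a></pre></body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HOME, SAMPLE_USERS, SAMPLE_UPLOADS_LISTING))
    print(audit(SAMPLE_HOME_HARDENED, SAMPLE_USERS_BLOCKED, SAMPLE_HOME))
```

A hardened site produces `None`, an empty user list and `False`; the second `audit` call in the block shows that case. Parsing the meta tag with `HTMLParser` instead of a regex over the raw page keeps the check working when the tag's attributes are in a different order or use single quotes.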

Automated Information Gathering:

Manually scanning a website for plugins and other things can be hectic at times. Since most websites prohibit automated scanning, we need to know how to do the testing manually, but there is an easier way as well: we can use "wpscan", a tool for scanning WordPress-based websites.

Let's have a demonstration of it on a WordPress application.

Command: wpscan --help

It has a lot of options; we can use them according to our requirements.

1. Username enumeration

If we want to enumerate users in this application:

Command: wpscan --url <URL of website> -e u

-e: for enumeration

u: for users

After running this command, the identified user:

2. To check for vulnerable plugins

If we want to check whether the application has vulnerable plugins or not:

Command: wpscan --url <URL of website> -e p

-e: for enumeration

p: for plugins

After running the above command, we can see the plugin's details:

In the above screenshot you can see that a plugin is outdated. Upon checking the vulnerabilities of that plugin, we can see that it has a remote shell upload vulnerability.

For reference, you can check this link.

Mitigations:

1. Disable access to wp-json.

2. Do not disclose the version in the meta tag.

3. Do not use default credentials such as admin/admin as login credentials.

4. Regularly check plugins; if any of them is outdated, update it ASAP.

5. Always keep the WordPress version up to date.

Written by: Security enthusiast working to secure the web for others
