hackingwordpress attacking_common_applications

WordPress is a system that was created to build and manage blogs. It's now widely used for any kind of website. There are ton of plugins making it fast and easy to create websites πŸš€.

  • Learning websites πŸ§‘β€πŸŽ“: search for "LMS" plugins
  • Manga websites πŸ“š: search for "madara" or "MangaStream"
  • ...

☠️ Note that most themes/plugins are paid.

Useful links?

WordPress Pentester Notes ☠️

hackingwordpress attacking_common_applications webenumerationv2 colddboxeasy allinonemj blocky wordpress

There are two paid solutions to attack WordPress: Jetpack and WPScan. WPScan is providing a CLI tool for free and for non-commercial use available here (8.0k ⭐).

# before every scan, update the local metadata database
$ wpscan --update # may be automatically performed

You can enumerate themes, plugins, and usernames. By default, without -e, it will scan using -e vp,vt,tt,cb,dbe,u,m.

# Look into the HTML, /wp-content/themes/... for themes
$ wpscan --url URL -e t
$ wpscan --url URL -e vt # vulnerable themes
# Look into /wp-content/plugins/pluginname/... for plugins
# Use the README in each plugin to find the version
$ wpscan --url URL -e ap # all plugins
$ wpscan --url URL -e p  # popular plugins
$ wpscan --url URL -e vp # vulnerable plugins
# Find users (look for ID in posts...)
$ wpscan --url URL -e u
$ wpscan --url URL --enumerate u # same

You may have to add --random-user-agent to by-pass a simple WAF:

$ wpscan [...] --random-user-agent

You can use WPScan/hydra/... to bruteforce the login form. When using the tool, you may also use xmlrpc instead of the login page.

$ wpscan --url URL -P wordlist -U username # ", username2, etc."
$ wpscan [...] --password-attack xmlrpc    # use xmlrpc, faster
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -V
$ hydra -l username -P wordlist domain http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:F=is incorrect.' -V

⚠️ Don't use WordPress RPC API if you haven't tested that it works.

You can select a mode between aggressive/passive when scanning. Some results might not be visible according to the mode selected, so you should try both if you can.

$ wpscan --url URL -e t --plugins-detection aggressive
$ wpscan --url URL -e t --plugins-detection passive

You can increase the number of threads:

$ wpscan [...] -t 5 # default

The CLI can be unleashed with WPScan API that will retrieve vulnerabilities when scanning. The limit is 25 requests per day. See Optional: WordPress Vulnerability Database API. You can also browse vulnerabilities manually: WordPress, Plugins, and Themes.

# To list vulnerabilities, add a "v" before the enumerated type
# ex: vulnerable plugins
$ wpscan --url URL -e vp

To do it manually

  • WordPress version is in the source code (<meta name="generator" content="WordPress X.Y.Z">)
  • Plugin and Theme names/versions are often loaded from the source code (link/script). The URL may include the version.
  • Both WordPress, Plugins, and Themes may have a readme.html
  • Look for links to user accounts, iterate /?author=<id>, or use /wp-json/wp/v2/users for versions before 4.7.1
  • You can try to look in /robots.txt for something unexpected

Exploit WordPress

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

WordPress Hardening

  • Remove unused themes, and plugins
  • Hide username
  • Disable register
  • Use security plugins (change login page URL, ban IPs...)
  • Admins can write HTML in comments, it will be executed, but not normal users
  • Deactivating plugins doesn't remove its files
  • Auto-update? (themes and plugins too)
  • Install only trusted themes/plugins
  • sucuri-scanner, better-wp-security, wordfence


  • wp-config.php > can enable debug with "WP_DEBUG"
  • set the main page > settings > reading > static page
  • usually apache (/var/www/html) and mysql


  • Elementor


  • CMA, CDA
  • /wp-admin/, login.php, wp-login.php
  • xmlrpc.php (XML API)
  • wp-content/uploads/, wp-content/plugins/, wp-content/themes/
  • wp-includes
  • select user_login,user_pass from wp_users;
  • 10 levels of access, 5 (actually 6 with SA) roles