Know what you hack
Think of WordPress as a house — we need to know all its entry points, weak spots, and security measures to properly test it. Let’s break this down into the juicy parts that actually matter for real-world pentesting.
🔴 Understanding the Battlefield
The WordPress Kingdom
Picture WordPress as a medieval castle with different layers of defense:
├── Public Face (wp-content)
│ ├── The Courtyard (themes)
│ ├── The Armory (plugins)
│ └── The Treasury (uploads)
├── The Keep (wp-admin)
└── The Foundation (wp-includes)
Think of wp-config.php as the castle’s secret vault — it holds all the keys to the kingdom. This is often your golden ticket if you can get your hands on it.
🔵 The Cast of Characters: User Roles
Let’s break down the power structure in a way that matters for exploitation:
👑 Administrator
- The king/queen of the castle
- Can do literally everything
- Your primary target for privilege escalation
- Usually hangs out in /wp-admin
🗡️ Editor
- The noble with limited powers
- Can’t touch system settings but rules over content
- Often has access to juicy features
- Potential stepping stone to admin
✍️ Author
- The knight who can publish their own stuff
- File upload capabilities = potential shell upload vector
- Limited but dangerous if exploited right
📝 Contributor & Subscriber
- The peasants of WordPress
- Limited access but never underestimate them
- Perfect for initial foothold
🔍 The Hunt Begins: Attack Vectors That Actually Work
1. The Lazy Admin’s Mistakes
- Default credentials (admin/admin)
- wp-admin accessible to the world
- Debug mode left on in production (check wp-config.php)
- Backups lying around (.sql, .zip, .tar.gz)
2. Plugin Paradise
This is where the fun begins! Plugins are like mini applications inside WordPress, each potentially a new door to kick down.
3. Theme Theater
Themes can be a goldmine for:
- File inclusion vulnerabilities
- Arbitrary file upload
- SQL injection in custom queries
🛠️ Your Hacking Toolkit
Reconnaissance Phase
# Quick WordPress scan
wpscan --url http://target.com --enumerate

# Check for xmlrpc.php (a fault response means the endpoint is enabled)
curl -d '<?xml version="1.0"?>' http://target.com/xmlrpc.php

# User enumeration via author archive redirects
for i in {1..100}; do curl -s http://target.com/?author=$i; done
Common Weak Spots
1. XML-RPC Interface
- Often forgotten
- Brute force paradise
- system.listMethods to see what you can play with
2. REST API
/wp-json/wp/v2/users/
/wp-json/wp/v2/posts/
3. Upload Functions
- Media uploader
- Avatar uploaders
- Theme/plugin editors
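Every one of the recon commands above and the weak spots just listed leaves a distinctive trace in the web server access log, which is what a defender watches for. The following is an added example, not code from the article: it parses combined-format (Apache/nginx) log lines and flags ?author=N sweeps, bursts of POSTs to xmlrpc.php, and probes for wp-config.php backups, debug.log or .git. The log lines are constructed for the example and the thresholds are assumptions to tune per site.

```python
"""Flag WordPress recon patterns in web server access logs.

Added example (not from the original article). Detects:
  * ?author=N sweeps from one IP (user enumeration)
  * bursts of POSTs to xmlrpc.php from one IP (brute force / method probing)
  * requests for wp-config.php backups, wp-content/debug.log or .git
Log lines are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Paths legitimate visitors never request.
SENSITIVE_RE = re.compile(
    r'(^|/)(wp-config\.php(\.|~|$)|wp-config\.(bak|old|txt|save)$|'
    r'wp-content/debug\.log$|\.git(/|$))'
)

AUTHOR_SWEEP_THRESHOLD = 5   # distinct author ids from one IP (assumed)
XMLRPC_POST_THRESHOLD = 10   # POSTs to xmlrpc.php within the window (assumed)
WINDOW_SECONDS = 60


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return rec


def analyze(lines):
    """Return a sorted list of (ip, finding) tuples."""
    author_ids = defaultdict(set)
    xmlrpc_posts = defaultdict(list)
    findings = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        bare_path = path.split("?")[0]
        m = re.search(r'[?&]author=(\d+)', path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        if rec["method"] == "POST" and bare_path.endswith("/xmlrpc.php"):
            xmlrpc_posts[ip].append(rec["ts"])
        if SENSITIVE_RE.search(bare_path):
            findings.add((ip, f"sensitive path probe: {path}"))
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_SWEEP_THRESHOLD:
            findings.add((ip, f"author enumeration sweep ({len(ids)} ids)"))
    for ip, stamps in xmlrpc_posts.items():
        stamps.sort()
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            j = i
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= WINDOW_SECONDS:
                j += 1
            if j - i >= XMLRPC_POST_THRESHOLD:
                findings.add((ip, f"xmlrpc.php POST burst ({j - i} in {WINDOW_SECONDS}s)"))
                break
    return sorted(findings)


def _line(ip, second, method, path, status):
    # Build a constructed combined-format line; all samples fall within one minute.
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample: one benign visitor, one enumerating IP, one xmlrpc hammerer.
SAMPLE_LOG = (
    [_line("192.0.2.9", 1, "GET", "/", 200),
     _line("192.0.2.9", 2, "GET", "/2024/03/hello-world/", 200)]
    + [_line("203.0.113.5", 5 + i, "GET", f"/?author={i}", 301) for i in range(1, 7)]
    + [_line("203.0.113.5", 20, "GET", "/wp-config.php.bak", 404),
       _line("203.0.113.5", 21, "GET", "/wp-content/debug.log", 200),
       _line("203.0.113.5", 22, "GET", "/.git/HEAD", 403)]
    + [_line("198.51.100.7", 30 + i, "POST", "/xmlrpc.php", 200) for i in range(12)]
)

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG):
        print(f"{ip:15} {finding}")
```

Feed it a real log with `analyze(open("access.log"))`; the debug.log hit with status 200 in the sample is the one to treat as confirmed exposure rather than a mere probe.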
🎣 Social Engineering Angles
WordPress sites are often managed by:
- Small business owners
- Non-technical content creators
- Marketing teams
This means:
- Password reuse is common
- Security updates are delayed
- Default settings remain unchanged
🎯 Quick Wins Checklist
- [✓] Check /wp-content/debug.log
- [✓] Look for wp-config.php backup files
- [✓] Test default credentials
- [✓] Check user enumeration
- [✓] Scan for vulnerable plugins
- [✓] Test file upload restrictions
- [✓] Look for exposed .git folders
Tips
1. Always check the wp-content/uploads folder structure
2. WordPress runs on PHP — think like a PHP hacker
3. User enumeration can be gold for social engineering
4. Backup files often contain database credentials
5. Most vulnerabilities come from third-party code (e.g. plugins and themes; the first bug I found was because of a 3rd-party plugin)
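The quick wins checklist and tips 1 and 4 are also exactly what a site owner can verify from the filesystem before anyone else finds them. The following is an added example, not the article's code: given the path to a WordPress document root it reports debug.log and WP_DEBUG left on, wp-config.php backup copies, an exposed .git directory, and PHP files sitting under wp-content/uploads. The suffix list and the throw-away sample tree built by build_sample_root are constructed for the demonstration.

```python
"""Self-audit a WordPress document root for the checklist items above.

Added example (not from the original article). Checks:
  * wp-content/debug.log present and WP_DEBUG enabled in wp-config.php
  * backup copies of wp-config.php next to the live file
  * an exposed .git directory in the web root
  * PHP files under wp-content/uploads (media should never be executable code)
The sample tree in build_sample_root() is constructed for demonstration.
"""
import re
import sys
import tempfile
from pathlib import Path

# Extensions PHP handlers commonly execute; an assumption, extend per server config.
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def check_debug(root):
    findings = []
    if (root / "wp-content" / "debug.log").exists():
        findings.append("wp-content/debug.log exists and may be web-readable")
    cfg = root / "wp-config.php"
    if cfg.exists():
        text = cfg.read_text(errors="replace")
        if re.search(r"define\(\s*['\"]WP_DEBUG['\"]\s*,\s*true\s*\)", text):
            findings.append("WP_DEBUG is true in wp-config.php")
    return findings


def check_config_backups(root):
    # Anything named like wp-config other than the live file and the shipped sample.
    return [f"possible wp-config backup: {p.name}"
            for p in sorted(root.iterdir())
            if p.is_file() and p.name.startswith("wp-config")
            and p.name not in ("wp-config.php", "wp-config-sample.php")]


def check_git(root):
    return ["exposed .git directory in web root"] if (root / ".git").is_dir() else []


def check_uploads(root):
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return [f"PHP file under uploads: {p.relative_to(root).as_posix()}"
            for p in sorted(uploads.rglob("*"))
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES]


def audit(root):
    """Run every check against a document root and return the list of findings."""
    root = Path(root)
    findings = []
    for check in (check_debug, check_config_backups, check_git, check_uploads):
        findings.extend(check(root))
    return findings


def build_sample_root(base):
    """Construct a throw-away docroot that trips every check (demonstration only)."""
    root = Path(base)
    media = root / "wp-content" / "uploads" / "2024" / "03"
    media.mkdir(parents=True)
    (root / ".git").mkdir()
    (root / "wp-content" / "debug.log").write_text("[10-Mar-2024 12:00:00 UTC] PHP Notice: sample\n")
    (root / "wp-config.php").write_text("<?php\ndefine( 'WP_DEBUG', true );\n")
    # Tip 4 in action: the stale copy still carries database credentials.
    (root / "wp-config.php.bak").write_text("<?php\ndefine( 'DB_PASSWORD', 'example-only' );\n")
    (media / "image.jpg").write_bytes(b"\xff\xd8\xff")
    (media / "not-an-image.php").write_text("<?php // placeholder, not real code\n")
    return root


def audit_sample():
    """Build the constructed sample tree in a temp dir and audit it."""
    return audit(build_sample_root(tempfile.mkdtemp()))


if __name__ == "__main__":
    # Usage: python wp_audit.py /var/www/html   (no argument: audit the sample tree)
    results = audit(sys.argv[1]) if len(sys.argv) > 1 else audit_sample()
    for finding in results:
        print("[!]", finding)
```

Run it as the web server user so that what it can read is what a request could read; a clean run does not prove the site is safe, it only clears the mistakes this article lists.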
The best hackers aren’t those who know the most exploits, but those who understand how the system works and where people usually mess up.