.png)
5 hours ago
2 BOOK THIS SPACE FOR AD
ARTICLE AD
Know what you hack
Think of WordPress as a house — we need to know all its entry points, weak spots, and security measures to properly test it. Let’s break this down into the juicy parts that actually matter for real-world pentesting.
🔴 Understanding the Battlefield
The WordPress Kingdom
Picture WordPress as a medieval castle with different layers of defense:
├── Public Face (wp-content)
│ ├── The Courtyard (themes)
│ ├── The Armory (plugins)
│ └── The Treasury (uploads)
├── The Keep (wp-admin)
└── The Foundation (wp-includes)
Think of wp-config.php as the castle’s secret vault — it holds all the keys to the kingdom. This is often your golden ticket if you can get your hands on it.
🔵 The Cast of Characters: User Roles
Let’s break down the power structure in a way that matters for exploitation:
👑 Administrator
- The king/queen of the castle
- Can do literally everything
- Your primary target for privilege escalation
- Usually hangs out in /wp-admin
🗡️ Editor
- The noble with limited powers
- Can’t touch system settings but rules over content
- Often has access to juicy features
- Potential stepping stone to admin
✍️ Author
- The knight who can publish their own stuff
- File upload capabilities = potential shell upload vector
- Limited but dangerous if exploited right
📝 Contributor & Subscriber
- The peasants of WordPress
- Limited access but never underestimate them
- Perfect for initial foothold
🔍 The Hunt Begins: Attack Vectors That Actually Work
1. The Lazy Admin’s Mistakes
- Default credentials (admin/admin)
- wp-admin accessible to the world
- Debug mode left on in production (check wp-config.php)
- Backups lying around (.sql, .zip, .tar.gz)
2. Plugin Paradise
This is where the fun begins! Plugins are like mini applications inside WordPress, each potentially a new door to kick down.
3. Theme Theater
Themes can be a goldmine for:
- File inclusion vulnerabilities
- Arbitrary file upload
- SQL injection in custom queries
🛠️ Your Hacking Toolkit
Reconnaissance Phase
# Quick WordPress scanwpscan --url http://target.com --enumerate# Check for xmlrpc.php
curl -d ‘<?xml version=”1.0"?>’ http://target.com/xmlrpc.php# User enumeration
for i in {1..100}; do curl -s http://target,com/?author=$i; done
Common Weak Spots
1. XML-RPC Interface
— Often forgotten
— Brute force paradise
— System.listMethods to see what you can play with
2. REST API
/wp-json/wp/v2/users/
/wp-json/wp/v2/posts/
3. Upload Functions
— Media uploader
— Avatar uploaders
— Theme/plugin editors
🎣 Social Engineering Angles
WordPress sites are often managed by:
- Small business owners
- Non-technical content creators
- Marketing teams
This means:
- Password reuse is common
- Security updates are delayed
- Default settings remain unchanged
🎯 Quick Wins Checklist
- [✓] Check /wp-content/debug.log
- [✓] Look for wp-config.php backup files
- [✓] Test default credentials
- [✓] Check user enumeration
- [✓] Scan for vulnerable plugins
- [✓] Test file upload restrictions
- [✓] Look for exposed .git folders
Tips
Always check the wp-content/uploads folder structure2. WordPress runs on PHP — think like a PHP hacker
3. User enumeration can be gold for social engineering
4. Backup files often contain database credentials
5. Most vulnerabilities come from third-party code (e.g. plugins and themes, my first bug I found was because of a 3rd party plugin)
The best hackers aren’t those who know the most exploits, but those who understand how the system works and where people usually mess up.
Bengali (Bangladesh) · 
English (United States) ·