
WordPress

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

WordPress is the world's most popular CMS, making it a frequent target for attackers. WordPress-specific attacks target vulnerable plugins, themes, misconfigured user roles, XML-RPC, and the wp-config.php file.

Tools like WPScan automate enumeration of WordPress versions, plugins, themes, and vulnerable users.


Key Commands & Payloads

The following commands and payloads are commonly used when testing or exploiting WordPress:

wpscan --url https://target.com --enumerate u,vp,vt,dbe
wpscan --url https://target.com --passwords rockyou.txt --usernames admin
wpscan --url https://target.com --enumerate vp --api-token <token>
POST /xmlrpc.php <methodCall><methodName>system.listMethods</methodName></methodCall>
GET /wp-json/wp/v2/users
GET /.wp-config.php.bak
GET /wp-content/uploads/

Tools & Techniques

Recommended tools and techniques for WordPress:

  • WPScan: comprehensive WordPress vulnerability scanner
  • XML-RPC: enumerate users via wp.getUsersBlogs
  • XML-RPC multicall: distributed password brute-force
  • Theme/Plugin version disclosure via readme.txt
  • REST API: user enumeration via /wp-json/wp/v2/users
  • Content discovery: /wp-content/plugins/ and /wp-content/themes/
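The request paths in the Key Commands list and the techniques above all leave recognisable traces in ordinary web server access logs. The script below is an added example (not code from the cheatsheet, from WPScan or from WordPress) that scans combined-format log lines for those traces: REST user enumeration, probes for wp-config.php backups, plugin/theme readme.txt version disclosure, bare wp-content directory requests, and repeated POSTs to xmlrpc.php. The log lines in SAMPLE_LOG are constructed for the demonstration, and the per-IP threshold is an assumed tuning value.

```python
"""Spot the WordPress enumeration and XML-RPC brute-force patterns listed on this
cheatsheet in web server access logs.

Added example: not code from the cheatsheet, from WPScan or from WordPress. It assumes
the Apache/nginx "combined" log format; SAMPLE_LOG below is constructed, not captured.
"""
import re
from collections import Counter

# combined format: ip ident user [ts] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Request-path signatures for the techniques listed on the page.
SIGNATURES = [
    # REST API user enumeration
    ("rest_user_enum", re.compile(r"^/wp-json/wp/v2/users(?:/|\?|$)")),
    # backup / editor copies of wp-config.php left in the web root
    ("wpconfig_backup", re.compile(r"^/\.?wp-config\.php[.~]\w*$")),
    # plugin/theme readme.txt requests disclose component versions
    ("readme_version_disclosure",
     re.compile(r"^/wp-content/(?:plugins|themes)/[^/]+/readme\.txt$", re.I)),
    # bare directory requests used for content discovery / listing checks
    ("content_discovery", re.compile(r"^/wp-content/(?:plugins|themes|uploads)/?$")),
]

XMLRPC_RE = re.compile(r"^/xmlrpc\.php(?:\?|$)")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Return the name of the first signature matching a request path, or None."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None


def analyze(lines, xmlrpc_threshold=5):
    """Scan log lines; return enumeration findings and IPs hammering xmlrpc.php.

    Caveat: system.multicall packs many login attempts into a single POST, so a
    multicall brute force can stay under any per-request threshold. Counting
    requests catches the naive case; the fix for multicall is to disable it.
    """
    findings = []          # (ip, signature, path)
    xmlrpc_posts = Counter()
    skipped = 0            # lines that did not parse
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        tag = classify_path(rec["path"])
        if tag:
            findings.append((rec["ip"], tag, rec["path"]))
        if rec["method"] == "POST" and XMLRPC_RE.match(rec["path"]):
            xmlrpc_posts[rec["ip"]] += 1
    brute = {ip: n for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold}
    return {"findings": findings, "xmlrpc_bruteforce": brute, "skipped": skipped}


# Constructed sample: one enumerating client, one xmlrpc.php hammer, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.wp-config.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:12:02:00 +0000] "GET /2024/05/hello-world/ HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2024:12:02:01 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
this line is not in combined log format
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, tag, path in result["findings"]:
        print(f"{ip:15} {tag:26} {path}")
    print("xmlrpc brute-force candidates:", result["xmlrpc_bruteforce"])
    print("unparsed lines:", result["skipped"])
```

Run it against a real access log with `analyze(open("access.log").readlines())`. The signatures key on paths rather than on the scanner's User-Agent, which is trivial to change; a production version would additionally window the xmlrpc.php count by time and inspect POST bodies at the WAF for system.multicall, since the multicall variant shows up as only a handful of requests.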

Prevention & Mitigation

Security recommendations for hardening WordPress:

  • Keep WordPress core, themes, and plugins updated
  • Remove unused themes and plugins
  • Change default admin username and use strong passwords
  • Disable XML-RPC if not needed (or block multicall)
  • Implement Web Application Firewall (WAF)
  • Set correct file permissions (755 dirs, 644 files)
  • Disable file editing via the admin panel
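Three of the items above (file permissions, disabling XML-RPC or just multicall, and disabling file editing from the admin panel) can be checked and applied from the filesystem without touching the WordPress admin UI. The script below is an added example, not code from the cheatsheet or from WordPress. It assumes a POSIX filesystem and a standard install layout; `DISALLOW_FILE_EDIT`, the `xmlrpc_enabled` filter and the `xmlrpc_methods` filter are WordPress core names, while the mu-plugin file name, the 600 mode for wp-config.php and the sample install tree built by `build_sample_install()` are assumptions made for the demonstration.

```python
"""Audit and apply three hardening items on a WordPress install directory:
permissions (755 dirs, 644 files), DISALLOW_FILE_EDIT, and an mu-plugin that
disables XML-RPC (or only system.multicall).

Added example: not code from the cheatsheet or from WordPress. Assumes a POSIX
filesystem; build_sample_install() creates a constructed, deliberately
misconfigured tree in a temp directory so the script runs offline.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

DIR_MODE = 0o755    # from the cheatsheet
FILE_MODE = 0o644   # from the cheatsheet
# Assumption (not on the page): wp-config.php holds the DB credentials, so it is
# commonly locked down tighter than ordinary files.
STRICT_MODES = {"wp-config.php": 0o600}

MU_PLUGIN_NAME = "zz-harden-xmlrpc.php"  # hypothetical file name
# Both filters are WordPress core hooks; the plugin bodies here are constructed.
MU_PLUGIN_DISABLE_ALL = ("<?php\n/* Constructed mu-plugin: turn XML-RPC off entirely. */\n"
                         "add_filter('xmlrpc_enabled', '__return_false');\n")
MU_PLUGIN_BLOCK_MULTICALL = (
    "<?php\n/* Constructed mu-plugin: keep XML-RPC but drop system.multicall. */\n"
    "add_filter('xmlrpc_methods', function ($methods) {\n"
    "    unset($methods['system.multicall']);\n    return $methods;\n});\n")


def mode_of(path):
    """Permission bits of a path as an int (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def expected_mode(path):
    return DIR_MODE if path.is_dir() else STRICT_MODES.get(path.name, FILE_MODE)


def audit_permissions(root):
    """Return [(relative_path, actual_mode, expected_mode)] for every mismatch."""
    root = Path(root)
    issues = []
    for p in [root] + sorted(root.rglob("*")):
        actual, want = mode_of(p), expected_mode(p)
        if actual != want:
            issues.append((str(p.relative_to(root)), actual, want))
    return issues


def fix_permissions(root):
    """chmod every mismatching path to its expected mode; return how many changed."""
    issues = audit_permissions(root)
    for rel, _actual, want in issues:
        os.chmod(Path(root) / rel, want)
    return len(issues)


def file_edit_disabled(config_text):
    """True if wp-config.php has a live (uncommented) DISALLOW_FILE_EDIT = true."""
    rx = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith(("//", "#", "/*", "*")):
            continue
        if rx.search(s):
            return True
    return False


def ensure_file_edit_disabled(config_text):
    """Insert the define before wp-settings.php is loaded (later is too late)."""
    if file_edit_disabled(config_text):
        return config_text
    lines = config_text.splitlines()
    define = "define('DISALLOW_FILE_EDIT', true);"
    idx = next((i for i, l in enumerate(lines) if "wp-settings.php" in l), len(lines))
    lines.insert(idx, define)
    return "\n".join(lines) + "\n"


def install_xmlrpc_mu_plugin(root, disable_all=True):
    """Write an mu-plugin: always loaded and cannot be deactivated from the admin panel."""
    mu = Path(root) / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True, exist_ok=True)
    os.chmod(mu, DIR_MODE)
    target = mu / MU_PLUGIN_NAME
    target.write_text(MU_PLUGIN_DISABLE_ALL if disable_all else MU_PLUGIN_BLOCK_MULTICALL)
    os.chmod(target, FILE_MODE)
    return target


def build_sample_install():
    """Create a constructed, deliberately misconfigured install tree in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    files = {
        "index.php": "<?php\n",
        "wp-content/plugins/example-plugin/plugin.php": "<?php\n",
        "wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n"
                         "/* That's all, stop editing! Happy publishing. */\n"
                         "require_once ABSPATH . 'wp-settings.php';\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    (root / "wp-content" / "uploads").mkdir()
    for p in [root] + list(root.rglob("*")):            # clean baseline first...
        os.chmod(p, DIR_MODE if p.is_dir() else FILE_MODE)
    os.chmod(root / "wp-content" / "uploads", 0o777)     # ...then break three things:
    os.chmod(root / "wp-content/plugins/example-plugin/plugin.php", 0o666)
    # wp-config.php stays at 644, i.e. readable by every local account
    return root


def harden(root, disable_xmlrpc=True):
    """Apply all three controls; return a summary (remaining_issues should be 0)."""
    root = Path(root)
    install_xmlrpc_mu_plugin(root, disable_all=disable_xmlrpc)
    cfg = root / "wp-config.php"
    cfg.write_text(ensure_file_edit_disabled(cfg.read_text()))
    fixed = fix_permissions(root)
    return {"perms_fixed": fixed, "remaining_issues": len(audit_permissions(root))}


if __name__ == "__main__":
    site = build_sample_install()
    for rel, actual, want in audit_permissions(site):
        print(f"{rel}: {actual:o} (expected {want:o})")
    print(harden(site))
```

Point `audit_permissions()` and `harden()` at a real document root only after confirming the web server user still needs write access to wp-content/uploads (644/755 with the files owned by that user is the usual arrangement). `harden(root, disable_xmlrpc=False)` keeps XML-RPC for clients that need it (mobile apps, Jetpack) and removes only system.multicall, which is the "or block multicall" option in the list above.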
