Penetration Testing for WordPress Websites


WordPress, a content management system (CMS) that powers 810 million websites, is a frequent target for cybercriminals. Whether your WordPress site serves as an e-commerce platform, a blog, or a portfolio, safeguarding it must be a priority. One security strategy for doing this is penetration testing: a systematic process of probing for vulnerabilities that an attacker could exploit.

Start your ethical penetration testing of WordPress websites with this detailed roadmap for both beginners and seasoned professionals.

Starting the WordPress Penetration Test

Setting up Kali Linux for Your WordPress Security Audit

Kali Linux is an indispensable resource for anyone serious about cybersecurity. Tailored explicitly for penetration testing, this Linux distribution comes loaded with a host of cybersecurity tools.

Installing Kali Linux sets the stage for a comprehensive WordPress security audit, giving you a rich suite of utilities at your fingertips. The installation is straightforward, and you can choose to run it live or in a virtual environment.

Quick Kali Linux installation guide

To start, install Kali Linux with VirtualBox.

  1. Download and install VirtualBox on your computer.
  2. Download the Kali Linux 64-bit image.
  3. To host Kali Linux, create a VirtualBox virtual machine and choose Debian 64-bit as the operating system (OS).
  4. Boot into the new virtual machine.
  5. Boot into Kali and select the install option.
  6. Open VirtualBox and Kali Linux will be visible. Select it and click Start.

The Importance of Consent in WordPress Penetration Testing

Before you embark on this cybersecurity journey, it’s paramount to secure explicit permission from the website owner if you’re not auditing your own site. Failure to do so not only breaches ethical boundaries but also carries legal issues. Ensure you have written consent to avoid these complications.

Mastering the Ultimate WordPress Security Checklist with Over 300 Test Parameters

As you prepare for the testing process, having an exhaustive checklist can be invaluable. A well-curated checklist, featuring more than 300 test parameters, ensures that you cover all your bases. From SQL injection to Cross-Site Scripting (XSS), this free OWASP checklist will serve as your roadmap for a thorough vulnerability assessment.

The Triad of WordPress Penetration Testing

The Initial Phase: WordPress Penetration Testing Mapping

Utilizing NMAP for Network Discovery

NMAP, or Network Mapper, serves as your initial reconnaissance tool. Its powerful features enable you to identify active devices on a network, open ports, and other crucial network attributes that can be leveraged for more targeted attacks later.

The GUI Advantage with Zenmap

If you’re more comfortable with graphical interfaces, Zenmap is the GUI version of NMAP. It provides the same functionalities but with the ease of a graphical interface, making it accessible for those less familiar with command-line tools.

ReconDog: Your Companion for Information Gathering

ReconDog is another asset in your toolkit for the mapping phase. It specializes in gathering a diverse range of information, from DNS details to the detection of potential honeypots.

WPintel Chrome Plugin for WordPress-Specific Intelligence

WPintel is a Chrome plugin designed to simplify WordPress vulnerability scanning. It can identify WordPress versions, enumerate users, and even discover installed themes and plugins.


The Role of Open Source Intelligence (OSINT)

OSINT tools are designed to collect publicly available information. These tools can dig up useful details about the domain, subdomains, and even employee details in some cases, aiding in social engineering attacks.

Whois: Unmasking Domain Ownership

Drop to the Kali Linux terminal and run whois followed by the domain name for domain-specific information, or whois followed by the IP address to get details about the address hosting the WordPress site. This command reveals registration and ownership information, which can be crucial for social engineering attacks.

Social Mention: Your Social Media Search Engine

Social Mention scans through various social media platforms for specific keywords. Use this tool to search for brand names or usernames you encounter on the WordPress site. Understanding social presence can add another dimension to your penetration testing strategy.

Intel Techniques: A Treasure Trove of OSINT Tools

The Intel Techniques website offers an array of OSINT search tools. These tools are effective for username searches and discovering the identities of individuals who appear on the WordPress site.


Recon-ng: The Command-Line OSINT Swiss Army Knife

Recon-ng comes bundled with Kali Linux and serves as an all-in-one command-line tool for OSINT analysis. Its modular approach allows for extensive customization, making it a versatile asset in your toolkit.

Maltego Chlorine: Advanced OSINT Analysis

Maltego Chlorine is an open-source version of the advanced Maltego OSINT tool. Although you’ll need to register for an API key, the platform offers powerful features, including ‘machines’ that can graphically display results. For instance, the ‘company stalker’ machine can find email addresses associated with a specific domain. Note that the free edition limits you to 12 results.

Netcraft: Discover Subdomains and Web Technologies

Netcraft is an excellent tool for finding subdomains and discovering the technologies a website is using. Input your target domain, and the tool provides a comprehensive report, including the web server software and other details.

IP to Virtual Host Lookup Tools

Websites like Hacker Target’s Reverse IP Lookup can provide insights into what other websites are running on the same IP address as your target. This information can be invaluable for understanding the broader attack surface.

The Discovery Phase: Identifying Vulnerabilities

WPScan: The WordPress Security Scanner

WPScan is a specialized tool for WordPress security scans. It can uncover vulnerabilities in the WordPress core, as well as in installed themes and plugins.

Its robust database is continually updated with the latest vulnerabilities, making it a must-have tool for WordPress penetration testing.

wpscan --url https://example.com

(example.com is a placeholder for the site under test.)

Nikto: The Web Server Vulnerability Scanner

Nikto is a venerable tool in cybersecurity. Although not specific to WordPress, it is highly effective in identifying various vulnerabilities that could be present in the web server hosting the WordPress site.

Burp Suite: The Swiss Army Knife of Web Security Testing

Burp Suite is an all-in-one tool for web security testing. It can automate scans, crawl web pages, and even aid in manual testing, making it a versatile asset for the discovery phase.

The Art of Fuzzing: Sending Random Data to Find Weak Spots

Fuzzing is a technique that involves sending random or malformed data to the target system to observe how it reacts.

This method can be incredibly effective in discovering vulnerabilities that other, more conventional testing methods may miss.

The Final Frontier: Exploitation

Metasploit: The Exploitation Framework

Once you’ve identified vulnerabilities, the next step is exploitation. Metasploit is the go-to framework for this phase. Its extensive database of exploits and payloads makes it an indispensable tool for any penetration tester.

Essential WordPress Basics for Penetration Testers

Understanding Main WordPress Files

Being conversant with the WordPress file structure gives you a strategic advantage in your testing. Core files like wp-config.php, .htaccess, and the wp-content directory often contain sensitive information and should be the focus of your review.

You Have To Validate User Permissions

User roles and permissions are a critical aspect of WordPress security. Excessive permissions can open the door for various attacks, including privilege escalation.

Therefore, a thorough review of user roles is essential in a comprehensive penetration test.

This review can also reveal automated (bot-registered) accounts that slipped past the registration checks, so you can tighten those checks to block similar accounts in the future.


The Understated Importance of Passive Enumeration

Determining the WordPress Version

The WordPress version can be a significant tell for a potential attacker. Older versions often have known vulnerabilities that are patched in newer releases. Identifying the version can provide insights into which exploits might be most effective.

Enumerating Plugins and Themes

Plugins and themes extend the functionality of WordPress but can also introduce vulnerabilities. Passive enumeration of these components can provide a list of potential targets for further exploration. Visit the support forums of the themes and plugins; there is a good chance someone has already reported faulty code.

Extracting Versions Across the Board

It’s not just the WordPress core that needs scrutinizing. The versions of plugins, themes, and even the web server can offer clues to potential vulnerabilities.

The Nitty-Gritty of Active Enumeration

A Closer Look at Plugins and Themes

Active enumeration takes a deeper dive into the plugins and themes installed on the WordPress site. This phase could involve actual interaction with these components to unearth vulnerabilities that passive enumeration might miss.

User Enumeration and Its Pitfalls

The Trap of Login Username Enumeration

Usernames are often the weakest link in a security chain. By exploiting careless username enumeration practices, an attacker can amass a list of usernames to attempt brute force login attacks.

XML-RPC: A Double-Edged Sword

XML-RPC facilitates remote procedure calls over XML. While useful, it can be a launching pad for brute force attacks if not properly configured and secured.

wp-cron.php: An Avenue for Denial of Service (DoS) Attacks

The wp-cron.php file is responsible for scheduled tasks in WordPress. If poorly configured, it can be exploited to launch a Denial of Service (DoS) attack, rendering the website unusable.
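As an added detection example (not from the original article), the following Python runs over constructed access-log lines and flags the XML-RPC and wp-login.php brute-force bursts and wp-cron.php floods described in the two sections above; the rule paths, thresholds and sample addresses are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# xmlrpc.php answers 200 even to bad credentials, so request volume is the signal;
# wp-login.php re-renders the form with 200 on failure (302 on success);
# wp-cron.php runs scheduled jobs and should never be hit in bursts.
RULES = {
    "xmlrpc-bruteforce": lambda r: r["method"] == "POST" and r["path"].startswith("/xmlrpc.php"),
    "wp-login-bruteforce": lambda r: r["method"] == "POST" and r["status"] == "200"
                                     and r["path"].startswith("/wp-login.php"),
    "wp-cron-flood": lambda r: r["path"].startswith("/wp-cron.php"),
}

def parse_line(line):
    """Parse one combined-format (Apache/nginx) access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_abuse(lines, hits=5, window=60):
    """Return {(ip, rule): total requests} for sources with >= hits matches in any window seconds."""
    buckets = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        for name, matches in RULES.items():
            if matches(rec):
                buckets[(rec["ip"], name)].append(rec["ts"])
    alerts, span = {}, timedelta(seconds=window)
    for key, stamps in buckets.items():
        stamps.sort()
        if any(stamps[i + hits - 1] - stamps[i] <= span for i in range(len(stamps) - hits + 1)):
            alerts[key] = len(stamps)
    return alerts

# Constructed sample traffic using RFC 5737 test addresses (not a real server's log).
def _line(ip, sec, method, path, status):
    return (f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 412 "-" "python-requests/2.31"')

SAMPLE_LOG = (
    [_line("203.0.113.5", s, "POST", "/xmlrpc.php", 200) for s in range(0, 30, 5)]      # 6 hits in 25 s
    + [_line("198.51.100.9", s, "POST", "/wp-login.php", 200) for s in range(0, 40, 10)]  # 4 hits in 30 s
    + [_line("192.0.2.77", s, "GET", "/wp-cron.php?doing_wp_cron", 200) for s in range(0, 50, 2)]  # 25 in 48 s
    + [_line("192.0.2.10", 9, "POST", "/wp-login.php", 302)]  # one successful login, benign
)
```

Feed it your real access log with `detect_abuse(open("access.log"))` and alert on whatever it returns; the four-hit source below the default threshold shows why the threshold and window need tuning rather than guessing.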

/wp-json/oembed/1.0/proxy and SSRF: A Cautionary Tale

Server-Side Request Forgery (SSRF) is another serious vulnerability. The WordPress REST API, if misconfigured, can be manipulated to perform unauthorized requests to internal or external services.

SSRF: The Broad Spectrum of Server-Side Request Forgery

SSRF isn’t limited to WordPress APIs. Various services and plugins can also be susceptible to SSRF attacks, making it a crucial aspect to cover in your penetration testing.

Automated Tools: The Future of Penetration Testing

Automated tools like WPScan, Nikto, and Burp Suite can significantly speed up the process of vulnerability identification and exploitation. However, these should complement, not replace, manual testing for a thorough security audit.


Deep Dive into Cookie Options

Strictly Necessary Cookies: Off-Limits for Testing

These cookies are essential for the WordPress site to function correctly. As such, they should generally be left untouched during your testing activities.

Performance and Analytical Cookies: A Treasure Trove of Data

These cookies collect non-essential data about how users interact with the website. While they may seem harmless, they can sometimes be exploited to gather sensitive information or even hijacked for malicious purposes.

Targeting Cookies: Not as Innocent as They Seem

Targeting cookies are primarily used for advertising and user tracking. However, if not properly secured, they can become a vector for various security attacks, including Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).

Common WordPress Security Pitfalls and How to Avoid Them

The Dangers of Outdated WordPress Code

Using outdated WordPress code is akin to leaving your front door unlocked. Each new update typically includes security patches that resolve known vulnerabilities. Failing to update is an open invitation to cybercriminals.

The Risks of Outdated Themes and Plugins

Just like outdated WordPress core files, older versions of themes and plugins can expose your site to a host of security issues. Regular updates are your first line of defense against potential attacks.

Old Versions of PHP and Web Servers: A Ticking Time Bomb

Outdated PHP versions or web server software can also be vulnerable to exploitation. Staying current with the latest versions is a simple yet effective way to bolster your website’s security.

curl -s -D - -o /dev/null https://example.com | grep -iE "server|x-powered-by"

(-D - writes the response headers to standard output, -o /dev/null discards the body, and grep -E enables the | alternation; example.com is a placeholder for the site under test.)
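As an added example that is not part of the original article, this Python takes the response headers the curl one-liner above prints together with the page HTML and lists every version string the site leaks: the Server and X-Powered-By banners, the WordPress generator tag, and the ?ver= query strings on plugin, theme and core assets that the earlier passive-enumeration sections tell you to collect. The sample response, domain and component versions are constructed for the demo.

```python
import re
from html.parser import HTMLParser

# Constructed sample response (headers as returned by `curl -s -D -`, plus an HTML
# body); example.com and the component versions shown are made up for this demo.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.2" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentythree/style.css?ver=1.1" />
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7.7"></script>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>"""

ASSET_RE = re.compile(r"/wp-content/(plugins|themes)/([^/?]+)/.*?[?&]ver=([\w.\-]+)")
VER_RE = re.compile(r"[?&]ver=([\w.\-]+)")

class _VersionCollector(HTMLParser):
    """Collect (component, version) pairs from <meta generator> and ?ver= asset URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator" and a.get("content"):
            self.findings.append(("generator", a["content"]))
        url = a.get("href") or a.get("src") or ""
        if m := ASSET_RE.search(url):                                # plugin/theme asset
            self.findings.append((f"{m.group(1)[:-1]}:{m.group(2)}", m.group(3)))
        elif "/wp-includes/" in url and (m := VER_RE.search(url)):  # core asset
            self.findings.append(("core-asset", m.group(1)))

def find_version_leaks(headers, html):
    """Return every version string a response leaks: Server / X-Powered-By banners
    (what the curl one-liner greps for), the generator tag, and ?ver= query strings."""
    leaks = [(name, value) for name, value in headers.items()
             if name.lower() in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value)]
    collector = _VersionCollector()
    collector.feed(html)
    return leaks + collector.findings

if __name__ == "__main__":
    for component, version in find_version_leaks(SAMPLE_HEADERS, SAMPLE_HTML):
        print(f"{component}: {version}")
```

Every pair it prints is a string you can remove or generalise (strip ServerTokens, expose_php, the generator tag and asset version parameters) before an attacker matches it against a vulnerability database.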

WordPress Username Enumeration: An Open Book to Attackers

Usernames are often overlooked in security audits. However, easy-to-guess or enumerable usernames can facilitate brute force attacks, making it a crucial aspect to address in your penetration testing.


Web Server Misconfigurations: The Silent Killers

Directory Listing and Its Security Implications

The Hazard of Enabled Directory Listing

Directory listing may seem like a harmless feature, but it can expose sensitive files and directories to attackers. Disabling directory listing should be a standard practice in web server configuration.

Backup Files: A Goldmine for Attackers

Backup files often contain sensitive information and can be a treasure trove for cybercriminals. Secure them appropriately to prevent unauthorized access.

Temporary Files: Not So Temporary After All

Temporary files, often overlooked, can contain a wealth of sensitive information. Proper file permissions and regular clean-ups are crucial for securing these files.

Exposed MySQL Databases: An Open Invitation

An exposed MySQL database can spell disaster. Secure your databases with strong passwords, and limit access to authorized IPs to minimize risks.

Running Unnecessary Services: Less Is More

Every additional service running on your server increases your attack surface. Disable any service not crucial for your website’s functionality to minimize potential entry points for attackers.

Penetration testing is an ongoing process, not a one-off task. With the cybersecurity landscape constantly evolving, staying proactive in identifying and patching vulnerabilities is key.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
