
Main WordPress Files
index
license.txt contains useful information such as the version WordPress installed.
wp-activate.php is used for the email activation process when setting up a new WordPress site.
Login folders (may be renamed to hide it):
/wp-admin/login
/wp-admin/wp-login
/login
/wp-login
xmlrpc is a file that represents a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.
The wp-content folder is the main directory where plugins and themes are stored.
wp-content/uploads/ Is the directory where any files uploaded to the platform are stored.
wp-includes/ This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
wp-sitemap.xml In Wordpress versions 5.5 and greater, Worpress generates a sitemap XML file with all public posts and publicly queryable post types and taxonomies.
Post exploitation
The wp-config.php file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting.
Users Permissions
Administrator
Editor: Publish and manages his and others posts
Author: Publish and manage his own posts
Contributor: Write and manage his posts but cannot publish them
Subscriber: Browser posts and edit their profile
wpscan --url yourwebsite
Running the command above will perform a basic scan of your site. After a few minutes, you’ll have a whole bunch of “Interesting Findings” that WPScan discovered from your site’s code. That could include information like:
Headers to discover server information
Accessibility of xmlrpc.php
Accessibility of wp-cron.php
WordPress version
Active theme and its basic information
Active plugins and their basic information
Discoverable Config backups
When enumerating the WordPress version, installed plugins or installed themes, you can use three different "modes", which are:
passive
aggressive
mixed
If you want the most results use the "mixed" mode. However, if you are worried that the server may not be able to handle a large number of requests, use the "passive" mode. The default mode is "mixed", with the exception of plugin enumeration, which is "passive". You will need to manually override the plugin detection mode, if you want to use anything other than the default, with the --plugins-detection option.
WPScan can enumerate various things from a remote WordPress application, such as plugins, themes, usernames, backed up files wp-config files, Timthumb files, database exports and more. To use WPScan's enumeration capabilities supply the -e option.
The following enumeration options exist:
vp (Vulnerable plugins)
ap (All plugins)
p (Popular plugins)
vt (Vulnerable themes)
at (All themes)
t (Popular themes)
tt (Timthumbs)
cb (Config backups)
dbe (Db exports)
u (User IDs range. e.g: u1-5)
m (Media IDs range. e.g m1-15)
If no option is supplied to the -e flag, then the default will be: vp,vt,tt,cb,dbe,u,m
wpscan --url yourwebsite -e u
wpscan --url yourwebsite -e --passwords password.txt
You can probably guess what the “u” stands for.
WPScan will use a few different techniques to do its own guessing: determining usernames based on the information available publicly on your site (i.e. author names). WordPress will tip its hands in some subtle ways as WPScan probes those guesses. (The blacked out content below are discovered user IDs.)
Why does user enumeration work on WordPress?
By default, WordPress is prone to user enumeration. This is because of permalinks, a feature that provides permanent URLs to individual WordPress posts and pages.
Notably, WordPress lets you list all posts by a specific author’s username or ID, which could be exploited by attackers to identify valid usernames. This is where WPScan’s enumeration tool comes in handy, as it quickly checks if your WordPress site is susceptible to user enumeration.
Attackers strive to collect information about the targeted website, like usernames, plugin names, their versions, themes, and other factors. Knowing usernames alone might not enable an attacker to breach your site, but this information can aid them in crafting their attack strategy.
use auxiliary/scanner/http/wordpress_scanner
show options
set rhost
set targeturi (if it is in another directory)
run
use auxiliary/scanner/http/wordpress_login_enum
show options
set rhost
set targeturi (if it is in another directory)
run
Assuming we have no idea about any user credentials on the target machine, the first thing to do is enumerating and validating usernames. So set “bruteforce” option to false as shown below.
#function.php
if (!is_admin()) {
// default URL format
if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die(); add_filter('redirect_canonical', 'shapeSpace_check_enum', 10, 2);
}
function shapeSpace_check_enum($redirect, $request) {
// permalink URL format
if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die(); else return $redirect;
}
#.htaccess
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* ? [L,R=302]
</IfModule>
In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.
Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.
However, some 1-click WordPress installers, still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.
Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.
Create a new admin username and delete the old one.
Use the Username Changer plugin
Update username from phpMyAdmin
define( 'DISALLOW_FILE_MODS', true ); //disables both file editor and installer
Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.
You can do this by opening a text editor like Notepad and paste this code:
<Files *.php>
deny from all
</Files>
Next, you need to save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client.
For more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Logged in users can sometimes wander away from screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.
This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.
You will need to install and activate the Inactive Logout plugin. Upon activation, visit Settings » Inactive Logout page to configure plugin settings.
Simply set the time duration and add a logout message. Don’t forget to click on the save changes button to store your settings.
Benefits
There are a lot of different places to increase the security of a site, but the WordPress Security Team has said that “The weakest link in the security of anything you do online is your password,” so it makes sense to put energy into strengthening that aspect of your site.
Drawbacks
As the name implies, two-step authentication is adding a step to a process that can already be long and painful. While most very high-security logins are protected by two-step authentication today, most consumer applications barely offer it as an option if they offer it at all. This is because users are less likely to sign up for and log in to a service if it is more difficult.
Two-step authentication can also prevent legitimate logins. If a user forgets their phone at home and has two-step authentication enabled, then they won’t be able to access their account. This is one of the main reasons why smartphones have been useful for two-step authentication — users are more likely to be carrying their phones than almost anything else.
Plugins for Two-Step Authentication
You can search for two-step authentication plugins available in the WordPress.org plugin repository. Here are some of the most popular ones to get you started (in alphabetical order):
Duo
Google Authenticator
Rublon
Two-Factor
WordFence
Consider using a security plugin like Wordfence or Sucuri. These plugins can help with firewall protection, malware scanning, and other security features.
WordPress is one of the most popular content management systems on the web, powering millions of websites. However, its widespread use also makes it a prime target for hackers. In this comprehensive course, you will learn the ins and outs of WordPress security from both offensive and defensive perspectives.
The first part of the course will focus on ethical hacking techniques specific to WordPress. You will delve into the mindset of malicious actors, learning how they exploit vulnerabilities to compromise WordPress sites. Through hands-on labs and exercises, you will master common attack vectors such as Remote Code Execution (RCE), Local File Inclusion (LFI), and brute force attacks. By understanding how hackers operate, you will be better equipped to anticipate and defend against their tactics.
In the second part of the course, you will explore strategies for hardening WordPress sites against cyber threats. You will learn best practices for securing WordPress installations, themes, and plugins. Topics covered will include configuring secure user authentication, implementing HTTPS, and employing web application firewalls (WAFs) to safeguard against known vulnerabilities. Additionally, you will learn how to conduct security audits and implement security monitoring to detect and respond to suspicious activity.
By the end of this course, you will have the knowledge and skills to ethically hack WordPress sites to identify vulnerabilities and weaknesses, as well as the expertise to harden those sites to mitigate the risk of exploitation. Whether you are a WordPress developer, administrator, or security professional, this course will empower you to protect WordPress sites from cyber threats effectively.