General Info for Testing WordPress Sites
References
- HackTricks on WordPress Testing
- WordPress' Own API Docs
- Astra Blog on WordPress Testing
Other Pages in the bhis_kb:
(some of what’s here was copied from these)
- Isaac’s WordPress
- Phil’s XMLRPC bit
- Cameron’s got a bit in Web Apps
- Jack does, too: Web App Test Checklist
Scanning with wpscan
wpscan should already be installed on DO kali nodes.
# run basic scan
wpscan --url <targetdomain.tld> --random-user-agent
# do all the fancy-schmancy stuff (-e takes enumeration options such as u = users, vp = vulnerable plugins, ap = all plugins, vt = vulnerable themes, cb = config backups, dbe = DB exports)
wpscan --url <targetdomain.tld> --ua "<Custom User agent>" -e <enumeration options or none> --api-key <bhis api key>
Sometimes wpscan fails to detect WordPress at all if you don't give it a "real" (browser-looking) user agent string, because some hosts and WAFs serve different content or block outright on non-browser UAs. The --api-key pulls vulnerability data from the WPScan vulnerability database for the plugins/themes/versions it finds; without it you still get the enumeration, just no vuln matching. Always Give A Real User Agent String to Any HTTP Scanner.
Enumerate Users and API Routes
Since WordPress 4.7 the REST API lists, to unauthenticated users and by default, every user who has authored published content. That normally includes the admin account(s), since they usually wrote the first posts; an admin that has never published anything will not show up this way. The "slug" field is usually the login name (it defaults to the username), which is what you want for password spraying; "name" is only the display name.
- Grab the users with a single request to /wp-json/wp/v2/users?per_page=100 (100 is the cap; page with &page=2, &page=3, ... and check the X-WP-TotalPages response header to know when to stop).
- You can also get a list of routes that are published from the /wp-json/ endpoint. Routes outside the core wp/v2 namespace generally belong to plugins, which tells you what's installed even if the plugin directory listing is blocked.
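Added example (not from the original KB page or any of the pages it cites): a small Python script that does the two things above, walking /wp-json/wp/v2/users page by page and pulling the namespaces and routes out of /wp-json/. The JSON samples embedded in it are constructed to mirror the shape of real WordPress responses; the host example.test, the users in it and the "acme-forms/v1" namespace are made up, and the CORE_NAMESPACES set is my own list of what ships with core, not something WordPress publishes.

```python
"""Enumerate WordPress users and REST routes through /wp-json.

Added example, not code from the original page. Sample responses below are
constructed; hostnames, users and the plugin namespace are invented.
"""
import json
import urllib.request
from typing import Any, Dict, List, Tuple

# Assumption: a browser-looking UA, because some hosts/WAFs answer differently to
# obvious tooling UAs (same reason wpscan needs a real one).
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")
PER_PAGE = 100  # WordPress caps per_page at 100 on this endpoint

# Namespaces that core itself registers (my list, so treat anything outside it as
# "probably a plugin or theme", not as gospel).
CORE_NAMESPACES = {"wp/v2", "oembed/1.0", "wp-site-health/v1", "wp-block-editor/v1"}


def users_url(base: str, page: int = 1, per_page: int = PER_PAGE) -> str:
    """Paginated users URL, e.g. https://host/wp-json/wp/v2/users?per_page=100&page=2."""
    return f"{base.rstrip('/')}/wp-json/wp/v2/users?per_page={per_page}&page={page}"


def parse_users(body: str) -> List[Tuple[int, str, str]]:
    """Return (id, slug, display name) per user object; [] on a REST error object."""
    data = json.loads(body)
    if isinstance(data, dict) and "code" in data:
        return []  # e.g. {"code":"rest_user_cannot_view",...} when the site hides users
    return [(u["id"], u["slug"], u.get("name", "")) for u in data]


def parse_routes(body: str) -> Dict[str, List[str]]:
    """Map every route in the /wp-json/ index to its sorted HTTP methods."""
    index = json.loads(body)
    return {route: sorted(info.get("methods", []))
            for route, info in index.get("routes", {}).items()}


def plugin_namespaces(body: str) -> List[str]:
    """Namespaces in the /wp-json/ index that core does not register (likely plugins)."""
    index = json.loads(body)
    return sorted(ns for ns in index.get("namespaces", []) if ns not in CORE_NAMESPACES)


def fetch(url: str) -> Tuple[str, Any]:
    """GET url with a browser UA; returns (body, headers). Headers are case-insensitive."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace"), resp.headers


def enumerate_users(base: str) -> List[Tuple[int, str, str]]:
    """Walk all pages of the users endpoint, stopping at X-WP-TotalPages."""
    found: List[Tuple[int, str, str]] = []
    page = 1
    while True:
        body, headers = fetch(users_url(base, page))
        batch = parse_users(body)
        found.extend(batch)
        total_pages = int(headers.get("X-WP-TotalPages", "1"))
        if not batch or page >= total_pages:
            return found
        page += 1


# Constructed sample responses (shape matches WordPress, content is invented).
SAMPLE_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.test/author/admin/"},
    {"id": 7, "name": "Pat Writer", "slug": "pwriter",
     "link": "https://example.test/author/pwriter/"},
])
SAMPLE_INDEX = json.dumps({
    "name": "Example Site",
    "namespaces": ["oembed/1.0", "wp/v2", "wp-site-health/v1", "acme-forms/v1"],
    "routes": {
        "/": {"methods": ["GET"]},
        "/wp/v2/users": {"methods": ["GET", "POST"]},
        "/acme-forms/v1/submissions": {"methods": ["POST", "GET"]},
    },
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode: python3 wp_enum.py https://target.tld
        base = sys.argv[1]
        for uid, slug, name in enumerate_users(base):
            print(f"user {uid}: {slug} ({name})")
        index_body, _ = fetch(base.rstrip("/") + "/wp-json/")
        print("non-core namespaces:", plugin_namespaces(index_body))
    else:  # offline demo on the constructed samples
        print(parse_users(SAMPLE_USERS))
        print(plugin_namespaces(SAMPLE_INDEX))
        print(parse_routes(SAMPLE_INDEX))
```

Run it with a base URL to hit a real target, or with no arguments to see it work on the embedded samples. The slugs are what go into a spray list; the non-core namespaces go into your plugin review.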
Find Where a WordPress Site is Hosted
https://wordpress.com/site-profiler e.g. https://wordpress.com/site-profiler/blackhillsinfosec.com
...among other things, it will "Access the essential information about any site, including hosting provider, domain details, and contact information."
The "where hosted" thing is only so reliable. It says that microsoft.com is "not on WordPress.com, but they could be!", for example. It's not wrong, but microsoft.com is also (probably) not even running WordPress at all.