Beginner | How To Do Penetration Testing of Your WordPress Websites

In this tutorial, we will cover some beginner-level penetration testing of a WordPress website. Before going further, please go through the Disclaimer.

“This article is only for an educational and testing purpose. Any actions and/or activities related to the material contained on this Website are solely your responsibility. The misuse of the information on this website can result in criminal charges brought against the persons in question. The authors and Securityleaks will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.”

WordPress is an online open source website creation tool written in PHP. It is the easiest and most powerful blogging and website content management system in existence today. It is web publishing software you can use to create your own website and blog. Today it powers nearly 30 percent of the entire web, from blogs to the biggest news sites online. WordPress installations regularly need security improvements, so penetration testing of WordPress is essential to find vulnerabilities and to secure a WordPress website or blog.


WordPress Penetration with Wpscan

Wpscan is created by open source volunteers led by Ryan Dewhurst. It is written in Ruby and is a vulnerability scanner designed specifically for WordPress. It is very simple to use and effective. It comes preinstalled with BlackArch Linux, Kali Linux, Pentoo and BackBox Linux, and it does not support Windows. Some commands of Wpscan are listed below. In the commands, <target-url> is a placeholder for the address of the site you are authorised to test.

To Run a Quick Scan of a WordPress Website

ruby wpscan.rb --url <target-url>

This command will perform a quick scan of the website to identify the active theme and basic issues.

Checking Vulnerable Plugins

ruby wpscan.rb --url <target-url> --enumerate vp

Red exclamation icons mark vulnerable plugins, together with references to further information. These plugins should be updated or removed, and the references followed up to understand each issue.

To Enumerate WordPress Plugins and Themes

  • Plugins

ruby ./wpscan.rb --url <target-url> --enumerate p

  • Themes

ruby ./wpscan.rb --url <target-url> --enumerate t


To Enumerate WordPress Users

ruby ./wpscan.rb --url <target-url> --enumerate u

To Launch a Brute-Force Attack

ruby ./wpscan.rb --url <target-url> --wordlist password.txt --username admin


To Enumerate TimThumb Files

ruby ./wpscan.rb --url <target-url> --enumerate tt

Penetration testing is the act of analysing your WordPress website to find vulnerabilities that an attacker might exploit. Here we have shown some WordPress pentesting commands executed through the wpscan scanner, covering the checks that should be run against any WordPress-powered website.
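The scan output only becomes useful once someone decides what to do with each finding. The following added example (not part of the original post and not code from the wpscan project) shows how a site owner might triage a wpscan report: it flags plugins and themes whose installed version is below the version the advisory says fixed the issue, treats findings with an unknown version as needing manual review, and notes hygiene problems such as an enumerable user list and a default "admin" account. It assumes that wpscan has been run with "--format json -o report.json" (an option of wpscan 3.x) and that the report uses the "plugins"/"themes"/"users" layout sketched in the constructed sample; adjust the key names if your wpscan version writes something different.

```python
"""Triage a wpscan JSON report from a defender's point of view.

Assumption (not from the original post): the report layout used here
(plugins -> version.number, vulnerabilities[].title / fixed_in, users)
is modelled on the wpscan 3.x JSON output; the sample below is constructed.
"""
import json

# Constructed sample report with placeholder plugin slugs and made-up titles.
SAMPLE_REPORT = json.dumps({
    "version": {"number": "4.9.8", "status": "insecure"},
    "plugins": {
        "example-forms": {  # installed version is below the fix: needs update
            "version": {"number": "1.2.0"},
            "vulnerabilities": [
                {"title": "constructed: example-forms < 1.3.0 - Stored XSS",
                 "fixed_in": "1.3.0",
                 "references": {"url": ["https://example.invalid/advisory/1"]}}]},
        "example-cache": {  # already newer than fixed_in: likely a false positive
            "version": {"number": "2.5"},
            "vulnerabilities": [
                {"title": "constructed: example-cache < 2.4.1 - CSRF",
                 "fixed_in": "2.4.1"}]},
        "example-slider": {  # version could not be detected: review by hand
            "version": None,
            "vulnerabilities": [
                {"title": "constructed: example-slider - RCE", "fixed_in": "3.0"}]},
    },
    "themes": {"example-theme": {"version": {"number": "1.0"}, "vulnerabilities": []}},
    "users": {"admin": {"id": 1}, "editor": {"id": 2}},
})


def version_tuple(version):
    """Turn '1.2.0' into (1, 2, 0); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_older(installed, fixed_in):
    """True when the installed version is strictly below fixed_in."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage(report_json):
    """Return a list of findings, each a dict with component, action and title."""
    report = json.loads(report_json)
    findings = []

    core = report.get("version") or {}
    if core.get("status") == "insecure":
        findings.append({"component": "wordpress-core", "installed": core.get("number"),
                         "fixed_in": None, "action": "update",
                         "title": "WordPress core version flagged as insecure"})

    for kind in ("plugins", "themes"):
        for slug, info in (report.get(kind) or {}).items():
            installed = (info.get("version") or {}).get("number")
            for vuln in info.get("vulnerabilities") or []:
                fixed_in = vuln.get("fixed_in")
                if installed is None or fixed_in is None:
                    action = "review"   # cannot compare versions: verify manually
                elif is_older(installed, fixed_in):
                    action = "update"   # installed version predates the fix
                else:
                    action = "ok"       # fix already applied; probably a stale match
                findings.append({"component": f"{kind[:-1]}:{slug}", "installed": installed,
                                 "fixed_in": fixed_in, "action": action,
                                 "title": vuln.get("title", "")})

    users = report.get("users") or {}
    if users:
        findings.append({"component": "users", "installed": None, "fixed_in": None,
                         "action": "harden",
                         "title": "usernames enumerable: " + ", ".join(sorted(users))})
    if "admin" in users:
        findings.append({"component": "users", "installed": "admin", "fixed_in": None,
                         "action": "rename", "title": "default 'admin' account present"})
    return findings


def actions_required(findings):
    """Components that need work, i.e. everything not marked 'ok'."""
    return sorted({f["component"] for f in findings if f["action"] != "ok"})


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f['action']:7} {f['component']:22} {f['title']}")
```

Run against a real report with "triage(open('report.json').read())". The version comparison is deliberately simple (numeric dotted versions only); a plugin reporting a version such as "1.2-beta" ends up compared as 1.2.0, so keep an eye on the "review" and "ok" rows rather than trusting them blindly.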

Stay tuned for advanced tutorials.

Ashwini Gurne

Ashwini Gurne is a software developer and also a contributor for Security leaks. As a contributor, her aim is to work on the latest technologies and to spread cyber awareness among the general public.
