πŸ“˜Part I – Introduction

What is WordPress?

WordPress is the most widely used Content Management System (CMS) in the world. Launched in 2003, it began as a simple blogging platform but has grown into a powerful framework used for:

  • Personal blogs and portfolios

  • Company websites

  • News portals

  • Online shops (via WooCommerce)

  • Membership sites and forums

Today, WordPress powers over 40% of all websites on the internet.

Key Characteristics

  • Open-source: Free to use, modify, and distribute.

  • Technology stack: Built with PHP and typically paired with MySQL or MariaDB for its database.

  • User-friendly: Non-technical users can manage websites via an easy admin dashboard.

  • Extendable: Over 60,000 plugins and thousands of themes provide customization and features.

  • APIs: REST API and XML-RPC allow programmatic interaction, automation, and integrations.

This popularity makes WordPress not just a useful platform for web development, but also a prime target for attackers and pentesters.

Why Hack WordPress?

With such a massive user base, WordPress is one of the most attacked platforms in the world. Both malicious hackers and ethical hackers (pentesters, researchers, bug bounty hunters) have strong reasons to study it.

Why Attackers Target WordPress

  • Scale: Exploit one bug in a plugin, potentially compromise thousands of sites.

  • Sensitive data: User credentials, emails, financial data.

  • Privilege escalation: From normal user β†’ admin β†’ full server control.

  • Weaponization:

    • Host phishing kits or malware.

    • Inject spam links into posts.

    • Use compromised servers in botnets.

Why Pentesters Study WordPress

  • Real-world relevance: Most companies or clients use it.

  • Training ground: Great for learning web app pentesting (SQLi, XSS, RCE).

  • Certifications & Bug Bounties: Many CTFs, HackTheBox machines, and bug bounty programs involve WordPress.

  • Defensive hardening: By learning how it breaks, you can better secure it.

πŸ‘‰ In this book, we will always approach hacking WordPress ethically, using labs, Hack The Box machines, and safe environments to practice.

WordPress Architecture & Attack Surface

To hack WordPress effectively, you must understand how it is structured. WordPress is modular, which means vulnerabilities can appear in different layers.

Core

  • Contains the main WordPress files (/wp-admin/, /wp-includes/).

  • Rarely has critical vulnerabilities since patches are quickly released.

  • Still important: outdated installations remain common.

Themes

  • Define the look and feel of a site.

  • Can include PHP code in templates (e.g., functions.php, 404.php).

  • Poorly coded or outdated themes may lead to RCE (Remote Code Execution) or LFI (Local File Inclusion).

Plugins

  • Extend functionality (SEO tools, contact forms, e-commerce, etc.).

  • Biggest attack surface: most WP hacks come from plugins.

  • Common flaws:

    • SQL Injection

    • Cross-Site Scripting (XSS)

    • Arbitrary File Upload

    • Authentication Bypass

Database (MySQL / MariaDB)

  • Stores all posts, users, settings.

  • Weak credentials or SQL injection can expose sensitive data.

Authentication

  • wp-login.php, XML-RPC, and REST API endpoints.

  • Targets: brute force, credential stuffing, weak passwords, session hijacking.

File Uploads & Media

  • /wp-content/uploads/ is often writable.

  • Misconfigurations may allow malicious PHP uploads.

Hosting & Server Config

  • Misconfigured Apache/Nginx, PHP versions, or file permissions.

  • Outdated software may open additional attack vectors.

External Integrations

  • Payment gateways, analytics, email services, APIs.

  • Vulnerable third-party code can compromise WordPress.

PreviousHomeNextβš™οΈ Lab Setup Guide

Last updated