Part II - Enumeration
Enumeration is the first step after discovery. Once a target is identified as WordPress, the next move is to gather as much information as possible about its version, plugins, themes, users, and configurations. This information helps attackers (and pentesters) plan exploitation attempts.
Keep in mind:
Your site URL: https://[ip-vm]/wordpress/
Admin Panel: https://[ip-vm]/wordpress/wp-admin
Fingerprinting WordPress
Fingerprinting means detecting whether a website is running WordPress and what version it uses.
Techniques:
Look for common paths:
/wp-login.php
/wp-admin/
/wp-content/
/xmlrpc.php
/wp-login/
/wp-admin.php
/login/
Important Note
If you followed my WordPress setup, remember that the admin panel is not located at:
https://[VM-IP]/wp-admin
Instead, you must access it through:
https://[VM-IP]/wordpress/wp-admin
This is because we installed WordPress inside the /wordpress/ directory rather than the web root.
Inspect HTML source code for:
meta name="generator" content="WordPress x.x.x"
Right-click on the WordPress site --> Inspect --> Ctrl+F --> meta
WordPress-specific CSS/JS paths (e.g., /wp-includes/)
In the top red box (search bar labeled meta), you can confirm the presence of WordPress.
In the second red box, you'll see the /wordpress/ directory, which tells you the site is not in the root folder.
In the third red box, you can identify the WordPress version, which is useful for enumeration and vulnerability research.

Use online services/tools:
Wappalyzer is a browser extension that helps you quickly identify the technologies used by a website.
Detects CMS platforms (e.g., WordPress, Joomla, Drupal).
Shows frameworks, JavaScript libraries, analytics tools, and more.
Can often reveal the WordPress version, which is valuable during enumeration.
Easy to use and highly recommended for both beginners and professionals.

Output:
Finding Themes & Plugins
Themes and plugins are often the weakest link in WordPress security. Many vulnerabilities stem not from WordPress Core itself but from outdated or poorly coded themes and plugins. That's why detecting them during enumeration is so important.
Note for your lab setup: You won't see any plugins here because we didn't install any in our WordPress lab environment. In a real-world target, however, plugins are usually present and are prime attack vectors.
Manual Methods
Themes usually live in:
Plugins usually live in:
Example:
Page Source Inspection
Open the website in a browser → right-click → View Source.
Look for wp-content/plugins/ or wp-content/themes/ references in:
CSS/JS includes
Image paths
Comments left by developers

Extract Versions from Assets
Change "https://wordpress.org/support/article/pages/" to your target.
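The manual checks above (generator meta tag, wp-content/themes/ and wp-content/plugins/ references, version strings on assets) can be run over a saved page source to see what your own lab site discloses. This is an added example, not part of the original guide; the sample HTML, the lab.example host, and the example-theme and example-forms slugs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample page source for a lab install under /wordpress/ (not a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://lab.example/wordpress/wp-content/themes/example-theme/style.css?ver=1.0" />
<script src="https://lab.example/wordpress/wp-content/plugins/example-forms/includes/js/index.js?ver=5.8.4"></script>
<script src="https://lab.example/wordpress/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<img src="/wordpress/wp-content/plugins/example-forms/images/logo.png" />
</head></html>"""

# <meta name="generator" content="WordPress x.x.x">
GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s*([\d.]*)["\']',
    re.I)
# [prefix]/wp-content/(themes|plugins)/<slug>/<file>[?ver=<version>]
ASSET_RE = re.compile(
    r'["\'(]([^"\'()\s]*?)/wp-content/(themes|plugins)/([A-Za-z0-9_.-]+)/'
    r'[^"\'()\s?]*(?:\?ver=([\w.-]+))?')


def fingerprint(html):
    """Return what a page's HTML source discloses about a WordPress install."""
    report = {"core_version": None, "install_paths": set(),
              "themes": defaultdict(set), "plugins": defaultdict(set)}
    match = GENERATOR_RE.search(html)
    if match:
        report["core_version"] = match.group(1) or "unknown"
    for prefix, kind, slug, ver in ASSET_RE.findall(html):
        # Drop scheme and host so only the install directory remains.
        report["install_paths"].add(re.sub(r'^(?:https?:)?//[^/]+', '', prefix) or "/")
        versions = report[kind][slug]  # records the slug even without a version
        if ver:
            versions.add(ver)
    return report


if __name__ == "__main__":
    result = fingerprint(SAMPLE_HTML)
    print("core version :", result["core_version"])
    print("install paths:", sorted(result["install_paths"]))
    for kind in ("themes", "plugins"):
        for slug, versions in sorted(result[kind].items()):
            print(f"{kind[:-1]:6} {slug}: {sorted(versions) or 'version not exposed'}")
```

A ?ver= value equal to the core version usually means the asset was enqueued without its own version, so it reflects WordPress Core rather than the plugin or theme.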
WPScan & Other Tools
WPScan is the go-to framework for WordPress enumeration. It leverages a large vulnerability database and makes detection efficient.
Install WPScan
Basic Usage
Enumerate Plugins:
Enumerate Users:
Other Useful Tools:
whatweb - quick tech fingerprinting
nmap + http-wordpress-enum.nse - plugin/theme enumeration
gobuster / dirsearch - brute-forcing hidden paths
Recommended HTB Boxes for WordPress Enumeration
A WordPress instance running on the machine, with accessible directories like /plugins/ for enumeration.
Features a vulnerable WordPress installation along with a specific vulnerable plugin that you can identify during enumeration.
A retired HTB machine hosting WordPress. Enumeration tools can reveal key details like user accounts and version numbers.