WordPress

Checklist

  • Run WPScan (wpscan)
  • Check XML-RPC
  • Check WP-JSON
  • Enumerate Users
    • Fuzz example.com/?author=HERE
    • Request example.com/wp-json/wp/v2/users
  • Brute Force Passwords Of Known Users
    • wpscan --url https://www.example.com --wordlist wordlist.txt --username admin
  • Check For Directory Listing
    • https://www.example.com/wp-includes
    • https://www.example.com/wp-content/uploads
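The defender's counterpart to the checklist above, as an added example that is not part of the original page: a WordPress must-use plugin that closes the three enumeration paths the list probes (XML-RPC, the wp-json users endpoint, and ?author= redirects). The file name and the mu-plugins location are assumptions; the hooks and filters used (xmlrpc_enabled, rest_endpoints, template_redirect) are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Harden enumeration surface (example, not part of the original checklist)
Description: Drop this file into wp-content/mu-plugins/ (assumed location); mu-plugins load without activation.
*/

// "Check XML-RPC": disable XML-RPC entirely. Pingbacks and the legacy
// mobile-app API stop working; the REST API is unaffected.
add_filter( 'xmlrpc_enabled', '__return_false' );

// "Request /wp-json/wp/v2/users": remove the user routes for anonymous
// callers only, so the block editor and wp-admin (which are logged in)
// keep working.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// "Fuzz ?author=N": WordPress normally answers with a 301 to
// /author/<login>/, leaking the username in the Location header.
// Priority 1 runs before redirect_canonical() (priority 10), so the
// canonical redirect never fires; anonymous callers go to the home page.
add_action( 'template_redirect', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
```

The last checklist item, directory listing under wp-includes and wp-content/uploads, is a web-server setting rather than a WordPress one: Options -Indexes in the Apache vhost or .htaccess, or autoindex off in nginx. Re-run the checklist after deploying the plugin; ?author=1 should return a 301 to the home page, /wp-json/wp/v2/users should return a 404 rest_no_route error, and xmlrpc.php should report that XML-RPC is disabled.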