WordPress Enumeration Before Exploitation: A Step-by-Step Guide for Security Professionals
When it comes to assessing the security posture of a WordPress site, enumeration is often the first and most critical phase before any exploitation attempts. Enumeration allows security professionals to collect information about the target system, identify potential weaknesses, and reduce the risk of “blind” attacks that can cause unnecessary noise or damage.
In this post, we’ll walk through a step-by-step approach to WordPress enumeration, focusing on ethical and responsible penetration testing practices.
Why Enumeration Matters
WordPress powers more than 40% of all websites worldwide. This dominance makes it a prime target for attackers. However, not every WordPress site is the same—different plugins, themes, configurations, and versions introduce unique attack surfaces.
Enumeration provides:
- A map of the terrain (users, plugins, themes, versions).
- Clues for known vulnerabilities that may apply.
- A safer approach to testing, minimizing accidental disruptions.
Step 1: Reconnaissance
Before touching the target directly, start with passive reconnaissance:
- Use search engines to find cached pages and indexed directories.
- Check WHOIS information for ownership and hosting details.
- Use services like BuiltWith or Wappalyzer to detect if the target is indeed running WordPress and which plugins may be exposed.
Step 2: Identify the WordPress Version
Knowing the WordPress version helps determine if the site is vulnerable to specific exploits. Common methods include:
- Meta tags:
<meta name="generator" content="WordPress 6.5" />
- Readme files: /readme.html sometimes reveals the version.
- RSS feeds: Version numbers often appear in RSS generator tags.
Using WPScan:
wpscan --url https://targetsite.com --enumerate v
Step 3: User Enumeration
Usernames are the keys to authentication attacks (like brute force).
Common methods include:
- Author archives: Visiting /?author=1 may redirect to /author/admin/.
- REST API:
curl https://targetsite.com/wp-json/wp/v2/users
- XML-RPC interface: Can leak usernames.
WPScan example:
wpscan --url https://targetsite.com --enumerate u
Step 4: Plugin Enumeration
Plugins are the most common entry points for attackers.
- Check /wp-content/plugins/ (if directory listing is enabled).
- Inspect page source code for plugin-related scripts and stylesheets.
- Using WPScan:
wpscan --url https://targetsite.com --enumerate p
Step 5: Theme Enumeration
Themes can contain insecure code or outdated frameworks. Look for:
- /wp-content/themes/ for directory listings.
- CSS files with version comments.
- Source code references.
Using WPScan:
wpscan --url https://targetsite.com --enumerate t
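As an added example (not part of the original post), a small Python fingerprinter that applies the checks from Steps 2 to 5 to HTML and REST output you have already fetched, so you can see exactly what a site discloses before deciding what to harden. The page HTML, the plugin and theme slugs, and the /wp-json/wp/v2/users bodies below are constructed sample data, and the hostname example.test is a placeholder.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The two HTML artefacts Steps 2-5 rely on: the generator meta tag and wp-content asset paths.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]+)"', re.I)
ASSET_RE = re.compile(r"wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^\"'\s<>]*", re.I)


def fingerprint_html(html):
    """Extract the core version plus plugin/theme slugs (with any ?ver= value) from one page's HTML."""
    report = {"version": None, "plugins": {}, "themes": {}}
    match = GENERATOR_RE.search(html)
    if match:
        report["version"] = match.group(1)
    for match in ASSET_RE.finditer(html):
        kind, slug = match.group(1).lower(), match.group(2).lower()
        # WordPress appends ?ver=<version> to enqueued assets; keep the first non-empty value per slug.
        ver = parse_qs(urlsplit(match.group(0)).query).get("ver", [None])[0]
        if report[kind].get(slug) is None:
            report[kind][slug] = ver
    return report


def users_from_rest(body):
    """Parse a /wp-json/wp/v2/users body into (id, slug) pairs; a blocked endpoint yields []."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):  # a denied request returns a JSON error object, not a list
        return []
    return [(u.get("id"), u.get("slug")) for u in data if isinstance(u, dict)]


# Constructed sample input (slugs and versions are made up, not real plugins or themes).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.5" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/sample-theme/style.css?ver=1.1" />
<script src="https://example.test/wp-content/plugins/example-forms/js/index.js?ver=5.9.3"></script>
<script src="https://example.test/wp-content/plugins/sample-gallery/assets/gallery.js"></script>
<script src="https://example.test/wp-content/plugins/sample-gallery/assets/lightbox.js?ver=2.0.1"></script>
</head><body></body></html>"""
USERS_JSON = '[{"id": 1, "name": "Site Owner", "slug": "siteowner"}, {"id": 3, "name": "Editor", "slug": "editor"}]'
BLOCKED_JSON = '{"code": "rest_forbidden", "message": "constructed error body", "data": {"status": 401}}'

if __name__ == "__main__":
    print(json.dumps(fingerprint_html(SAMPLE_HTML), indent=2))
    print(users_from_rest(USERS_JSON), users_from_rest(BLOCKED_JSON))
```

Feed it the output of the curl commands from the cheat sheet; an empty report for your own site means the generator tag, asset version strings and public user listing have all been suppressed.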
Step 6: Detecting Exposed Configuration Files
Misconfigured sites sometimes leave sensitive files accessible:
- wp-config.php~ (backup files), .bak, .old, or .zip archives.
- Debug logs (debug.log) left in wp-content/.
Step 7: Brute Force Attack Surface Assessment
Check whether login endpoints are exposed and protected:
- /wp-login.php or /wp-admin/ should enforce rate limiting.
- Check if XML-RPC is enabled.
Step 8: Correlating with Vulnerability Databases
Cross-reference your findings with:
Conclusion
Enumeration is not just a prelude to exploitation—it’s the foundation of any responsible WordPress penetration test.
By systematically gathering information on versions, users, plugins, themes, and configurations, security professionals can:
- Pinpoint the most likely weaknesses.
- Avoid unnecessary noise during testing.
- Provide actionable insights for remediation.
In short: successful exploitation begins with meticulous enumeration.
WordPress Enumeration Cheat Sheet (Pre-Exploitation)
# Set your target once
export TARGET="https://targetsite.com"
# Quick Fingerprinting
curl -I "$TARGET"
whatweb -a 3 "$TARGET"
httpx -u "$TARGET" -title -tech-detect -web-server -status-code -location -ip
# Version Enumeration
curl -sL "$TARGET" | grep -iPo '(?<=<meta name="generator" content=")WordPress[^"]+'
wpscan --url "$TARGET" --enumerate v
# User Enumeration
curl -s "$TARGET/wp-json/wp/v2/users"
wpscan --url "$TARGET" --enumerate u
# Plugin Enumeration (pattern is double-quoted so the literal ' inside the character class does not end it)
curl -sL "$TARGET" | grep -oP "wp-content/plugins/[^/\"' ]+" | sort -u
wpscan --url "$TARGET" --enumerate p
# Theme Enumeration
curl -sL "$TARGET" | grep -oP "wp-content/themes/[^/\"' ]+" | sort -u
wpscan --url "$TARGET" --enumerate t
# Sensitive Files Check (a 200 means the backup is world-readable)
curl -s -o /dev/null -w "%{http_code}\n" "$TARGET/wp-config.php.bak"
Pro Tips
- Throttle noisy tools (--delay, --rate options).
- Always cross-check versions against WPScan DB or NVD.
- Log everything neatly for clean reporting.