Z
zebbern
@mayurrathi
⭐ 40.7k GitHub stars

Wordpress Penetration Testing

Wordpress Penetration Testing is an code AI skill with a core value of This skill should be used when the user asks to \"pentest WordPress sites\", \"scan WordPress for vulnerabilities\", \"enumerate WordPress users, themes, or plugins\", \"exploit WordPress vu. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

This skill should be used when the user asks to \"pentest WordPress sites\", \"scan WordPress for vulnerabilities\", \"enumerate WordPress users, themes, or plugins\", \"exploit WordPress vu...

Last verified on: 2026-07-08

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-08
Risk Level High
mkdir -p ./skills/wordpress-penetration-testing && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/wordpress-penetration-testing/SKILL.md -o ./skills/wordpress-penetration-testing/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# WordPress Penetration Testing


Purpose


Conduct comprehensive security assessments of WordPress installations including enumeration of users, themes, and plugins, vulnerability scanning, credential attacks, and exploitation techniques. WordPress powers approximately 35% of websites, making it a critical target for security testing.


Prerequisites


Required Tools

- WPScan (pre-installed in Kali Linux)

- Metasploit Framework

- Burp Suite or OWASP ZAP

- Nmap for initial discovery

- cURL or wget


Required Knowledge

- WordPress architecture and structure

- Web application testing fundamentals

- HTTP protocol understanding

- Common web vulnerabilities (OWASP Top 10)


Outputs and Deliverables


1. **WordPress Enumeration Report** - Version, themes, plugins, users

2. **Vulnerability Assessment** - Identified CVEs and misconfigurations

3. **Credential Assessment** - Weak password findings

4. **Exploitation Proof** - Shell access documentation


Core Workflow


Phase 1: WordPress Discovery


Identify WordPress installations:


bash
# Check for WordPress indicators
curl -s http://target.com | grep -i wordpress
curl -s http://target.com | grep -i "wp-content"
curl -s http://target.com | grep -i "wp-includes"

# Check common WordPress paths
curl -I http://target.com/wp-login.php
curl -I http://target.com/wp-admin/
curl -I http://target.com/wp-content/
curl -I http://target.com/xmlrpc.php

# Check meta generator tag
curl -s http://target.com | grep "generator"

# Nmap WordPress detection
nmap -p 80,443 --script http-wordpress-enum target.com

Key WordPress files and directories:

- `/wp-admin/` - Admin dashboard

- `/wp-login.php` - Login page

- `/wp-content/` - Themes, plugins, uploads

- `/wp-includes/` - Core files

- `/xmlrpc.php` - XML-RPC interface

- `/wp-config.php` - Configuration (not accessible if secure)

- `/readme.html` - Version information


Phase 2: Basic WPScan Enumeration


Comprehensive WordPress scanning with WPScan:


bash
# Basic scan
wpscan --url http://target.com/wordpress/

# With API token (for vulnerability data)
wpscan --url http://target.com --api-token YOUR_API_TOKEN

# Aggressive detection mode
wpscan --url http://target.com --detection-mode aggressive

# Output to file
wpscan --url http://target.com -o results.txt

# JSON output
wpscan --url http://target.com -f json -o results.json

# Verbose output
wpscan --url http://target.com -v

Phase 3: WordPress Version Detection


Identify WordPress version:


bash
# WPScan version detection
wpscan --url http://target.com

# Manual version checks
curl -s http://target.com/readme.html | grep -i version
curl -s http://target.com/feed/ | grep -i generator
curl -s http://target.com | grep "?ver="

# Check meta generator
curl -s http://target.com | grep 'name="generator"'

# Check RSS feeds
curl -s http://target.com/feed/
curl -s http://target.com/comments/feed/

Version sources:

- Meta generator tag in HTML

- readme.html file

- RSS/Atom feeds

- JavaScript/CSS file versions


Phase 4: Theme Enumeration


Identify installed themes:


bash
# Enumerate all themes
wpscan --url http://target.com -e at

# Enumerate vulnerable themes only
wpscan --url http://target.com -e vt

# Theme enumeration with detection mode
wpscan --url http://target.com -e at --plugins-detection aggressive

# Manual theme detection
curl -s http://target.com | grep "wp-content/themes/"
curl -s http://target.com/wp-content/themes/

Theme vulnerability checks:

bash
# Search for theme exploits
searchsploit wordpress theme <theme_name>

# Check theme version
curl -s http://target.com/wp-content/themes/<theme>/style.css | grep -i version
curl -s http://target.com/wp-content/themes/<theme>/readme.txt

Phase 5: Plugin Enumeration


Identify installed plugins:


bash
# Enumerate all plugins
wpscan --url http://target.com -e ap

# Enumerate vulnerable plugins only
wpscan --url http://target.com -e vp

# Aggressive plugin detection
wpscan --url http://tar

🎯 Best For

  • QA engineers
  • Developers writing unit tests
  • Claude users
  • Software engineers
  • Development teams

💡 Use Cases

  • Generating test cases for edge conditions
  • Writing integration test suites
  • Code quality improvement
  • Best practice enforcement

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Wordpress Penetration Testing to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

Is Wordpress Penetration Testing compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Wordpress Penetration Testing?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Wordpress Penetration Testing?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/wordpress-penetration-testing/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills