Last Updated on April 20, 2021 by monk
WordPress is undoubtedly the most popular CMS on the market today. A variety of factors, such as its beginner-friendly interface and open-source structure, have contributed to this success. However, on the internet, great popularity brings great security breaches. Each month, new vulnerabilities are uncovered in WordPress that could have compromised your site. The key to protecting your website is to find them before the hackers do by performing WordPress penetration testing. According to the book WordPress 3 Ultimate Security,
“Web security has no silver bullet. The threatscape is simply too vast, the vulnerabilities too numerous. Your risk stretches from the keyboard at your fingertips, through and out the back of your local machine, buzzing around its network, maybe through your phone, into the router, hopping across your web surfing, into the remote server, buzzing around that network, and jumping all over WordPress.”
This article explains what WordPress penetration testing is and how to perform it yourself using the open-source resources at your disposal.
What is WordPress Penetration Testing?
The basic idea behind WordPress penetration testing is to perform simulated attacks on your site. This is meant to uncover any potential vulnerabilities, which in turn helps in shaping the security policies of your WordPress website. Although this is the job of an expert, certain basic steps can be taken even by an average user to enhance the security of the site.
WordPress Penetration Testing: Prerequisites
Just as you need a toolset of a hammer, a wrench, etc. to fix a pipe, a collection of tools is required to start with WordPress penetration testing. Getting each one of them individually can be cumbersome. Therefore, for this article, we shall use Kali Linux. This is a specially designed OS that bundles all the popular security tools you will need.
Using Kali Linux on VirtualBox
Kali Linux can be installed and used in multiple ways, e.g. dual-booting, using a hypervisor, via Docker, etc. However, for this article, we shall use it on a hypervisor called VirtualBox. You can try the other options if your machine does not have the specifications to run Kali in VirtualBox or if it lags.
- Step 1: Download VirtualBox by visiting this official download page. Install it after the download is complete.
- Step 2: Once VirtualBox is set up, you can download a custom VirtualBox image of Kali Linux from here. You can select 32-bit or 64-bit as per your machine specifications for WordPress penetration testing.
- Step 3: Once downloaded, double-click on it. The file will then add itself to the list of available machines in VirtualBox after asking you for a few permissions.
- Step 4: Now, open VirtualBox and Kali Linux will be visible in the available machines. Select it and click Start as shown in the image below.

Now that our toolset is ready, make sure to take a backup of your WordPress site in case something breaks while pentesting. To make a backup, check out this official documentation of WordPress.
WordPress Penetration Testing: Tools
WPScan
This is a tool designed specifically to scan a WordPress site for vulnerabilities. WPScan maintains a database of all the WordPress vulnerabilities and matches your plugins, themes, core, etc. against it. Moreover, it can brute force your WordPress login. To use this tool, open the terminal in Kali Linux and type:
wpscan --url https://www.example.com
Here, replace example.com with the URL of your WordPress site.
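To act on the scan results, the report can be saved in machine-readable form with `wpscan --url https://www.example.com --format json --output report.json` and flattened into a patch list. The following is an added example, not part of the original article or of WPScan itself; the sample report is constructed, and its field names (version, main_theme, plugins, vulnerabilities, fixed_in) are assumptions modelled on WPScan's JSON output, so check them against a report from your installed version.

```python
import json

# Constructed sample shaped like a `wpscan --format json` report (not real scan
# output). The field names are assumptions modelled on WPScan's JSON output.
SAMPLE_REPORT = json.loads("""
{
  "target_url": "https://www.example.com/",
  "version": {"number": "5.0.0", "status": "insecure",
    "vulnerabilities": [{"title": "Constructed core issue", "fixed_in": "5.0.1"}]},
  "main_theme": {"slug": "sample-theme", "version": {"number": "1.2"},
    "vulnerabilities": []},
  "plugins": {
    "sample-forms": {"version": {"number": "2.3"}, "outdated": true,
      "vulnerabilities": [
        {"title": "Constructed SQL injection", "fixed_in": "2.4"},
        {"title": "Constructed XSS", "fixed_in": null}]},
    "sample-cache": {"version": null, "outdated": false, "vulnerabilities": []}
  }
}
""")

def _rows(kind, name, component):
    """Yield one finding per vulnerability listed for a component."""
    component = component or {}
    # WPScan may fail to detect a version; report it as unknown instead of failing.
    version = (component.get("version") or {}).get("number", "unknown")
    for vuln in component.get("vulnerabilities") or []:
        yield {"component": f"{kind}:{name}", "installed": version,
               "title": vuln.get("title", "untitled"),
               "fixed_in": vuln.get("fixed_in")}

def triage(report):
    """Flatten core, theme and plugin findings; issues without a fix sort first."""
    findings = []
    core = report.get("version") or {}
    # For core, the "version" object itself carries the number and the findings.
    findings += _rows("core", "wordpress",
                      {"version": core, "vulnerabilities": core.get("vulnerabilities")})
    theme = report.get("main_theme") or {}
    findings += _rows("theme", theme.get("slug", "unknown"), theme)
    for slug, plugin in (report.get("plugins") or {}).items():
        findings += _rows("plugin", slug, plugin)
    # No fixed_in means no update resolves it: disable or replace the component.
    return sorted(findings, key=lambda f: (f["fixed_in"] is not None, f["component"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        action = f"update to {f['fixed_in']}" if f["fixed_in"] else "no fix: disable or replace"
        print(f"{f['component']} {f['installed']}: {f['title']} -> {action}")
```

To use it on a real scan, load the saved file with `json.load(open("report.json"))` and pass the result to `triage()`.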

Sqlmap
Although WPScan thoroughly checks your WordPress site for vulnerabilities against its database, at times the database may not be up to date, or some zero-day vulnerability may be present. Tools like Sqlmap help in finding SQL injection bugs present in themes, plugins, etc. To use this tool, open the terminal in Kali Linux and type:
sqlmap -u "https://www.example.com/index.html?parameter=1" --dbs
Here, replace example.com with the URL of your WordPress site. The option "--dbs" will help you enumerate the databases in case any SQLi bug is found during WordPress penetration testing. If none is found, that does not imply that the site is secure. This tool has a lot of options to find SQLi bugs, and explaining each is beyond the scope of this article. To learn more, read the official documentation of Sqlmap.

XSSer
The most common vulnerability, which has been found in almost every CMS at some point in time, is XSS (Cross-Site Scripting). WordPress themes, plugins, etc. can be checked for XSS bugs using a tool called XSSer. This tool comes with advanced capabilities like bypassing security filters. However, this article covers only basic testing. For average users, it is easy to use via its graphical interface. To do so, open up the terminal in Kali and type:
xsser --gtk
Once the tool opens, click on the Wizard option in the menu bar at the top. Then click on Start Wizard Helper as shown in the image below. It will ask you a few basic questions like the URL of the target, mode, etc. Just enter the details and your basic WordPress penetration testing for XSS bugs will start.

PHPStan
Although experts charge hefty fees for conducting a code analysis of your WordPress site, using tools like PHPStan you can do a basic static code analysis yourself. There is also a PHPStan extension customized for WordPress, which needs to be downloaded separately. After setting up this tool, open up the terminal in Kali and type this command:
vendor/bin/phpstan analyze Dir1 Dir2
Here, replace Dir1 and Dir2 with the directories containing the WordPress code that you wish to scan for bugs. For more usage info, check out this article.
Conclusion
By now it must be evident that WordPress penetration testing is a well-defined procedure. However, this article barely scratches the surface. There is an array of comprehensive tests that need to be done in order to ensure the full security of your website. This can only be performed by an expert, so do not hesitate to contact one.
Moreover, certain free malware scanners are provided by companies like Astra Security that can make your job a lot easier. Astra Security also conducts affordable penetration testing of your website. Security experts ensure that no bugs slip by and perform a comprehensive audit of vulnerabilities like:
- Configuration and Deployment Misconfiguration.
- WordPress Core, Plugins & Theme Specific Vulnerabilities.
- Broken or Improper Authentication.
- Identifying Technical & Business Logic Vulnerabilities.
and many more in your system! So why wait? Try it now!