WordPress Reconnaissance Guide 2025: Professional Commands & Techniques
WordPress remains the most targeted CMS in the world, making reconnaissance and information gathering a critical skill for security researchers, bug bounty hunters, and defenders.
This 2025-ready WordPress reconnaissance guide covers real-world commands used by professionals to identify:
- WordPress versions
- Installed plugins & themes
- Exposed users and endpoints
- Server and infrastructure details
⚠️ Legal Notice: Use these commands only on systems you own or are authorized to test.
What Is WordPress Reconnaissance?
WordPress reconnaissance is the process of mapping a website's attack surface before exploitation. It helps answer questions like:
- What WordPress version is running?
- Which plugins and themes are installed?
- Are users publicly exposed?
- Are there misconfigured APIs or backup files?
This phase often determines attack success or failure.
Passive Reconnaissance (Low Noise, High Value)
Passive reconnaissance gathers intelligence without directly touching the server.
DNS Enumeration (Infrastructure Discovery)
dig any example.com @8.8.8.8 +noall +answer
What you learn:
- Hosting IPs
- Mail servers
- TXT / SPF records
- Hidden sub-services
Subdomain Enumeration (Passive)
sublist3r -d example.com -v
Common findings:
- admin.example.com
- dev.example.com
- staging.example.com
These often run outdated WordPress versions.
Google Dorking for WordPress Exposures
site:example.com inurl:wp-content
site:example.com intitle:"index of" wp-content/uploads
site:example.com filetype:sql
site:example.com "wp-config.php"
Why attackers use dorks:
- Finds leaked backups
- Detects directory indexing
- Exposes sensitive configuration files
Active Reconnaissance (Detectable but Powerful)
Active recon directly interacts with the target.
Full Port & Service Scan
nmap -sS -sV -sC -O -T4 -p- example.com
Discovers:
- Open ports
- Service versions
- Server OS fingerprints
- Misconfigured services
Web Technology Fingerprinting
whatweb -a 3 -v http://example.com
Reveals:
- WordPress CMS
- Web server (Apache / Nginx)
- Frameworks and libraries
- Analytics and plugins
WordPress-Specific Enumeration (High Impact)
WPScan – Professional WordPress Recon Tool
wpscan --url http://example.com \
  --enumerate vp,vt,u,cb,dbe \
  --plugins-version-detection aggressive \
  --random-user-agent \
  --api-token YOUR_API_KEY \
  -o wpscan.txt
Enumerates:
- Vulnerable plugins (vp)
- Vulnerable themes (vt)
- Usernames (u)
- Config backups (cb)
- Database exports (dbe)
REST API User Enumeration
curl -s http://example.com/wp-json/wp/v2/users | jq '.[].slug'
Why this matters:
- Exposes valid usernames
- Enables credential attacks
- Common WordPress misconfiguration
XML-RPC Endpoint Detection
curl -I http://example.com/xmlrpc.php
Security risk:
- Password brute-force amplification
- DDoS abuse
- Credential stuffing
Manual WordPress Recon Checks
WordPress Version Disclosure
curl -s http://example.com | grep "generator"
curl -s http://example.com/readme.html
Plugin & Theme Discovery
curl -I http://example.com/wp-content/plugins/
curl -I http://example.com/wp-content/themes/
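The manual checks above (generator tag, readme.html, REST API user listing, xmlrpc.php reachability, plugin directory indexing) folded into one self-audit script for a site you administer, so each exposure shows up as a named finding you can fix. This is an added example, not code from the original guide; `fetch`, `audit`, `PATHS` and the constructed `SAMPLE` responses are assumptions made for it.

```python
import json
import re
import sys
import urllib.request
from urllib.error import HTTPError

PATHS = ["/", "/readme.html", "/wp-json/wp/v2/users", "/xmlrpc.php", "/wp-content/plugins/"]
def version_from_generator(html):
    """Version from <meta name="generator" content="WordPress X.Y">, else None."""
    m = re.search(r'name=["\']generator["\'][^>]*content=["\']WordPress\s*([\d.]+)', html, re.I)
    return m.group(1) if m else None
def users_from_rest(body):
    """User slugs returned by /wp-json/wp/v2/users; [] when the endpoint is closed or not JSON."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u] if isinstance(data, list) else []
def audit(responses):
    """responses maps path -> (status, headers, body); returns only the positive findings."""
    get = lambda p: responses.get(p, (0, {}, ""))
    f = {
        "version_in_generator_tag": version_from_generator(get("/")[2]),
        "readme_exposed": get("/readme.html")[0] == 200,
        "users_enumerable": users_from_rest(get("/wp-json/wp/v2/users")[2]),
        "xmlrpc_reachable": get("/xmlrpc.php")[0] in (200, 405),  # core answers GET with 405 when enabled
        "plugins_dir_listing": bool(re.search(r"<title>\s*Index of /", get("/wp-content/plugins/")[2], re.I)),
    }
    return {k: v for k, v in f.items() if v}
def fetch(base, path):
    """GET one path from a site you administer; returns (status, headers, body) even on 4xx/5xx."""
    req = urllib.request.Request(base.rstrip("/") + path, headers={"User-Agent": "wp-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")

# Constructed sample responses standing in for a misconfigured site (not real data).
SAMPLE = {
    "/": (200, {}, '<meta name="generator" content="WordPress 6.4.2" />'),
    "/readme.html": (200, {}, "<h1>WordPress</h1>"),
    "/wp-json/wp/v2/users": (200, {}, '[{"id":1,"slug":"admin"},{"id":2,"slug":"editor"}]'),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/wp-content/plugins/": (200, {}, "<title>Index of /wp-content/plugins</title>"),
}

if __name__ == "__main__":  # usage: python wp_exposure_audit.py https://your-site.example
    responses = {p: fetch(sys.argv[1], p) for p in PATHS} if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(audit(responses), indent=2))
```

An empty result means none of the five exposures was observed; each key that does appear maps directly to a hardening step (remove the generator tag and readme.html, restrict the users endpoint, disable or block xmlrpc.php, turn off autoindex).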
Vulnerability Mapping (Exploit Correlation)
Exploit Search
searchsploit wordpress 6.x
searchsploit plugin_name version
Purpose:
- Match discovered versions with public exploits
- Identify CVEs and PoCs
Frequently Asked Questions
Is WordPress reconnaissance legal?
Yes — only when you have explicit permission from the website owner.
Why is WordPress often targeted?
Because of:
- Massive plugin ecosystem
- Outdated installations
- Weak credentials
- Misconfigured APIs
Can WordPress reconnaissance be automated?
Yes. Most professionals automate recon using WPScan, Nmap, and scripting.