Tutorials

WordPress Security Testing: How to Test Your Site for Vulnerabilities

Learn how to perform security testing on your WordPress site including vulnerability scanning, penetration testing, and security audits.

Sarah Chen
Guide to security testing WordPress for vulnerabilities

Introduction

Regular security testing identifies vulnerabilities before attackers exploit them. This guide covers practical methods to test your WordPress site's security posture.

Types of Security Testing

Different testing approaches serve different purposes:

  • Vulnerability scanning - Automated detection of known issues
  • Penetration testing - Simulated attacks to find weaknesses
  • Security audits - Comprehensive review of security practices
  • Configuration review - Checking security settings
  • Code review - Analyzing custom code for vulnerabilities

Automated Vulnerability Scanning

Use tools to scan for known vulnerabilities:

WPScan for WordPress

# Install WPScan
gem install wpscan

# Basic scan
wpscan --url https://yoursite.com

# Enumerate users, plugins, themes
wpscan --url https://yoursite.com -e u,ap,at

# Check for vulnerable plugins (vulnerability data is only returned when an API token is supplied, see below)
wpscan --url https://yoursite.com -e vp

# Use API for vulnerability database
wpscan --url https://yoursite.com --api-token YOUR_TOKEN

Custom Vulnerability Scanner

// Internal vulnerability checks. Run from a capability-gated admin page or a
// WP-CLI command, never from a public request.
function run_security_audit() {
    $issues = array();

    // Check WordPress version against the core update feed
    $wp_version = get_bloginfo('version');
    $latest = get_latest_wp_version();
    if ($latest && version_compare($wp_version, $latest, '<')) {
        $issues[] = array(
            'severity' => 'high',
            'issue' => "WordPress {$wp_version} is outdated. Latest: {$latest}",
        );
    }

    // Check for vulnerable plugins (get_plugins() lives in an admin-only include)
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $plugins = get_plugins();
    foreach ($plugins as $plugin_file => $plugin_data) {
        $vulnerabilities = check_plugin_vulnerabilities($plugin_file);
        if (!empty($vulnerabilities)) {
            $issues[] = array(
                'severity' => 'critical',
                'issue' => "Plugin {$plugin_data['Name']} has known vulnerabilities",
                'details' => $vulnerabilities,
            );
        }
    }

    // Check file permissions
    $permission_issues = check_file_permissions();
    $issues = array_merge($issues, $permission_issues);

    // Check security headers
    $header_issues = check_security_headers();
    $issues = array_merge($issues, $header_issues);

    // Check for debug mode
    if (defined('WP_DEBUG') && WP_DEBUG) {
        $issues[] = array(
            'severity' => 'medium',
            'issue' => 'WP_DEBUG is enabled on production site',
        );
    }

    return $issues;
}

// Latest core release, read from the update_core transient that WordPress
// refreshes through wp_version_check(). Returns false when no update data exists.
function get_latest_wp_version() {
    $update = get_site_transient('update_core');
    if (empty($update->updates[0]->version)) {
        wp_version_check();
        $update = get_site_transient('update_core');
    }
    return empty($update->updates[0]->version) ? false : $update->updates[0]->version;
}

// Core ships no vulnerability database. Plug a feed (for example the WPScan API
// used above) in through this filter; it should return a list of advisory strings.
function check_plugin_vulnerabilities($plugin_file) {
    return apply_filters('security_audit_plugin_vulnerabilities', array(), $plugin_file);
}

// Request the site's own front page and report missing hardening headers.
function check_security_headers() {
    $issues = array();

    $response = wp_remote_head(home_url('/'), array('redirection' => 2));
    if (is_wp_error($response)) {
        return $issues; // loopback blocked: nothing to report on headers
    }

    $expected = array(
        'strict-transport-security',
        'x-content-type-options',
        'x-frame-options',
        'content-security-policy',
    );
    foreach ($expected as $header) {
        if ('' === wp_remote_retrieve_header($response, $header)) {
            $issues[] = array(
                'severity' => 'low',
                'issue' => "Missing security header: {$header}",
            );
        }
    }

    return $issues;
}

function check_file_permissions() {
    $issues = array();

    // Recommended modes; 0400 on wp-config.php assumes PHP runs as the file owner
    $files_to_check = array(
        ABSPATH . 'wp-config.php' => '0400',
        ABSPATH . '.htaccess' => '0644',
    );

    foreach ($files_to_check as $file => $recommended) {
        if (file_exists($file)) {
            $perms = substr(sprintf('%o', fileperms($file)), -4);
            // Compare permission bits, not decimal values: flag any bit that is set
            // beyond the recommended mode (e.g. group/other read on wp-config.php)
            if ((octdec($perms) & ~octdec($recommended)) !== 0) {
                $issues[] = array(
                    'severity' => 'medium',
                    'issue' => "{$file} has permissions {$perms}, should be {$recommended}",
                );
            }
        }
    }

    return $issues;
}

Manual Security Testing

Test common attack vectors manually:

SQL Injection Testing

# Test URL parameters
https://yoursite.com/?id=1'
https://yoursite.com/?id=1 OR 1=1
https://yoursite.com/?id=1 UNION SELECT null,null

# Test search forms
Search: test' OR '1'='1
Search: test'; DROP TABLE wp_posts; --

# Test login forms
Username: admin' --
Password: anything
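The query shape those payloads probe for, beside its fix, as an added example (not code from the article or from WP Folder Shield). It assumes a custom table named {$wpdb->prefix}items; the example_ function names are hypothetical.

```php
<?php
// Added example (not code from the article or from WP Folder Shield): the query
// shape the URL and search payloads above are probing for, and its fix.
// Assumes a custom table {$wpdb->prefix}items; the example_ names are hypothetical.

// VULNERABLE: the raw parameter is spliced into the SQL, so ?id=1 OR 1=1 rewrites
// the WHERE clause and ?id=1' produces a database error that leaks query structure.
function example_get_item_vulnerable() {
    global $wpdb;
    $id = isset($_GET['id']) ? wp_unslash($_GET['id']) : '';
    return $wpdb->get_row("SELECT * FROM {$wpdb->prefix}items WHERE id = " . $id);
}

// FIXED: coerce to the expected type first, then bind with $wpdb->prepare(), which
// turns the value into a literal the SQL parser can never read as syntax.
function example_get_item_safe() {
    global $wpdb;
    $id = isset($_GET['id']) ? absint($_GET['id']) : 0;
    if (0 === $id) {
        return null; // missing or non-numeric id: refuse rather than guess
    }
    return $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", $id)
    );
}

// Search forms: a LIKE pattern needs its wildcard characters escaped as well as
// the value bound, otherwise test' OR '1'='1 and stray % or _ change the result set.
function example_search_titles($term) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like(wp_unslash($term)) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s",
            $pattern
        )
    );
}
```

When a manual test returns a database error or an unexpected row set, the handler behind that parameter is almost always built like the first function.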

XSS Testing

# Test input fields
<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
javascript:alert('XSS')

# Test in various contexts
" onmouseover="alert('XSS')"
'; alert('XSS'); //
</title><script>alert('XSS')</script>
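Each payload above targets a different output context, and WordPress provides an escaping function per context. The block below is an added example (not code from the article or from WP Folder Shield); the example_ names are hypothetical and $term and $url stand for untrusted request data.

```php
<?php
// Added example (not code from the article or from WP Folder Shield): the payloads
// above each target a different output context, and WordPress has an escaping
// function for each. The example_ names are hypothetical; $term and $url are untrusted.

function example_render_search_header($term, $url) {
    $out = '';

    // HTML body: esc_html() encodes < > & " ' so <script>, <img onerror> and
    // <svg onload> (and </title><script> inside a <title>) render as plain text.
    $out .= '<h2>Results for ' . esc_html($term) . '</h2>';

    // Attribute value: esc_attr() keeps " onmouseover="alert('XSS') inside the quotes.
    $out .= '<input type="search" name="s" value="' . esc_attr($term) . '">';

    // URL attribute: esc_url() rejects schemes outside wp_allowed_protocols(), so
    // a javascript: URL becomes an empty href instead of an executable link.
    $out .= '<a href="' . esc_url($url) . '">First result</a>';

    // Data handed to inline JavaScript: emit a JSON string literal with the HTML
    // special characters hex-escaped, so '; alert('XSS'); // and </script> stay inside it.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $out .= '<script>var searchTerm = ' . wp_json_encode($term, $flags) . ';</script>';

    return $out;
}

// Code-review helper for the audit: list template lines that echo request data
// directly, which is where the manual XSS tests above usually land.
function example_find_unescaped_output($dir) {
    $hits = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ('php' !== strtolower($file->getExtension())) {
            continue;
        }
        foreach (file($file->getPathname()) as $n => $line) {
            if (preg_match('/\becho\s+\$_(GET|POST|REQUEST|COOKIE)\b/', $line)) {
                $hits[] = $file->getPathname() . ':' . ($n + 1);
            }
        }
    }
    return $hits;
}
```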

Authentication Testing

// Test login security. Each helper returns an array with a 'pass' key;
// test_rate_limiting() is implemented below, the other three are site-specific.
function test_login_security() {
    $results = array();

    // Test rate limiting
    $results['rate_limiting'] = test_rate_limiting();

    // Test password policy
    $results['password_policy'] = test_weak_passwords();

    // Test session security
    $results['session_security'] = test_session_handling();

    // Test 2FA if enabled
    $results['2fa'] = test_2fa_bypass();

    return $results;
}

// Core WordPress has no login throttling; this checks whether the installed
// limiter blocks repeated failures. The error code it returns is plugin-specific,
// so adjust 'too_many_attempts' to match yours. Each call generates a real failed
// login event, which may also lock out the address the test runs from.
function test_rate_limiting() {
    // Attempt multiple failed logins (each fires the wp_login_failed action that
    // limiter plugins hook)
    $attempts = 0;
    $blocked = false;

    for ($i = 0; $i < 20; $i++) {
        $result = wp_authenticate('test_user', 'wrong_password_' . $i);
        $attempts++;

        if (is_wp_error($result) && $result->get_error_code() === 'too_many_attempts') {
            $blocked = true;
            break;
        }
    }

    return array(
        'blocked' => $blocked,
        'attempts_before_block' => $attempts,
        // Fail if no block occurred, or if it took more than 10 tries to trigger
        'pass' => $blocked && $attempts <= 10,
    );
}
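A minimal throttle that produces the 'too_many_attempts' code the check above looks for, as an added example (not code from the article or from WP Folder Shield). The hooks, transient functions and MINUTE_IN_SECONDS are real WordPress APIs; the example_ names and the 5-attempts-per-15-minutes policy are assumptions.

```php
<?php
// Added example (not code from the article or from WP Folder Shield): a minimal login
// throttle that produces the 'too_many_attempts' code test_rate_limiting() looks for.
// Hooks, transients and MINUTE_IN_SECONDS are real WordPress APIs; the example_ names
// and the 5-attempts-per-15-minutes policy are assumptions.

define('EXAMPLE_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Key the counter on client address + username so one source cannot lock out
// every account, while attempts spread across many names are still counted per name.
function example_login_attempt_key($username) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    return 'example_login_fail_' . md5($ip . '|' . strtolower($username));
}

function example_failed_attempts($username) {
    return (int) get_transient(example_login_attempt_key($username));
}

// wp_authenticate() fires wp_login_failed for every rejected attempt, including
// the ones this throttle itself rejects, so the lockout window keeps extending
// for as long as attempts continue.
add_action('wp_login_failed', function ($username) {
    $count = example_failed_attempts($username) + 1;
    set_transient(example_login_attempt_key($username), $count, EXAMPLE_LOCKOUT_SECONDS);
});

// Priority 30 runs after core's username/password check (priority 20), so the
// error below is what wp_authenticate() returns even when the password is right.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username)) {
        return $user;
    }
    if (example_failed_attempts($username) >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address + username.
add_action('wp_login', function ($username) {
    delete_transient(example_login_attempt_key($username));
});
```

With this in place, test_rate_limiting() above is blocked on its sixth call and reports pass => true.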

API Security Testing

# Test REST API exposure
curl https://yoursite.com/wp-json/wp/v2/users
curl https://yoursite.com/wp-json/wp/v2/posts?status=draft

# Test authentication bypass (an unauthenticated create must be refused, not published)
curl -X POST https://yoursite.com/wp-json/wp/v2/posts \
  -H "Content-Type: application/json" \
  -d '{"title":"Test","status":"publish"}'

# Test for exposed endpoints
curl https://yoursite.com/wp-json/
curl https://yoursite.com/?rest_route=/
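Closing the user listing that the first curl probe reads, and re-running the probes from inside WordPress as a regression check, as an added example (not code from the article or from WP Folder Shield). The filter and functions are real WordPress APIs; the example_ names are assumptions.

```php
<?php
// Added example (not code from the article or from WP Folder Shield): close the
// user listing the first curl probe above reads, and re-run the probes from inside
// WordPress as a regression check. Filter and functions are real WordPress APIs;
// the example_ names are assumptions.

// Drop the user routes for anonymous requests. Logged-in users (the block editor's
// author selector, for instance) still get them.
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// Self-check: wp_remote_get() sends no cookies, so these are anonymous requests.
// Returns route => reason for every probe that still answers 200.
function example_check_rest_exposure() {
    $probes = array(
        array('wp/v2/users', array(), 'user enumeration'),
        array('wp/v2/posts', array('status' => 'draft'), 'draft posts readable'),
    );
    $exposed = array();
    foreach ($probes as $probe) {
        list($route, $args, $why) = $probe;
        $url = add_query_arg($args, rest_url($route));
        $response = wp_remote_get($url, array('timeout' => 10));
        if (is_wp_error($response)) {
            continue; // loopback unreachable: report separately, not as exposure
        }
        if (200 === (int) wp_remote_retrieve_response_code($response)) {
            $exposed[$route] = $why;
        }
    }
    return $exposed;
}
```

An empty array from example_check_rest_exposure() means both probes were refused; a site that removed the user routes answers the first one with a 404.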

Security Audit Checklist

  • WordPress and plugins are up to date
  • Unused themes and plugins removed
  • Strong admin passwords in use
  • Two-factor authentication enabled
  • File permissions correctly set
  • Security headers implemented
  • SSL/TLS properly configured
  • Backup system functioning
  • Login attempt limiting active
  • Admin username is not "admin"

Conclusion

Regular security testing using automated scanners, manual testing, and comprehensive audits identifies vulnerabilities before attackers exploit them. Test your WordPress site periodically and after any significant changes.

Written by Sarah Chen

WP Folder Shield Team
