Penetration testing your WordPress site

Author - Jeremy Burnel


Date posted 3rd May 2018

Category WordPress, Blog


Online security is a hot topic and has been for some time now. Recently we have seen plenty of stories hit the news about website hackings and how even the big tech giants aren’t safe from online manipulation.

WordPress has also had some moments in the spotlight for being vulnerable to security issues. WordPress is the world’s largest CMS, with over 30% of websites in existence now running on it, so it is not shocking that the spotlight hits here first.


The reality is that the majority of issues WordPress comes under fire for are not the fault of WordPress. Instead, they are often down to poorly informed WordPress users making poor decisions, which is to be expected when the platform is accessible to all, from the prolific developer to the novice blogger.

The challenge is that an unsecured site that has no security measures in place is low hanging fruit for hackers. These attacks could range in severity. Hackers could create, read, update, alter, or delete data stored in the back-end database. They could also hijack user sessions, deface websites, or redirect your website’s users to other malicious sites. Then, on the more severe side, they can assume the identity of other users, and gain access to a user’s personal data. All bad results, no matter how big or small your business.

One way to keep a check on your WordPress security is to perform a penetration test — or “pentest” for those in the know. A penetration test is a simulation of a malicious attack on a network, system, application or website, used to discover vulnerabilities and weaknesses before actual hackers can find and exploit them. It is an independent security evaluation, and your best tool for online security.

There are two types of penetration tests.

White box penetration testing is where you give the “attacker” (tester) full knowledge of the systems they’re attacking. Providing maximum information to the tester allows them to more effectively find vulnerabilities and test as widely and deeply as possible. The information you provide may include network diagrams, source code, access to staff for interviews, and configuration information.

Black box penetration testing is the opposite: the attacker does not know the system they’re attacking, just as would be the case in a real-world attack. Black box penetration testing is usually done from outside the targeted systems and uses reconnaissance to gather any information.

Best tools for penetration testing your WordPress site

WPScan  

WPScan is a black box vulnerability scanner for WordPress written in PHP which mainly focuses on different types of vulnerability in WordPress, WordPress themes, and plugins. WPScan uses the database of all the available plugins and themes during testing against the target to find outdated versions and vulnerabilities.
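The version-matching idea described above can also be run from the white box side, against the plugin files of a site you administer. The following is an added example, not WPScan's code and not part of the original post; the plugin slugs, versions, advisory entries and function names are all constructed for illustration.

```python
import re

# Constructed sample data: slugs, versions and advisory titles are made up.
ADVISORIES = [
    {"slug": "example-forms", "fixed_in": "2.4.1", "title": "constructed advisory A"},
    {"slug": "example-gallery", "fixed_in": "1.9.2", "title": "constructed advisory B"},
    {"slug": "example-seo", "fixed_in": None, "title": "constructed advisory C"},
    {"slug": "example-cache", "fixed_in": "5.0", "title": "constructed advisory D"},
]
# Stand-ins for the main PHP file of each installed plugin (constructed).
INSTALLED = {
    "example-forms": "<?php\n/*\n * Plugin Name: Example Forms\n * Version: 2.4.0\n */",
    "example-gallery": "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.10.0\n */",
    "example-seo": "<?php\n// Plugin Name: Example SEO\n// Version: 3.1\n",
    "example-cache": "<?php\n/* Plugin Name: Example Cache */\n",  # no Version header
}

def plugin_version(php_source):
    """Return the 'Version:' value from a plugin header comment, or None."""
    # WordPress itself only reads the first 8 KB of the file for headers.
    match = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", php_source[:8192],
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None

def version_key(version):
    """Map '1.10.0' to (1, 10) so it sorts above '1.9.2'; a suffix such as -beta is ignored."""
    lead = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in lead.group(0).split(".")] if lead else [0]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # treat 2.4 and 2.4.0 as equal
    return tuple(parts)

def audit(installed, advisories):
    """Return (slug, installed_version, title) for every advisory that still applies."""
    findings = []
    for adv in advisories:
        source = installed.get(adv["slug"])
        if source is None:
            continue  # plugin not present on this site
        version = plugin_version(source)
        if version is None:
            findings.append((adv["slug"], "unknown", adv["title"]))  # review by hand
        elif adv["fixed_in"] is None or version_key(version) < version_key(adv["fixed_in"]):
            findings.append((adv["slug"], version, adv["title"]))
    return findings

if __name__ == "__main__":
    for slug, version, title in audit(INSTALLED, ADVISORIES):
        print(f"{slug} {version}: {title}")
```

Comparing versions as number tuples matters here: as plain strings, "1.10.0" would sort below "1.9.2" and the patched gallery plugin would be reported as outdated.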

Metasploit

Metasploit is penetration testing software that helps security teams verify vulnerabilities, manage security assessments, and improve security awareness, allowing businesses to stay ahead of the game. It provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is used in conjunction with tools such as WPScan.

With the right precautions in place, WordPress is a high-quality CMS that provides users with an optimum level of security and functionality. Remember that security is a vital part of the WordPress picture, particularly today when there are more threats than ever to a site.

For more information about security for your WordPress site, you can download our WordPress Security Guide or get in touch with our expert team here at 93Digital, the London WordPress agency.
