
Introduction:
WordPress powers over 40% of the web, but its default REST API configuration often leaks critical information about installed plugins and themes. WPProbe capitalizes on this design oversight, enabling security professionals to detect over 5,000 plugins and their associated vulnerabilities through passive REST API enumeration without generating noisy brute-force traffic, making it an essential tool for authorized penetration testing and defensive hardening assessments.
Learning Objectives:
- Master passive WordPress reconnaissance using WPProbe’s stealthy REST API enumeration techniques
- Learn to automate vulnerability correlation using Wordfence and WPScan databases
- Implement defensive countermeasures to protect WordPress REST API endpoints from unauthorized discovery
You Should Know:
1. Passive Plugin Discovery via REST API Endpoint Analysis
WPProbe’s stealth scanning mode operates by querying a WordPress site’s REST API root endpoint (?rest_route=/) and matching discovered endpoint signatures against a precompiled database of known plugin fingerprints. This non-intrusive method can identify thousands of plugins without triggering security monitoring or rate-limiting defenses, as it requires only a single request per target site.
Step-by-step guide for stealth enumeration:
# Kali Linux installation (included in kali-rolling)
sudo apt update && sudo apt install wpprobe -y
# Alternative installation via Go (requires Go 1.22+)
go install github.com/Chocapikk/wpprobe@latest
# Initialize vulnerability database (no API key required for built-in DB)
wpprobe update-db
# Launch stealthy scan against target
wpprobe scan -u https://target-wordpress-site.com --mode stealthy
# Export results in structured format
wpprobe scan -u https://target-site.com -o results.json
For Windows users, the tool can be run via Docker:
docker run -it --rm wpprobe scan -u https://example.com
The scan output reveals plugin names, installed versions, and known CVEs via version range matching against Wordfence and WPScan databases. To verify the raw REST API response manually for testing:
# Linux curl command to examine exposed endpoints
curl -k -s https://target-site.com/wp-json/ | jq .routes | head -20
# Alternative endpoint structure
curl -k -s "https://target-site.com/index.php?rest_route=/" | jq .
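What the fingerprinting above keys on is mostly the `namespaces` list in the REST index: WordPress core registers a handful, and every other namespace was added by a plugin or theme. The following added example (not WPProbe's code, and not from the original post) audits a saved copy of your own site's `/wp-json/` response to show the surface it discloses. The sample index is constructed inline; `CORE_NAMESPACES` is a partial, hand-written list of core namespaces, and the plugin-style namespaces in the sample are only illustrative.

```python
import json

# Constructed sample of a WordPress REST index (the JSON the curl command above
# returns). Only the fields this audit uses are included; real indexes are larger.
SAMPLE_INDEX = json.dumps({
    "name": "Example Site",
    "namespaces": ["wp/v2", "oembed/1.0", "wc/v3", "contact-form-7/v1", "example-plugin/v1"],
    "routes": {
        "/": {"namespace": "", "methods": ["GET"]},
        "/wp/v2": {"namespace": "wp/v2", "methods": ["GET"]},
        "/wp/v2/users": {"namespace": "wp/v2", "methods": ["GET", "POST"]},
        "/wc/v3": {"namespace": "wc/v3", "methods": ["GET"]},
        "/contact-form-7/v1/contact-forms": {"namespace": "contact-form-7/v1", "methods": ["GET", "POST"]},
        "/example-plugin/v1/status": {"namespace": "example-plugin/v1", "methods": ["GET"]},
    },
})

# Partial list of namespaces WordPress core itself registers (assumption: extend for
# your WordPress version). Anything outside this set came from a plugin or theme.
CORE_NAMESPACES = {"wp/v2", "oembed/1.0", "wp-site-health/v1", "wp-block-editor/v1"}


def exposed_namespaces(index_json):
    """Non-core namespaces the index discloses: the surface passive fingerprinting uses."""
    index = json.loads(index_json)
    return sorted(ns for ns in index.get("namespaces", []) if ns not in CORE_NAMESPACES)


def routes_by_namespace(index_json):
    """Group advertised routes by namespace so each plugin's exposed routes are visible."""
    index = json.loads(index_json)
    grouped = {}
    for route, meta in index.get("routes", {}).items():
        grouped.setdefault(meta.get("namespace", ""), []).append(route)
    return {ns: sorted(routes) for ns, routes in grouped.items()}


def user_enumeration_exposed(index_json):
    """True when the core users route is advertised (the endpoint the hardening section blocks)."""
    return "/wp/v2/users" in json.loads(index_json).get("routes", {})


def audit_report(index_json):
    """Summary a defender can compare against the plugin inventory they expect to be public."""
    return {
        "non_core_namespaces": exposed_namespaces(index_json),
        "user_endpoint_listed": user_enumeration_exposed(index_json),
        "routes": routes_by_namespace(index_json),
    }


if __name__ == "__main__":
    # Replace SAMPLE_INDEX with: open("wp-json.json").read() after saving the curl output
    print(json.dumps(audit_report(SAMPLE_INDEX), indent=2))
```

Run it against the saved output of the curl command to see which namespaces and routes your site volunteers to an unauthenticated client; each non-core namespace is a plugin someone can identify without touching a single plugin directory.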
2. Hybrid and Brute-Force Scanning Modes for Deep Vulnerability Assessment
When stealth is not required, WPProbe’s brute-force mode performs direct directory checks against common plugin paths, expanding detection coverage to over 10,000 plugins. The hybrid mode intelligently combines both approaches—performing stealthy enumeration first, then falling back to brute-force for comprehensive coverage.
Implementation workflow:
# Hybrid scan (stealthy first, then brute-force)
wpprobe scan -u https://example.com --mode hybrid -t 20
# Custom user-agent and proxy configuration
wpprobe scan -u https://example.com --mode bruteforce --header "User-Agent: CustomBot" --proxy http://127.0.0.1:8080
# Rate-limited scanning to avoid WAF detection
wpprobe scan -u https://example.com --rate-limit 5
# Bulk scanning with multiple targets
cat targets.txt | wpprobe scan -f /dev/stdin -o results.csv
To search for specific CVEs after database update:
wpprobe search --cve CVE-2024-5932
wpprobe search --plugin woocommerce
The Wordfence vulnerability database integration requires a free API key for direct fetching, though WPProbe’s built-in database updates automatically every two hours via CI. Configure it as follows:
# Set environment variable
export WORDFENCE_API_KEY=your_free_api_key
wpprobe update-db
# Or use flag directly
wpprobe update-db --api-key your_wordfence_key
3. Defensive Hardening: Blocking REST API Enumeration
To protect WordPress sites from tools like WPProbe, implement multiple layers of REST API access control. The most effective approach combines endpoint restriction with user authentication requirements.
Defensive commands and configurations for Linux server administrators (nginx):
# Nginx configuration to restrict REST API access to an allowlisted source range
location ~ ^/wp-json/ {
    # Matching scanner user-agents is only a speed bump: the scanner shown above
    # accepts a custom User-Agent header, so the allow/deny rules do the real work.
    # ~* makes the match case-insensitive.
    if ($http_user_agent ~* (wpprobe|wpscan|nikto|sqlmap)) {
        return 403;
    }
    # The block editor and logged-in admin sessions also call /wp-json/, so the
    # allowlist must cover every network your editors work from.
    allow 192.168.1.0/24;
    deny all;
}
# Alternative: restrict only the user enumeration endpoint.
# The ?rest_route=/wp/v2/users form reaches index.php rather than /wp-json/,
# so it needs a separate check on the rest_route query argument.
location ~ ^/wp-json/wp/v2/users {
    return 403;
}
Apache .htaccess rules:
# Block REST API user enumeration
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form of the endpoint
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC]
RewriteRule . - [F,L]
# Query-string form: REQUEST_URI never contains the query string, so the
# rest_route parameter must be matched in QUERY_STRING (plain or %2F-encoded)
RewriteCond %{REQUEST_URI} ^/index\.php$ [NC]
RewriteCond %{QUERY_STRING} rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users [NC]
RewriteRule . - [F,L]
</IfModule>
For non-developer environments, the Security Hardener WordPress plugin can restrict REST API access to authenticated users with a minimal allowlist for oEmbed functionality. Additionally, Pinny’s REST Lock specifically blocks user enumeration endpoints without breaking site functionality.
4. Vulnerability Correlation and Automated Remediation
After identifying vulnerable components, WPProbe provides version-aware CVE matching that enables targeted remediation workflows. The tool’s output can be piped into automated patching systems or ticketing platforms.
Post-scan automation example:
#!/bin/bash
# Automated vulnerability reporting script
wpprobe scan -u https://example.com -o /tmp/scan.json
# Extract high-severity findings
jq '.plugins[] | select(.vulnerabilities[].severity=="critical")' /tmp/scan.json
# Generate CSV for patch management
wpprobe scan -u https://example.com -o vulnerable_plugins.csv
# Cross-reference with local plugin inventory (reads the CSV written above)
while read -r plugin; do
    echo "Patching required: $plugin" | mail -s "WordPress Security Alert" [email protected]
done < vulnerable_plugins.csv
For Windows administrators using PowerShell:
# PowerShell automation example
wpprobe scan -u https://example.com -o results.json
$findings = Get-Content -Path results.json | ConvertFrom-Json
# Keep plugins that carry at least one critical vulnerability
$findings.plugins | Where-Object { $_.vulnerabilities.severity -contains "critical" } | Export-Csv -Path critical_findings.csv -NoTypeInformation
5. Advanced Exploitation Detection and Security Monitoring
Blue teams can leverage WPProbe internally to audit their own infrastructure while also implementing monitoring rules to detect external enumeration attempts.
Linux monitoring commands to detect WPProbe-like activity:
# Monitor REST API requests in real-time
tail -f /var/log/nginx/access.log | grep -E "wp-json|rest_route"
# Detect enumeration patterns in logs: requests per source IP to the users endpoint
grep -E "wp-json/wp/v2/users" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn
# Block repeat offending IPs (assumes a fail2ban jail named wordpress-enum is configured)
fail2ban-client set wordpress-enum banip 192.168.1.100
SIEM detection rule (Sigma format example):
title: WordPress REST API Enumeration Attempt
status: experimental
description: Detects multiple REST API user enumeration requests
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/wp-json/wp/v2/users'
            - '?rest_route=/wp/v2/users'
    condition: selection
level: medium
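The grep pipeline and the Sigma rule above both match on the literal path, so a request written as `rest_route=%2Fwp%2Fv2%2Fusers` slips past them, and the rule's "multiple requests" wording has no count behind it. The following added example (written for this section, not part of the original post or of any SIEM product) runs the same selection logic over nginx combined-format access log lines, URL-decodes the request before matching, and counts hits per source address so a threshold can be applied. The log lines are constructed for the example, and the combined log format is an assumption about your server.

```python
import re
from collections import Counter
from urllib.parse import unquote

# nginx combined log format (assumption): ip ident user [time] "METHOD uri PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

# Same two selectors as the Sigma rule above, applied after URL-decoding
ENUM_PATTERNS = ("/wp-json/wp/v2/users", "rest_route=/wp/v2/users")

# Constructed sample log: one source hammering the users endpoint in both URL forms
# (one of them percent-encoded), one legitimate client, one plain index request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:02 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:00:03 +0000] "GET /index.php?rest_route=%2Fwp%2Fv2%2Fusers HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2025:10:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2025:10:01:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 403 162 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2025:10:02:00 +0000] "GET /wp-json/ HTTP/1.1" 200 9911 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in combined format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_enumeration_request(uri):
    """Decode percent-encoding first so rest_route=%2Fwp%2Fv2%2Fusers is caught too."""
    decoded = unquote(uri)
    return any(pattern in decoded for pattern in ENUM_PATTERNS)


def count_enumeration(log_text):
    """Hits against the user enumeration selectors, per source IP (the Sigma selection, counted)."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_enumeration_request(record["uri"]):
            counts[record["ip"]] += 1
    return counts


def alert_ips(log_text, threshold=3):
    """Source IPs at or above the threshold: the 'multiple requests' the rule describes."""
    return sorted(ip for ip, hits in count_enumeration(log_text).items() if hits >= threshold)


if __name__ == "__main__":
    for ip, hits in count_enumeration(SAMPLE_LOG).most_common():
        print(f"{hits:4d}  {ip}")
    print("alert:", alert_ips(SAMPLE_LOG))
```

The single blocked request from 198.51.100.2 is counted but stays under the threshold, while 203.0.113.7 trips it only because the encoded `rest_route` variant is decoded before matching; a rule that matches the raw URI would count two hits for that address and miss it at a threshold of three.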
What Undercode Say:
- Passive Reconnaissance is the New Baseline: WPProbe demonstrates that complex enumeration no longer requires aggressive scanning techniques. A single REST API request can reveal an entire plugin inventory, fundamentally changing how penetration testers and attackers approach WordPress assessments.
- Defensive Transparency is a Double-Edged Sword: While WordPress’s REST API provides legitimate functionality for headless deployments and external integrations, its default permissive configuration creates an information disclosure risk that many site owners remain unaware of. The ease of exploitation via tools like WPProbe underscores the urgent need for API security to become part of standard WordPress hardening checklists.
- Automated Vulnerability Lifecycle Management: The integration of real-time CVE databases transforms WPProbe from a simple enumeration tool into a complete vulnerability assessment platform. This shift toward automated, database-backed scanning represents the future of security tooling, where every detected component is instantly correlated with known exploit paths.
Prediction:
- +1 API-First Security Will Drive Next-Generation WAF Development: As REST API enumeration becomes the preferred attack vector for WordPress reconnaissance, expect Web Application Firewalls to evolve specialized API inspection modules capable of detecting and blocking passive fingerprinting attempts without disrupting legitimate API consumers.
- -1 Automated Vulnerability Scanners Will Increase Incident Response Workload: The democratization of tools like WPProbe lowers the barrier to entry for threat actors, leading to a surge in automated vulnerability exploitation attempts. Organizations without mature patch management processes will face increased pressure as scanners continuously identify and weaponize newly disclosed CVEs against public-facing WordPress installations.
- +1 Hardening-as-Code Will Emerge as a Standard Practice: The availability of precise defensive commands and configuration examples will accelerate the adoption of infrastructure-as-code approaches for WordPress security. Expect to see hardened WordPress Terraform modules and Ansible playbooks that automatically restrict REST API access based on threat intelligence feeds.
Reported By: 0xfrost Wpprobe – Hackers Feeds