Understanding WordPress Architecture for Pentesters

WordPress powers 43%+ of the internet.

Most hacks don’t happen because hackers are “smart” they happen because people don’t understand:

• how WordPress loads requests
• what executes first
• how plugins interact
• how themes execute code
• and how everything ties into the database

Once you understand that, exploitation becomes strategic rather than guesswork.

WordPress Core - The Heart of the System

The WordPress Core is the main engine written in PHP. It handles:

• posts & pages
• authentication
• database connections
• REST API
• dashboards
• hooks & filters
• plugin loading
• theme rendering

Some important directories:

wp-admin      → Admin dashboard
wp-includes  → Core functions
wp-content   → Plugins / Themes / Uploads
wp-config.php → Critical config file

WordPress Request Lifecycle (Very Important!)

Whenever you open a WordPress page:

1. Request hits index.php
2. WordPress bootstraps
3. Plugins load
4. Theme loads
5. Page renders

In simple terms:

Core starts engine → Plugins add power → Theme decides what user sees

Understanding this execution order helps you predict where vulnerabilities trigger.

Core Security Mindset

Attackers usually target:

• exposed wp-config.php
• debug logs
• REST API weaknesses
• XML-RPC abuse
• information leaks

Defenders should:

• restrict file access
• disable debug in production
• harden configuration
• carefully control REST access

Themes - The Presentation Layer

Themes control how WordPress looks.
But they are much more than “design”.

Themes can execute PHP, modify behavior, and run logic.

They live in:

/wp-content/themes/

A theme commonly contains:

• style.css
• index.php
• functions.php
• template files

The functions.php file is especially powerful. It can:

✔ run PHP on every page
✔ load scripts
✔ register hooks
✔ manipulate output

Which means…

A theme can introduce serious vulnerabilities.

Common Theme Vulnerabilities

• Arbitrary File Upload
• Stored / Reflected XSS
• Local File Inclusion
• Remote Code Execution
• Backdoored pirated themes
• exposed backup archives

Example risky files:

functions.php
editor.php
backup.zip

Themes are “visual”, but from a pentesting perspective, they are code execution gateways.

---

Plugins - The Real Attack Surface

If themes control presentation, plugins control power.

Plugins add:

• features
• admin tools
• database operations
• APIs
• integrations
• uploads
• automation

They live in:

/wp-content/plugins/

Plugin Vulnerabilities = 90% of WordPress Hacks

Most major WordPress hacks happen because of plugins.

Common plugin issues:

• Unauthenticated RCE
• SQL Injection
• File Upload vulnerabilities
• CSRF
• IDOR
• XSS
• SSRF
• Privilege Escalation
• REST API exploitation
• PHP Object Injection

Plugins are basically “third-party code running inside your site”.
And third-party code = trust + risk.

Database - The Brain of WordPress

WordPress uses MySQL/MariaDB.

Important tables:

wp_users
wp_usermeta
wp_posts
wp_postmeta
wp_options
wp_comments

From a pentesting angle:

• SQL Injection becomes meaningful
• privilege escalation is possible
• admin takeover chains exist

Example:

Admin passwords are stored (hashed) in:

wp_users.user_pass

Knowing structure helps in exploit design.

Execution Order - Why It Matters in Attacks

Execution order determines where you focus testing.

Request Flow:
1️⃣ Core
2️⃣ Plugins
3️⃣ Theme
4️⃣ Output

Meaning:

• Plugin vulnerability triggers before theme loads
• Security plugin may load after malicious plugin code
• Core protections can be overridden

This is why understanding architecture gives you advantage.