index.php
license.txt
contains useful information such as the version WordPress installed.wp-activate.php
is used for the email activation process when setting up a new WordPress site./wp-admin/login.php
/wp-admin/wp-login.php
/login.php
/wp-login.php
xmlrpc.php
is a file that represents a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.wp-content
folder is the main directory where plugins and themes are stored.wp-content/uploads/
Is the directory where any files uploaded to the platform are stored.wp-includes/
This is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.wp-config.php
file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can useful in troubleshooting./license.txt
or /readme.html
meta name
xml-rpc.php
is active you can perform a credentials brute-force or use it to launch DoS attacks to other resources. (You can automate this process using this for example).system.multicall
as you can try several credentials on the same request:system.multicall
**in the previous section to learn how to abuse this method to cause DDoS./wp-cron.php
When this file is accessed a "heavy" MySQL query is performed, so I could be used by attackers to cause a DoS.
Also, by default, the wp-cron.php
is called on every page load (anytime a client requests any Wordpress page), which on high-traffic sites can cause problems (DoS).wp-admin.php
file and only allow access internally or from certain IP addresses.