nmap -p80,443 --script http-wordpress-enum target.com
Executive Summary: Beyond Basic Port Scanning
If Nmap is the Swiss Army Knife of a security auditor's toolkit, most people are still just using the toothpick. While basic port scanning identifies open services, a "high-growth tactical auditor" requires deeper intelligence.
The Nmap Scripting Engine (NSE) allows us to transform a standard network scan into a highly specialized WordPress reconnaissance engine. Instead of just knowing port 443 is open, we want to know exactly which PHP version is running the backend, which users are posting content, and which plugins are leaking metadata—all before we ever fire up a heavy-duty tool like WPScan.
Why NSE Over Standard Scans?
Standard Nmap flags (like `-sV`) use a massive database of service signatures to guess what’s running. While effective, they are "loud" and often generic. NSE scripts are surgical. They are written in Lua and designed to perform specific tasks—like interrogating a WordPress `/wp-json/` endpoint or brute-forcing valid login handles—using minimal packets.
The Strategic Advantage:
- WAF Evasion: By using specific scripts instead of a broad version scan, you minimize the "noise" that triggers Web Application Firewalls.
- Pre-Exploitation Intelligence: Identifying a specific PHP version (e.g., PHP 7.4.x) immediately tells you which exploits are likely to work.
- Automation at Scale: You can wrap these scripts into a custom Nmap profile that handles thousands of targets efficiently.
The Core Arsenal: WordPress-Specific NSE Scripts
To build a high-performance fingerprinting profile, we focus on scripts that extract high-value data with low-risk footprints.
1. `http-wordpress-enum`
This is the workhorse of Phase 1. It doesn't just check if WordPress exists; it enumerates the "who" and the "what."
- What it does: Searches for valid usernames by probing the `/author/` archives and the REST API. It also attempts to identify installed themes and plugins by checking common directory paths.
- Tactical Implementation: ```bash nmap -p80,443 --script http-wordpress-enum --script-args http-wordpress-enum.search-limit=50 target-site.com ```
- Why it matters: Identifying a username like `admin` or `dev_ralph` gives you the exact target for the brute-force stage of your audit.
2. `http-php-version`
WordPress is only as secure as the PHP version it’s built on.
- What it does: Probes for specific "Easter eggs" and header signatures (like the `X-Powered-By` header) to determine the exact PHP version.
- Tactical Implementation: ```bash nmap -sV --script http-php-version target-site.com ```
3. `http-wordpress-brute`
While we usually save brute-forcing for the exploitation phase, a "light" brute-force check during recon can confirm if the site has basic login protections (like XML-RPC blocking) in place.
Designing the "Phase 1" Nmap Profile
To operate like a professional specialist, you need a repeatable, automated workflow. We combine version detection, script execution, and WAF evasion into a single "one-liner."
The "Ghost Profile" Command:
```bash nmap -p80,443 -sV -Pn -n --script "http-wordpress-enum,http-php-version,http-robots.txt" --max-rate 10 --script-args "http.useragent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' http-wordpress-enum.search-limit=20" -oN tactical_recon.txt [TARGET_IP] ```
Breaking Down the Anatomy:
| Flag | Purpose | Tactical Benefit |
|---|---|---|
| `-Pn` | No Ping | Avoids ICMP blocks; assumes the host is up to stay stealthy. |
| `-n` | No DNS Resolution | Speeds up the scan and avoids leaving logs on the DNS server. |
| `--max-rate 10` | Rate Limiting | Keeps your packet per second count low to fly under WAF thresholds. |
| `http.useragent` | Spoofing | Makes your Nmap scan look like a standard Chrome browser visit. |
| `-oN` | Output | Saves the results to a file for analysis. |
WAF Evasion: How to Not Get Blocked
A Web Application Firewall (WAF) like Cloudflare or Wordfence is designed to spot Nmap's default behavior. To ensure your reconnaissance is successful, follow these rules:
- Fragment Your Packets (`-f`): This breaks the TCP headers into smaller pieces, making it harder for simple packet filters to signature-match Nmap.
- Use Decoy IPs (`-D`): `nmap -D RND:10 [TARGET]` This generates 10 random "decoy" IP addresses that appear to be scanning the target at the same time as you, masking your actual IP.
- Timing is Everything: Never use `-T4` or `-T5` (Aggressive). Stick to `-T2` (Polite) or `-T3` (Normal) to avoid getting banned.
From Recon to Exploitation
The data you've just gathered—the PHP version, the enumerated usernames, and the plugin list—is the fuel for the next steps in our WordPress Hacking Hub.
Instead of guessing which commands to run, you now have a surgical roadmap. You know which usernames to target and which plugins are outdated. You’ve moved from "scanning everything" to "targeting the vulnerabilities that matter."
Next Up: We take this Nmap data and feed it into our Phase 02: Vulnerability Analysis workflow to begin mapping specific CVEs to our discovered targets.
Audit Tip: Always check the `robots.txt` file (using the `http-robots.txt` script). Developers often "disallow" the very directories they are most afraid of you finding—like `/backup/` or `/dev-wp/`.