filetype:bak "wp-config.php"
Executive Summary: The Art of Passive Reconnaissance
In the foundational methodology we’ve been building, we focus heavily on finding the "unlocked window" before we ever try the front door. While tools like WPScan are essential for active probing, Google Dorking is the ultimate form of passive reconnaissance.
Google has already spent billions of dollars crawling every corner of the internet. It has already indexed the mistakes, the forgotten backups, and the sloppy developer logs of your target. Tactical Dorking isn't about "hacking Google"; it’s about knowing how to ask Google to show you the vulnerabilities it has already found.
The Anatomy of a Dork: Beyond Simple Keywords
Most people use Google to find answers; we use it to find infrastructure. To do this, we use advanced search operators that filter results based on specific file types, URL structures, and page titles.
In the context of the WordPress Hacking Hub, we are looking for the "Low-Hanging Fruit"—information that was never meant to be public but is currently being served on a silver platter by the world's largest search engine.
Weaponizing the Configuration: Hunting for wp-config Backups
The `wp-config.php` file is the heart of a WordPress installation. It contains the database name, the database user, and—most importantly—the plaintext password. Because this file is processed by PHP on the server, a direct request to it normally results in a blank page.
However, developers often make a fatal mistake: they create a backup. Before editing the file, they might save a copy as `wp-config.php.bak`, `wp-config.php.old`, or `wp-config.php.txt`. Because these extensions are not recognized as PHP files, the server will serve them as raw text to anyone who asks.
To find these across a large-scale deployment, we use a dork that looks for specific file extensions paired with the known WordPress filename:
```text filetype:bak "wp-config.php" intitle:"index of" "wp-config.php.save" ```
When Google returns a result for this, you aren't just looking at a website; you are looking at the keys to the kingdom.
The Debugging Debt: Exposed debug.log Entries
WordPress has a built-in debugging mode that developers often forget to turn off when a site goes live. When `WP_DEBUG_LOG` is enabled, WordPress writes every error, warning, and notice to a file located at `/wp-content/debug.log`.
This file is a goldmine for an auditor. It often reveals:
- Absolute file paths on the server (crucial for Local File Inclusion attacks).
- Incompatibilities with specific plugins (revealing which plugins are installed).
- Database query errors that might hint at SQL injection vulnerabilities.
To hunt for these exposed logs, we use: ```text allinurl:/wp-content/debug.log ```
If this file is accessible, it provides a roadmap of the server’s internal architecture, allowing you to skip the "guessing" phase and move straight to the Advanced WPScan Enumeration phase.
The Open Vault: Directory Listing and Indexing
One of the most common misconfigurations is the failure to disable directory listing. When an Apache or Nginx server doesn't find an `index.php` or `index.html` file in a folder, it often defaults to showing the user a list of every file in that directory.
For WordPress, the `/wp-content/uploads/` directory is particularly sensitive. If indexed, it can reveal:
- Company invoices or sensitive PDF documents.
- Older versions of themes or plugins that were manually uploaded.
- Configuration files from security plugins that were meant to be hidden.
The dork to find these "Open Vaults" is: ```text intitle:"index of" "wp-content/uploads" ```
Scaling the Hunt: Leveraging the Google Hacking Database (GHDB)
Manually typing dorks into a search bar works for a single audit, but it doesn't work when you're managing a project to scale your outreach and technical auditing. This is where the Google Hacking Database (GHDB) becomes your primary resource.
The GHDB is a living library of "Dork Signatures." It categorizes dorks by their intent:
- Advisories and Vulnerabilities: Finding sites running software with known CVEs.
- Files Containing Passwords: Hunting for `.sql` dumps or `.env` files.
- Sensitive Online Shopping Info: Finding misconfigured e-commerce WordPress setups.
Professional Automation and Operational Security
As you scale from 20 audits to 1,000, Google will notice. If you start firing off hundreds of dork queries from your home IP, you will quickly meet a CAPTCHA wall. To automate this effectively, you must integrate:
- ISP Proxies: Rotating your queries through high-quality proxies allows you to simulate organic traffic and avoid rate limiting.
- Headless Browsers: Using tools like Playwright or Selenium to handle CAPTCHAs if necessary.
- Stealth Mode: Keeping your actual audit infrastructure hidden while proxies handle the "loud" work.
Closing the Loop: From Dorks to WPScan
Google Dorking is the "Long Range" weapon in your arsenal. It allows you to identify which targets are the most vulnerable before you ever initiate a heavy scan.
Once you’ve used a dork to find an exposed `debug.log` or an outdated plugin, you can take those specific URLs and feed them into the Phase 02: Vulnerability Analysis section of our WPScan Masterclass.
Ready to level up? After you've mapped your targets via Google, check out our guide on Advanced Nmap Scripting to begin the active fingerprinting phase.