Understanding Apache, PHP, and WordPress

A foundational breakdown of the tech stack behind the world’s most popular CMS

Why WordPress Matters in Pentesting

Over 40% of all websites on the internet run on WordPress. That makes it one of the most common targets you’ll see in the field — especially in client environments, small businesses, and misconfigured hosting setups.

To effectively enumerate, exploit, or audit a WordPress site, you need to understand the stack it runs on.

The WordPress Stack: Apache + PHP + MySQL

WordPress runs on a stack that looks like this:

+------------------------------+
|         Browser             |
+-------------+----------------
              |
              v
+-------------+----------------+
|           Apache             |  <-- Web server (port 80/443)
+-------------+----------------+
              |
              v
+-------------+----------------+
|             PHP              |  <-- Executes WordPress logic
+-------------+----------------+
              |
              v
+-------------+----------------+
|            MySQL             |  <-- Stores posts, users, configs
+-----------------------------+

Let’s break each part down.

Apache – The Web Server

Apache is a battle-tested, open-source HTTP server that:

• Listens on port 80 (HTTP) and 443 (HTTPS)
• Handles incoming web requests (e.g., GET /wp-login.php)
• Serves static files like images and CSS
• Hands .php files off to the PHP interpreter

Apache is also responsible for reading .htaccess files, which are used heavily in WordPress for things like URL rewriting, redirects, access controls, and directory permissions.

Pentester Notes:

• Misconfigured .htaccess files can expose sensitive files or allow directory traversal.
• Apache version leaks and default config files (like /server-status) can be useful in recon.

PHP – The Language Behind WordPress

PHP is the language WordPress is written in. When Apache receives a .php file request, it doesn’t try to understand it. Instead, Apache passes the file to the PHP engine.

PHP scripts are responsible for:

• Connecting to the database
• Authenticating users
• Rendering pages dynamically
• Handling forms, plugins, themes, and user input

Pentester Notes:

• Vulnerable plugins and themes often introduce insecure PHP code (file upload bugs, eval injections, SQLi).
• PHP doesn’t compile — it’s interpreted line-by-line at runtime. That means bad code can be discovered and abused on the fly.
• Misconfigured servers may expose .php.bak, .php~, or other backup files.

MySQL – The Database Engine

MySQL (or MariaDB) stores all of WordPress’s dynamic content:

• Users and passwords (hashed in wp_users)
• Blog posts, comments, settings (wp_posts, wp_options, etc.)
• Plugin data
• Session info and tokens

PHP interacts with MySQL via queries like:

SELECT * FROM wp_users WHERE user_login = '$username';

Pentester Notes:

• SQL injection is a risk in poorly coded plugins or themes.
• Default table prefix (wp_) can be fingerprinted; custom prefixes can be bruteforced.
• Misconfigured MySQL (listening externally, default creds) can expose the entire DB.

The Role of WordPress

WordPress is a content management system (CMS) written entirely in PHP and designed to make website creation easy. It’s built around:

• A templating engine for themes
• A plugin system for extending functionality
• A user-friendly admin interface (usually at /wp-admin/)

WordPress is not a monolithic executable — it’s a collection of loosely coupled PHP files that dynamically generate web pages based on HTTP requests and database content.

Directory structure overview:

/wp-admin/       # Admin dashboard
/wp-content/     # Themes and plugins
/wp-includes/    # Core PHP libraries
index.php        # Entry point for most requests
.htaccess        # Rewrite and security rules
wp-config.php    # Database credentials, keys, salts

How a Page Loads in WordPress (Simplified)

Let’s say someone visits /blog/my-post:

1. Apache receives the request.
2. Apache passes the request to index.php.
3. index.php loads WordPress core, which:
   • Connects to MySQL
   • Resolves the friendly URL using .htaccess and rewrites
   • Loads post data from the wp_posts table
4. PHP dynamically builds the page with the correct theme.
5. Apache returns the final HTML to the browser.

Common WordPress Pentesting Targets

Vector	Description
wp-login.php bruteforce	Try weak credentials or use password spraying
XML-RPC abuse	Mass login attempts, pingback attacks
Plugin exploits	Many plugins contain XSS, SQLi, RCE
Theme vulnerabilities	Insecure file inclusions or uploads
Outdated core	Known CVEs in old WordPress versions
Exposed backups	.zip, .tar, .sql files in /wp-content/
Database config leaks	wp-config.php often has DB creds

Bonus Tips

• Use tools like WPScan, WPSeku, and WhatWeb to fingerprint and enumerate WordPress installations.
• Always check /readme.html — it often leaks the WordPress version.
• Don’t forget to fuzz for common file paths and plugin directories (e.g. /wp-content/plugins/plugin-name/).

Summary

If you’re going to hack WordPress (ethically), you need to understand:

Component	Why it matters
Apache	Serves pages, handles .htaccess, controls access
PHP	Runs WordPress logic, plugins, themes
MySQL	Stores dynamic data: users, content, configs
WordPress	A dynamic CMS built in PHP, served by Apache, powered by MySQL

Once you know this flow, you stop shooting blind — and start hunting with intent.