How to Setup a Wordpress Environment for Pentesting

Your very own Wordpress for hacking!

As you (hopefully) know, it is illegal to attempt hacking other people’s websites without their express permission. Even when you think you’re doing a company a favor by submitting a bug found in their setup, it could imply you were “hacking” their system and backfire on you big time! 🚔

This inherit danger in your learning process necessitates a safe space for your wild imagination. 😉

Luckily… you can easily setup your own local Wordpress site on any computer in a snap! 👍

In this tutorial, we’ll show you how to use automated Wordpress installations courtesy of WPDistillery that can be spun up in VirtualBox using Vagrant at lightning speeds! ⚡️

Installing VirtualBox & Vagrant

Install VirtualBox and its Extension Pack

NOTE: Windows users must always open the Command Prompt & VirtualBox with Run as Administrator when installing and using this setup.

Install Vagrant

Make sure VirtualBox works and opens normally.

Test Vagrant by running:

$ vagrant v

Install the vagrant hostupdater for Wordpress

$ vagrant plugin install vagrant-hostsupdater

If you run into errors, try running: VAGRANT_DISABLE_STRICT_DEPENDENCY_ENFORCEMENT=1 vagrant plugin install vagrant-hostsupdater

Verify the plugin was installed correctly:

$ vagrant plugin list

Setting Up Wordpress with WPDistillery

$ mkdir ~/pentesting
$ cd ~/pentesting
$ git clone
$ nano WPDistillery/wpdistillery/config.yml

You’ll want to peruse this section for interesting settings, but here’s a few we’ll want to tinker with right away.

  • Line 16: wpversion: latest

  • Line 94-107: # WPDISTILLERY SETUP

We’re going to change the wordpress version to an older version to make it easier to practice our exploits. So we’ll change that line to wpversion: 4.2

We’re also opting for a minimal setup by changing our WPDISTILLERY SETUP to:

  wp: true
  settings: true
  themes: false
  plugins: false
  cleanup: false
  # adjust what data you want to be deleted within the cleanup (requires `cleanup: true`)
  comment: false
  posts: false
  files: false

Now it’s time to fire 🔥 up our VM!

$ vagrant up

Now, the first time you run this it’s gotta download a large image, so better give yourself a coffee break.

If everything went smoothly, you should see: 👀

==> default: ========== WPDISTILLERY FINISHED ==========

Another quick way to test your VM is up is with ping:

$ ping wpdistillery.vm

If you run into an error about not finding the host, then try adding a line to your hosts file:

$ sudo echo "     wpdistillery.vm" >> /etc/hosts

or you have packet loss, try pinging its IP:

$ ping

No errors? Then we’re all setup! 🎈 🎉 🎊

Break Stuff! 💥

Now you can see your wordpress site if you just open a browser and go to http://wpdistillery.vm/ (or

Try using the program wpscan to give you some hints on exploits to test. If you need some pentesting tools, I’d recommend just installing Kali Linux on another virtual machine, and working from there.


Some handy commands for Vagrant

Stop the wordpress virtual machine:

$ vagrant halt

Delete & Remove the Installed Wordpress VM:

$ vagrant halt
$ vagrant destroy --force
$ rm -rf public