CMS

WordPress

Directories and files

| Path / Directory | Purpose |
| --- | --- |
| /wp-admin/ | Contains all files needed to run the backend/admin area of WordPress (manage posts, pages, users, plugins, settings). |
| /wp-content/ | Stores all site-specific content, including themes, plugins, uploads, and other custom files. |
| /wp-content/languages/ | Contains translations for WordPress core, themes, and plugins (PO/MO files). |
| /wp-content/mu-plugins/ | Holds must-use plugins that are always enabled. |
| /wp-content/plugins/ | All installed plugins (enabled or disabled). |
| /wp-content/themes/ | All installed WordPress themes. |
| /wp-content/upgrade/ | Temporary folder used during updates of WordPress core, plugins, or themes. |
| /wp-content/uploads/ | Media files like images, videos, and PDFs. |
| /wp-content/<plugin-specific folders> | Plugin-specific storage, e.g., caching plugins storing cached assets. |
| /wp-includes/ | Core WordPress files, libraries, and functions (database handling, formatting, REST API, etc.). |
| /.htaccess | Server configuration (Apache) controlling URL rewriting, permalinks, redirects, caching, and security. |
| /index.php | Main entry point; boots WordPress and determines what content to display. |
| /wp-config.php | Main configuration file (database credentials, authentication keys, debug settings, table prefix). |
| /wp-config-sample.php | Sample configuration file used as a reference or during installation. |
| /license.txt | GPL license text for WordPress. |
| /readme.html | WordPress version info and basic site info (often removed for security). |
| /wp-activate.php | Handles account activation in Multisite installations. |
| /wp-signup.php | Handles new user or site signups in a Multisite network. |
| /wp-blog-header.php | Loads WordPress environment and template for frontend requests. |
| /wp-load.php | Loads WordPress core and wp-config.php; used for bootstrapping WordPress in custom scripts. |
| /wp-settings.php | Initializes WordPress, loading plugins, themes, and core features. |
| /wp-login.php | Handles login, logout, and password reset functionality. |
| /wp-comments-post.php | Processes comment form submissions. |
| /wp-mail.php | Allows posting content via email (rarely used). |
| /wp-trackback.php | Handles trackbacks to notify other blogs of links. |
| /wp-links-opml.php | Legacy endpoint for exporting blogroll links in OPML format. |
| /wp-sitemap.xml or sitemap.xml | Provides an XML sitemap for the site. |
| /xmlrpc.php | Remote communication API for mobile apps, remote publishing, and plugin integrations; often restricted due to security. |

REST APIs

| Endpoint | Purpose |
| --- | --- |
| /wp-json/wp/v2/posts | Posts |
| /wp-json/wp/v2/posts/<id>/revisions | Post Revisions |
| /wp-json/wp/v2/categories | Categories |
| /wp-json/wp/v2/tags | Tags |
| /wp-json/wp/v2/pages | Pages |
| /wp-json/wp/v2/pages/<id>/revisions | Page Revisions |
| /wp-json/wp/v2/comments | Comments |
| /wp-json/wp/v2/taxonomies | Taxonomies |
| /wp-json/wp/v2/media | Media |
| /wp-json/wp/v2/users | Users |
| /wp-json/wp/v2/types | Post Types |
| /wp-json/wp/v2/statuses | Post Statuses |
| /wp-json/wp/v2/settings | Settings |
| /wp-json/wp/v2/themes | Themes |
| /wp-json/wp/v2/search | Search |
| /wp-json/wp/v2/block-types | Block Types |
| /wp-json/wp/v2/blocks | Blocks |
| /wp-json/wp/v2/blocks/<id>/autosaves/ | Block Revisions |
| /wp-json/wp/v2/block-renderer | Block Renderer |
| /wp-json/wp/v2/block-directory/search | Block Directory Items |
| /wp-json/wp/v2/plugins | Plugins |
| /wp-json/wp/v2/users/ | List WordPress users via REST API |
| /wp-json/?rest_route=/wp/v2/users/ | Legacy query-based route for listing users |
| /wp-json/wp/v2/users/<n> | Retrieve a specific user by ID |
| /wp-json/?rest_route=/wp/v2/users/<n> | Legacy query-based route for a specific user |
| /?author=<n> | Resolve author ID to author archive (username discovery) |
| /wp-json/wp/v2/sensei-messages/<numericID> | Access a specific Sensei LMS message |
| /wp-json/tenwebio/v2/compress-one | Compress a single image via TenWeb |
| /wp-json/oembed/1.0/embed?url=https://www.example.domain&format=json | Generate embeddable content metadata |

403 Bypass

The following requests are blocked with a 403 response:

  • https://target.com/wp-json/wp/v2/users/

  • https://target.com/wp-json/?rest_route=/wp/v2/users/

Bypass:

that generates the following HTTP request:

Drupal

Common Paths

| Path | Purpose |
| --- | --- |
| /user | User login, registration, and profiles |
| /user/login | User authentication |
| /user/password | Password reset |
| /admin | Administration dashboard |
| /admin/content | Manage site content |
| /admin/people | Manage users and roles |
| /admin/config | Site configuration |
| /node/<id> | Access content by numeric node ID |
| /taxonomy/term/<id> | View content by taxonomy term |
| /search | Site search |
| /search/node | Content search |
| /jsonapi | JSON:API entry point |
| /jsonapi/node/* | Content entities via API |
| /rest | REST API base path |
| /oauth/token | OAuth authentication |
| /session/token | CSRF token endpoint |
| /sites/default/files/ | Public uploaded files |
| /core | Drupal core assets |
| /modules | Installed modules |
| /themes | Installed themes |
| /install.php | Drupal installer |
| /update.php | Run database updates |
| /cron.php | Trigger scheduled tasks |
| /?q= | Legacy routing fallback |

Wordlists

Scan tools
