Skip to content
Patchstack Academy

Setting up WordPress for Hacking

Introduction

Now that we know WordPress and its ecosystem, it is finally time to set up WordPress locally and dive into it. In this section, we will be discussing various ways of setting up a WordPress instance.

Since the local setup is widely covered on the internet, a Google search can provide a ton of articles. We will not be re-inventing the wheel from scratch here either. Instead, we will reference some articles that provide a detailed guideline for setting up.

Apache/MySQL method

The first and the most common method of setting up WordPress is through the traditional LAMP, WAMP, or XAMPP stack. A locally running Apache and MySQL server is required to set this up.

References:

Docker Setup

An official WordPress docker image can be used to set up everything as well. Due to the simplicity of the setup and cross-platform compatibility, it’s the preferred way to use it.

WordPress Official Docker Image

References:

wp-now Setup

wp-now is a zero-config development environment based on WordPress Playground. It allows you to launch WordPress with all the required plugins and themes in a matter of minutes.

To download a certain version of a plugin and a theme you need to:

  1. Create a wp-content folder in the root of your project.

  2. Add a blueprint.json like below. By using the "resource" : "url" you can easily download any version of a plugin or a plugin not from the official WordPress repository.

    {
        "$schema": "https://playground.wordpress.net/blueprint-schema.json",
        "preferredVersions": {
            "php": "latest",
            "wp": "latest"
        },
        "steps": [
            {
                "step": "login"
            },
            {
                "step": "installTheme",
                "themeZipFile": {
                    "resource": "wordpress.org/themes",
                    "slug": "twentytwentyfour"
                },
                "options": {
                    "activate": true
                }
            },
            {
                "step": "installPlugin",
                "pluginZipFile": {
                    "resource": "url",
                    "url": "https://downloads.wordpress.org/plugin/classic-editor.1.6.2.zip"
                },
                "options": {
                    "activate": true
                }
            }
        ]
    }

  3. Run npx @wp-now/wp-now start --blueprint=blueprint.json in the root of your project.

wp-now official GitHub respoitory

References:

Debugging WordPress

A plain WordPress setup installation is good enough for most users, but not optimal for hackers to uncover vulnerabilities deep within the code. We need to be able to step through each line of code, trace it backward/forward, and find those hidden vulnerabilities.

For that purpose, we have XDebug; a tool that is primarily used for debugging and profiling PHP applications. We can set real-time breakpoints in the code and step through it using the tool.

Below are some references to get started with XDebug:

Fortunately, you won’t have to go through everything from scratch on setting up XDebug with WordPress. We already have created a docker image that comes up with everything pre-installed.

The WP XDebug Docker GitHub repository comes with:

  • WordPress Docker instance
  • XDebug Configured
  • File upload limit increased

More information on installation and setup is provided on the GitHub repository. The repo can be used to instantly set up WordPress instances and get started with debugging right away.

Contributors

dhakalanandapalmiak