Why Nigerian WordPress sites are high-value targets
WordPress runs over 40% of the web globally, which means automated scanning tools run by threat actors probe WordPress installations at scale every hour. Nigerian business sites are specifically attractive because of three factors that are endemic to the local hosting environment:
- Shared hosting concentration: The majority of Nigerian WordPress sites run on shared hosting plans at local providers (Whogohost, QServers, Web4Africa). A single compromised account on a shared server can be used to read files from adjacent accounts if server isolation is misconfigured.
- Stale plugin ecosystems: Local web agencies build WordPress sites and hand them off to clients who have no process for plugin updates. Plugins from 2021 with unauthenticated RCE CVEs remain active on live production sites.
- Unconfigured admin panels: The /wp-admin/ panel is accessible from any IP worldwide with no rate limiting, no geo-restriction, and no two-factor authentication on the admin account.
What we test on every WordPress engagement
Plugin vulnerability scanning and manual verification
We enumerate all installed plugins and their versions using WPScan and manual inspection of publicly accessible plugin file headers. For any plugin with a known CVE, we manually verify exploitability in your specific configuration rather than reporting it as theoretical. A vulnerability in a plugin that is installed but not activated is a different risk than one in an active, internet-facing plugin.
WordPress REST API enumeration
WordPress ships with a REST API that is enabled by default. The /wp-json/wp/v2/users endpoint returns a full list of registered usernames without authentication. These usernames are then used in targeted brute-force attacks against the admin panel and xmlrpc.php. We verify that your user enumeration is blocked and that the REST API is restricted to authenticated requests only.
# WordPress user enumeration via REST API (unauthenticated)
curl https://yourbusiness.com.ng/wp-json/wp/v2/users
# Returns: [{"id":1,"name":"admin","slug":"admin"}] XML-RPC brute force and multicall exploitation
WordPress's xmlrpc.php endpoint allows authentication and content management via XML-RPC calls. More critically, the system.multicall method allows bundling hundreds of login attempts into a single HTTP request, bypassing per-request rate limiting. We test whether xmlrpc.php is exposed and exploitable on your installation, and whether your hosting environment's WAF handles multicall brute force attempts.
wp-config.php exposure and server misconfiguration
The wp-config.php file contains your database credentials, authentication secret keys, and table prefix. We test whether this file is accessible via the web server (it should return a 403 or redirect), and we inspect your server configuration files (.htaccess on Apache, nginx.conf on Nginx) for rules that protect sensitive paths.
WooCommerce payment flow testing
For Nigerian e-commerce sites using WooCommerce with Paystack, Flutterwave, or Monnify, we test the checkout flow for client-side price manipulation (modifying cart totals before payment initiation), webhook signature validation on the payment callback endpoint, and order status update authorization (can a non-admin user mark their own order as paid?).
Unauthenticated file upload via outdated form plugin
During a security assessment of a Nigerian corporate services website, we identified a contact form plugin version from 2022 with a known unauthenticated arbitrary file upload CVE. We uploaded a PHP web shell through the form's file attachment field without providing any authentication credentials. The shell gave us read access to the server filesystem, including the wp-config.php file containing the production database credentials. Fix priority: critical. Remediated by updating the plugin, restricting allowed file extensions, and scanning all uploaded files through a server-side validation function.
Running a business website on WordPress in Nigeria? Book a security assessment before attackers find it first.
Book a WordPress Security TestFrequently asked questions
Why are Nigerian WordPress sites targeted specifically?
Nigerian business websites are targeted because they frequently run outdated plugin versions, use shared hosting environments with weak isolation between accounts, and have administrative panels directly exposed to the public internet with no geo-IP restriction or rate limiting.
Is it worth penetration testing a WordPress site?
Yes, especially for any site that handles customer payments, member logins, or business-critical data. A compromised WordPress site is used to steal customer payment card details at checkout, redirect visitors to phishing pages, and send fraudulent emails from your domain.
What is the most dangerous WordPress attack vector in Nigeria?
In our experience testing Nigerian WordPress installations, the most consistently critical finding is outdated plugins with known Remote Code Execution CVEs. Many Nigerian web agencies install plugins during site builds and never update them, creating a fixed but publicly-known attack path.
Do you test WooCommerce payment integrations?
Yes. We test WooCommerce payment gateway plugin configurations (Paystack, Flutterwave, and Stripe integrations are common in Nigeria), webhook validation on payment callbacks, and client-side price manipulation vulnerabilities in the checkout flow.
Related reading
Blog: WooCommerce payment security · Nigerian hosting vulnerabilities · Top vulnerabilities in Nigerian companies
Services: Penetration testing · Vulnerability assessment