lolcreds

Public credential defaults and exposure patterns for authorized security testing.

WordPress

WordPress.orgcms3 credentials

Credentials3 documented
01

Database Credentials

wordpress / database-credentials

WordPress stores database connection settings in wp-config.php. WordPress documents DB_NAME, DB_USER, DB_PASSWORD, and DB_HOST constants as the database name, username, password, and host used by the application.

user definedsecretusername/password

Looks like

pattern
pattern

WordPress wp-config.php database password constant

define\(\s*'DB_PASSWORD'\s*,\s*'[^'\r\n]+'\s*\)

Location

config file
wp-config.php

WordPress site configuration containing database constants

environment
WORDPRESS_DB_USER, WORDPRESS_DB_PASSWORD, WORDPRESS_DB_HOST, WORDPRESS_DB_NAME
secret store

hosting control panels, Docker/Kubernetes secrets, cloud secret managers, and CI/CD variables

source code

accidentally committed wp-config.php files, backups, and deployment scripts

artifact

webroot backups, tarballs, and container images containing wp-config.php

logs

setup output, debug traces, and support bundles containing configuration dumps

Notes

Database credentials can expose WordPress content, users, password hashes, plugin settings, and sensitive options stored in the database.

02

Authentication Unique Keys and Salts

wordpress / auth-salts-and-keys

WordPress uses secret keys and salts in wp-config.php to harden cookies and authentication state. WordPress documents AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and matching SALT constants.

generated on installsecretsecret value

Looks like

pattern
pattern

WordPress authentication key or salt constant in wp-config.php

define\(\s*'(?:AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(?:KEY|SALT)'\s*,\s*'[^'\r\n]+'\s*\)

Location

config file
wp-config.php

WordPress authentication keys and salts

source code

committed wp-config.php files, examples, and backups

artifact

site backups, container images, and deployment bundles

secret store

managed hosting secrets and deployment vault entries

Notes

Rotating keys and salts invalidates existing authentication cookies and reduces risk from stolen cookie/session material.

03

Application Password

wordpress / application-password

WordPress REST API supports Application Passwords for authenticated remote applications. WordPress documents Basic Authentication with Application Passwords as preferred over sending the user's regular password.

user definedsecrettoken

Location

http header
Authorization

Basic authentication using WordPress username and application password

database

WordPress user metadata storing application password verifier material

config file

API client config, .env files, and integration settings

secret store

password managers, CI/CD variables, and cloud secret managers

source code

REST API scripts, tests, and committed integration clients

logs

HTTP client traces and failed REST API request logs

Notes

Application passwords are scoped to the user account that created them and should be revoked if found outside the intended client.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.