WordPress
WordPress.orgcms3 credentials
Database Credentials
wordpress / database-credentials
WordPress stores database connection settings in wp-config.php. WordPress documents DB_NAME, DB_USER, DB_PASSWORD, and DB_HOST constants as the database name, username, password, and host used by the application.
Looks like
patterndefine\(\s*'DB_PASSWORD'\s*,\s*'[^'\r\n]+'\s*\)Location
wp-config.phpWordPress site configuration containing database constants
WORDPRESS_DB_USER, WORDPRESS_DB_PASSWORD, WORDPRESS_DB_HOST, WORDPRESS_DB_NAMEhosting control panels, Docker/Kubernetes secrets, cloud secret managers, and CI/CD variables
accidentally committed wp-config.php files, backups, and deployment scripts
webroot backups, tarballs, and container images containing wp-config.php
setup output, debug traces, and support bundles containing configuration dumps
Notes
Database credentials can expose WordPress content, users, password hashes, plugin settings, and sensitive options stored in the database.
Authentication Unique Keys and Salts
wordpress / auth-salts-and-keys
WordPress uses secret keys and salts in wp-config.php to harden cookies and authentication state. WordPress documents AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and matching SALT constants.
Looks like
patterndefine\(\s*'(?:AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(?:KEY|SALT)'\s*,\s*'[^'\r\n]+'\s*\)Location
wp-config.phpWordPress authentication keys and salts
committed wp-config.php files, examples, and backups
site backups, container images, and deployment bundles
managed hosting secrets and deployment vault entries
Notes
Rotating keys and salts invalidates existing authentication cookies and reduces risk from stolen cookie/session material.
Application Password
wordpress / application-password
WordPress REST API supports Application Passwords for authenticated remote applications. WordPress documents Basic Authentication with Application Passwords as preferred over sending the user's regular password.
Location
AuthorizationBasic authentication using WordPress username and application password
WordPress user metadata storing application password verifier material
API client config, .env files, and integration settings
password managers, CI/CD variables, and cloud secret managers
REST API scripts, tests, and committed integration clients
HTTP client traces and failed REST API request logs
Notes
Application passwords are scoped to the user account that created them and should be revoked if found outside the intended client.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.