I wanted a list of public WordPress routes for quickly finding routes to test and check security issues, so I generated a list using Bard AI.
My first attempt only provided the API routes. They can be seen below:
===
The following is a list of all routes a site on WordPress can be publicly accessed from by default:
/wp-json/– The root of the WordPress REST API./wp-json/wp/v2/– The namespace for the WordPress core REST API./wp-json/wp/v2/posts/– A route for managing posts./wp-json/wp/v2/posts/{id}/– A route for managing a specific post, where{id}is the post ID./wp-json/wp/v2/pages/– A route for managing pages./wp-json/wp/v2/pages/{id}/– A route for managing a specific page, where{id}is the page ID./wp-json/wp/v2/categories/– A route for managing categories./wp-json/wp/v2/categories/{id}/– A route for managing a specific category, where{id}is the category ID./wp-json/wp/v2/tags/– A route for managing tags./wp-json/wp/v2/tags/{id}/– A route for managing a specific tag, where{id}is the tag ID./wp-json/wp/v2/users/– A route for managing users./wp-json/wp/v2/users/{id}/– A route for managing a specific user, where{id}is the user ID./wp-json/wp/v2/media/– A route for managing media./wp-json/wp/v2/media/{id}/– A route for managing a specific media item, where{id}is the media item ID./wp-json/wp/v2/comments/– A route for managing comments./wp-json/wp/v2/comments/{id}/– A route for managing a specific comment, where{id}is the comment ID./wp-json/wp/v2/settings/– A route for managing settings./wp-json/wp/v2/search/– A route for searching.
In addition to these default routes, WordPress also allows plugins and themes to register their own custom routes.
It is important to note that the WordPress REST API is exposed by default, but it can be disabled in the WordPress admin settings.
===
I tried again asking for non-API routes, and got a list of important standard routes:
===
The following is a list of all non-API routes a site on WordPress can be publicly accessed from by default:
/– The home page of the site./about/– The about page of the site./contact/– The contact page of the site./blog/– The blog page of the site./category/{slug}/– A page for displaying all posts in a specific category, where{slug}is the category slug./tag/{slug}/– A page for displaying all posts in a specific tag, where{slug}is the tag slug./archives/{year}/{month}/– A page for displaying all posts published in a specific year and month./author/{author_name}/– A page for displaying all posts published by a specific author, where{author_name}is the author’s name./wp-login.php– The WordPress login page./wp-register.php– The WordPress registration page./wp-admin/– The WordPress admin dashboard.
In addition to these default routes, WordPress also allows plugins and themes to register their own custom routes.
It is important to note that the WordPress admin dashboard is not publicly accessible by default, but it can be made publicly accessible by changing the WordPress admin settings.
===
This is sufficient for me now, but please note, this is probably not an extensive list.
For an extensive list, please check the official WordPress documentation.