diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.fixtures.yml b/modules/vulnerabilities/unix/webapp/wordpress/.fixtures.yml
new file mode 100644
index 000000000..1d6ff32f3
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.fixtures.yml
@@ -0,0 +1,7 @@
+fixtures:
+ repositories:
+ concat: "git://github.com/ripienaar/puppet-concat.git"
+ mysql: "git://github.com/puppetlabs/puppetlabs-mysql.git"
+ stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+ symlinks:
+ wordpress: "#{source_dir}"
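Review bot: The three `repositories` entries fetch fixture modules over `git://`, which is unauthenticated and unencrypted, and none of them pins a ref, so each spec run executes whatever the upstream default branch holds at that moment. Switch to HTTPS and pin each module using the hash form that puppetlabs_spec_helper accepts, e.g. `concat: {repo: "https://github.com/ripienaar/puppet-concat.git", ref: "<PINNED_REF>"}`, where the ref is a placeholder for the tag this module is tested against. The same change applies to `mysql` and `stdlib`.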
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.gitignore b/modules/vulnerabilities/unix/webapp/wordpress/.gitignore
new file mode 100644
index 000000000..56efb9ca1
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.gitignore
@@ -0,0 +1,22 @@
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+.DS_Store
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.gitlab-ci.yml b/modules/vulnerabilities/unix/webapp/wordpress/.gitlab-ci.yml
new file mode 100644
index 000000000..35e420994
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.gitlab-ci.yml
@@ -0,0 +1,70 @@
+---
+stages:
+ - test_2.4.1
+ - test_2.1.9
+
+before_script:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem update bundler
+ - gem --version
+ - bundle -v
+ - bundle install --without system_tests
+
+rubocop-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake rubocop
+
+syntax-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake syntax lint
+
+metadata-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ script:
+ - bundle exec rake metadata_lint
+
+rspec-puppet-2.4.1:
+ stage: test_2.4.1
+ image: ruby:2.4.1
+ variables:
+ PUPPET_GEM_VERSION: ~> 4.0
+ CHECK: spec
+ script:
+ - bundle update
+ - bundle exec rake $CHECK
+
+rubocop-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake rubocop
+
+syntax-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake syntax lint
+
+metadata-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ script:
+ - bundle exec rake metadata_lint
+
+rspec-puppet-2.1.9:
+ stage: test_2.1.9
+ image: ruby:2.1.9
+ variables:
+ PUPPET_GEM_VERSION: ~> 4.0
+ CHECK: spec
+ script:
+ - bundle update
+ - bundle exec rake $CHECK
+
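Review bot: `before_script` deletes `Gemfile.lock` and runs `gem update --system` and `gem update bundler`, and both `rspec-puppet-*` jobs add `bundle update`, so every pipeline resolves whatever gem versions are newest that day instead of a reviewed set. Results are therefore not reproducible, and a broken or tampered upstream release would run in CI without any change in this repository; the same steps appear in `before_install` in `.travis.yml`. Consider keeping a lockfile (it is currently listed in `.gitignore`) and reducing the setup to `bundle install --without system_tests`, or at least pinning the RubyGems and Bundler versions. The `ruby:2.4.1` and `ruby:2.1.9` images are referenced by tag only; pinning them by digest would fix the base image too.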
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.pdkignore b/modules/vulnerabilities/unix/webapp/wordpress/.pdkignore
new file mode 100644
index 000000000..56efb9ca1
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.pdkignore
@@ -0,0 +1,22 @@
+.*.sw[op]
+.metadata
+.yardoc
+.yardwarns
+*.iml
+/.bundle/
+/.idea/
+/.vagrant/
+/coverage/
+/bin/
+/doc/
+/Gemfile.local
+/Gemfile.lock
+/junit/
+/log/
+/pkg/
+/spec/fixtures/manifests/
+/spec/fixtures/modules/
+/tmp/
+/vendor/
+/convert_report.txt
+.DS_Store
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.rspec b/modules/vulnerabilities/unix/webapp/wordpress/.rspec
new file mode 100644
index 000000000..16f9cdb01
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.rspec
@@ -0,0 +1,2 @@
+--color
+--format documentation
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.rubocop.yml b/modules/vulnerabilities/unix/webapp/wordpress/.rubocop.yml
new file mode 100644
index 000000000..40a58e071
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.rubocop.yml
@@ -0,0 +1,107 @@
+---
+require: rubocop-rspec
+AllCops:
+ DisplayCopNames: true
+ TargetRubyVersion: '2.1'
+ Include:
+ - "./**/*.rb"
+ Exclude:
+ - bin/*
+ - ".vendor/**/*"
+ - Gemfile
+ - Rakefile
+ - pkg/**/*
+ - spec/fixtures/**/*
+ - vendor/**/*
+Metrics/LineLength:
+ Description: People have wide screens, use them.
+ Max: 200
+RSpec/BeforeAfterAll:
+ Description: Beware of using after(:all) as it may cause state to leak between tests.
+ A necessary evil in acceptance testing.
+ Exclude:
+ - spec/acceptance/**/*.rb
+RSpec/HookArgument:
+ Description: Prefer explicit :each argument, matching existing module's style
+ EnforcedStyle: each
+Style/BlockDelimiters:
+ Description: Prefer braces for chaining. Mostly an aesthetical choice. Better to
+ be consistent then.
+ EnforcedStyle: braces_for_chaining
+Style/ClassAndModuleChildren:
+ Description: Compact style reduces the required amount of indentation.
+ EnforcedStyle: compact
+Style/EmptyElse:
+ Description: Enforce against empty else clauses, but allow `nil` for clarity.
+ EnforcedStyle: empty
+Style/FormatString:
+ Description: Following the main puppet project's style, prefer the % format format.
+ EnforcedStyle: percent
+Style/FormatStringToken:
+ Description: Following the main puppet project's style, prefer the simpler template
+ tokens over annotated ones.
+ EnforcedStyle: template
+Style/Lambda:
+ Description: Prefer the keyword for easier discoverability.
+ EnforcedStyle: literal
+Style/RegexpLiteral:
+ Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168
+ EnforcedStyle: percent_r
+Style/TernaryParentheses:
+ Description: Checks for use of parentheses around ternary conditions. Enforce parentheses
+ on complex expressions for better readability, but seriously consider breaking
+ it up.
+ EnforcedStyle: require_parentheses_when_complex
+Style/TrailingCommaInArguments:
+ Description: Prefer always trailing comma on multiline argument lists. This makes
+ diffs, and re-ordering nicer.
+ EnforcedStyleForMultiline: comma
+Style/TrailingCommaInLiteral:
+ Description: Prefer always trailing comma on multiline literals. This makes diffs,
+ and re-ordering nicer.
+ EnforcedStyleForMultiline: comma
+Style/SymbolArray:
+ Description: Using percent style obscures symbolic intent of array's contents.
+ EnforcedStyle: brackets
+RSpec/MessageSpies:
+ EnforcedStyle: receive
+Style/CollectionMethods:
+ Enabled: true
+Style/MethodCalledOnDoEndBlock:
+ Enabled: true
+Style/StringMethods:
+ Enabled: true
+Layout/EndOfLine:
+ Enabled: false
+Metrics/AbcSize:
+ Enabled: false
+Metrics/BlockLength:
+ Enabled: false
+Metrics/ClassLength:
+ Enabled: false
+Metrics/CyclomaticComplexity:
+ Enabled: false
+Metrics/MethodLength:
+ Enabled: false
+Metrics/ModuleLength:
+ Enabled: false
+Metrics/ParameterLists:
+ Enabled: false
+Metrics/PerceivedComplexity:
+ Enabled: false
+RSpec/DescribeClass:
+ Enabled: false
+RSpec/ExampleLength:
+ Enabled: false
+RSpec/MessageExpectation:
+ Enabled: false
+RSpec/MultipleExpectations:
+ Enabled: false
+RSpec/NestedGroups:
+ Enabled: false
+Style/AsciiComments:
+ Enabled: false
+Style/IfUnlessModifier:
+ Enabled: false
+Style/SymbolProc:
+ Enabled: false
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.travis.yml b/modules/vulnerabilities/unix/webapp/wordpress/.travis.yml
new file mode 100644
index 000000000..6b1f5fbe4
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.travis.yml
@@ -0,0 +1,48 @@
+---
+sudo: false
+dist: trusty
+language: ruby
+cache: bundler
+before_install:
+ - bundle -v
+ - rm Gemfile.lock || true
+ - gem update --system
+ - gem update bundler
+ - gem --version
+ - bundle -v
+script:
+ - 'bundle exec rake $CHECK'
+bundler_args: --without system_tests
+rvm:
+ - 2.4.1
+env:
+ - PUPPET_GEM_VERSION="~> 5.0" CHECK=spec
+matrix:
+ fast_finish: true
+ include:
+ -
+ env: CHECK=rubocop
+ -
+ env: CHECK="syntax lint"
+ -
+ env: CHECK=metadata_lint
+ -
+ env: CHECK=spec
+ -
+ env: PUPPET_GEM_VERSION="~> 4.0" CHECK=spec
+ rvm: 2.1.9
+branches:
+ only:
+ - master
+ - /^v\d/
+notifications:
+ email: false
+deploy:
+ provider: puppetforge
+ user: puppet
+ password:
+ secure: ""
+ on:
+ tags: true
+ all_branches: true
+ condition: "$DEPLOY_TO_FORGE = yes"
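Review bot: The `deploy` block still targets the Puppet Forge as user `puppet` with `secure: ""`, which looks like a template leftover for a module that is vendored into this repository. If a tagged build ever runs with `DEPLOY_TO_FORGE` set to `yes`, Travis would attempt a publish with an empty credential; dropping the whole `deploy:` stanza removes that path. If publishing is intended, `secure` needs a real encrypted value scoped to this repository.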
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/.yardopts b/modules/vulnerabilities/unix/webapp/wordpress/.yardopts
new file mode 100644
index 000000000..29c933bcf
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/.yardopts
@@ -0,0 +1 @@
+--markup markdown
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/CHANGELOG b/modules/vulnerabilities/unix/webapp/wordpress/CHANGELOG
new file mode 100644
index 000000000..50c8e26b0
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/CHANGELOG
@@ -0,0 +1,73 @@
+2014-10-15 Release 1.0.0
+Features
+- Multiple instances ability via wordpress::instance
+- New wp_debug, wp_debug_log, and wp_debug_display parameters for debug output
+- New wp_config_content parameter for custom configuration
+
+Bugfixes:
+- Convert rspec-system tests to beaker-rspec tests
+- Updated readme
+
+2014-01-16 Release 0.6.0
+Features:
+- Add `wordpress::wp_additional_config` parameter for custom template
+fragments.
+- Add `wordpress::wp_table_prefix` to customize the table prefix in mysql.
+
+Bugfixes:
+- Fix idempotency for `mysql_grant` privileges.
+
+2013-12-17 Release 0.5.1
+Features:
+- Update default version of wordpress to install to 3.8
+- Add `wordpress::wp_proxy_host` and `wordpress::wp_proxy_port` for proxying
+plugin installation.
+- Add `wordpress::wp_mulitsite` and `wordpress::wp_multisite` to enable
+multisite support
+- Update to work with latest 2.x puppetlabs-mysql
+- Update to work with latest 1.x puppetlabs-concat
+- Add rspec-system integration testing, travis testing, and autopublish
+
+Bugfixes:
+- Fix ownership during installation to reduce log output and increase
+idempotency.
+
+2013-12-17 Release 0.5.0
+This release is invalid and was removed.
+
+2013-09-19 Release 0.4.2
+Bugfixes:
+- Correct Modulefile module name
+
+2013-09-19 Release 0.4.1
+Bugfixes:
+- Escape \'s in the salt
+
+2013-06-17 Release 0.4.0
+Features:
+- Add `wordpress::wp_lang` parameter
+- Add `wordpress::wp_plugin_dir` parameter
+
+Bugfixes:
+- Add class anchors
+- Conditionalize directory management
+- Fix `@db_host` template variable
+
+2012-12-31 Release 0.2.3
+Changes:
+- Remove Apache php configuration; that responsibility falls outside of this module.
+
+2012-12-28 Release 0.2.2
+Bugfixes:
+- Pass required parameters
+
+2012-12-28 Release 0.2.1
+Bugfixes:
+- Remove extraneous files from module.
+
+2012-12-28 Release 0.2.0
+Changes:
+- Add `install_url` parameter to download tarball from other location
+
+2012-12-28 Release 0.1.0
+- Initial rewrite from jonhadfield/master
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/Gemfile b/modules/vulnerabilities/unix/webapp/wordpress/Gemfile
new file mode 100644
index 000000000..655b01465
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/Gemfile
@@ -0,0 +1,126 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+def location_for(place_or_version, fake_version = nil)
+ if place_or_version =~ %r{\A(git[:@][^#]*)#(.*)}
+ [fake_version, { git: Regexp.last_match(1), branch: Regexp.last_match(2), require: false }].compact
+ elsif place_or_version =~ %r{\Afile:\/\/(.*)}
+ ['>= 0', { path: File.expand_path(Regexp.last_match(1)), require: false }]
+ else
+ [place_or_version, { require: false }]
+ end
+end
+
+def gem_type(place_or_version)
+ if place_or_version =~ %r{\Agit[:@]}
+ :git
+ elsif !place_or_version.nil? && place_or_version.start_with?('file:')
+ :file
+ else
+ :gem
+ end
+end
+
+ruby_version_segments = Gem::Version.new(RUBY_VERSION.dup).segments
+minor_version = ruby_version_segments[0..1].join('.')
+
+group :development do
+ gem "fast_gettext", '1.1.0', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.1.0')
+ gem "fast_gettext", require: false if Gem::Version.new(RUBY_VERSION.dup) >= Gem::Version.new('2.1.0')
+ gem "json_pure", '<= 2.0.1', require: false if Gem::Version.new(RUBY_VERSION.dup) < Gem::Version.new('2.0.0')
+ gem "json", '= 1.8.1', require: false if Gem::Version.new(RUBY_VERSION.dup) == Gem::Version.new('2.1.9')
+ gem "puppet-module-posix-default-r#{minor_version}", require: false, platforms: [:ruby]
+ gem "puppet-module-posix-dev-r#{minor_version}", require: false, platforms: [:ruby]
+ gem "puppet-module-win-default-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
+ gem "puppet-module-win-dev-r#{minor_version}", require: false, platforms: [:mswin, :mingw, :x64_mingw]
+end
+
+puppet_version = ENV['PUPPET_GEM_VERSION']
+puppet_type = gem_type(puppet_version)
+facter_version = ENV['FACTER_GEM_VERSION']
+hiera_version = ENV['HIERA_GEM_VERSION']
+
+def puppet_older_than?(version)
+ puppet_version = ENV['PUPPET_GEM_VERSION']
+ !puppet_version.nil? &&
+ Gem::Version.correct?(puppet_version) &&
+ Gem::Requirement.new("< #{version}").satisfied_by?(Gem::Version.new(puppet_version.dup))
+end
+
+gems = {}
+
+gems['puppet'] = location_for(puppet_version)
+
+# If facter or hiera versions have been specified via the environment
+# variables, use those versions. If not, and if the puppet version is < 3.5.0,
+# use known good versions of both for puppet < 3.5.0.
+if facter_version
+ gems['facter'] = location_for(facter_version)
+elsif puppet_type == :gem && puppet_older_than?('3.5.0')
+ gems['facter'] = ['>= 1.6.11', '<= 1.7.5', require: false]
+end
+
+if hiera_version
+ gems['hiera'] = location_for(ENV['HIERA_GEM_VERSION'])
+elsif puppet_type == :gem && puppet_older_than?('3.5.0')
+ gems['hiera'] = ['>= 1.0.0', '<= 1.3.0', require: false]
+end
+
+if Gem.win_platform? && (puppet_type != :gem || puppet_older_than?('3.5.0'))
+ # For Puppet gems < 3.5.0 (tested as far back as 3.0.0) on Windows
+ if puppet_type == :gem
+ gems['ffi'] = ['1.9.0', require: false]
+ gems['minitar'] = ['0.5.4', require: false]
+ gems['win32-eventlog'] = ['0.5.3', '<= 0.6.5', require: false]
+ gems['win32-process'] = ['0.6.5', '<= 0.7.5', require: false]
+ gems['win32-security'] = ['~> 0.1.2', '<= 0.2.5', require: false]
+ gems['win32-service'] = ['0.7.2', '<= 0.8.8', require: false]
+ else
+ gems['ffi'] = ['~> 1.9.0', require: false]
+ gems['minitar'] = ['~> 0.5.4', require: false]
+ gems['win32-eventlog'] = ['~> 0.5', '<= 0.6.5', require: false]
+ gems['win32-process'] = ['~> 0.6', '<= 0.7.5', require: false]
+ gems['win32-security'] = ['~> 0.1', '<= 0.2.5', require: false]
+ gems['win32-service'] = ['~> 0.7', '<= 0.8.8', require: false]
+ end
+
+ gems['win32-dir'] = ['~> 0.3', '<= 0.4.9', require: false]
+
+ if RUBY_VERSION.start_with?('1.')
+ gems['win32console'] = ['1.3.2', require: false]
+ # sys-admin was removed in Puppet 3.7.0 and doesn't compile under Ruby 2.x
+ gems['sys-admin'] = ['1.5.6', require: false]
+ end
+
+ # Puppet < 3.7.0 requires these.
+ # Puppet >= 3.5.0 gem includes these as requirements.
+ # The following versions are tested to work with 3.0.0 <= puppet < 3.7.0.
+ gems['win32-api'] = ['1.4.8', require: false]
+ gems['win32-taskscheduler'] = ['0.2.2', require: false]
+ gems['windows-api'] = ['0.4.3', require: false]
+ gems['windows-pr'] = ['1.2.3', require: false]
+elsif Gem.win_platform?
+ # If we're using a Puppet gem on Windows which handles its own win32-xxx gem
+ # dependencies (>= 3.5.0), set the maximum versions (see PUP-6445).
+ gems['win32-dir'] = ['<= 0.4.9', require: false]
+ gems['win32-eventlog'] = ['<= 0.6.5', require: false]
+ gems['win32-process'] = ['<= 0.7.5', require: false]
+ gems['win32-security'] = ['<= 0.2.5', require: false]
+ gems['win32-service'] = ['<= 0.8.8', require: false]
+end
+
+gems.each do |gem_name, gem_params|
+ gem gem_name, *gem_params
+end
+
+# Evaluate Gemfile.local and ~/.gemfile if they exist
+extra_gemfiles = [
+ "#{__FILE__}.local",
+ File.join(Dir.home, '.gemfile'),
+]
+
+extra_gemfiles.each do |gemfile|
+ if File.file?(gemfile) && File.readable?(gemfile)
+ eval(File.read(gemfile), binding)
+ end
+end
+# vim: syntax=ruby
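Review bot: The loop at the end of the file passes `Gemfile.local` and `~/.gemfile` to `eval` with the Gemfile's binding, so any Ruby in the home directory of the account that runs `bundle` executes during dependency resolution, and the existing comment does not say that. Add a comment above `extra_gemfiles` such as `# NOTE: these files are executed as Ruby with the privileges of the invoking user; keep them out of shared and CI accounts.` Passing the path as the third argument, `eval(File.read(gemfile), binding, gemfile)`, would also make errors raised from those files name the right file.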
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/Modulefile b/modules/vulnerabilities/unix/webapp/wordpress/Modulefile
new file mode 100644
index 000000000..a490a7cb7
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/Modulefile
@@ -0,0 +1,13 @@
+name 'hunner-wordpress'
+version '1.0.0'
+source 'https://github.com/hunner/puppet-wordpress'
+author 'Hunter Haugen'
+license 'Apache2'
+summary 'Puppet module to set up an instance of wordpress'
+description 'Installs wordpress and required mysql db/user.'
+project_page 'https://github.com/hunner/puppet-wordpress'
+
+## Add dependencies, if any:
+#dependency 'puppetlabs/concat', '>= 1.0.0'
+#dependency 'puppetlabs/mysql', '>= 2.1.0'
+#dependency 'puppetlabs/stdlib', '>= 2.3.1'
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/README.markdown b/modules/vulnerabilities/unix/webapp/wordpress/README.markdown
new file mode 100644
index 000000000..ca6cc5bc9
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/README.markdown
@@ -0,0 +1,215 @@
+# WordPress Module
+
+## Overview
+
+This will set up one or more installations of Wordpress 3.8 on Debian and Redhat style distributions.
+
+## Capabilities
+
+#### Installation includes:
+
+- Configuration of WordPress DB connection parameters
+- Generate secure keys and salts for `wp-config.php`.
+- Optional creation of MySQL database/user/permissions.
+
+#### Requires:
+
+- Configuration of php-enabled webserver
+- Configuration MySQL server
+- PHP 5.3 or greater
+- User specified by `wp_owner` must exist
+
+## Parameters
+
+### Class wordpress
+
+* `install_dir`
+ Specifies the directory into which wordpress should be installed. Default: `/opt/wordpress`
+
+* `install_url`
+ Specifies the url from which the wordpress tarball should be downloaded. Default: `http://wordpress.org`
+
+* `version`
+ Specifies the version of wordpress to install. Default: `3.8`
+
+* `create_db`
+ Specifies whether to create the db or not. Default: `true`
+
+* `create_db_user`
+ Specifies whether to create the db user or not. Default: `true`
+
+* `db_name`
+ Specifies the database name which the wordpress module should be configured to use. Default: `wordpress`
+
+* `db_host`
+ Specifies the database host to connect to. Default: `localhost`
+
+* `db_user`
+ Specifies the database user. Default: `wordpress`
+
+* `db_password`
+ Specifies the database user's password in plaintext. Default: `password`
+
+* `wp_owner`
+ Specifies the owner of the wordpress files. You must ensure this user exists as this module does not attempt to create it if missing. Default: `root`
+
+* `wp_group`
+ Specifies the group of the wordpress files. Default: `0` (\*BSD/Darwin compatible GID)
+
+* `wp_lang`
+ WordPress Localized Language. Default: ''
+
+* `wp_plugin_dir`
+ WordPress Plugin Directory. Full path, no trailing slash. Default: WordPress Default
+
+* `wp_additional_config`
+ Specifies a template to include near the end of the wp-config.php file to add additional options. Default: ''
+
+* `wp_config_content`
+ Specifies the entire content for wp-config.php. This causes many of the other parameters to be ignored and allows an entirely custom config to be passed. It is recommended to use `wp_additional_config` instead of this parameter when possible.
+
+* `wp_table_prefix`
+ Specifies the database table prefix. Default: wp_
+
+* `wp_proxy_host`
+ Specifies a Hostname or IP of a proxy server for Wordpress to use to install updates, plugins, etc. Default: ''
+
+* `wp_proxy_port`
+ Specifies the port to use with the proxy host. Default: ''
+
+* `wp_site_url`
+ If your WordPress server is behind a proxy, you might need to set the WP_SITEURL with this parameter. Default: 'undef'
+
+* `wp_multisite`
+ Specifies whether to enable the multisite feature. Requires `wp_site_domain` to also be passed. Default: `false`
+
+* `wp_site_domain`
+ Specifies the `DOMAIN_CURRENT_SITE` value that will be used when configuring multisite. Typically this is the address of the main wordpress instance. Default: ''
+
+* `wp_debug`
+ Specifies the `WP_DEBUG` value that will control debugging. This must be true if you use the next two debug extensions. Default: 'false'
+
+* `wp_debug_log`
+ Specifies the `WP_DEBUG_LOG` value that extends debugging to cause all errors to also be saved to a debug.log logfile insdie the /wp-content/ directory. Default: 'false'
+
+* `wp_debug_display`
+ Specifies the `WP_DEBUG_DISPLAY` value that extends debugging to cause debug messages to be shown inline, in HTML pages. Default: 'false'
+
+### Define wordpress::instance
+
+* The parameters for `wordpress::instance` is exactly the same as the class `wordpress` except as noted below.
+* The title will be used as the default value for `install_dir` unless otherwise specified.
+* The `db_name` and `db_user` parameters are required.
+
+### Other classes and defines
+
+The classes `wordpress::app` and `wordpress::db` and defines `wordpress::instance::app` and `wordpress::instance::db` are technically private, but any PRs which add documentation and tests so that they may be made public for multi-node deployments are welcome!
+
+## Example Usage
+
+Default single deployment (insecure; default passwords and installed as root):
+
+```puppet
+class { 'wordpress': }
+```
+
+Basic deployment (secure database password, installed as `wordpress` user/group. NOTE: in this example you must ensure the `wordpress` user already exists):
+
+```puppet
+class { 'wordpress':
+ wp_owner => 'wordpress',
+ wp_group => 'wordpress',
+ db_user => 'wordpress',
+ db_password => 'hvyH(S%t(\"0\"16',
+}
+```
+
+Basic deployment of multiple instances (secure database password, installed as `wordpress` user/group):
+
+```puppet
+wordpress::instance { '/opt/wordpress1':
+ wp_owner => 'wordpress1',
+ wp_group => 'wordpress1',
+ db_user => 'wordpress1',
+ db_name => 'wordpress1',
+ db_password => 'hvyH(S%t(\"0\"16',
+}
+wordpress::instance { '/opt/wordpress2':
+ wp_owner => 'wordpress2',
+ wp_group => 'wordpress2',
+ db_user => 'wordpress2',
+ db_name => 'wordpress2',
+ db_password => 'bb69381b4b9de3a232',
+}
+```
+
+Externally hosted MySQL DB:
+
+```puppet
+class { 'wordpress':
+ db_user => 'wordpress',
+ db_password => 'hvyH(S%t(\"0\"16',
+ db_host => 'db.example.com',
+}
+```
+
+Disable module's database/user creation (the database and db user must still exist with correct permissions):
+
+```puppet
+class { 'wordpress':
+ db_user => 'wordpress',
+ db_password => 'hvyH(S%t(\"0\"16',
+ create_db => false,
+ create_db_user => false,
+}
+```
+
+Install specific version of WordPress:
+
+```puppet
+class { 'wordpress':
+ version => '3.4',
+}
+```
+
+Install WordPress to a specific directory:
+
+```puppet
+class { 'wordpress':
+ install_dir => '/var/www/wordpress',
+}
+```
+
+Download `wordpress-${version}.tar.gz` from an internal server:
+
+```puppet
+class { 'wordpress':
+ install_url => 'http://internal.example.com/software',
+}
+```
+
+Configure wordpress to download updates and plugins through a proxy:
+
+```puppet
+class { 'wordpress':
+ proxy_host => 'http://my.proxy.corp.com',
+ proxy_port => '8080',
+}
+```
+
+Enable the multisite wordpress feature:
+
+```puppet
+class { 'wordpress':
+ wp_multisite => true,
+ wp_site_domain => 'blog.domain.com',
+}
+```
+
+Add custom configuration to wp-config.php:
+
+```puppet
+class { 'wordpress':
+ wp_additional_config => 'foo/wp-config-extra.php.erb',
+}
+```
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/Rakefile b/modules/vulnerabilities/unix/webapp/wordpress/Rakefile
new file mode 100644
index 000000000..81381e0cf
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/Rakefile
@@ -0,0 +1,2 @@
+require 'puppetlabs_spec_helper/rake_tasks'
+require 'puppet-syntax/tasks/puppet-syntax'
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/appveyor.yml b/modules/vulnerabilities/unix/webapp/wordpress/appveyor.yml
new file mode 100644
index 000000000..5fd5e8925
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/appveyor.yml
@@ -0,0 +1,57 @@
+version: 1.1.x.{build}
+skip_commits:
+ message: /^\(?doc\)?.*/
+clone_depth: 10
+init:
+ - SET
+ - 'mkdir C:\ProgramData\PuppetLabs\code && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\facter && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\hiera && exit 0'
+ - 'mkdir C:\ProgramData\PuppetLabs\puppet\var && exit 0'
+environment:
+ matrix:
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: syntax lint
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: metadata_lint
+ -
+ RUBY_VERSION: 24-x64
+ CHECK: rubocop
+ -
+ PUPPET_GEM_VERSION: ~> 4.0
+ RUBY_VERSION: 21
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 4.0
+ RUBY_VERSION: 21-x64
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 5.0
+ RUBY_VERSION: 24
+ CHECK: spec
+ -
+ PUPPET_GEM_VERSION: ~> 5.0
+ RUBY_VERSION: 24-x64
+ CHECK: spec
+matrix:
+ fast_finish: true
+install:
+ - set PATH=C:\Ruby%RUBY_VERSION%\bin;%PATH%
+ - bundle install --jobs 4 --retry 2 --without system_tests
+ - type Gemfile.lock
+build: off
+test_script:
+ - bundle exec puppet -V
+ - ruby -v
+ - gem -v
+ - bundle -v
+ - bundle exec rake %CHECK%
+notifications:
+ - provider: Email
+ to:
+ - nobody@nowhere.com
+ on_build_success: false
+ on_build_failure: false
+ on_build_status_changed: false
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/app.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/app.pp
new file mode 100644
index 000000000..fcefb1f99
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/app.pp
@@ -0,0 +1,48 @@
+class wordpress::app (
+ $install_dir,
+ $install_url,
+ $version,
+ $db_name,
+ $db_host,
+ $db_user,
+ $db_password,
+ $wp_owner,
+ $wp_group,
+ $wp_lang,
+ $wp_config_content,
+ $wp_plugin_dir,
+ $wp_additional_config,
+ $wp_table_prefix,
+ $wp_proxy_host,
+ $wp_proxy_port,
+ $wp_site_url,
+ $wp_multisite,
+ $wp_site_domain,
+ $wp_debug,
+ $wp_debug_log,
+ $wp_debug_display,
+) {
+ wordpress::instance::app { $install_dir:
+ install_dir => $install_dir,
+ install_url => $install_url,
+ version => $version,
+ db_name => $db_name,
+ db_host => $db_host,
+ db_user => $db_user,
+ db_password => $db_password,
+ wp_owner => $wp_owner,
+ wp_group => $wp_group,
+ wp_lang => $wp_lang,
+ wp_plugin_dir => $wp_plugin_dir,
+ wp_additional_config => $wp_additional_config,
+ wp_table_prefix => $wp_table_prefix,
+ wp_proxy_host => $wp_proxy_host,
+ wp_proxy_port => $wp_proxy_port,
+ wp_site_url => $wp_site_url,
+ wp_multisite => $wp_multisite,
+ wp_site_domain => $wp_site_domain,
+ wp_debug => $wp_debug,
+ wp_debug_log => $wp_debug_log,
+ wp_debug_display => $wp_debug_display,
+ }
+}
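Review bot: `wordpress::app` declares `$wp_config_content` but the `wordpress::instance::app` declaration never passes it, so a caller-supplied value is silently dropped on this path. `init.pp` forwards the same parameter to `wordpress::instance`, so this looks like an omission rather than a design choice; `wordpress::instance::app` is not visible in this part of the diff, so confirm that it accepts the parameter. If it does, add `wp_config_content => $wp_config_content,` after the `wp_lang` line. The class also has no header comment marking it as private, which is how the README describes it.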
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/db.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/db.pp
new file mode 100644
index 000000000..39cfd63f1
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/db.pp
@@ -0,0 +1,17 @@
+class wordpress::db (
+ $create_db,
+ $create_db_user,
+ $db_name,
+ $db_host,
+ $db_user,
+ $db_password,
+) {
+ wordpress::instance::db { "${db_host}/${db_name}":
+ create_db => $create_db,
+ create_db_user => $create_db_user,
+ db_name => $db_name,
+ db_host => $db_host,
+ db_user => $db_user,
+ db_password => $db_password,
+ }
+}
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/init.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/init.pp
new file mode 100644
index 000000000..9eb83a5c5
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/init.pp
@@ -0,0 +1,139 @@
+# == Class: wordpress
+#
+# This module manages wordpress
+#
+# === Parameters
+#
+# [*install_dir*]
+# Specifies the directory into which wordpress should be installed. Default:
+# /opt/wordpress
+#
+# [*install_url*]
+# Specifies the url from which the wordpress tarball should be downloaded.
+# Default: http://wordpress.org
+#
+# [*version*]
+# Specifies the version of wordpress to install. Default: 3.8
+#
+# [*create_db*]
+# Specifies whether to create the db or not. Default: true
+#
+# [*create_db_user*]
+# Specifies whether to create the db user or not. Default: true
+#
+# [*db_name*]
+# Specifies the database name which the wordpress module should be configured
+# to use. Default: wordpress
+#
+# [*db_host*]
+# Specifies the database host to connect to. Default: localhost
+#
+# [*db_user*]
+# Specifies the database user. Default: wordpress
+#
+# [*db_password*]
+# Specifies the database user's password in plaintext. Default: password
+#
+# [*wp_owner*]
+# Specifies the owner of the wordpress files. You must ensure this user
+# exists as this module does not attempt to create it if missing. Default:
+# root
+#
+# [*wp_group*]
+# Specifies the group of the wordpress files. Default: 0 (*BSD/Darwin
+# compatible GID)
+#
+# [*wp_lang*]
+# WordPress Localized Language. Default: ''
+#
+#
+# [*wp_plugin_dir*]
+# WordPress Plugin Directory. Full path, no trailing slash. Default: WordPress Default
+#
+# [*wp_additional_config*]
+# Specifies a template to include near the end of the wp-config.php file to add additional options. Default: ''
+#
+# [*wp_table_prefix*]
+# Specifies the database table prefix. Default: wp_
+#
+# [*wp_proxy_host*]
+# Specifies a Hostname or IP of a proxy server for Wordpress to use to install updates, plugins, etc. Default: ''
+#
+# [*wp_proxy_port*]
+# Specifies the port to use with the proxy host. Default: ''
+#
+# [*wp_site_url*]
+# If your WordPress server is behind a proxy, you might need to set the WP_SITEURL with this parameter. Default: `undef`
+#
+# [*wp_multisite*]
+# Specifies whether to enable the multisite feature. Requires `wp_site_domain` to also be passed. Default: `false`
+#
+# [*wp_site_domain*]
+# Specifies the `DOMAIN_CURRENT_SITE` value that will be used when configuring multisite. Typically this is the address of the main wordpress instance. Default: ''
+#
+# [*wp_debug*]
+# Specifies the `WP_DEBUG` value that will control debugging. This must be true if you use the next two debug extensions. Default: 'false'
+#
+# [*wp_debug_log*]
+# Specifies the `WP_DEBUG_LOG` value that extends debugging to cause all errors to also be saved to a debug.log logfile insdie the /wp-content/ directory. Default: 'false'
+#
+# [*wp_debug_display*]
+# Specifies the `WP_DEBUG_DISPLAY` value that extends debugging to cause debug messages to be shown inline, in HTML pages. Default: 'false'
+#
+# === Requires
+#
+# === Examples
+#
+class wordpress (
+ $install_dir = '/opt/wordpress',
+ $install_url = 'http://wordpress.org',
+ $version = '3.8',
+ $create_db = true,
+ $create_db_user = true,
+ $db_name = 'wordpress',
+ $db_host = 'localhost',
+ $db_user = 'wordpress',
+ $db_password = 'password',
+ $wp_owner = 'root',
+ $wp_group = '0',
+ $wp_lang = '',
+ $wp_config_content = undef,
+ $wp_plugin_dir = 'DEFAULT',
+ $wp_additional_config = 'DEFAULT',
+ $wp_table_prefix = 'wp_',
+ $wp_proxy_host = '',
+ $wp_proxy_port = '',
+ $wp_site_url = undef,
+ $wp_multisite = false,
+ $wp_site_domain = '',
+ $wp_debug = false,
+ $wp_debug_log = false,
+ $wp_debug_display = false,
+) {
+ wordpress::instance { $install_dir:
+ install_dir => $install_dir,
+ install_url => $install_url,
+ version => $version,
+ create_db => $create_db,
+ create_db_user => $create_db_user,
+ db_name => $db_name,
+ db_host => $db_host,
+ db_user => $db_user,
+ db_password => $db_password,
+ wp_owner => $wp_owner,
+ wp_group => $wp_group,
+ wp_lang => $wp_lang,
+ wp_config_content => $wp_config_content,
+ wp_plugin_dir => $wp_plugin_dir,
+ wp_additional_config => $wp_additional_config,
+ wp_table_prefix => $wp_table_prefix,
+ wp_proxy_host => $wp_proxy_host,
+ wp_proxy_port => $wp_proxy_port,
+ wp_site_url => $wp_site_url,
+ wp_multisite => $wp_multisite,
+ wp_site_domain => $wp_site_domain,
+ wp_debug => $wp_debug,
+ wp_debug_log => $wp_debug_log,
+ wp_debug_display => $wp_debug_display,
+ }
+}
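Review bot: The class defaults set a predictable database credential (`$db_password = 'password'`), install the files as `root`, and download the tarball from `http://wordpress.org` over plain HTTP; whether the download is checksum-verified is not visible in this hunk. Because the module sits under `modules/vulnerabilities`, these may be deliberate for the scenario, but then the header comment should say so explicitly so the class is not reused as a hardened baseline. If they are not deliberate, make `$db_password` a required parameter and change the URL default to `$install_url = 'https://wordpress.org',`. The parameter docs also omit `wp_config_content` and give defaults for `wp_plugin_dir` and `wp_additional_config` that differ from the `'DEFAULT'` values in the signature.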
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance.pp
new file mode 100644
index 000000000..54e92fb85
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance.pp
@@ -0,0 +1,135 @@
+# == Definition: wordpress::instance
+#
+# This module manages wordpress
+#
+# === Parameters
+#
+# [*install_dir*]
+# Specifies the directory into which wordpress should be installed. Default:
+# /opt/wordpress
+#
+# [*install_url*]
+# Specifies the url from which the wordpress tarball should be downloaded.
+# Default: http://wordpress.org
+#
+# [*version*]
+# Specifies the version of wordpress to install. Default: 3.8
+#
+# [*create_db*]
+# Specifies whether to create the db or not. Default: true
+#
+# [*create_db_user*]
+# Specifies whether to create the db user or not. Default: true
+#
+# [*db_name*]
+# Specifies the database name which the wordpress module should be configured
+# to use. Required.
+#
+# [*db_host*]
+# Specifies the database host to connect to. Default: localhost
+#
+# [*db_user*]
+# Specifies the database user. Required.
+#
+# [*db_password*]
+# Specifies the database user's password in plaintext. Default: password
+#
+# [*wp_owner*]
+# Specifies the owner of the wordpress files. Default: root
+#
+# [*wp_group*]
+# Specifies the group of the wordpress files. Default: 0 (*BSD/Darwin
+# compatible GID)
+#
+# [*wp_lang*]
+# WordPress Localized Language. Default: ''
+#
+#
+# [*wp_plugin_dir*]
+# WordPress Plugin Directory. Full path, no trailing slash. Default: WordPress Default
+#
+# [*wp_additional_config*]
+# Specifies a template to include near the end of the wp-config.php file to add additional options. Default: ''
+#
+# [*wp_table_prefix*]
+# Specifies the database table prefix. Default: wp_
+#
+# [*wp_proxy_host*]
+# Specifies a Hostname or IP of a proxy server for Wordpress to use to install updates, plugins, etc. Default: ''
+#
+# [*wp_proxy_port*]
+# Specifies the port to use with the proxy host. Default: ''
+#
+# [*wp_site_url*]
+# If your WordPress server is behind a proxy, you might need to set the WP_SITEURL with this parameter. Default: `undef`
+#
+# [*wp_multisite*]
+# Specifies whether to enable the multisite feature. Requires `wp_site_domain` to also be passed. Default: `false`
+#
+# [*wp_site_domain*]
+# Specifies the `DOMAIN_CURRENT_SITE` value that will be used when configuring multisite. Typically this is the address of the main wordpress instance. Default: ''
+#
+# === Requires
+#
+# === Examples
+#
+define wordpress::instance (
+ $db_name,
+ $db_user,
+ $install_dir = $title,
+ $install_url = 'http://wordpress.org',
+ $version = '3.8',
+ $create_db = true,
+ $create_db_user = true,
+ $db_host = 'localhost',
+ $db_password = 'password',
+ $wp_owner = 'root',
+ $wp_group = '0',
+ $wp_lang = '',
+ $wp_config_content = undef,
+ $wp_plugin_dir = 'DEFAULT',
+ $wp_additional_config = 'DEFAULT',
+ $wp_table_prefix = 'wp_',
+ $wp_proxy_host = '',
+ $wp_proxy_port = '',
+ $wp_site_url = undef,
+ $wp_multisite = false,
+ $wp_site_domain = '',
+ $wp_debug = false,
+ $wp_debug_log = false,
+ $wp_debug_display = false,
+) {
+ wordpress::instance::app { $install_dir:
+ install_dir => $install_dir,
+ install_url => $install_url,
+ version => $version,
+ db_name => $db_name,
+ db_host => $db_host,
+ db_user => $db_user,
+ db_password => $db_password,
+ wp_owner => $wp_owner,
+ wp_group => $wp_group,
+ wp_lang => $wp_lang,
+ wp_config_content => $wp_config_content,
+ wp_plugin_dir => $wp_plugin_dir,
+ wp_additional_config => $wp_additional_config,
+ wp_table_prefix => $wp_table_prefix,
+ wp_proxy_host => $wp_proxy_host,
+ wp_proxy_port => $wp_proxy_port,
+ wp_site_url => $wp_site_url,
+ wp_multisite => $wp_multisite,
+ wp_site_domain => $wp_site_domain,
+ wp_debug => $wp_debug,
+ wp_debug_log => $wp_debug_log,
+ wp_debug_display => $wp_debug_display,
+ }
+
+ wordpress::instance::db { "${db_host}/${db_name}":
+ create_db => $create_db,
+ create_db_user => $create_db_user,
+ db_name => $db_name,
+ db_host => $db_host,
+ db_user => $db_user,
+ db_password => $db_password,
+ }
+}
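Review bot: `$db_password = 'password'` in the parameter list gives every `wordpress::instance` that omits the parameter a well-known database credential, which `wordpress::instance::db` then pairs with an `ALL` grant. The acceptance spec in this commit declares instances with only `db_name` and `db_user`, so the default is actually exercised. If the weak default is deliberate for this lab module, say so in the header, e.g. `# Default: password (intentionally weak; override outside training images)`; otherwise drop the default so the parameter is required like `db_name` and `db_user`. The header comment also has no entry for `wp_config_content`, `wp_debug`, `wp_debug_log` or `wp_debug_display`, although all four are accepted.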
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/app.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/app.pp
new file mode 100644
index 000000000..4bc1291e3
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/app.pp
@@ -0,0 +1,146 @@
+define wordpress::instance::app (
+ $install_dir,
+ $install_url,
+ $version,
+ $db_name,
+ $db_host,
+ $db_user,
+ $db_password,
+ $wp_owner,
+ $wp_group,
+ $wp_lang,
+ $wp_config_content,
+ $wp_plugin_dir,
+ $wp_additional_config,
+ $wp_table_prefix,
+ $wp_proxy_host,
+ $wp_proxy_port,
+ $wp_site_url,
+ $wp_multisite,
+ $wp_site_domain,
+ $wp_debug,
+ $wp_debug_log,
+ $wp_debug_display,
+) {
+ validate_string($install_dir,$install_url,$version,$db_name,$db_host,$db_user,$db_password,$wp_owner,$wp_group, $wp_lang, $wp_plugin_dir,$wp_additional_config,$wp_table_prefix,$wp_proxy_host,$wp_proxy_port,$wp_site_domain)
+ validate_bool($wp_multisite, $wp_debug, $wp_debug_log, $wp_debug_display)
+ validate_absolute_path($install_dir)
+
+ if $wp_config_content and ($wp_lang or $wp_debug or $wp_debug_log or $wp_debug_display or $wp_proxy_host or $wp_proxy_port or $wp_multisite or $wp_site_domain) {
+ warning('When $wp_config_content is set, the following parameters are ignored: $wp_table_prefix, $wp_lang, $wp_debug, $wp_debug_log, $wp_debug_display, $wp_plugin_dir, $wp_proxy_host, $wp_proxy_port, $wp_multisite, $wp_site_domain, $wp_additional_config')
+ }
+
+ if $wp_multisite and ! $wp_site_domain {
+ fail('wordpress class requires `wp_site_domain` parameter when `wp_multisite` is true')
+ }
+
+ if $wp_debug_log and ! $wp_debug {
+ fail('wordpress class requires `wp_debug` parameter to be true, when `wp_debug_log` is true')
+ }
+
+ if $wp_debug_display and ! $wp_debug {
+ fail('wordpress class requires `wp_debug` parameter to be true, when `wp_debug_display` is true')
+ }
+
+ ## Resource defaults
+ File {
+ owner => $wp_owner,
+ group => $wp_group,
+ mode => '0644',
+ }
+ Exec {
+ path => ['/bin','/sbin','/usr/bin','/usr/sbin'],
+ cwd => $install_dir,
+ logoutput => 'on_failure',
+ }
+
+ ## Installation directory
+ if ! defined(File[$install_dir]) {
+ file { $install_dir:
+ ensure => directory,
+ recurse => true,
+ }
+ } else {
+ notice("Warning: cannot manage the permissions of ${install_dir}, as another resource (perhaps apache::vhost?) is managing it.")
+ }
+
+ ## tar.gz. file name lang-aware
+ if $wp_lang and $wp_lang != '' {
+ $install_file_name = "wordpress-${version}-${wp_lang}.tar.gz"
+ } else {
+ $install_file_name = "wordpress-${version}.tar.gz"
+ }
+
+ ## Download and extract
+ exec { "Download wordpress ${install_url}/wordpress-${version}.tar.gz to ${install_dir}":
+ command => "wget ${install_url}/${install_file_name}",
+ creates => "${install_dir}/${install_file_name}",
+ require => File[$install_dir],
+ user => $wp_owner,
+ group => $wp_group,
+ }
+ -> exec { "Extract wordpress ${install_dir}":
+ command => "tar zxvf ./${install_file_name} --strip-components=1",
+ creates => "${install_dir}/index.php",
+ user => $wp_owner,
+ group => $wp_group,
+ }
+ ~> exec { "Change ownership ${install_dir}":
+ command => "chown -R ${wp_owner}:${wp_group} ${install_dir}",
+ refreshonly => true,
+ user => $wp_owner,
+ group => $wp_group,
+ }
+
+ ## Configure wordpress
+ #
+ concat { "${install_dir}/wp-config.php":
+ owner => $wp_owner,
+ group => $wp_group,
+ mode => '0755',
+ require => Exec["Extract wordpress ${install_dir}"],
+ }
+ if $wp_config_content {
+ concat::fragment { "${install_dir}/wp-config.php body":
+ target => "${install_dir}/wp-config.php",
+ content => $wp_config_content,
+ order => '20',
+ }
+ } else {
+ # Template uses no variables
+ file { "${install_dir}/wp-keysalts.php":
+ ensure => present,
+ content => template('wordpress/wp-keysalts.php.erb'),
+ replace => false,
+ require => Exec["Extract wordpress ${install_dir}"],
+ }
+ concat::fragment { "${install_dir}/wp-config.php keysalts":
+ target => "${install_dir}/wp-config.php",
+ source => "${install_dir}/wp-keysalts.php",
+ order => '10',
+ require => File["${install_dir}/wp-keysalts.php"],
+ }
+ # Template uses:
+ # - $db_name
+ # - $db_user
+ # - $db_password
+ # - $db_host
+ # - $wp_table_prefix
+ # - $wp_lang
+ # - $wp_plugin_dir
+ # - $wp_proxy_host
+ # - $wp_proxy_port
+ # - $wp_site_url
+ # - $wp_multisite
+ # - $wp_site_domain
+ # - $wp_additional_config
+ # - $wp_debug
+ # - $wp_debug_log
+ # - $wp_debug_display
+ concat::fragment { "${install_dir}/wp-config.php body":
+ target => "${install_dir}/wp-config.php",
+ content => template('wordpress/wp-config.php.erb'),
+ order => '20',
+ }
+ }
+}
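Review bot: The `Download wordpress` exec fetches the tarball with `wget ${install_url}/${install_file_name}` and the next exec unpacks it, with no checksum or signature check in between. The callers default `install_url` to plain `http://` and `wp_owner` to `root`, so whatever the network returns is extracted as root under `install_dir`. Consider defaulting to an `https://` URL and adding an optional checksum parameter that is verified (for example with `sha256sum -c`) before the `tar` step. Separately, the `concat` resource writes `wp-config.php`, which holds `DB_PASSWORD` and the key salts, with `mode => '0755'`. A mode without world read, e.g. `mode => '0640'`, would be tighter, assuming the web server reads the file through `wp_group`.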
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/db.pp b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/db.pp
new file mode 100644
index 000000000..29672d0c3
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/manifests/instance/db.pp
@@ -0,0 +1,30 @@
+define wordpress::instance::db (
+ $create_db,
+ $create_db_user,
+ $db_name,
+ $db_host,
+ $db_user,
+ $db_password,
+) {
+ validate_bool($create_db,$create_db_user)
+ validate_string($db_name,$db_host,$db_user,$db_password)
+
+ ## Set up DB using puppetlabs-mysql defined type
+ if $create_db {
+ mysql_database { "${db_host}/${db_name}":
+ name => $db_name,
+ charset => 'utf8',
+ }
+ }
+ if $create_db_user {
+ mysql_user { "${db_user}@${db_host}":
+ password_hash => mysql_password($db_password),
+ }
+ mysql_grant { "${db_user}@${db_host}/${db_name}.*":
+ table => "${db_name}.*",
+ user => "${db_user}@${db_host}",
+ privileges => ['ALL'],
+ }
+ }
+
+}
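Review bot: `mysql_user { "${db_user}@${db_host}": }` and the matching `mysql_grant` use `db_host` as the host part of the account, but in MySQL that part names the client the user connects from, not the server. This works for the `localhost` default; with a remote `db_host` the account would be created by the node applying this catalog and would only admit connections originating from the database host itself. A separate parameter for the allowed client host would be clearer; how remote databases are meant to be handled needs confirming, since the acceptance spec leaves that case as a placeholder. `privileges => ['ALL']` is also broader than WordPress normally needs and could be narrowed to the data and schema privileges it uses.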
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/metadata.json b/modules/vulnerabilities/unix/webapp/wordpress/metadata.json
new file mode 100644
index 000000000..db048d41d
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/metadata.json
@@ -0,0 +1,61 @@
+{
+ "name": "hunner-wordpress",
+ "version": "1.0.0",
+ "author": "Hunter Haugen",
+ "summary": "Puppet module to set up an instance of wordpress; and optionally a mysql db/user.",
+ "license": "Apache-2.0",
+ "source": "https://github.com/hunner/puppet-wordpress",
+ "dependencies": [
+// {"name":"puppetlabs/concat", "version_requirement":">= 1.0.0"},
+// {"name":"puppetlabs/mysql", "version_requirement":">= 2.1.0"},
+// {"name":"puppetlabs/stdlib", "version_requirement":">= 2.3.1"}
+ ],
+ "operatingsystem_support": [
+ {
+ "operatingsystem": "CentOS",
+ "operatingsystemrelease": [
+ "7"
+ ]
+ },
+ {
+ "operatingsystem": "OracleLinux",
+ "operatingsystemrelease": [
+ "7"
+ ]
+ },
+ {
+ "operatingsystem": "RedHat",
+ "operatingsystemrelease": [
+ "7"
+ ]
+ },
+ {
+ "operatingsystem": "Scientific",
+ "operatingsystemrelease": [
+ "7"
+ ]
+ },
+ {
+ "operatingsystem": "Debian",
+ "operatingsystemrelease": [
+ "8"
+ ]
+ },
+ {
+ "operatingsystem": "Ubuntu",
+ "operatingsystemrelease": [
+ "16.04"
+ ]
+ }
+ ],
+ "requirements": [
+ {
+ "name": "puppet",
+ "version_requirement": ">= 4.7.0 < 6.0.0"
+ }
+ ],
+ "pdk-version": "1.4.1",
+ "template-url": "https://github.com/puppetlabs/pdk-templates",
+ "template-ref": "1.4.1-0-g52adbbb"
+}
+
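Review bot: The three `//`-prefixed lines inside `"dependencies"` are not valid JSON, so strict parsers will likely reject the whole file; the `metadata_lint` job in `.gitlab-ci.yml` would be the first to notice. JSON has no comment syntax, so either restore the entries as real objects or leave the array empty with `"dependencies": [],`. Commenting them out also hides that the manifests use `concat`, the `mysql_*` types and the `validate_*` functions from those modules, so keeping them declared is the safer choice.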
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/secgen_metadata.xml b/modules/vulnerabilities/unix/webapp/wordpress/secgen_metadata.xml
new file mode 100644
index 000000000..f1462a6c1
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/secgen_metadata.xml
@@ -0,0 +1,61 @@
+
+
+
+ wordpress
+ Thomas Shaw
+ MIT
+ wordpress
+
+ webapp
+ info_leak
+ remote
+ linux
+
+ port
+ dbname
+ dbhost
+ dbuser
+ dbpass
+
+
+ 80
+
+
+
+ userspice
+
+
+
+ localhost
+
+
+
+ userspice
+
+
+
+
+
+
+ https://www.exploit-db.com/exploits/44101/
+ The authors of this website forgot to sanitise their database inputs!
+
+
+ Wheezy
+
+
+
+ .*/handy_cli_tools
+
+
+
+ .*/apache_kali.*
+
+
+
+ .*/mysql
+
+
+
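Review bot: Several values here look carried over from a different module: the database name and user default to `userspice`, and the hint text talks about unsanitised database inputs while the module appears to be typed `info_leak`. The element names are not visible in this view, so this is inferred from the values alone; please confirm that the reference URL, hint and type describe the WordPress install this module actually builds. The declared inputs (`port`, `dbname`, `dbhost`, `dbuser`, `dbpass`) also do not appear to be consumed by `wordpress.pp` in this commit, which declares `class { 'wordpress': }` with defaults and a hard-coded port `'80'`.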
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/nodesets/centos-6-vcloud.yml b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/nodesets/centos-6-vcloud.yml
new file mode 100644
index 000000000..ca9c1d329
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/nodesets/centos-6-vcloud.yml
@@ -0,0 +1,15 @@
+HOSTS:
+ 'centos-6-vcloud':
+ roles:
+ - master
+ platform: el-6-x86_64
+ hypervisor: vcloud
+ template: centos-6-x86_64
+CONFIG:
+ type: foss
+ ssh:
+ keys: "~/.ssh/id_rsa-acceptance"
+ datastore: instance0
+ folder: Delivery/Quality Assurance/Enterprise/Dynamic
+ resourcepool: delivery/Quality Assurance/Enterprise/Dynamic
+ pooling_api: http://vcloud.delivery.puppetlabs.net/
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/wordpress_spec.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/wordpress_spec.rb
new file mode 100644
index 000000000..3d151a257
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/acceptance/wordpress_spec.rb
@@ -0,0 +1,102 @@
+require 'spec_helper_acceptance'
+
+describe "setting up a wordpress instance" do
+ it 'deploys a wordpress instance' do
+ pp = %{
+ class { 'apache':
+ mpm_module => 'prefork',
+ }
+ class { 'apache::mod::php': }
+ class { 'mysql::server': }
+ class { 'mysql::bindings': php_enable => true, }
+ host { 'wordpress.localdomain': ip => '127.0.0.1', }
+
+ apache::vhost { 'wordpress.localdomain':
+ docroot => '/opt/wordpress',
+ port => '80',
+ }
+
+ class { 'wordpress':
+ install_dir => '/opt/wordpress/blog',
+ require => Class['mysql::server'],
+ }
+ }
+
+ expect(apply_manifest(pp, :catch_failures => true).stderr).to eq("")
+ expect(apply_manifest(pp, :catch_changes => true).stderr).to eq("")
+
+ expect(shell("/usr/bin/curl wordpress.localdomain:80/blog/wp-admin/install.php").stdout).to match(/Install WordPress/)
+ end
+
+ it 'deploys two wordpress instances' do
+ pp = %{
+ class { 'apache':
+ mpm_module => 'prefork',
+ }
+ class { 'apache::mod::php': }
+ class { 'mysql::server': }
+ class { 'mysql::bindings': php_enable => true, }
+ host { 'wordpress1.localdomain': ip => '127.0.0.1', }
+ host { 'wordpress2.localdomain': ip => '127.0.0.1', }
+
+ apache::vhost { 'wordpress1.localdomain':
+ docroot => '/opt/wordpress1',
+ port => '80',
+ }
+ apache::vhost { 'wordpress2.localdomain':
+ docroot => '/opt/wordpress2',
+ port => '80',
+ }
+
+ wordpress::instance { '/opt/wordpress1/blog':
+ db_name => 'wordpress1',
+ db_user => 'wordpress1',
+ require => Class['mysql::server'],
+ }
+ wordpress::instance { '/opt/wordpress2/blog':
+ db_name => 'wordpress2',
+ db_user => 'wordpress2',
+ require => Class['mysql::server'],
+ }
+ }
+
+ expect(apply_manifest(pp, :catch_failures => true).stderr).to eq("")
+ expect(apply_manifest(pp, :catch_changes => true).stderr).to eq("")
+
+ expect(shell("/usr/bin/curl wordpress1.localdomain:80/blog/wp-admin/install.php").stdout).to match(/Install WordPress/)
+ expect(shell("/usr/bin/curl wordpress2.localdomain:80/blog/wp-admin/install.php").stdout).to match(/Install WordPress/)
+ end
+
+ it 'deploys a wordpress instance as the httpd user with a secure DB password and a specific location' do
+ pp = %{
+ class { 'apache':
+ mpm_module => 'prefork',
+ }
+ class { 'apache::mod::php': }
+ class { 'mysql::server': }
+ class { 'mysql::bindings::php': }
+
+ apache::vhost { 'wordpress.localdomain':
+ docroot => '/var/www/wordpress',
+ port => '80',
+ }
+
+ class { 'wordpress':
+ install_dir => '/var/www/wordpress/blog',
+ wp_owner => $apache::user,
+ wp_group => $apache::group,
+ db_name => 'wordpress',
+ db_host => 'localhost',
+ db_user => 'wordpress',
+ db_password => 'hvyH(S%t(\"0\"16',
+ }
+ }
+
+ pending
+ end
+
+ it 'deploys a wordpress instance with a remote DB'
+ it 'deploys a wordpress instance with a pre-existing DB'
+ it 'deploys a wordpress instance of a specific version'
+ it 'deploys a wordpress instance from an internal server'
+end
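Review bot: The third example builds a manifest and then calls bare `pending` without ever applying it, so nothing checks how a password containing quotes and other special characters is rendered into `wp-config.php`. Depending on the RSpec version, a `pending` example whose remaining body raises nothing is reported as a failure rather than as pending. `skip 'needs apply_manifest and a wp-config.php assertion'` states the intent more reliably until the example is completed.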
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/classes/wordpress_spec.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/classes/wordpress_spec.rb
new file mode 100644
index 000000000..2ca2b6843
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/classes/wordpress_spec.rb
@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+describe 'wordpress', :type => :class do
+ context "on a RedHat 5 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '5',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress") }
+ it { should contain_wordpress__instance__db("localhost/wordpress") }
+ end
+ context "on a RedHat 6 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '6',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress") }
+ it { should contain_wordpress__instance__db("localhost/wordpress") }
+ end
+ context "on a Debian OS" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress") }
+ it { should contain_wordpress__instance__db("localhost/wordpress") }
+ end
+end
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/default_facts.yml b/modules/vulnerabilities/unix/webapp/wordpress/spec/default_facts.yml
new file mode 100644
index 000000000..3248be5aa
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/default_facts.yml
@@ -0,0 +1,8 @@
+# Use default_module_facts.yml for module specific facts.
+#
+# Facts specified here will override the values provided by rspec-puppet-facts.
+---
+concat_basedir: "/tmp"
+ipaddress: "172.16.254.254"
+is_pe: false
+macaddress: "AA:AA:AA:AA:AA:AA"
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/defines/wordpress_spec.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/defines/wordpress_spec.rb
new file mode 100644
index 000000000..794f1cf4f
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/defines/wordpress_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'wordpress::instance', :type => :define do
+ let :title do
+ '/opt/wordpress2'
+ end
+ let :params do
+ {
+ :db_user => 'test',
+ :db_name => 'test'
+ }
+ end
+ context "on a RedHat 5 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '5',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress2") }
+ it { should contain_wordpress__instance__db("localhost/test") }
+ end
+ context "on a RedHat 6 OS" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :lsbmajdistrelease => '6',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress2") }
+ it { should contain_wordpress__instance__db("localhost/test") }
+ end
+ context "on a Debian OS" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :concat_basedir => '/dne',
+ }
+ end
+ it { should contain_wordpress__instance__app("/opt/wordpress2") }
+ it { should contain_wordpress__instance__db("localhost/test") }
+ end
+end
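Review bot: All three contexts assert only that the two sub-defines are in the catalog; none exercises the `fail()` guards in `wordpress::instance::app`. An example with `wp_multisite => true` and the default empty `wp_site_domain` would be worth adding, because `metadata.json` requires Puppet >= 4.7, where an empty string is truthy and `! $wp_site_domain` may therefore never fire. Something like `it { should compile.and_raise_error(/wp_site_domain/) }` under `let(:params) { { :db_user => 'test', :db_name => 'test', :wp_multisite => true } }` would pin that behaviour. The same gap exists in `spec/classes/wordpress_spec.rb`.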
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/spec.opts b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec.opts
new file mode 100644
index 000000000..de653df4b
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec.opts
@@ -0,0 +1,4 @@
+--format s
+--colour
+--loadby mtime
+--backtrace
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper.rb
new file mode 100644
index 000000000..efd225b54
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper.rb
@@ -0,0 +1,30 @@
+require 'puppetlabs_spec_helper/module_spec_helper'
+require 'rspec-puppet-facts'
+
+begin
+ require 'spec_helper_local' if File.file?(File.join(File.dirname(__FILE__), 'spec_helper_local.rb'))
+rescue LoadError => loaderror
+ warn "Could not require spec_helper_local: #{loaderror.message}"
+end
+
+include RspecPuppetFacts
+
+default_facts = {
+ puppetversion: Puppet.version,
+ facterversion: Facter.version,
+}
+
+default_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_facts.yml'))
+default_module_facts_path = File.expand_path(File.join(File.dirname(__FILE__), 'default_module_facts.yml'))
+
+if File.exist?(default_facts_path) && File.readable?(default_facts_path)
+ default_facts.merge!(YAML.safe_load(File.read(default_facts_path)))
+end
+
+if File.exist?(default_module_facts_path) && File.readable?(default_module_facts_path)
+ default_facts.merge!(YAML.safe_load(File.read(default_module_facts_path)))
+end
+
+RSpec.configure do |c|
+ c.default_facts = default_facts
+end
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper_acceptance.rb b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper_acceptance.rb
new file mode 100644
index 000000000..b0f000afc
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/spec/spec_helper_acceptance.rb
@@ -0,0 +1,35 @@
+require 'beaker-rspec/spec_helper'
+require 'beaker-rspec/helpers/serverspec'
+
+unless ENV['RS_PROVISION'] == 'no' or ENV['BEAKER_provision'] == 'no'
+ if hosts.first.is_pe?
+ install_pe
+ else
+ install_puppet({ :version => '3.6.2',
+ :facter_version => '2.1.0',
+ :hiera_version => '1.3.4',
+ :default_action => 'gem_install' })
+ hosts.each {|h| on h, "/bin/echo '' > #{h['hieraconf']}" }
+ end
+ hosts.each do |host|
+ on host, "mkdir -p #{host['distmoduledir']}"
+ on host, puppet('module','install','puppetlabs-stdlib'), :acceptable_exit_codes => [0,1]
+ on host, puppet('module','install','puppetlabs-concat'), :acceptable_exit_codes => [0,1]
+ on host, puppet('module','install','puppetlabs-mysql' ), :acceptable_exit_codes => [0,1]
+ on host, puppet('module','install','puppetlabs-apache'), :acceptable_exit_codes => [0,1]
+ end
+end
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Readable test descriptions
+ c.formatter = :documentation
+
+ # Configure all nodes in nodeset
+ c.before :suite do
+ # Install module and dependencies
+ puppet_module_install(:source => proj_root, :module_name => 'wordpress')
+ end
+end
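Review bot: `install_puppet` pins Puppet `3.6.2`, while `metadata.json` in this commit declares `>= 4.7.0 < 6.0.0`, so the acceptance run would exercise the module on a version it does not claim to support. The four `puppet module install` calls also accept exit code 1 and install whatever release is current, so a failed or changed dependency goes unnoticed until a later step breaks. Consider installing a supported Puppet version, pinning each module with `--version <pinned>`, and using `:acceptable_exit_codes => [0]`.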
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-config.php.erb b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-config.php.erb
new file mode 100644
index 000000000..f29611e64
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-config.php.erb
@@ -0,0 +1,114 @@
+/**
+ * The base configurations of the WordPress.
+ *
+ * This file has the following configurations: MySQL settings, Table Prefix,
+ * Secret Keys, WordPress Language, and ABSPATH. You can find more information
+ * by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
+ * wp-config.php} Codex page. You can get the MySQL settings from your web host.
+ *
+ * This file is used by the wp-config.php creation script during the
+ * installation. You don't have to use the web site, you can just copy this file
+ * to "wp-config.php" and fill in the values.
+ *
+ * @package WordPress
+ */
+
+// ** MySQL settings - You can get this info from your web host ** //
+/** The name of the database for WordPress */
+define('DB_NAME', '<%= @db_name %>');
+
+/** MySQL database username */
+define('DB_USER', '<%= @db_user %>');
+
+/** MySQL database password */
+define('DB_PASSWORD', '<%= @db_password %>');
+
+/** MySQL hostname */
+define('DB_HOST', '<%= @db_host %>');
+
+/** Database Charset to use in creating database tables. */
+define('DB_CHARSET', 'utf8');
+
+/** The Database Collate type. Don't change this if in doubt. */
+define('DB_COLLATE', '');
+
+/**
+ * WordPress Database Table prefix.
+ *
+ * You can have multiple installations in one database if you give each a unique
+ * prefix. Only numbers, letters, and underscores please!
+ */
+$table_prefix = '<%= @wp_table_prefix %>';
+
+/**
+ * WordPress Localized Language, defaults to English.
+ *
+ * Change this to localize WordPress. A corresponding MO file for the chosen
+ * language must be installed to wp-content/languages. For example, install
+ * de_DE.mo to wp-content/languages and set WPLANG to 'de_DE' to enable German
+ * language support.
+ */
+
+define('WPLANG', '<%= @wp_lang %>');
+
+/**
+ * For developers: WordPress debugging mode.
+ *
+ * Change this to true to enable the display of notices during development.
+ * It is strongly recommended that plugin and theme developers use WP_DEBUG
+ * in their development environments.
+ *
+ * WP_DEBUG_LOG is a companion to WP_DEBUG that causes all errors to also be
+ * saved to a debug.log log file inside the /wp-content/ directory. This is
+ * useful if you want to review all notices later or need to view notices
+ * generated off-screen (e.g. during an AJAX request or wp-cron run).
+ *
+ * WP_DEBUG_DISPLAY is another companion to WP_DEBUG that controls whether
+ * debug messages are shown inside the HTML of pages or not. The default
+ * is 'true' which shows errors and warnings as they are generated. Setting
+ * this to false will hide all errors. This should be used in conjunction with
+ * WP_DEBUG_LOG so that errors can be reviewed later.
+ */
+define('WP_DEBUG', <%= @wp_debug %>);
+define('WP_DEBUG_LOG', <%= @wp_debug_log %>);
+define('WP_DEBUG_DISPLAY', <%= @wp_debug_display %>);
+
+<% if @wp_plugin_dir != 'DEFAULT' %>
+define('WP_PLUGIN_DIR', '<%= @wp_plugin_dir %>');
+<% end %>
+
+<% if @wp_proxy_host and ! @wp_proxy_host.empty? %>
+/* Proxy Settings */
+define('WP_PROXY_HOST', '<%= @wp_proxy_host %>');
+<% if @wp_proxy_port and ! @wp_proxy_port.empty? %>
+define('WP_PROXY_PORT', '<%= @wp_proxy_port %>');
+<% end %>
+<% end %>
+
+<% if @wp_site_url %>
+define('WP_SITEURL', '<%= @wp_site_url %>');
+<% end %>
+
+<% if @wp_multisite %>
+/* Multisite */
+define('WP_ALLOW_MULTISITE', true);
+define('MULTISITE', true);
+define('SUBDOMAIN_INSTALL', true);
+define('DOMAIN_CURRENT_SITE', '<%= @wp_site_domain %>');
+define('PATH_CURRENT_SITE', '/');
+define('SITE_ID_CURRENT_SITE', 1);
+define('BLOG_ID_CURRENT_SITE', 1);
+<% end %>
+
+<% if @wp_additional_config != 'DEFAULT' -%>
+<%= scope.function_template([@wp_additional_config]) %>
+<% end -%>
+/* That's all, stop editing! Happy blogging. */
+
+/** Absolute path to the WordPress directory. */
+if ( !defined('ABSPATH') )
+ define('ABSPATH', dirname(__FILE__) . '/');
+
+/** Sets up WordPress vars and included files. */
+require_once(ABSPATH . 'wp-settings.php');
+
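Review bot: Every string parameter is interpolated raw into a single-quoted PHP literal, e.g. `define('DB_PASSWORD', '<%= @db_password %>');`, so a value containing `'` or ending in `\` terminates the literal early and the remainder is parsed as PHP. `validate_string` in `app.pp` does not restrict the character set. Escaping at render time closes that, for example `define('DB_PASSWORD', '<%= @db_password.gsub(/[\\']/) { |c| "\\" + c } %>');`, applied to the other string values as well. `WP_DEBUG` and its companions are emitted unquoted, which is fine while `validate_bool` guards them, but that coupling deserves a comment in the template.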
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-keysalts.php.erb b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-keysalts.php.erb
new file mode 100644
index 000000000..9f6a4c6dd
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/templates/wp-keysalts.php.erb
@@ -0,0 +1,21 @@
+');
+define('SECURE_AUTH_KEY', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>');
+define('LOGGED_IN_KEY', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>');
+define('NONCE_KEY', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>');
+define('AUTH_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>');
+define('SECURE_AUTH_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>');
+define('LOGGED_IN_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>');
+define('NONCE_SALT', '<%= (1..50).map{(rand(86)+40).chr}.join.gsub(/\\/,'\&\&') %>');
+
+/**#@-*/
+
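Review bot: The keys and salts are built from `rand(86)`, Ruby's general-purpose PRNG, which is not intended for generating secrets. `SecureRandom` from the standard library is the direct replacement: add `<% require 'securerandom' -%>` at the top and use `(SecureRandom.random_number(86)+40).chr` in each line. The repeated expressions could also be produced by one loop over the constant names, which would keep the backslash escaping in a single place. The first visible line of this file (`');`) suggests the start of the template is cut off in this view, so anything before it was not reviewed.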
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/tests/init.pp b/modules/vulnerabilities/unix/webapp/wordpress/tests/init.pp
new file mode 100644
index 000000000..4d39bb34f
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/tests/init.pp
@@ -0,0 +1,7 @@
+class { 'wordpress':
+ install_dir => '/var/www/wordpress',
+ db_name => 'wordpress',
+ db_host => 'localhost',
+ db_user => 'wordpress',
+ db_password => 'insecure password',
+}
diff --git a/modules/vulnerabilities/unix/webapp/wordpress/wordpress.pp b/modules/vulnerabilities/unix/webapp/wordpress/wordpress.pp
new file mode 100644
index 000000000..c483c0d0f
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/wordpress/wordpress.pp
@@ -0,0 +1,16 @@
+class { 'apache':
+ mpm_module => 'prefork',
+}
+
+class { 'apache::mod::php': }
+class { 'mysql::server': }
+class { 'mysql::bindings': php_enable => true, }
+
+apache::vhost { 'wordpress':
+ docroot => '/opt/wordpress',
+ port => '80',
+}
+
+class { 'wordpress':
+ # version => '3.4',
+}
\ No newline at end of file