How To Hack WordPress In 2020


Learn How To Hack & Defend WordPress Using Plugins & Code

Posted by Henry Dalziel  |  December 16, 2019  |   Questions / Comments 11

How To Hack WordPress In 2020

Cybersecurity Hacker Tool
Henry Dalziel
Henry Dalziel | December 16, 2019

- C|EH, Security+, MSc Marketing Management;
- Based in Hong Kong for the last five years;
- Cybersecurity Pro & Growth Hacker

TL;DR
WordPress is very easy to hack BUT it's also (fairly) simple to defend (if done properly)

Being Able To Hack WordPress Makes You A Better Developer

There’s no doubt. WordPress is a massive, in fact mega, target for hackers.

The key thing to understand about anything to do with hacking is this: the typical hack goes unnoticed for 174 days!

Can you believe that!?

The majority of those hacks, in my opinion, are the result of a vulnerability within WordPress, in other words, WordPress is the gateway into the breach.

What Do We Mean By “Hacking WordPress”

Let’s be clear about what we are referring to the broad term: WordPress Hacking. This term refers to website defacing. That’s it; that’s what it is. To hack a CMS, or indeed, any website for that matter

Hacking a WordPress Website and gaining access to a web application running a “WordPress” Content Management System is a lot easier than you think.

Why Is This A Big Deal?

As of late 2019, 33% of web applications on the Internet are run on WordPress, so clearly it’s a major target for hackers.

The main thing to know about the security implications for WordPress is that it’s common for an inexperienced webmaster to screw up the settings of the CMS and make it vulnerable to hackers, whilst the ability to toughen up WordPress does not take super-advanced technical skills.

The point to understand here is that as long as you follow certain “rules’ you can make your WordPress installation tough and secure.

Of course, being able to hack into the admin section of WordPress (typically located at “wp-admin”) is not the same as securing r00t access, to do that you’d need to get into the server which is beyond the scope of this mini-tutorial.

The Good News

In this resource, I will also demonstrate how to safely secure your site from these hacks and to make sure that your WordPress installation is free from such brute force online hacking attempts, so, the good news is that after reading this tutorial you’ll be in a much safer place.

In terms of the prevention through (I’ll explain those further down the page), the most important thing you can do is actually insanely simple: change your username from ‘admin’ to something more complicated, and, hardly surprisingly, make sure that your password is incredibly complicated. Yes, I know that you’ve been told ad nuseum about the importance of making sure that your password is insanely strong but the truth is that that’s almost all you need to prevent your WordPress website from being hacked from I’d say 98% of all “script-kiddie” hacks.

Doing the above (along with other hacking defensive techniques listed below), will negate this “admin WordPress hack” referred to in this post

Kali Linux Is Your Friend

The hacking tools required for this hack are WPScan and a solid Linux installation (Operating System). Whilst Kali Linux does not need to be the Linux platform it is preferred simply because it ships with all the necessary tools to perform this WordPress hack.

Other tools that could be used for Brute Force WordPress would be THC Hydra, Tamper Data and Burp Suite. There are a ton of other tools that you can use but essentially those just mentioned can be considered as being the most popular hacking tools for this task.

It should also be noted that this hack is relatively simple and it requires no coding.

Aside from the tools listed above, you will also need a decent WordPress “Brute Force, Dictionary List”.

Make Sure Your Target Is Running WordPress

This tutorial is all about WordPress hacking, so – let’s make sure our victim is indeed using WordPress!

Before we dive into how (using Kali Linux and WPScan) we just need to make sure that our victim is indeed running WordPress. To do this, there are three easy and quick ways to check.

  1. View the source of any HTML rendered page via any browser then hit CTRL+F, type “theme” and if you see a bunch of web resources like the one below, then your victim is almost certainly running WordPress as their CMS.
  2. Another way to prove that the website is using WordPress is to type /wp-admin.php after the domain. If it shows the generic WordPress login admin panel then it wouldn’t take a rocket scientist to establish that our target is indeed using WordPress.
  3. And yet, another way to instantly check is to install a Chrome extension called “BuiltWith”, which lists out technology lies behind a web application.

See How “Sophisticated” The Target Is

Now that you’ve established that the target is indeed using WordPress then next on the agenda is to confirm just who you’re dealing with. If you see any extra security features that have been implemented, such as a Captcha Form, or any other form of anti-robot mechanism then that, of course, tells you that the webmaster is aware of how easy it can be to hack into WordPress as a user and has taken preventative measures.

The extra security features and measures (which to be honest are pretty rare in most instances; especially for relatively low-levels of traffic) which you may come across have all been set up to prevent brute force attacks (which is what we will be showing slightly further down the page).

So, if you do see that there are unexpected obstacles then you’ll have to take a slightly different approach and this tutorial won’t help you with that.

Assuming They’re Basic – What Next?

Next on the agenda is testing that the username “admin” is being used. To do that simply type “admin” and enter any gibberish password and if you get the following error message returned to you then you know that there is a username called “admin” who, hardly surprisingly, likely has “admin rights”. Again, just as a footnote, if you do have an account that uses admin then I’d suggest that you either remove it or rapidly change it.

Once you know the username then you’re halfway through the hack!

11 responses to “How To Hack WordPress In 2020”

  1. طراحی سایت و سئو says:

    Hi, this commands working in Ubuntu?

    i work Ubuntu in my windows 10…

    why i used the command /root/desktop/rockyou.txt is not work and show Error (invalid option: –wordlist) ???

  2. Vikas says:

    I love your website and the way you are giving knowledge to all of us. thanks again

  3. Sebastian says:

    Very interesting. What are file permission setting are all about? Can you actually hack a file in root directory on the server? For example content file?

  4. Blanco says:

    Hi,

    You said, “if you get the following error message returned to you then you know that there is a username called “admin” who, hardly surprisingly, likely has “admin rights”” but didn’t mention the error message. Are you referring to the “ERROR: The password you entered for the username admin is incorrect. Lost your password?” error message?

    Also, do these steps work if the target site is using CloudFlare?

    Thanks!

    • Hi Blanco, 100% correct. It’s amazing but that error message is actually very helpful. CloudFlare will make it more difficult but it really depends on how secure the target has made their WordPress installation.

  5. Archie says:

    You can use the WPintel extension to enumerate username. Thank me later.

Leave a Question or Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Some Of Our Other Content

You may also like...

USB Keyloggers
USB Keyloggers

Some of these USB Keyloggers work over WiFi and others even email you the keystrokes! Require NO drivers. Just plant and forget.

Blog Post

N00b Hacking
WiFi Hacking Hardware Devices
WiFi Hacking Hardware Devices

We take a look at hardware used by the pro's to hack into Wireless Networks! (Keyloggers, Deauth Tools, Alfa Scanner etc.)

Blog Post

WiFi Hacking
Mobile Encryption Apps
Mobile Encryption Apps

Is WhatsApp safe? What about Telegram? There are dozens of mobile encryption apps...

List Review

Cyber Hacking
Password Cracking Tools
Password Cracking Tools

John The Ripper, Crowbar, L0phtcrack, Medusa, Rainbowcrack, THC Hydra and more!

List Review

Cyber Hacking
Kali Linux Developers
Meet The Kali Linux Developers

Meet the folks behind the Hacking Tools that make Kali Linux so damn awesome

Blog Post

N00b Hacking
OSCP Advice
How Difficult is OSCP? Get expert advice from those that passed!

We've interviewed over 25 Cybersecurity Professionals to ask them that exact question...

Blog Post

N00b Hacking
How To Hack WordPress 2020
How To Hack WordPress 2020

In this (constantly updated) resource we investigate ways to Hack WordPress

Blog Post

N00b Hacking
Pass CEH First Time
Pass CEH First Time: we ask experts in the field

Are you interested in passing CEH? If yes, read on, we have a ton of advice to share

Blog Post

N00b Hacking