In this resource I outline a couple of ways to hack WordPress. Is that a bad thing? Yes – but I’m listing them so that you can become a better developer and even SEO hacker.
Being Able To Hack WordPress Makes You A Better Developer
There’s no doubt. WordPress is a massive, in fact mega, target for hackers.
The key thing to understand about anything to do with hacking is this: the typical hack goes unnoticed for 174 days!
Can you believe that!?
The majority of those hacks, in my opinion, are the result of a vulnerability within WordPress; in other words, WordPress is the gateway into the breach.
What Do We Mean By “Hacking WordPress”
Let’s be clear about what we mean by the broad term “WordPress Hacking”. This term refers to website defacing. That’s it; that’s what it is. To hack a CMS, or indeed, any website for that matter
Hacking a WordPress website and gaining access to a web application running a “WordPress” Content Management System is a lot easier than you think.
Why Is This A Big Deal?
As of late 2019, 33% of web applications on the Internet are run on WordPress, so clearly it’s a major target for hackers.
The main thing to know about the security implications for WordPress is that it’s common for an inexperienced webmaster to screw up the settings of the CMS and make it vulnerable to hackers, whilst toughening up WordPress does not take super-advanced technical skills.
The point to understand here is that as long as you follow certain “rules” you can make your WordPress installation tough and secure.
Of course, being able to hack into the admin section of WordPress (typically located at “wp-admin”) is not the same as securing r00t access; to do that you’d need to get into the server, which is beyond the scope of this mini-tutorial.
The Good News
In this resource, I will also demonstrate how to secure your site from these hacks and make sure that your WordPress installation is free from such brute force online hacking attempts. So, the good news is that after reading this tutorial you’ll be in a much safer place.
In terms of prevention though (I’ll explain the measures further down the page), the most important thing you can do is actually insanely simple: change your username from “admin” to something more complicated and, hardly surprisingly, make sure that your password is incredibly complicated. Yes, I know that you’ve been told ad nauseam about the importance of making sure that your password is insanely strong, but the truth is that that’s almost all you need to prevent your WordPress website from being hacked by, I’d say, 98% of all “script-kiddie” hacks.
Doing the above (along with the other defensive techniques listed below) will negate the “admin WordPress hack” referred to in this post.
Kali Linux Is Your Friend
The hacking tools required for this hack are WPScan and a solid Linux installation (Operating System). Whilst Kali Linux does not need to be the Linux platform it is preferred simply because it ships with all the necessary tools to perform this WordPress hack.
Other tools that could be used for Brute Force WordPress would be THC Hydra, Tamper Data and Burp Suite. There are a ton of other tools that you can use but essentially those just mentioned can be considered as being the most popular hacking tools for this task.
It should also be noted that this hack is relatively simple and it requires no coding.
Aside from the tools listed above, you will also need a decent WordPress “Brute Force, Dictionary List”.
Make Sure Your Target Is Running WordPress
This tutorial is all about WordPress hacking, so – let’s make sure our victim is indeed using WordPress!
Before we dive into how (using Kali Linux and WPScan), we just need to make sure that our victim is indeed running WordPress. To do this, there are three easy and quick ways to check.
- View the source of any HTML rendered page via any browser, then hit CTRL+F and type “theme”. If you see a bunch of web resources like the one below, then your victim is almost certainly running WordPress as their CMS.
- Another way to prove that the website is using WordPress is to type /wp-admin.php after the domain. If it shows the generic WordPress login admin panel then it wouldn’t take a rocket scientist to establish that our target is indeed using WordPress.
- Yet another way to instantly check is to install a Chrome extension called “BuiltWith”, which lists the technology that lies behind a web application.
See How “Sophisticated” The Target Is
Now that you’ve established that the target is indeed using WordPress, next on the agenda is to confirm just who you’re dealing with. If you see any extra security features that have been implemented, such as a Captcha form or any other form of anti-robot mechanism, then that, of course, tells you that the webmaster is aware of how easy it can be to hack into WordPress as a user and has taken preventative measures.
The extra security features and measures which you may come across (which, to be honest, are pretty rare in most instances, especially for relatively low levels of traffic) have all been set up to prevent brute force attacks (which is what we will be showing slightly further down the page).
So, if you do see that there are unexpected obstacles then you’ll have to take a slightly different approach, and this tutorial won’t help you with that.
Assuming They’re Basic – What Next?
Next on the agenda is testing that the username “admin” is being used. To do that, simply type “admin” and enter any gibberish password. If you get the following error message returned to you then you know that there is a username called “admin” who, hardly surprisingly, likely has “admin rights”. Again, just as a footnote, if you do have an account that uses admin then I’d suggest that you either remove it or rapidly change it.
Once you know the username then you’re halfway through the hack!
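From the defender's side, repeated password guesses against the login form show up in the web server access log as a burst of POST requests to wp-login.php from one address. The detector below is an added example, not part of the original article: it assumes the Apache/Nginx "combined" log format and default WordPress behaviour (a failed login returns 200, a successful one redirects with 302); the function names, threshold, window and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" log line: ip, timestamp, method, path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def sample_line(ip, t, method, path, status):
    """Build one constructed log line, t seconds after 10:00:00 (t < 3600)."""
    stamp = f"12/Mar/2024:10:{t // 60:02d}:{t % 60:02d} +0000"
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "constructed"'

# Constructed sample (documentation IP ranges, not real traffic).
SAMPLE = (
    [sample_line("203.0.113.7", t, "POST", "/wp-login.php", 200) for t in range(0, 48, 6)]
    + [sample_line("198.51.100.20", 5, "GET", "/wp-login.php", 200),
       sample_line("198.51.100.20", 9, "POST", "/wp-login.php", 200),   # one mistyped password
       sample_line("198.51.100.20", 20, "POST", "/wp-login.php", 302)]  # then a successful login
)

def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failed logins inside any sliding window} for IPs >= threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path, status = m.groups()
        # Assumption: default WordPress re-renders the form with 200 on a failed
        # login and redirects with 302 on success, so POST + 200 means "failed".
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php") or status != "200":
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in failed_login_bursts(SAMPLE).items():
        print(f"{ip}: {n} failed wp-login.php attempts within one minute")
```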
14 thoughts on “How To Hack WordPress”
Hi, do these commands work in Ubuntu?
I work with Ubuntu on my Windows 10…
Why, when I use the command
/root/desktop/rockyou.txt
does it not work and show Error (invalid option: --wordlist)???
Likely because the permissions on the file haven’t been set correctly?
How do I set them?
1. Use '--passwords' or '-P' instead.
2. Path names are case sensitive, so use '/root/Desktop/ .....txt'
I love your website and the way you are giving knowledge to all of us. thanks again
Very interesting. What are file permission settings all about? Can you actually hack a file in the root directory on the server? For example, a content file?
Misconfiguration is always what you’re looking for.
Hi,
You said, “if you get the following error message returned to you then you know that there is a username called ‘admin’ who, hardly surprisingly, likely has ‘admin rights’” but didn’t mention the error message. Are you referring to the “ERROR: The password you entered for the username admin is incorrect. Lost your password?” error message?
Also, do these steps work if the target site is using CloudFlare?
Thanks!
Hi Blanco, 100% correct. It’s amazing but that error message is actually very helpful. CloudFlare will make it more difficult but it really depends on how secure the target has made their WordPress installation.
You can use the WPintel extension to enumerate usernames. Thank me later.
Thanks Archie! I love it when folk like you come and drop these absolute gems into the conversation.
Please can you tell us how to get the password after we get the username? You have not covered it here?
I need to hack a client who refused to pay me after the work was done and logged me out from both his server and WordPress; also, he changed the login URL.
Not much you can do here – but honestly, it’s better to solve this legally because it will be obvious who did the WordPress hack….