Hacking a WordPress Website and gaining access to a web application running a “WordPress” Content Management System is a lot easier than you think.
Of course, being able to hack into the admin section of WordPress (typically located at “wp-admin”) is not the same as securing r00t access, to do that you’d need to get into the server which is beyond the scope of this mini-tutorial.
The Good News
In this resource, I will also demonstrate how to safely secure your site from these hacks and to make sure that your WordPress installation is free from such brute force online hacking attempts, so, the good news is that after reading this tutorial you’ll be in a much safer place.
In terms of prevention (I’ll explain the details further down the page), the most important thing you can do is actually insanely simple: change your username from ‘admin’ to something more complicated and, hardly surprisingly, make sure that your password is incredibly complicated. Yes, I know you’ve been told ad nauseam about the importance of a strong password, but the truth is that this alone is almost all you need to protect your WordPress website from, I’d say, 98% of all “script-kiddie” hacks.
Doing the above (along with the other defensive techniques listed below) will negate the “admin WordPress hack” described in this post.
Kali Linux Is Your Friend
The hacking tools required for this hack are WPScan and a solid Linux installation (Operating System). Whilst Kali Linux does not need to be the Linux platform, it is preferred simply because it ships with all the necessary tools to perform this WordPress hack.
Other tools which could be used to brute force WordPress are THC Hydra, Tamper Data and Burp Suite. There are a ton of other tools that you can use, but those just mentioned can be considered the most popular hacking tools for this task.
It should also be noted that this hack is relatively simple and it requires no coding.
Aside from the tools listed above, you will also need a decent WordPress “Brute Force Dictionary List”.
Make Sure Your Target Is Running WordPress
This tutorial is all about WordPress hacking, so – let’s make sure our victim is indeed using WordPress!
Before we dive into how (using Kali Linux and WPScan), we just need to make sure that our victim is indeed running WordPress. There are three easy and quick ways to check.
- View the source of any HTML rendered page via any browser, then hit CTRL+F and type “theme”. If you see a bunch of web resources like the one below, then your victim is almost certainly running WordPress as their CMS.
- Another way to prove that the website is using WordPress is to type /wp-admin after the domain. If it shows the generic WordPress admin login panel, then it wouldn’t take a rocket scientist to establish that our target is indeed using WordPress.
- And yet another way to check instantly is to install a Chrome extension called “BuiltWith”, which lists the technology that lies behind a web application.
See How “Sophisticated” The Target Is
Now that you’ve established that the target is indeed using WordPress, next on the agenda is to confirm just who you’re dealing with. If you see any extra security features, such as a Captcha form or any other anti-robot mechanism, then that, of course, tells you that the webmaster is aware of how easy it can be to hack into WordPress as a user and has taken preventative measures.
These extra security measures (which, to be honest, are pretty rare, especially on sites with relatively low levels of traffic) have all been set up to prevent brute force attacks, which is what we will be showing slightly further down the page.
So, if you do see unexpected obstacles, then you’ll have to take a slightly different approach, and this tutorial won’t help you with that.
Assuming They’re Basic – What Next?
Next on the agenda is testing whether the username “admin” is in use. To do that, simply type “admin” and enter any gibberish password. If you get the following error message, then you know that there is a user called “admin” who, hardly surprisingly, likely has admin rights. Again, just as a footnote: if you do have an account that uses “admin”, then I’d suggest that you either remove it or rapidly rename it.
Once you know the username, you’re halfway through the hack!
Onto the Main Hack! Brute Forcing WordPress Passwords
This attack is all about banging the door down until someone answers.
To learn more, just go ahead and watch this video; it explains it all very easily.
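Since this post promises to show prevention, here is how the two weaknesses the hack relies on (the login error that confirms “admin” exists, and an unlimited number of password guesses) are closed on the WordPress side. This is an added example, not code from the original post: a must-use plugin file assumed to live in wp-content/mu-plugins/, which assumes the site is not behind a reverse proxy (so REMOTE_ADDR is the real client address); the constants LH_MAX_FAILURES and LH_WINDOW_SECS and the helper lh_client_key are names chosen for this example.

```php
<?php
/*
 * Plugin Name: Login Hardening (added example, not part of the original post)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 * Assumption: no reverse proxy in front of the site, so REMOTE_ADDR is the client.
 */

const LH_MAX_FAILURES = 5;       // failed attempts allowed per window (example value)
const LH_WINDOW_SECS  = 15 * 60; // counting / lockout window in seconds (example value)

// Transient key derived from the client address; one counter per address.
function lh_client_key(): string {
    return 'lh_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Runs after core's username/password check (priority 20), so $user is either a
// WP_User or the WP_Error core produced. Priority 30, three arguments.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' || $password === '') {
        return $user; // let core report empty fields as it normally does
    }

    // Lockout: once the threshold is reached, refuse even a correct password.
    if ((int) get_transient(lh_client_key()) >= LH_MAX_FAILURES) {
        return new WP_Error('lh_locked_out', 'Too many failed logins. Try again later.');
    }

    // Collapse "unknown username" and "wrong password" into one message so the
    // response no longer reveals whether "admin" (or any account) exists.
    $leaky = ['invalid_username', 'invalid_email', 'incorrect_password'];
    if (is_wp_error($user) && in_array($user->get_error_code(), $leaky, true)) {
        return new WP_Error('lh_invalid', 'Invalid username or password.');
    }
    return $user;
}, 30, 3);

// Every failed attempt (including ones refused by the lockout) bumps the counter
// and refreshes its expiry, so repeated guessing keeps the window sliding.
add_action('wp_login_failed', function ($username) {
    $key = lh_client_key();
    set_transient($key, (int) get_transient($key) + 1, LH_WINDOW_SECS);
});

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lh_client_key());
}, 10, 2);
```

On a site with many real users behind one NAT address, raise LH_MAX_FAILURES or key the counter on username plus address, since a per-address lockout can otherwise block legitimate colleagues along with the guesser.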