How To Hack WordPress

In this resource I list a couple of ways that outline how to hack WordPress. Is that a bad thing? Yes – but I’m listing them out so that you can become a better developer and even SEO hacker.

Being Able To Hack WordPress Makes You A Better Developer

There’s no doubt. WordPress is a massive, in fact mega, target for hackers.

The key thing to understand about anything to do with hacking is this: the typical hack goes unnoticed for 174 days!

Can you believe that!?

The majority of those hacks, in my opinion, are the result of a vulnerability within WordPress; in other words, WordPress is the gateway into the breach.

What Do We Mean By “Hacking WordPress”

Let’s be clear about what we mean by the broad term “WordPress Hacking”. This term refers to website defacing. That’s it; that’s what it is. To hack a CMS, or indeed, any website for that matter

Hacking a WordPress Website and gaining access to a web application running a “WordPress” Content Management System is a lot easier than you think.

Why Is This A Big Deal?

As of late 2019, 33% of web applications on the Internet are run on WordPress, so clearly it’s a major target for hackers.

The main thing to know about the security implications for WordPress is that it’s common for an inexperienced webmaster to screw up the settings of the CMS and make it vulnerable to hackers, whilst the ability to toughen up WordPress does not take super-advanced technical skills.

The point to understand here is that as long as you follow certain “rules” you can make your WordPress installation tough and secure.

Of course, being able to hack into the admin section of WordPress (typically located at “wp-admin”) is not the same as securing r00t access; to do that you’d need to get into the server, which is beyond the scope of this mini-tutorial.

The Good News

In this resource, I will also demonstrate how to secure your site against these hacks and make sure that your WordPress installation is free from such brute force online hacking attempts. So, the good news is that after reading this tutorial you’ll be in a much safer place.

In terms of prevention, though (I’ll explain those further down the page), the most important thing you can do is actually insanely simple: change your username from ‘admin’ to something more complicated and, hardly surprisingly, make sure that your password is incredibly complicated. Yes, I know that you’ve been told ad nauseam about the importance of making sure that your password is insanely strong, but the truth is that that’s almost all you need to prevent your WordPress website from being hacked by, I’d say, 98% of all “script-kiddie” hacks.

Doing the above (along with the other defensive techniques listed below) will negate the “admin WordPress hack” referred to in this post.

Kali Linux Is Your Friend

The hacking tools required for this hack are WPScan and a solid Linux installation (Operating System). Whilst Kali Linux does not need to be the Linux platform it is preferred simply because it ships with all the necessary tools to perform this WordPress hack.

Other tools that could be used for Brute Force WordPress would be THC Hydra, Tamper Data and Burp Suite. There are a ton of other tools that you can use but essentially those just mentioned can be considered as being the most popular hacking tools for this task.

It should also be noted that this hack is relatively simple and it requires no coding.

Aside from the tools listed above, you will also need a decent WordPress “Brute Force, Dictionary List”.

Make Sure Your Target Is Running WordPress

This tutorial is all about WordPress hacking, so – let’s make sure our victim is indeed using WordPress!

Before we dive into how (using Kali Linux and WPScan) we just need to make sure that our victim is indeed running WordPress. To do this, there are three easy and quick ways to check.

  1. View the source of any HTML rendered page via any browser then hit CTRL+F, type “theme” and if you see a bunch of web resources like the one below, then your victim is almost certainly running WordPress as their CMS.
  2. Another way to prove that the website is using WordPress is to type /wp-admin.php after the domain. If it shows the generic WordPress login admin panel then it wouldn’t take a rocket scientist to establish that our target is indeed using WordPress.
  3. And yet another way to instantly check is to install a Chrome extension called “BuiltWith”, which lists the technology that lies behind a web application.

See How “Sophisticated” The Target Is

Now that you’ve established that the target is indeed using WordPress then next on the agenda is to confirm just who you’re dealing with. If you see any extra security features that have been implemented, such as a Captcha Form, or any other form of anti-robot mechanism then that, of course, tells you that the webmaster is aware of how easy it can be to hack into WordPress as a user and has taken preventative measures.

The extra security features and measures (which to be honest are pretty rare in most instances; especially for relatively low-levels of traffic) which you may come across have all been set up to prevent brute force attacks (which is what we will be showing slightly further down the page).

So, if you do see that there are unexpected obstacles then you’ll have to take a slightly different approach and this tutorial won’t help you with that.

Assuming They’re Basic – What Next?

Next on the agenda is testing that the username “admin” is being used. To do that simply type “admin” and enter any gibberish password and if you get the following error message returned to you then you know that there is a username called “admin” who, hardly surprisingly, likely has “admin rights”. Again, just as a footnote, if you do have an account that uses admin then I’d suggest that you either remove it or rapidly change it.

Once you know the username then you’re halfway through the hack!
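From the site owner's side, the login guessing described above shows up in the web server access log as a burst of POST requests to wp-login.php from one address. The following is an added example, not code from the original post, that flags such sources. It assumes the "combined" log format and that a failed login returns HTTP 200 while a successful one returns a 302 redirect; the log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _line(ip, hhmmss, method, path, status):
    # Builds one access-log line in "combined" format for the constructed sample.
    return f'{ip} - - [12/Mar/2020:{hhmmss} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200) for s in range(0, 12, 2)]
    + [_line("203.0.113.7", "10:00:00", "GET", "/wp-login.php", 200)]
    + [_line("198.51.100.20", "10:01:00", "POST", "/wp-login.php", 200),  # one mistyped password
       _line("198.51.100.20", "10:01:09", "POST", "/wp-login.php", 302)]  # then a normal login
    + [_line("192.0.2.44", f"10:{m:02d}:00", "POST", "/wp-login.php", 200) for m in range(5, 30, 5)]
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_logins(log_text):
    """Yield (ip, timestamp) for every failed wp-login.php POST in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        # Assumption: a failed login re-renders the form (200); a success redirects (302).
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: most failures seen inside one window} for IPs at or above threshold."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed wp-login.php POSTs within one minute")
```

The constructed source 192.0.2.44 fails five times but five minutes apart, so it stays under the one-minute threshold; catching that pattern needs a second pass with a longer window.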

Henry "HMFIC"

I'm Henry, the guy behind this site. I've been Growth Hacking since 2002, yep, that long...

14 thoughts on “How To Hack WordPress”

  1. Hi, do these commands work in Ubuntu?

    I work with Ubuntu on my Windows 10…

    Why, when I used the command /root/desktop/rockyou.txt, does it not work and show Error (invalid option: –wordlist)???

  2. Very interesting. What are file permission settings all about? Can you actually hack a file in the root directory on the server? For example, a content file?

  3. Hi,

    You said, “if you get the following error message returned to you then you know that there is a username called “admin” who, hardly surprisingly, likely has “admin rights”” but didn’t mention the error message. Are you referring to the “ERROR: The password you entered for the username admin is incorrect. Lost your password?” error message?

    Also, do these steps work if the target site is using CloudFlare?


    1. Hi Blanco, 100% correct. It’s amazing but that error message is actually very helpful. CloudFlare will make it more difficult but it really depends on how secure the target has made their WordPress installation.

  4. Please can you tell us how to get the password after we get the username? You have not covered it here?

  5. I need to hack a client who refused to pay me after the work was done and logged me out from both his server and WordPress. Also, he changed the login URL.

    1. Not much you can do here – but honestly, it’s better to solve this legally because it will be obvious who did the WordPress hack….
