In this resource I list a couple of ways that outline how to hack WordPress. Is that a bad thing? Yes - but I'm listing them out so that you can become a better developer and even SEO hacker.

Being Able To Hack WordPress Makes You A Better Developer

There's no doubt. WordPress is a massive, in fact mega, target for hackers.

The key thing to understand about anything to do with hacking is this: the typical hack goes unnoticed for 174 days!

Can you believe that!?

The majority of those hacks, in my opinion, are the result of a vulnerability within WordPress; in other words, WordPress is the gateway into the breach.

What Do We Mean By "Hacking WordPress"

Let’s be clear about what we mean by the broad term “WordPress hacking”. This term refers to website defacing. That’s it; that's what it is. To hack a CMS, or indeed, any website for that matter

Hacking a WordPress website and gaining access to a web application running a “WordPress” Content Management System is a lot easier than you think.

Why Is This A Big Deal?

As of late 2019, 33% of web applications on the Internet are run on WordPress, so clearly it’s a major target for hackers.

The main thing to know about the security implications for WordPress is that it’s common for an inexperienced webmaster to screw up the settings of the CMS and make it vulnerable to hackers, whilst the ability to toughen up WordPress does not take super-advanced technical skills.

The point to understand here is that as long as you follow certain “rules” you can make your WordPress installation tough and secure.

Of course, being able to hack into the admin section of WordPress (typically located at “wp-admin”) is not the same as securing r00t access; to do that you’d need to get into the server, which is beyond the scope of this mini-tutorial.

The Good News

In this resource,
I will also demonstrate how to safely secure your site from these hacks and to make sure that your WordPress installation is free from such brute force online hacking attempts. So, the good news is that after reading this tutorial you’ll be in a much safer place.

In terms of prevention, though (I’ll explain those further down the page), the most important thing you can do is actually insanely simple: change your username from ‘admin’ to something more complicated and, hardly surprisingly, make sure that your password is incredibly complicated. Yes, I know that you’ve been told ad nauseam about the importance of making sure that your password is insanely strong, but the truth is that that’s almost all you need to protect your WordPress website from, I’d say, 98% of all “script-kiddie” hacks.

Doing the above (along with the other defensive techniques listed below) will negate the “admin WordPress hack” referred to in this post.

Kali Linux Is Your Friend

The hacking tools required for this hack are WPScan and a solid Linux installation (Operating System). Whilst Kali Linux does not need to be the Linux platform, it is preferred simply because it ships with all the necessary tools to perform this WordPress hack.

Other tools that could be used to brute force WordPress would be THC Hydra, Tamper Data and Burp Suite.
There are a ton of other tools that you can use, but essentially those just mentioned can be considered the most popular hacking tools for this task.

It should also be noted that this hack is relatively simple and requires no coding.

Aside from the tools listed above, you will also need a decent WordPress “Brute Force, Dictionary List”.

Make Sure Your Target Is Running WordPress

This tutorial is all about WordPress hacking, so – let’s make sure our victim is indeed using WordPress!

Before we dive into how (using Kali Linux and WPScan) we just need to make sure that our victim is indeed running WordPress. To do this, there are three easy and quick ways to check.

View the source of any HTML rendered page via any browser then hit CTRL+F, type “theme” and if you see a bunch of web resources like the one below, then your victim is almost certainly running WordPress as their CMS.

Another way to prove that the website is using WordPress is to type /wp-admin.php after the domain. If it shows the generic WordPress login admin panel then it wouldn’t take a rocket scientist to establish that our target is indeed using WordPress.

And yet another way to instantly check is to install a Chrome extension called “BuiltWith”, which lists the technology that lies behind a web application.

See How “Sophisticated” The Target Is

Now that you’ve established that the target is indeed using WordPress, next on the agenda is to confirm just who you’re dealing with.
If you see any extra security features that have been implemented, such as a Captcha form or any other form of anti-robot mechanism, then that, of course, tells you that the webmaster is aware of how easy it can be to hack into WordPress as a user and has taken preventative measures.

The extra security features and measures which you may come across (which, to be honest, are pretty rare in most instances, especially for sites with relatively low levels of traffic) have all been set up to prevent brute force attacks (which is what we will be showing slightly further down the page).

So, if you do see that there are unexpected obstacles then you’ll have to take a slightly different approach, and this tutorial won’t help you with that.

Assuming They’re Basic – What Next?

Next on the agenda is testing that the username “admin” is being used. To do that, simply type “admin” and enter any gibberish password; if you get the following error message returned to you, then you know that there is a username called “admin” who, hardly surprisingly, likely has “admin rights”. Again, just as a footnote, if you do have an account that uses admin then I’d suggest that you either remove it or rapidly change it.

Once you know the username then you’re halfway through the hack!