May 23, 2017
May 31, 2017


Today we will discuss attacking and securing WordPress websites. The techniques I am going to discuss are the ones used to attack and break into WordPress websites. The intention of this post is not to teach how to hack WordPress sites and destroy someone's valuable work; it is meant to help WordPress developers who are new to coding and unaware of the vulnerabilities that may be present in the plugins and other components they use. The aim is to raise awareness about the security of WordPress websites: by knowing the methods of attack, we can find the weak points of our own WordPress websites and strengthen them. Penetration testers may also find this post useful, as I am providing some content on penetration testing as well.

Most WordPress Website Owners Don't Know

Most WordPress website owners don't know how WordPress websites get compromised. According to a survey, in 2012 alone more than 170,000 WordPress websites were hacked, and the number is increasing day after day.
The entry points can be analyzed from this graph, which describes how WordPress websites are compromised:
So, the biggest reasons for a WordPress website getting hacked are the use of malicious plugins and brute force attacks. Most newbie WordPress developers use malicious plugins unknowingly and hand over their database and login information to the hackers themselves.

Plugins: Biggest Risk

Plugins play an important role in the development of any WordPress website, and plugins are the reason why WordPress is so popular today. There are approximately 50,000 plugins available on the official WordPress website. Plugins make the development of a website easy and simple: just plug and play and get the expected output. But we are often unaware of the fact that plugins are the biggest entry point for hackers.
If you are using an unknown plugin on your WordPress website, it might contain malicious code that fetches data from your database without your permission. If an injection point like this exists somewhere, a hacker will use a UNION query and can fetch all rows from the wp_users table; below is an example UNION query that pulls every user record from wp_users so the attacker learns the details of all users, including the admin.

union select 1,2,3,4,5,6,group_concat(user_login,'-',user_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40 from wp_users

Through this query, the hacker fetches the admin's account details and, with further information gathering, can log in to the admin section.
  • A few months ago, the plugin all-video-gallery had a vulnerability in config.php because of the following code:
    "SELECT * FROM ".$wpdb->prefix."allvideogallery_profiles WHERE id=".$_pid
Because the value of $_pid is passed directly from the URL into the query, anyone can inject SQL through it in order to fetch the admin's email address.
So we must use plugins carefully and with attention; otherwise all our hard work may go in vain.
  • We must keep plugins updated.
  • We must not use abandoned plugins.
  • We must download plugins only from reputable and trusted websites.
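The query quoted from config.php is the classic concatenation bug. The following is an added example, not the all-video-gallery plugin's own code or anything from the original post: it places the vulnerable pattern beside the fix WordPress developers should apply, which is to cast the id and bind it through $wpdb->prepare(). The function names are assumed for illustration; the only dependency is the global $wpdb object that WordPress provides.

```php
<?php
// Added example (hypothetical function names): the vulnerable pattern quoted
// above beside a hardened version. Assumes it runs inside WordPress, where the
// global $wpdb is available.

// VULNERABLE: $pid_from_request comes straight from the URL and is concatenated
// into the SQL text, so the request can change the shape of the statement.
function avg_get_profile_vulnerable( $pid_from_request ) {
    global $wpdb;
    $sql = "SELECT * FROM " . $wpdb->prefix . "allvideogallery_profiles WHERE id=" . $pid_from_request;
    return $wpdb->get_row( $sql );
}

// HARDENED: the id is reduced to a non-negative integer and bound through a %d
// placeholder. Whatever arrives in the URL can only ever become a number.
function avg_get_profile_safe( $pid_from_request ) {
    global $wpdb;
    $pid = absint( $pid_from_request ); // 0 for anything that is not a positive integer
    if ( 0 === $pid ) {
        return null; // reject bogus ids instead of querying with them
    }
    // Table names cannot be bound, so the prefix is interpolated; it is set by
    // the site owner in wp-config.php, not by the request.
    $table = $wpdb->prefix . 'allvideogallery_profiles';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $pid );
    return $wpdb->get_row( $sql );
}

// Typical call site: the request parameter is never trusted.
$profile = avg_get_profile_safe( isset( $_GET['pid'] ) ? $_GET['pid'] : 0 );
```

The check to apply when reviewing a plugin is simple: every $wpdb->query(), get_row(), get_results() or get_var() call that builds its SQL with string concatenation of anything derived from $_GET, $_POST, $_REQUEST or $_COOKIE is a finding, and the fix is always the prepared form above.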

Attacking a WordPress Website with WPScan

WPScan does not run on the Windows operating system; it can be used from Kali Linux. In order to get the details of the WordPress admin, follow the steps below:

  • WPScan Update

We will start the attack by updating our WPScan. For this, we type: wpscan --update

  • Getting into WordPress vulnerabilities

Use the following command to scan the target website: wpscan --url [wordpress url]

  • Enumerate WordPress Users

We can enumerate the WordPress users with the following command: wpscan --url [wordpress url] --enumerate u

  • Brute Force the Root Password

We can brute force the root password with the command below: wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username to bruteforce] --threads [number of threads to use]

Hence, we finally brute forced the WordPress website's admin password using WPScan. The password in this case was "root123".
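Both WPScan steps above depend on the target cooperating: user enumeration works because WordPress answers ?author=N and the REST users route with login names, and the brute force works because wp-login.php accepts an unlimited number of guesses. The following is an added example, not code from the original post or from WPScan: a small must-use plugin that throttles failed logins per client address and removes the two enumeration sources. The hooks (wp_login_failed, authenticate, template_redirect, rest_endpoints) and functions are standard WordPress APIs; the limits and the lh_ prefix are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example)
 * Description: Throttles failed logins per client IP and blocks user enumeration.
 *
 * Added example, not from the original post. Copy it to wp-content/mu-plugins/
 * so it loads on every request and cannot be disabled from the dashboard.
 * The two limits below are assumptions; tune them for your site.
 */

define( 'LH_MAX_FAILURES', 5 );                       // failed attempts allowed per window
define( 'LH_WINDOW_SECS',  15 * MINUTE_IN_SECONDS );  // how long the counter lives

// Client address used to key the counter. Without a reverse proxy REMOTE_ADDR is
// the one value a client cannot set; behind a proxy, substitute its forwarded header.
function lh_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function lh_counter_key() {
    return 'lh_fail_' . md5( lh_client_ip() );
}

// Count every failed login; this hook fires for unknown usernames as well as
// wrong passwords, so a wordlist run against "admin" or "root" is counted too.
function lh_record_failure( $username ) {
    $key   = lh_counter_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LH_WINDOW_SECS );
    if ( $count >= LH_MAX_FAILURES ) {
        // Leave a trace for log-based alerting. The username is logged, the password never is.
        error_log( sprintf( 'login throttle: %d failures for user "%s" from %s',
            $count, $username, lh_client_ip() ) );
    }
}
add_action( 'wp_login_failed', 'lh_record_failure' );

// Once the limit is reached, refuse the attempt before the password is checked.
// Priority 30 runs after WordPress's own username/password handler (priority 20).
function lh_throttle_authenticate( $user, $username, $password ) {
    if ( (int) get_transient( lh_counter_key() ) >= LH_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lh_throttle_authenticate', 30, 3 );

// ?author=N normally redirects to /author/<login>/, which is what "--enumerate u"
// reads login names from. Answer 403 on the public side instead.
function lh_block_author_enumeration() {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
}
add_action( 'template_redirect', 'lh_block_author_enumeration' );

// The REST users route also lists login names; hide it from anonymous visitors.
function lh_hide_rest_users( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'lh_hide_rest_users' );
```

Transients keep the counter in the object cache or the options table, so no extra dependency is needed, but a per-IP counter is only a first layer: it does nothing against guesses spread over many addresses, which is why a strong, unique admin password (not "root123") and a login name other than "admin" or "root" remain the real mitigation for the brute force shown above.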
