WordPress Security: Seven Ways I Could Hack Into Your WordPress Site

Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

I’m getting emails from people who are interested in securing their WordPress blogs or websites. If I were going to hack your WordPress blog or website, here are the first seven things I would try, and how you could prevent me from getting in:

1. Upgrade to the newest version of WordPress

I would look up known vulnerabilities in old versions of WordPress. Then I would scan the web looking for sites that are running an old version of WordPress that I know has a hole in it. I would automate the whole process. Once my automated script finds your blog running an old WordPress version, I would simply drop right in through the hole that security databases have known about for months or even years.

You can stop me from doing this by upgrading to the latest version of WordPress, which is version 3.2.1 at the time of this writing.

2. Upgrade all your themes and plugins to their newest versions

In case you’re running the newest WordPress, I would look at your themes and plugins. I would try to find an old version of a theme with a known hole in it. Then I would drop right in and have my evil way with your server.

You can stop me by keeping all your themes and plugins up to date and upgrading immediately when a new version is released.

3. Get rid of the ‘admin’ user

If your WordPress core files, themes and plugins are up to date, I would try to guess your ‘admin’ password. I know the ‘admin’ user exists on most WordPress sites, so I would write a script that keeps trying to log in using all the words in my dictionary.

You can stop me by creating a new user with “administrator” privileges. Then delete the old admin user and make sure you assign all admin’s posts and pages to your new admin user.

4. Make sure all your passwords are strong

OK, so your site is a little more secure than I thought. But I’m not out of tricks yet. When you publish a blog entry, I will look at the name of the user who published the post. Then I will use my good old automated password-guessing script to throw a whole dictionary at your login page, using the username that I saw authored your newest blog entry.

You can stop me by making sure your password doesn’t exist in a dictionary and uses numbers and a mix of upper- and lower-case letters.
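Points 3 and 4 describe the same attack from the defender’s side: a script throwing a dictionary at the login page with a guessed username (‘admin’, or an author name lifted from a published post). This added example, which is not code from the original post or from Wordfence, shows the detection logic a site owner could run over an authentication log; the log format, IP addresses and thresholds are constructed for illustration.

```python
"""Detect dictionary attacks against a WordPress login from an auth log.

Added example, not code from the original post or from Wordfence. The log
format below is constructed for illustration: one line per login attempt,
as a security plugin or a hook on wp_login_failed might write it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, username tried, result.
SAMPLE_LOG = """\
2011-08-01T10:00:01 ip=203.0.113.5 user=admin result=fail
2011-08-01T10:00:02 ip=203.0.113.5 user=admin result=fail
2011-08-01T10:00:02 ip=203.0.113.5 user=admin result=fail
2011-08-01T10:00:03 ip=203.0.113.5 user=admin result=fail
2011-08-01T10:00:04 ip=203.0.113.5 user=admin result=fail
2011-08-01T10:00:05 ip=203.0.113.5 user=admin result=fail
2011-08-01T10:03:10 ip=198.51.100.7 user=mark result=fail
2011-08-01T10:03:40 ip=198.51.100.7 user=mark result=success
2011-08-01T11:15:00 ip=192.0.2.9 user=mark result=fail
2011-08-01T11:15:01 ip=192.0.2.9 user=editor result=fail
2011-08-01T11:15:02 ip=192.0.2.9 user=webmaster result=fail
2011-08-01T11:15:03 ip=192.0.2.9 user=test result=fail
"""

WINDOW = timedelta(minutes=5)   # sliding window for counting failures
MAX_FAILS_PER_USER = 5          # failures against one account from one IP
MAX_USERS_PER_IP = 3            # distinct usernames tried from one IP


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"]


def detect(log_text):
    """Return alerts for the two patterns described in points 3 and 4.

    'dictionary' : one IP failing repeatedly against one username within
                   WINDOW (the admin account or a visible author name).
    'enumeration': one IP trying many different usernames.
    Each alert is (kind, ip, user_or_count, timestamp); a given ip/user
    pair (or ip, for enumeration) is reported at most once.
    """
    fails = defaultdict(deque)      # (ip, user) -> timestamps of failures
    users_tried = defaultdict(set)  # ip -> usernames that failed
    alerts, seen = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "fail":        # a successful login is not evidence
            continue
        window = fails[(ip, user)]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop failures older than WINDOW
            window.popleft()
        key = ("dictionary", ip, user)
        if len(window) >= MAX_FAILS_PER_USER and key not in seen:
            seen.add(key)
            alerts.append(("dictionary", ip, user, ts))
        users_tried[ip].add(user)
        key = ("enumeration", ip)
        if len(users_tried[ip]) >= MAX_USERS_PER_IP and key not in seen:
            seen.add(key)
            alerts.append(("enumeration", ip, len(users_tried[ip]), ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail, ts in detect(SAMPLE_LOG):
        print(f"{ts} {kind:<11} ip={ip} {detail}")
```

The single mistyped password from 198.51.100.7 followed by a success is deliberately not flagged; only sustained failures or a spread of usernames from one address trip the thresholds.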

5. Know what other web applications you have installed

Hmmm. You’re a tough customer. But I’m not done yet. WordPress isn’t the only application I could use to get in. Many websites also have forum software, helpdesk software and other applications installed. Security holes are regularly discovered in these applications, so I will scan your site and find out what other apps you have and see if any of them are old versions with known security problems.

You can stop me by making sure all your other applications are up to date and that every fix the vendor has released for a known security hole has been applied.

6. Make sure all other public services running on your web server are secure

Your site looks secure, so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah, I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check whether the server software or the operating system is an old version with known security holes I can exploit.

You can stop me by making sure your blog host keeps your WordPress server secure and up to date. They should be running a current version of Linux or whichever operating system you are using. The operating system should have the latest patches, and every service running on the machine should be known about, should be necessary and should have hard-to-guess passwords. Don’t be afraid to quiz your blog host about this.

7. Make sure you don’t get social’d

Well, your site seems too secure for me to hack into using my tech skills. So I’m going to use my charming personality. I’ll call you up, pretend I work for your hosting company and try to get any information from you that might be useful. Passwords would be first prize, but I’ll take anything I can get: staff names, your favorite pet, internal phone numbers, products and services your company uses, your birthday, anything that might help me guess passwords or find juicy targets that give me a way in.

You can stop me by making sure you never give out passwords over the phone and don’t give out information unless you’ve verified who you’re talking to. A good tactic if someone has called you is to simply ask them for a call-back number. Then verify who the company is, that the number belongs to them and call them back.

Social engineering is the #1 tactic hackers use to get into secure networks. Read the second comment on this recent Hacker News post (posted a week ago) for an example of how you might call up a company and get the last four digits of someone’s credit card. You might also find this story interesting, about how css-tricks almost lost their domain a few days ago.

Now that you know most of my sneaky hacker ways, you might want to read this WordPress article on how to further secure your WordPress site and keep hackers out.

109 thoughts on “WordPress Security: Seven Ways I Could Hack Into Your WordPress Site”

  1. Attractive element of content. I simply stumbled upon your
    website and in accession capital to assert that
    I acquire actually loved account your blog posts.
    Anyway I’ll be subscribing in your feeds or even I success you access persistently fast.

  2. Nice post. I was checking constantly this blog and I am inspired!

    Extremely useful info specially the remaining part :) I handle
    such info a lot. I used to be seeking this certain information for a long time.

    Thank you and good luck.

  3. Thank you a bunch for sharing this with all people you actually know what you’re speaking about!
    Bookmarked. Kindly also discuss with my site =).
    We will have a hyperlink alternate agreement among us

  4. I know this is off topic but I’m looking into starting my own blog and
    was curious what all is required to get setup? I’m assuming having a blog like yours would cost a pretty penny?
    I’m not very web smart so I’m not 100% sure.
    Any recommendations or advice would be greatly appreciated.
    Thanks

  5. Hello there, just became alert to your blog through Google,
    and found that it is truly informative. I’m gonna watch
    out for brussels. I’ll be grateful if you continue this in future.
    Numerous people will be benefited from your writing. Cheers!

  6. I’ve been exploring for a little for any high quality articles or weblog posts on this sort of space .
    Exploring in Yahoo I ultimately stumbled upon this site. Studying this
    info So i’m happy to convey that I’ve an incredibly just right uncanny feeling I came upon exactly what
    I needed. I so much indisputably will make sure to do not
    forget this website and give it a look regularly.

  7. When you play the game, after that in different amounts you need gems to continue.

    Each group would like to have representation from their own community.
    Simply by amassing one hundred coins, the life in the character can be greater by one.

  8. Hi!
    Great post here! Pls I tried using a WordPress last year but it sucks it’s one of these security plugin that I saw on blogstash.com It affects my blog, then my blog was just a month old so I was trying to strengthen the security of the site, but it seems this plugin I use uses SSL, so I wasn’t allowed to access the admin page. Then I had to forget about the website and go directly to my website’s cpanel to reinstall WordPress on another path, i.e. Mydomain.com/blog.

  9. My Partner And I just recently put in a steam shower unit, the best thing we’ve bought in a while, children and friends and family
    like it so much, unable to see me returning to traditional showers again

  10. It’s perfect time to make some plans for the
    long run and it is time to be happy. I’ve read this submit and
    if I may just I desire to recommend you some fascinating issues or suggestions.
    Maybe you could write subsequent articles regarding this article.

    I desire to learn more things about it!

  11. We’ve been a bunch of volunteers as well as beginning a fresh scheme within our online community. Your blog made available us all using helpful details to works of art in. You have carried out an outstanding endeavor and our own whole local community might be fortunate to you.

  12. Excellent post. I used to be checking continuously this blog and I am inspired! Very useful information particularly the ultimate phase :) I care for such information much. I was looking for this certain info for a long time. Thanks and best of luck.

  13. A powerful share, I simply given this onto a colleague who was doing a little evaluation on this. And he actually purchased me breakfast as a result of I discovered it for him.. smile. So let me reword that: Thnx for the deal with! However yeah Thnkx for spending the time to debate this, I really feel strongly about it and love studying extra on this topic. If potential, as you turn out to be experience, would you thoughts updating your weblog with extra particulars? It’s extremely useful for me. Huge thumb up for this weblog submit!

  14. The website is any bettor than the game menu. It’s time a mate of letters, while the ability to spiel the game, you postulate to be acting. If at that place’s more you’ll be taxed with running across real-life motivations such as Tetris, and” Open” the bad thing? It’s actually one of the most knock-down ninja.

  15. At least my WP blog satisfies all of the points above, I think there is another way to hack a WordPress website is by directly hacking into the host server if it’s insecure, or a hacker can attempt to send some latest custom virus to your computer.

    You can make it difficult for a good hacker to hack, but he would find some vulnerability for sure.

  16. Brute force attacks are terrible on WordPress. What also makes it worse is that WordPress releases the bug fixes when new versions are released, which tell hackers exactly how to hack the older versions.

  17. Hey just wanted to give you a brief heads up and let you know a few
    of the images aren’t loading correctly. I’m not sure why but
    I think its a linking issue. I’ve tried it in two different internet browsers and both show the same outcome.

  18. Good post about WP security!
    I run a Dutch blog about WP security and I want to compliment you with not only mentioning the security hazards, but also explaining how to avoid the risks.
    Maybe I will review your plugin so my readers can learn about it..

    Keep it safe..!

  19. I think it’s high time people take their web business seriously by making sure you keep note on updated files and making sure you check on your site source code, my hacked site was stuffed with url keyword cloaking of viagra and other stuff sometime back on my footer.php page, how it got there still amazes me .. thanks for sharing this great post

  20. I’d like to thank you for the efforts you have put in penning this site. I’m hoping to check out the same high-grade content from you in the future as well. In fact, your creative writing abilities has inspired me to get my own site now ;)

  21. Fantastic publish, very informative. I ponder why the other experts of this sector don’t realize this. You should proceed your writing. I am confident, you’ve a great readers’ base already!|What’s Happening i’m new to this, I stumbled upon this I have discovered It absolutely helpful and it has aided me out loads. I hope to contribute & help different customers like its aided me. Great job.

    • WP is a serious blogging platform. Do not underestimate the choice of more than 50% of bloggers. WP can be used for commercial websites, too. This is the cheapest way to be online with your business.
      If somebody wants to make a website and has money to pay web designers and programmers, let him pay. There are many ways to spend $10k+.

  22. Thank for great information…

    I am just about to start my freelancing business in India.

    Two days ago, someone broke into my WordPress site and changed my username and base_url in the wp_user table.
    So, I could not enter the admin.

    And deleted every line of index.php from the root folder and wrote ‘hacked by hacker’.

    Mark, can you help me please to resolve this security problem?

    • There are several ways to retrieve your information,
      the easiest way is to access phpMyAdmin and access the user table of your WordPress database, there you can perform changes, my suggestion is to change the admin’s email and change your user name from your wp site.

      if you don’t have the server access of your site you might have little difficulty accessing your information

  23. May I simply just say what a relief to discover someone that genuinely understands what they are talking about over the internet. You actually understand how to bring a problem to light and make it important. A lot more people need to check this out and understand this side of your story. It’s surprising you’re not more popular since you certainly have the gift.

  24. I just came across your site looking for plugins for my new wordpress site. Previously, all of my old websites I have run I have done the old fashioned way. I still use Frontpage for editing my main site and link to WordPress in a different directory. This post was very informative. I’ve just finished installing and setting up WordFence. My first scan caught some file changes in the theme which I had made myself and I love that it allows me the option to either always ignore or to ignore until changed, since I would like to know if something else changes these files. I’m definitely going to continue to follow this blog, as you seem to have a lot of useful information.

  25. Great post about all the WordPress security
    recently one of my Wp sites was hacked and I have no clue whatsoever how they got in and what the loophole was?

    Thank you so much for a good post
    by the way
    Please write more articles relating the Wp security I am one of those people who constantly review your posts.

    And by the way enable a captcha you have lots of spam comments

  26. I love your plugin! I am a noob in wordpress and it helps so much. Just wondering, what do people get out of trying to hack into my website?

  27. Hey, so I made this really ridiculous blog post a few years ago that I want to delete really badly. The only problem is that i had a different email account that I completely forgot about, and don’t even remember what it was called or anything.
    Basically I just want to hack into my own account so I can delete it….
    I hope this question doesn’t sound too stupid or anything, I’m just really desperate to delete it and so far haven’t found any help on this.

  28. Thanks for this post. I wonder if anyone has a comment on something I just uncovered on one of my blogs.

    I use a service that tracks what IP addresses visited my blog, when/from where, and what url they last visited. On 2 recent occasions, I saw 2 different IPs had visited my site & went to the url: http://www.myblogname dot com/author/MYUSERNAME.

    My actual username was in the url. This threw me for a loop because my username is not my display name nor my nickname. Through what method can someone find out the usernames on a blog? If people can so easily get access to usernames, then using the system to then crack the passwords would make hacking a breeze. I have login lockdown and I don’t see anyone has attempted to log in, but it’s still scary that 2 people found my username. There must be something I am missing.

  29. Thanks for the tips, very useful
    I use a combination of plugins to keep my sites protected:
    Wordfence Security
    Login Lockdown
    and Timthumb Vulnerability Scanner
    along with changing my login details often.
    Thanks for sharing, Tobi

  30. I think today hackers have become more powerful and have great scripts and tools to hack. But your safety preventions help us a lot. If we use an email it must be made safe by 2-step verification by Gmail. It may help us a lot against getting hacked. So I think there are some plugins also present like “ninja security” or some such. What do you think about these plugins?

  31. Hi, thank you for putting this out. I feel this issue is not enough in the front burner; I say because I never really thought about it until I had to redesign a client’s website and thought I’d do some research (security is always a good thing, I figure).

    After seeing the break-in attempts from places my client has never even worked in or that are not a target audience, I began to do some more homework on it.

    Again thank you for the info.

  32. Because I sort of forgot my administrator
    password and I cannot find where I put the
    Password Reset Disc .. So any advice or
    tips would be great ..

  33. I was wondering if there were any websites
    online that could hack your own password
    in case your forgot your password ??
    That way if it hacked your own password
    then you would be able to remember it ??

  34. Hey I was wondering if there were any sites online
    that could hack your own password in case you
    forgot yours ?? That way it could tell you what your
    password is and then you could remember ??

  35. Am just coming across your blog for the first time, even though this is an old post, I had no choice than to leave my comment, really informative, have just updated my WordPress info

  36. Can you help me to hack my husband’s mistress’s blog? He’s cheating on me and I need solid proof. I want to know everything they did. Thanks.

    • I can help. But I’m not a techie, if you can give me his mistress phone number, I certainly can swing her over to me and leave your husband to you forever.

      But before I can do anything to help…..

      Is she pretty? What’s her cup size and how tall she is? This is important to me for otherwise I can’t guarantee I’ll do a good job.

      Cheers!

  37. On point 4 you can make it even harder by using a nickname for your posts, which you can set up in your WordPress profile. E.g. you could have a username of “markm” but a nickname of “mm”, then all your posts would be signed “mm” but hackers would then be trying to guess a password with the wrong user id.

    If you want to be really devious use “admin” as your nickname and poor mr hacker will probably assume that your userid is the default still.

  38. Thanks man. I’m one of the ones who’s been bugging you :-/ Good tips. Currently on the flip side of my 4th hack. If nothing else, my unix skills are getting better each time around!

    that’s interesting what you said about other services. Up until recently, I had some old, neglected Joomla sites on my server. I’m pretty sure they were gone before this last hack, but I can’t be sure. I also have an old Flash website up … and that uses something called FormMail to send emails back. Haven’t touched it in years.

    This time around I changed all my secret keys and MySQL passwords, which I hadn’t done in the past. Maybe that’ll end the madness :)

    Anyway, as always, keep up the good work.

  39. I’ve another way. I believe most of the WordPress sites are hosted in shared hosting. Therefore, I’d scan first his DNS and try to attack another blog/site in the same server and upload the shell. I have never done that before, but I think it might work as well. For VPS/Dedicated Hosting, of course it won’t work.

  40. Great post mark. Point 7 is a winner in my book. This has been used in just about every industry.
    Personally I love the calls from people that say they work for Windows and have a concern about my home computer.

  41. Great post mark!

    But i do have a question: If i run my website on a shared plan, and the other sites on this server have security holes… do i have to worry about it?

    What if the server is running on a CloudLinux OS, OnApp and CloudFlare environment?

    • “But i do have a question: If i run my website on a shared plan, and the other sites on this server have security holes… do i have to worry about it?”

      Yes, I believe this was Ma.tt’s explanation for the recent DreamHost, GoDaddy, Bluehost, Media Temple and HostGator hacks (and I would agree with him, I was on Media Temple and they changed my database pw twice) although I don’t know if these hosts will admit fault. I’m sure they’re more cautious now.

      Anyway, if you have a Xen-based virtual machine to yourself, I believe Simon Crosby said in a recent interview it has never been penetrated. Other types of virtualization/jailing, I don’t know how secure they are. Maybe a good analogy here: shared hosting is like owning an apartment with paper walls, vs. (virtualization) iron walls. Paper walls, you’re probably not safe from your neighbors ;-) Of course the OS you install on the virtual machine is just as vulnerable as any other OS, but in aggregate you’re safer, ceteris paribus.

      Nice quote from Simon Crosby:

      “Ultimately, virtualization is all about isolation. Isolation gives you a tremendous opportunity to enhance system security.”

      • What about CloudLinux OS shared hosting?
        If I get the idea right, CloudLinux makes a kind of VPS inside a shared hosting plan… virtualizing everything.

        Is it safe or should I just move to a VPS/Dedicated? I’m kinda paranoid with security sometimes.

  42. mark, this is a great article – very informative. We are putting together our year-end newsletter and want to add you to the technical leadership profile section for WordPress.

    It would be so helpful if you could tell us a little more about yourself so we can share that with our readers. Specifically any of the following would be great:

    – your pet name
    – products and services you use
    – your birth date
    – cool stuff you like to do
    – your phone number so we can call back and confirm info

    Bonus information would be really, really neat:

    – social security number
    – full name and address
    – bank account numbers
    – any wordpress accounts and passwords you have

    Please make sure to post the information here in the reply so everyone can share in the knowledge.

    disclaimer: the information above is not to be taken seriously, however we are serious when we say we did enjoy the article and the information provided.

  43. Check out the following “Introduction to WordPress Security” presentation from WordCamp Detroit by David Wilemski:

    http://www.slideshare.net/davidwilemski/word-camp2011-introwordpresssecurity

    You can also easily add two-factor authentication (via push, phone call, SMS, or token) to any WordPress site using our free Duo Security plugin:

    http://wordpress.org/extend/plugins/duo-wordpress/

    Full disclosure: I’m a founder at Duo, and we’re a sister company to Automattic (WordPress.com), backed by True Ventures.

    • That was a really nice presentation. It’s always in the back of my mind how many users you lose when you try to make them authenticate. An example is I won’t comment on blogs normally if I have to log in. You can call it severely lazy.

      • “It’s always in the back of my mind how many users you lose when you try to make them authenticate.”

        Last time I measured the difference, I saw a 6x increase in comments by just requiring a name and nothing else.

  44. Yeah, there are quite a few other things you can do to secure your WordPress site also. One of my favorites is to .htaccess your wp-admin so only allowed IPs can get through, put index.php files in all your directories, correct permissions among others.

  45. It might also be worth noting, you could check to see if there are other websites co-hosted on your server:

    https://blekko.com/ws/http://markmaunder.com/+/seo

    It definitely depends on the configuration, but if another site is running vulnerable software on the same server your site is on, and I gain access to that site and am at least able to run code, I could read the contents of your wp-config.php if it is world readable. Now that I have your database credentials I could create an admin user in your WordPress database and gain access to your site.

    • Good point Matt, although blekko’s data is quite old – this site runs on a different IP address to what they have listed and was moved over some time ago.
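The hardening items in the two comments above (correct file permissions, an index.php in every directory, and a wp-config.php that other accounts on a shared host cannot read) can be checked mechanically. This added example is not code from the original post, from Wordfence or from any commenter; the sample directory tree and its permission modes are constructed.

```python
"""Audit a WordPress document root for the weaknesses raised in comments 44 and 45.

Added example, not code from the original post, from Wordfence or from the
commenters. Three checks: wp-config.php readable by every account on the box
(a neighbour on a shared host could read the database credentials), anything
world-writable, and directories without an index.php (browseable listings).
"""
import os
import stat

# Constructed sample tree of a typical weak install on a shared host.
# Each entry is (path relative to the docroot, is_directory, permission bits);
# "" is the docroot itself.
SAMPLE_TREE = [
    ("", True, 0o755),
    ("index.php", False, 0o644),
    ("wp-config.php", False, 0o644),          # readable by every account on the box
    ("wp-content", True, 0o755),
    ("wp-content/index.php", False, 0o644),
    ("wp-content/uploads", True, 0o777),      # world-writable and no index.php
    ("wp-content/uploads/photo.jpg", False, 0o644),
]


def audit_entries(entries):
    """Return a sorted list of (severity, path, message) findings.

    Works on a plain list so the checks can be exercised without touching
    the filesystem; audit_directory builds that list from a real tree.
    """
    findings = []
    dirs = {path for path, is_dir, _ in entries if is_dir}
    files_by_dir = {}
    for path, is_dir, mode in entries:
        if not is_dir:
            parent = os.path.dirname(path)
            files_by_dir.setdefault(parent, set()).add(os.path.basename(path))
        # Comment 45: on shared hosting, a world-readable wp-config.php hands
        # the database credentials to any other tenant who can run code.
        if path == "wp-config.php" and mode & stat.S_IROTH:
            findings.append(("high", path, f"world-readable (mode {mode:04o})"))
        # Comment 44: "correct permissions"; nothing should be world-writable.
        if mode & stat.S_IWOTH:
            findings.append(("high", path, f"world-writable (mode {mode:04o})"))
    # Comment 44: an index.php in every directory defeats directory listings.
    for d in dirs:
        if "index.php" not in files_by_dir.get(d, set()):
            findings.append(("low", d, "no index.php; directory listing may be enabled"))
    return sorted(findings)


def audit_directory(root):
    """Walk a real document root and run the same checks on it."""
    entries = [("", True, stat.S_IMODE(os.lstat(root).st_mode))]
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            relpath = name if rel == "." else os.path.join(rel, name)
            entries.append((relpath, stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode)))
    return audit_entries(entries)


if __name__ == "__main__":
    for severity, path, message in audit_entries(SAMPLE_TREE):
        print(f"{severity:<4} {path or '.'}: {message}")
```

Run against a live install with `audit_directory("/path/to/docroot")`; a wp-config.php at mode 0640 or 0600 and uploads at 0755 with an index.php produce no findings.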

  46. Where is the news, which of this is really WordPress specific? These tips are true for any kind of public accessible system: update your system, change defaults, use strong passwords, don’t tell others.

  47. When I read this post I immediately thought of the timthumb.php exploit.

    Then I remembered it was originally you who wrote an article about it =)

  48. The brute force dictionary password attacks that you mention in point #3 can be effectively eliminated with plugins that throttle unsuccessful login attempts, such as Login Lockdown. A really simple but effective security enhancement.

  49. Make sure new user registrations are off. Unless you really know what you’re doing. Under “General Settings” uncheck “Anyone can register”

    From LinkedIn’s WordPress group:

    PJ Brunet • @Thomas Raef From the hacks you have seen, how many of them were cases where the blogger allowed new user registrations vs. blogs that didn’t allow new user registrations?

    Thomas Raef • @PJ Brunet, it’s 93% allow new user registrations and 7% didn’t. But that also could be due to the fact that the majority of blogs do allow new user registrations, so it only follows that there will be more of these infected, just because there are more of them. That’s just a thought.

    PS: I don’t think it’s the default now–but previously it was. Can anyone confirm this?
