MarkMaunder dot com

WordPress Security: Seven Ways I Could Hack Into Your WordPress Site

Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

I’m getting emails from people who are interested in securing their WordPress blogs or websites. If I were going to hack your WordPress blog or website, here are the first seven things I would try and how you could prevent me from getting in:

1. Upgrade to the newest version of WordPress

I would look up known vulnerabilities in old versions of WordPress. Then I would scan the web looking for sites that are running an old version of WordPress that I know has a hole in it. I would automate the whole process. Once my automated script finds your blog running an old WordPress version, I would simply drop right in through the hole that security databases have known about for months or even years.

You can stop me from doing this by upgrading to the latest version of WordPress which is version 3.2.1 at the time of this writing.
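How the scanner in point 1 actually identifies an old version, as an added example that is not part of the original post: WordPress advertises its version in a generator meta tag in the head of every page it serves, and the readme.html that ships in the site root states it as well. The HTML snippets below are constructed for the example, and LATEST is pinned to the 3.2.1 the post names as current.

```python
import re

# The release the post above calls current; compare against whatever is current today.
LATEST = (3, 2, 1)

# <meta name="generator" content="WordPress 3.2.1" /> is emitted by wp_head() by default.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.IGNORECASE
)
# readme.html in the WordPress root carries a "Version X.Y.Z" line.
README_RE = re.compile(r'Version\s+([\d.]+)')


def parse_version(text):
    """'3.2.1' -> (3, 2, 1), so versions compare correctly as tuples (3.10 > 3.9)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def wordpress_version(front_page_html, readme_html=None):
    """Version the site advertises: the generator tag first, then readme.html if that
    was fetched too.  None means neither source gave it away (tag stripped, readme
    deleted, or not WordPress at all)."""
    m = GENERATOR_RE.search(front_page_html)
    if m:
        return parse_version(m.group(1))
    if readme_html:
        m = README_RE.search(readme_html)
        if m:
            return parse_version(m.group(1))
    return None


def is_outdated(front_page_html, readme_html=None, latest=LATEST):
    """True when the advertised version is older than `latest`.  An unknown version is
    reported as not outdated here, but treat None as 'unknown', never as 'safe'."""
    version = wordpress_version(front_page_html, readme_html)
    return version is not None and version < latest


# Constructed sample pages (not fetched from any real site).
OLD_SITE = '<html><head><meta name="generator" content="WordPress 2.9.2" /></head></html>'
CURRENT_SITE = "<html><head><meta name='generator' content='WordPress 3.2.1' /></head></html>"
STRIPPED_SITE = "<html><head><title>blog</title></head></html>"
README = ('<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
          '<br /> Version 3.0.1</h1>')

if __name__ == "__main__":
    for label, html in [("old", OLD_SITE), ("current", CURRENT_SITE), ("stripped", STRIPPED_SITE)]:
        print(label, wordpress_version(html, README), "outdated:", is_outdated(html, README))
```

Plugins that strip the generator tag only remove the first source; readme.html and the contents of the core files themselves still give the version away, so hiding it is no substitute for upgrading.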

2. Upgrade all your themes and plugins to their newest versions

In case you’re running the newest WordPress, I would look at your themes and plugins. I would try to find an old version of a theme with a known hole in it. Then I would drop right in and have my evil way with your server.

You can stop me by keeping all your themes and plugins up to date and upgrading immediately when a new version is released.

3. Get rid of the ‘admin’ user

If your WordPress core files, themes and plugins are up to date, I would try to guess your ‘admin’ password. I know the ‘admin’ user exists on most WordPress sites, so I would write a script that keeps trying to log in using all the words in my dictionary.

You can stop me by creating a new user with “administrator” privileges, logging in as that user and deleting the old admin user. When WordPress asks what to do with admin’s content, attribute all of admin’s posts and pages to your new user rather than deleting them.

4. Make sure all your passwords are strong

OK so your site is a little more secure than I thought. But I’m not out of tricks yet. When you publish a blog entry, I will look at the name of the user who published the post. Then I will use my good old automated password guessing script to throw a whole dictionary at your login page using the username that I saw authored your newest blog entry.

You can stop me by making sure your password is long, doesn’t exist in any dictionary and uses numbers and a mix of upper- and lower-case letters.
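Points 3 and 4 describe the same attack from two angles: an automated script throwing a wordlist at wp-login.php, first against ‘admin’ and then against whichever username shows up as an author. The following is an added example, not code from the original post or from Wordfence, of what that looks like in the web server’s access log and how to spot it. It assumes Apache combined-log format and the standard WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect into wp-admin; every log line below is constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (made up for this example,
# not real traffic).  203.0.113.7 runs a wordlist against wp-login.php and gets a
# 302 on its 13th try; 198.51.100.9 is a real user who mistypes once.
SAMPLE_LOG = "\n".join(
    [
        f'203.0.113.7 - - [09/Dec/2011:02:30:{i:02d} +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 3423 "-" "python-requests/0.8"'
        for i in range(12)
    ]
    + [
        '203.0.113.7 - - [09/Dec/2011:02:30:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/0.8"',
        '198.51.100.9 - - [09/Dec/2011:02:31:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3398 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [09/Dec/2011:02:31:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3423 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [09/Dec/2011:02:31:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [09/Dec/2011:02:31:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"',
    ]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """One combined-log line -> (ip, timestamp, method, path, status), or None if it
    does not parse.  The query string is dropped from the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def login_events(log_text):
    """Yield (ip, timestamp, status) for every POST to /wp-login.php."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "POST" and parsed[3] == "/wp-login.php":
            ip, ts, _, _, status = parsed
            yield ip, ts, status


def find_dictionary_attacks(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "succeeded": bool}} for every IP that sent at
    least `threshold` failed login POSTs (status 200) inside any `window`.
    `succeeded` is set when that IP got a 302 at or after its last failure, which
    means a password in its wordlist worked."""
    by_ip = defaultdict(list)
    for ip, ts, status in login_events(log_text):
        by_ip[ip].append((ts, status))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        # Largest number of failures falling inside one sliding window.
        best, start = 0, 0
        for end, ts in enumerate(failures):
            while ts - failures[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_failure = failures[-1]
            succeeded = any(status == 302 and ts >= last_failure for ts, status in events)
            hits[ip] = {"failures": best, "succeeded": succeeded}
    return hits


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against your own access log by passing the file’s contents to find_dictionary_attacks. An IP that reaches the threshold and then gets a 302 has almost certainly guessed a password, and that account’s password needs changing before anything else.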

5. Know what other web applications you have installed

Hmmm. You’re a tough customer. But I’m not done yet. WordPress isn’t the only application I could use to get in. Many websites also have forum software, helpdesk software and other applications installed. Security holes are regularly discovered in these applications, so I will scan your site and find out what other apps you have and see if any of them are old versions with known security problems.

You can stop me by making sure all your other applications are up to date and that every security fix the vendor has released is applied.

6. Make sure all other public services running on your web server are secure

Your site looks secure so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah, I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check to see if the server software or the operating system is an old version that has known security holes I can exploit.

You can stop me by making sure your blog host keeps your WordPress server secure and up to date. They should be running a current, supported version of Linux or whichever operating system you are using, with the latest patches applied. Every service running on the machine should be known about, should be necessary and should have hard-to-guess passwords. Don’t be afraid to quiz your blog host about this.

7. Make sure you don’t get social’d

Well, your site seems too secure for me to hack in using my tech skills. So I’m going to use my charming personality. I’ll call you up, pretend I work for your hosting company and try to get any information from you that might be useful. Passwords would be first prize, but I’ll take anything I can get: Staff names, your favorite pet, internal phone numbers, products and services your company uses, your birthday, anything that might help me guess passwords or find juicy targets that give me a way in.

You can stop me by making sure you never give out passwords over the phone and don’t give out information unless you’ve verified who you’re talking to. A good tactic if someone has called you is to simply ask them for a call-back number. Then verify who the company is, that the number belongs to them and call them back.

Social engineering is the number one tactic hackers use to get into secure networks. Read the second comment on this recent Hacker News post (posted a week ago) for an example of how you might call up a company and get the last four digits of someone’s credit card. You might also find this story interesting about how css-tricks almost lost their domain a few days ago.

Now that you know most of my sneaky hacker ways, you might want to read this WordPress article on how to further secure your WordPress site and keep hackers out.

19 Comments

    Chris

    When I read this post I immediately thought of the timthumb.php exploit.

    Then I remembered it was originally you who wrote an article about it =)

    Commented on December 9, 2011 at 2:35 am

    Markus

    Where is the news? Which of this is really WordPress specific? These tips are true for any kind of publicly accessible system: update your system, change defaults, use strong passwords, don’t tell others.

    Commented on December 9, 2011 at 6:20 am

    Matt

    It might also be worth noting, you could check to see if there are other websites co-hosted on your server:

    https://blekko.com/ws/https://markmaunder.com/+/seo

    It definitely depends on the configuration, but if another site is running vulnerable software on the same server your site is on, and I gain access to that site and am at least able to run code, I could read the contents of your wp-config.php if it is world readable. Now that I have your database credentials I could create an admin user in your WordPress database and gain access to your site.

    Commented on December 9, 2011 at 7:34 am
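Matt’s point about neighbours on a shared host deserves a concrete check. The following is an added example, not code from the post or from Wordfence, that walks a WordPress root and reports wp-config.php and any database dumps or backups that every account on the machine can read, then tightens them to owner-only. The directory tree it builds is a constructed stand-in for a real install.

```python
import os
import stat
import tempfile

# Files whose contents hand an attacker the database: wp-config.php holds the
# credentials Matt describes; dumps and backups usually contain the whole wp_users table.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".bak", ".old")


def world_readable(path):
    """True when the 'other' read bit is set, i.e. any account on the host can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def is_sensitive(name):
    return name == "wp-config.php" or name.endswith(SENSITIVE_SUFFIXES)


def audit_wordpress_root(root):
    """Return the sensitive files under `root` (paths relative to root) that every
    other account on the machine can read."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_sensitive(name) and world_readable(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def lock_down(root, mode=0o600):
    """chmod every flagged file to `mode` (owner read/write only by default) and
    return the list of files that were changed."""
    flagged = audit_wordpress_root(root)
    for rel in flagged:
        os.chmod(os.path.join(root, rel), mode)
    return flagged


def demo():
    """Build a throwaway, constructed WordPress-like tree, audit it, lock it down
    and audit again.  Returns (before, after) so the effect can be checked."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for rel, mode in [
            ("wp-config.php", 0o644),                # the default many installers leave
            ("index.php", 0o644),                    # fine: meant to be world readable
            ("wp-content/uploads/site.sql", 0o644),  # a dump left where anyone can read it
            ("wp-content/secret.bak", 0o600),        # already private
        ]:
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder, not a real config\n")
            os.chmod(path, mode)
        before = audit_wordpress_root(root)
        lock_down(root)
        after = audit_wordpress_root(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-readable before:", before)
    print("world-readable after: ", after)
```

The right target mode depends on how PHP runs on the host: with per-user PHP (suPHP, or a FastCGI/PHP-FPM pool running as your own account) 0600 is correct; where PHP runs as a shared web server user you need 0640 with that user’s group as the file’s group, otherwise the site stops loading. Check with your host before changing a live site.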

    parker

    mark, this is a great article – very informative. We are putting together our year-end newsletter and want to add you to the technical leadership profile section for WordPress.

    It would be so helpful if you could tell us a little more about yourself so we can share that with our readers. Specifically any of the following would be great:

    – your pet name
    – products and services you use
    – your birth date
    – cool stuff you like to do
    – your phone number so we can call back and confirm info

    Bonus information would be really, really neat:

    – social security number
    – full name and address
    – bank account numbers
    – any wordpress accounts and passwords you have

    Please make sure to post the information here in the reply so everyone can share in the knowledge.

    disclaimer: the information above is not to be taken seriously, however we are serious when we say we did enjoy the article and the information provided.

    Commented on December 9, 2011 at 2:47 pm

    Sebastian Green

    Great article. Some of them are just common sense, but #7 is a great tip. Never heard that happening to anyone.

    Commented on January 1, 2012 at 10:10 am

    Patheticfool

    Can you help me to hack my husband’s mistress’s blog? He’s cheating on me and I need solid proof. I want to know everything they did. Thanks.

    Commented on January 17, 2012 at 8:15 pm

      Joe

      I can help. But I’m not a techie; if you can give me his mistress’s phone number, I certainly can swing her over to me and leave your husband to you forever.

      But before I can do anything to help…..

      Is she pretty? What’s her cup size and how tall is she? This is important to me, for otherwise I can’t guarantee I’ll do a good job.

      Cheers!

      Commented on April 25, 2012 at 2:13 am

    Tommy Kimball

    Hey, I was wondering if there were any sites online that could hack your own password in case you forgot yours?? That way it could tell you what your password is and then you could remember??

    Commented on May 19, 2012 at 3:35 pm

    Tommy Kimball

    I was wondering if there were any websites online that could hack your own password in case you forgot your password?? That way if it hacked your own password then you would be able to remember it??

    Commented on May 19, 2012 at 3:36 pm

    Tommy Kimball

    Because I sort of forgot my administrator password and I cannot find where I put the Password Reset Disc.. So any advice or tips would be great..

    Commented on May 19, 2012 at 3:38 pm

    Pat

    Thanks for this post. I wonder if anyone has a comment on something I just uncovered on one of my blogs.

    I use a service that tracks what IP addresses visited my blog, when/from where, and what url they last visited. On 2 recent occasions, I saw 2 different IPs had visited my site & went to the url: http://www.myblogname dot com/author/MYUSERNAME.

    My actual username was in the url. This threw me for a loop because my username is not my display name nor my nickname. Through what method can someone find out the usernames on a blog? If people can so easily get access to usernames, then using the system to then crack the passwords would make hacking a breeze. I have login lockdown and I don’t see anyone has attempted to log in, but it’s still scary that 2 people found my username. There must be something I am missing.

    Commented on July 25, 2012 at 9:19 am

    Min

    Hey, so I made this really ridiculous blog post a few years ago that I want to delete really badly. The only problem is that I had a different email account that I completely forgot about, and don’t even remember what it was called or anything.
    Basically I just want to hack into my own account so I can delete it….
    I hope this question doesn’t sound too stupid or anything, I’m just really desperate to delete it and so far haven’t found any help on this.

    Commented on July 31, 2012 at 3:16 am

    poh

    I love your plugin! I am a noob in wordpress and it helps so much. Just wondering, what do people get out of trying to hack into my website?

    Commented on August 31, 2012 at 1:41 am

    ling

    I love the way this article is written, very funny !

    😉

    Commented on September 17, 2012 at 1:35 pm

    safatullah

    Thank for great information…

    I am just about to start my freelancing business in India.

    Two days ago, someone broke into my WordPress site and changed my username and base_url in the wp_user table.
    So, I could not enter the admin.

    And they deleted every line of index.php from the root folder and wrote ‘hacked by hacker’.

    Mark, can you please help me to resolve this security problem?

    Commented on November 22, 2012 at 12:25 am

    sexxxxx

    WP is for KIDS… Thats why it sucks so much hahahaha

    Commented on November 23, 2012 at 3:55 am


My name is Mark Maunder. I've been blogging since around 2003 when I started on Movable Type and ended up on WordPress which is what I use to publish today. With my wife Kerry, I'm the co-founder of Wordfence which protects over 5 million WordPress sites from hackers and is run by a talented team of 36 people. I'm an instrument rated pilot and I fly a Cessna 206 along with a 1964 Cessna 172 in the Pacific Northwest and Colorado. I'm originally from Cape Town, South Africa but live in the US these days. I code in a bunch of languages and am quite excited about our emerging AI overlords and how they're going to be putting us to work for them.