• Subscribe to the low volume list for updates.

Attacking WordPress

These techniques can be used to attack and break into WordPress based websites. By providing details on these types of attacks the aim is to raise awareness about the need for hardening and security monitoring of WordPress.

Of course any penetration testers wishing to pop a WordPress based site may also find some helpful pointers in this guide.

WordPress is the application behind close to 20% of all websites. Its ease of use and open source base make it such a popular solution. The numbers of installations keep growing; there are literally millions of WordPress installations. This popularity makes it a juicy target for bad guys aiming to use a compromised web server for malicious purposes.

Securing WordPress

There are many very good and detailed guides on securing a WordPress installation available, this post is not intended to repeat those. To get started securing a WordPress install try the excellent guide on the wordpress.org web portal https://codex.wordpress.org/Hardening_WordPress.

Also keep in mind that if you use a managed WordPress hosting service, some of these attacks (and mitigations) will be the responsibility of your hosting provider. If you are self hosting on an unmanaged VPS then security is your responsibility. Ok, ready to start? Lets get cracking.

 Information Gathering

The first step in attacking a WordPress site involves gathering information about the installation. To begin with we want to get an idea of how well maintained the site is; determining whether the site is running the latest WordPress core version is a good start.

WordPress Core Version

The two fastest ways to discover the core version of the WordPress site is to check the HTML source of the page for a meta generator tag in the HEAD of the source or the examplesite.com/readme.html file that is distributed as part of the core installation files.

This example is taken from the source of a default WP install of version 3.5.2 and twenty twelve theme. From the source HTML:

<meta name="generator" content="WordPress 3.5.2" />

If the meta tag has been disabled, check for the presence of /readme.html from root of the install. This information file contains the version of WordPress right there at the top.

It is common to find the version of the installation through one of these two techniques. There are known security issues even in some of the most recent releases of WordPress core, so check the discovered version against the known vulnerabilities. Even if you are unable to find any good exploits for the version of WordPress core, knowing the installation is running anything older than the latest release indicates that the site may not be closely managed - in which case the chance of exploitation elsewhere has increased considerably.

Directory Indexing

directory indexing enabled on plugins directoryDirectory indexing is a function of the web server that allows you to view the contents of a directory in the web accessible path. Viewing the contents of a directory allows an unauthorised user to gather a lot of information about the installation such as which plugins and themes have been installed.

To check for directory indexing you can browse to folder locations and see if you get a response that includes "Index Of" and a list of folders / files. Common locations to check would be:


If you can browse /wp-content/plugins/ - the next step in the information gathering phase where we attempt to find installed plugins and versions becomes much easier!

WordPress Plugin Versions

In this step we are going to attempt to find as many plugins that are installed (whether they are enabled or not) as possible. Knowing which plugins are installed allows us to then try to determine whether it is vulnerable to known exploits.

  • Passive analysis can be used to find plugins through regular HTTP requests to the WordPress site.
  • Active analysis is more aggressive and usually involves using a script or tool to perform hundreds or even thousands of mostly invalid HTTP requests.

Review of the HTML source of the WordPress site can reveal installed plugins, through javascript links, comments and resources such as css that are loaded into the page. These are the easiest plugins to discover and require no aggressive testing of the target site. Even the HTTP headers can reveal information such as the X-Powered-By header that reveals the presence of the W3-Total-Cache plugin.

Since some plugins are not seen in the HTML source; to find all the installed plugins you have to get more aggressive. A number of tools can brute force known plugin lists from the path /wp-content/plugins/ * plugin to test * /. The web server response will usually reveal valid directories as opposed to unknown directories on the web server with its HTTP response code.

User Enumeration

Discovering the account names of the users of the site, allows you to then attack the passwords of those users through the WordPress login form. We will go through attacking the password in the next section, for now lets enumerate the users of the site.

In a default installation you should be able to find the users of a site by iterating through the user id's and appending them to the sites URL. For example /?author=1, adding 2 then 3 etc to the URL will reveal the users login id either through a 301 redirect with a Location HTTP Header


 Having valid user accounts will be very useful when it comes to brute forcing passwords. Automated user enumeration can be performed by the tools listed in the brute forcing section below.

Attack the Users

The most common attack against the WordPress user is brute forcing the password of an account to gain access to the back-end of the WordPress system. Other ways a password can be compromised include sniffing the password in clear text over a HTTP login session or even getting the credentials from a key logger on the workstation of the WordPress administrator.

Accounts with administrator level access are the most sought after due to the amount of mischief an admin user can get up to; adding PHP command shells or malicious javascript directly through admin interface are common examples.

Brute Force wp-login

confirm valid users with the login formWith the usernames we collected during information gathering we can get started (or just try admin). Take a look at the login form /wp-login.php, notice how failed logins confirm the username when an incorrect password is entered. This is very helpful to an attacker.... it also makes things more user friendly for the end user who has forgotten their username and password. This "feature" has been debated and it has been decided to keep this response within the WordPress code.

Tools for popping weak passwords

Brute forcing accounts of users is possible using a number of open source tools. In addition there are recent worm like scripts available that have been spreading through the WordPress interwebs, searching for and spreading to WordPress sites with weak admin passwords.

 WPScan - http://wpscan.org

The WPScan tool is one of the best available when it comes to testing a WordPress installation from a blackbox perspective. It is able to brute force plugins, detect vulnerable themes, enumerate users and brute force accounts.

Here is example output from a test I ran with WPScan against a low end Digital Ocean VPS ($5 / month) where I had installed a default installation of WordPress.

ruby wpscan.rb -u 192.241.xx.x68 --threads 20 --wordlist 500worst.txt --username testadmin

********* SNIP ******************

[+] Starting the password brute forcer

  Brute forcing user 'testadmin' with 500 passwords... 100% complete.
[+] Finished at Thu Jul 18 03:39:02 2013
[+] Elapsed time: 00:01:16

Lets review the output, 500 passwords tested against the 'testadmin' account (that was discovered during user enumeration). Those 500 passwords were tested in 1 minute and 16 seconds! While the test was running the site was still responding; a web server administrator would have no idea the attack took place without some sort of security log monitoring system in place (OSSEC does this very well).

The '500 worst' password list used above is from SecLists. The site has a large number of password lists including the 60mb rockyou list that contains many more than 500 passwords!

 Nmap NSE Script - http://nmap.org

Nmap the port scanner can do much more than just find open ports. Recent versions of Nmap come bundled with NSE scripts that can be used to test many different vulnerabilities; including enumerating users and brute forcing WordPress passwords.

nmap -sV --script http-wordpress-enum --script-args limit=25 

80/tcp open  http    syn-ack
| http-wordpress-enum: 
| Username found: admin
| Username found: testadmin
| Username found: fred
| Username found: alice
| Username found: bob
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-enum.limit'

Output above shows an example run using the http-wordpress-enum NSE script to enumerate WordPress users.

80/tcp   open  http    syn-ack
| http-wordpress-brute:
|   Accounts
|     testadmin:myS3curePass => Login correct
|   Statistics
|_    Perfomed 113 guesses in 19 seconds, average tps: 6

Above are the results from brute forcing WordPress accounts using the http-wordpress-brute NSE script.

 Burp Suite - http://www.portswigger.net/burp/

For those familiar with web application security testing the Burp Suite Intruder tool can also be used for brute forcing WordPress passwords. A WordPress login attempt is simply a POST request after all.

Capture Credentials over non-secure login

Without additional security measures in place (SSL), accessing the /wp-admin/ dashboard is over an unencrypted connection. This means if you login to your WordPress site on an unsecured network such as the wireless at your local coffee shop or airport your login and password to manage the site could be captured by an attacker simply by watching your session.

Attack the Application

Plugins, Themes and WordPress Core all contain a large amount of php code from developers around the world. These developers have differing abilities and focus when it comes to writing secure software. For this reason there are thousands of exploitable vulnerabilities available to an attacker. Updating plugins, the WordPress Core and Themes must be a routine task for any WordPress administrator to ensure the known vulnerabilities are patched.

Common vulnerabilities include XSS, SQL injection, file upload and code execution. All of these can have devastating consequences to a WordPress site. Search through Metasploit and exploit-db.com for lists of exploitable WordPress bugs.

The best tools for brute forcing the installed plugins are similar to those used to brute force passwords. The WPScan tool has the option to search for all plugins, the most popular plugins or only the vulnerable plugins. An Nmap NSE script is also available for brute forcing plugins. Note that brute forcing thousands of plugin paths will result in thousands of 404 Not found entries in the web server log file.

Plugins and Themes that have been installed but are not enabled can still introduce vulnerabilities as the bad code may be directly accessible through the web path. An example of this would be a vulnerable upload function that allows local or remote file includes. Even though the plugin / theme is not enabled, the upload function still works via direct access to the php file in the web path. Brute forcing the location of these vulnerable files is a very common attack by scanning bots.

Attack the Server

Testing the WordPress application itself is only one part of ensuring your web site is secure. The server that hosts the website must also be kept secure.

Brute Force Management Accounts

A successful brute force attack against a server management account will give an attacker full access to the server and the WordPress application.

Services that can be attacked with brute force password guessing include:

  • SSH Service
  • MySQL database service
  • Webmin Server Management
  • CPanel or WHCMS Web Hosting Control Panels
  • phpMyAdmin database management application

To reduce the chance of management account compromise the normal rules apply.

  • Use strong passwords everywhere, do not re-use them!
  • Move SSH to a different port
  • Use SSL for web based management services
  • White list IP addresses that can connect to services

Server Software Exploits

Exploitable security vulnerabilities can be present in server software or the operating system. Examples can be found on any vulnerability mailing list, recently SQL Injection exploits have been used successfully against WHMCS a very popular web hosting control panel software. PHPMyAdmin has long been a favorite application to attack, due to its popularity and a long list of vulnerabilities.

Server Software Misconfiguration

Often times security vulnerabilities can be introduced purely through misconfiguration of a service or poor management practice.

Tools to find Security Weak Points in the Server

These tools can be used by attackers and defenders to find security issues on the target server. The three below are examples. There are many other security testing tools that can be used to find vulnerable systems; both commercial and open source.

 OpenVAS Vulnerability Scanner - openvas.org

An open source vulnerability scanner with a collection of plugins that number close to 30000. The plugins test many different aspects of a system or network device.

 Nmap Port Scanner - nmap.org

Test for open ports and how effectively a firewall is protecting a system with the well known Nmap Port Scanner. A well configured firewall that only allows access to required services makes an attackers job much harder.

 Nikto Web Server Scanner - www.cirt.net

A vulnerability scanner that focuses on a web server and looks for known vulnerable scripts, configuration mistakes and other web server items of interest. The Nikto tool has been around for many years yet still has a place in the penetration testers toolbox.

There are many reasons why WordPress sites are attacked. Understand that it does happen, and do not be the low hanging fruit. Keep everything up to date, keep regular backups, perform basic hardening and if you derive an income from it..... test your security regularly and have visibility with real time monitoring (such as OSSEC).

Follow up post to this article:  Defending WordPress with OSSEC.
Tutorial on OSSEC:  OSSEC intro and installation guide.

Secured WordPress?
Test WordPress and Server Security in 2 clicks


  • Plamch
    it's all about basics
    • unfortunately way too many people #fail at the basics...
      • Onion Guard
        as you... access to dashboard: http://hackertarget.com/wp-admin and username: "admin" ... the password is a mystery... #epicfail
      • bob
        hey, I was wondering if you were offering tutoring/helping or teaching(per hour)? If you do, it would be my pleasure to potentially be your client!
      yeah it is.. looking for a spoon feed?
  • Good stuff!
  • Great article. Wish more people would harden their sites.
  • AbiusX
    Didn't like it much. Its not the way sites are hacked.
    • AbisuX yes, that is one of the many methods that most PHP sites are hacked. Just take a look at any honeypot report and access log file. Its all bruteforce, XSS, and SQL injection attacks. The best way to defend against any of this is to harden your firewall, server, and install a WAF like NAXSI or Mod_security. Plus, ensure your regularly updating your software with security patches and run malware scans on anything you didn't create yourself.
  • Black Cracker
    Helpful informations on your Website
    • TRD
      Why did you not try Plamch?
      • BorisV
        You don't get that far on any of my sites. LOL!
  • Hammad Khan
    I'm reading this article for secure my website. Thanks Great article.
  • Abhishek Malviya
    hyyy i want to need website scaning tools
  • yuqiao ning
    very goods
  • BorisV
    So, how do you by pass an ip block??? That is, if you can't access the admin area in the first place.