Security Audits

WordPress Hacking 101: How to Hack a WordPress Site

Ever wonder how you could hack a WordPress site? You are not one of the bad guys, but you just want to know how it works, maybe for the purpose of securing your own WordPress site. Hacking a WordPress site is a complex and multi-step procedure. You will need to gather information about the site you are about to hack, locate vulnerabilities, obtain login info and finally attack the site using user attack, application attack or server attack. Here are the steps to hacking a WordPress site. Please note that they are for educational purpose only, and we shall not be held responsible if you misuse the information provided in any way.

Obtaining Information

In order to successfully hack a WordPress site, you must start by understanding the way the site works. Does it use the latest or an earlier version of WordPress? Does it have one or more plugins that are not updated and contain potential security vulnerabilities? Does it use any special security software to prevent attacks from happening? Once you have done the required homework, you can start out on hacking any WordPress site.

A very easy way to detect the version of core WordPress is to look for a meta generator tag in the source code of the file. It will show something like this:

<meta name="generator" content="WordPress 3.5.2" />

Next, do some directory indexing, which will give you an idea of the various files and folders within the WordPress and where they are located. Just look for the index of contents in the following URLs:


Next, find out about the various users on the site by visiting the following URLs:
And so on…

Once you have an idea of the WordPress, themes, plugins and users, you can pick any of the following methods to hack into the WordPress:

Attacking Users

An easy way to hack into a WordPress site is to just hack into the individual WordPress user accounts for the site. Once you have found the list of users on the site using the method above, you already have their usernames, and all you need is the passwords. An easy way to find out weak passwords is a Brute Force Attack. It is nothing but using hitting the login form with a random list of passwords until one just works out. It is really the most common and basic way to hack into any CMS. Other ways of finding user passwords include sniffing the password an HTTP login session or getting the user’s login credentials by installing a key logger onto the user’s workstation.

Attacking Applications

The second most common way is to surf the themes and plugins on the subject’s website for vulnerabilities in the myriad strands of PHP code contained within the many applications. Common vulnerabilities include XSS, SQL injection, file upload and code execution exploits that can easily be targeted and attacked by hackers. A common way of hacking into a WordPress application is a Brute Force Attack similar to the one used to obtain user credentials. There are various online tools that can help you achieve this, such as WPScan and Nmap NSE.

Attacking Servers

A Brute Force Attack that reveals the credentials of a server management account gives the hacker full access to both the server and the application. Password guessing can be used to hack into the following server applications:

  • SSH Service
  • CPanel or WHCMS Web Hosting Control Panels
  • phpMyAdmin database management application
  • Webmin Server Management
  • MySQL database service

Tools like the OpenVAS Vulnerability Scanner and Nmap Port Scanner make it very easy to search for common vulnerabilities in server accounts.

These are just a few of the many ways one can hack into a WordPress site. Reasons behind these attacks can include anything from deliberately spreading malware, obtaining sensitive information about users and taking complete control over the hacked site for many reasons.

Did you learn something new about how to hack a WordPress site from reading this article? Let us know in your comments!