Forum Thread: WordPress Hackage [2]

Since my Chromebook apparently cannot post replies, I'm making a new thread to talk about WordPress hacking (not an in-depth tutorial, just the basic steps).

Obviously the first task is to locate your site. For example, let's say www.jacksnotwordpress.com

Some high quality businesses use WordPress, making them vulnerable. Just tap on a wp-admin or /login at the end of the URL and you will get to the WordPress login page.

www.jacksnotwordpress.com/wp-admin will display the WP login. Username is oftentimes 'admin' and you can just BF the password. I know a popular blog recently was attacked this way by a pentester.

If you want to post your own step-by-step tutorial, please do so. :-)

11 Responses

I know some Perl and PHP scripts that brute-force the WordPress and Joomla admin panels after you get the username! And you can use WPScan; it's a great tool to get the WordPress username or to get the plugins of the WP website!

And about all websites, I don't have an idea! You can try brute-forcing with xHydra or another tool that is not specific to any kind of website!

It depends on how the site is set up.

Sites like WordPress use a simple login page and are easy to pass. However, other sites might have far more complex means of admin authentication.

I'm not going to pretend to be an expert in something I am not skilled at however.

Some sites try to hide this by hiding it from Google by hiding it in their robots.txt file. To access this file, simply add "robots.txt" to the URL like this:

www.Derp.com

Becomes:

www.Derp.com/robots.txt

The robots.txt file also has a few interesting points in there like a map of the entire site and in some rare cases, hidden links.

Happy Hunting!

Ninja243_

Ninja243, I've seen those before while searching for sites. "This site's robots.txt prevent it from being shown" is in the description of the page when you Google it.

I'll have to check them out further. Thanks for the tip!

Since my email will not verify I'll just post my message here:
@ninja243

Well, without a doubt WordPress will log your IP when you log in. If you use a VPN and do it, all they will see is a user logging on from a different IP.

After you finish your acts, clean your history, cookies, etc., and switch VPNs.

I've been toying around with some local sites I found, using usernames that were easy to locate. I was looking up research today and found a site that I suddenly realized was WP.

As you can quickly discover, the usernames of the authors on that site are also their admin usernames.

I don't have any brute forcers on me right now because I rarely go beyond initial pentesting, but if you have one it should be straightforward.

I hope I helped, although I'm not the most experienced fellow to ask about this. I just used WordPress a lot when I worked in an ITT company, so I discovered a few big exploits in it.

Thanks for the reply, bro. Will WordPress try to log my IP when I try to log in and fail? I've been trying to have a go at one WordPress site and if so, my IP is plastered all over the logs (due to the fact that I cannot use a proxy server because of a corporate firewall that blocks most, if not all proxy servers).

Also, is there a way to get around Captcha and Google's ReCaptcha systems when bruteforcing?

Ninja243

Why do you use a Chromebook?

School issued. I can't use my desktop all the time, especially during one of my classes.

And I'm not sure about the Captcha. I know if you are able to send requests from different IPs (like a proxy) it won't activate the captcha.

I ASSUME WordPress logs IPs because that's what Google does when you sign in from a new location. It adds an extra layer of security.

I don't know all the exact techniques though.

So is implementing Captcha on the login page enough to stop brute force attacks?

I'm looking for a way around it right now, but otherwise, I presume it is.

Ninja243
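From the site owner's side, the questions raised in this thread (are failed logins recorded, and does a per-IP control catch attempts spread over many addresses) can be checked against the web server's access log. The following is an added example, not part of the original thread: it assumes combined-log-format lines and stock WordPress status codes, and the sample lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: client IP, [timestamp], "METHOD path proto", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(lines):
    """Yield (time, ip) per failed login. Assumes stock WordPress behaviour:
    a rejected POST to wp-login.php re-renders the form (200), a good one redirects (302)."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip

def peak(times, window):
    """Largest number of events inside any sliding window (times sorted ascending)."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(lines, per_ip=5, window=timedelta(minutes=5)):
    """Return (IPs with >= per_ip failures in a window, site-wide peak failures in a window)."""
    events = sorted(failed_logins(lines))
    by_ip = defaultdict(list)
    for t, ip in events:
        by_ip[ip].append(t)
    noisy = {ip for ip, ts in by_ip.items() if peak(ts, window) >= per_ip}
    return noisy, peak([t for t, _ in events], window)

def _line(ip, sec, status, method="POST"):  # builds one constructed sample log line
    return (f'{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"')

SAMPLE = (  # constructed data, documentation-range addresses
    [_line("203.0.113.7", s, 200) for s in range(0, 12, 2)]            # 6 failures, one IP
    + [_line(f"198.51.100.{i}", 20 + i, 200) for i in range(1, 11)]   # 1 failure each, 10 IPs
    + [_line("192.0.2.10", 40, 302), _line("192.0.2.10", 41, 200, "GET")]  # normal login
)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

On the sample, only one address crosses the per-IP threshold, while the site-wide peak also counts the ten single-attempt sources that a per-IP limit or per-IP CAPTCHA trigger would not see.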
