What is the Defense Against Google Dorking

Hacking WordPress - A look behind the scenes

1. Help i got hacked!

Only in Germany is that Penetration rate from WordPress enormous - and the trend continues to rise. In a worldwide comparison with other content management systems (CMS), WordPress holds a share of up to 51% (top million sites). Impressive numbers that are increasingly the focus of WordPress professional attackers moves. In April of this year, a botnet attacked WordPress installations around the world.

Numerous instructions have already been published to protect and secure installations. »Hardnening WordPress« or my series of articles »Securing WordPress« are recommended.

In this post, however, there are no more Protective measures presented, but how attackers proceed to hack WordPress installations. It is supposed to give a little insight behind that Backdrops be - in reality there are far more possibilities and variants.

2. Note on »Hacking WordPress«

Attacking WordPress installations or systems without permission or a declaration of consent constitutes a punishable act Anyone who attacks third-party systems without a contractual basis is walking on very thin ice. The following information is provided for clarification and should only be used in the context of a penetration test. In contrast to illegal hacking attacks, a penetration test stops order-driven A break-in into one or more systems. The procedure basically serves as a »quality control« of the IT security currently implemented in the corporate environment.

An attack / penetration test can be divided into different Phases subdivide, a part of which is repeated sequentially. Phase 1 initially serves the Information acquisition about the goal. While a penetration tester records the results in phase 4, an attacker will probably save himself this step ...

3. Obtaining information - phase 1

In the first step, an attacker becomes as many as possible information about his goal, which may be of interest for the further course. Various publicly available sources of information are searched for this purpose. These are then evaluated and are intended to provide information about the route by which a break-in occurred on simplest can be realized. Various tools are available for this purpose - most of them are on the Linux distribution Kali. The distribution is supported by both Hackers, as well as from Penetration testers used to find weak points / security analyzes.

Tools that are summarized under "Information Gathering" help here. Ultimately, the following objectives are pursued in the first phase:

  • Identify target
  • Determine the system / application version
  • Available network ports
  • Ongoing services
  • Recognize defense strategies
  • [ … ]

3.1 Example: WordPress identification

Hiding the WordPress version number or other Metadata is often associated with protection against spambots or security gaps among laypeople. Indeed, it can be used to fool the particularly "stupid" bots, but even semi-professional versions cannot be deterred by the security by obscurity measures. They use sophisticated methods to determine whether a site is powered by WordPress.

If you want to see for yourself whether your WordPress installation is recognized as such, you can use the following website: Is it WordPress?

Need more information? For example, all installed plugins? No problem at all with the plecost tool. Here is a fingerprint of a WordPress installation:

With the help of the collected information, WordPress or one of the installed plugins can be targeted. For example, details on vulnerabilities for certain versions are provided by CVE details.

3.2 Example: Identifying the system

Nmap is a tool for to scan and Evaluate of hosts on a network and falls into the category of port scanners. The name stands for Network Mapper. Nmap is primarily used for port scanning. In addition, it has other technologies, such as recognizing the operating system used (OS fingerprinting).

Ultimately, such information in turn serves as a starting point for the further phases in which weak points are actively exploited.

3.3 Example: Recognition of user accounts

To get into the Administration area To log in from WordPress, the combination of a username and password is required. If an attacker can "guess" the username in advance, all he needs is the correct password. Overall, this makes it easier to penetrate the sensitive administration area successfully.

Often it is sufficient to enter


in the browser line. In the standard installation, an administrator / user receives a unique Identification Number assigned. Usually this ends on author = 1 or can easily be tried out by replacing the 1 at the end.

If the WordPress operator has changed this manually, a script for nmap will help - who would like to try out all combinations:

4. Find attack vectors - phase 2

Based on the information gathered in step one, possible Entry points identified in the system. With the help of tools and manual queries, specific weaknesses and gaps are searched for that enable a break-in. The tools required are summarized under "Vulnerability Analysis" and serve the following purposes:

  • Identify weak points
  • Identify and prioritize system access points
  • Assess risks
  • [ … ]

Check WordPress for weaknesses and configuration errors

I have one for your WordPress installation special Service package on offer:
  • Scan your WordPress installation for weaknesses
  • Evaluation and assessment of the weak points found
  • Based on the results, you will receive individual recommendations for corrective action and protection from me

When you have your WordPress installation sustainable you are welcome to contact me.

Good to know: You don't get security by installing countless security plugins, but by a clean configuration, constant updates and proactive measures for security. make contact

4.1 Administration area

The login to the Administration area WordPress - not least because an attack can be carried out with simple means in many installations.

The browser can be used to check whether the administration area is generally accessible to everyone:


After entering a user name and password, the reaction of WordPress can first be explored.

In the first example, the account »admin" approved. This is available and is probably used for the administration of the WordPress installation.

The use of a security plug-in can be derived from example two. Probably Login LockDown / Limit Login Attempts or a similar plugin is used here. These log failed Login attempts. If a login attempt fails three times in a row within 5 minutes, the plugin blocks the requesting IP address for an hour, for example. Script kiddies and stupid bots can be deterred by such measures - professional attackers, however, less so.

4.2 Missing SSL encryption

Mainly SSL is used for the validation used between web browser and web server - i.e. whenever sensitive information about the unsafe Internet should be exchanged.

The login to the administration area is called up again via the browser:


If no encrypted SSL connection is negotiated between the browser and the server, the Credentials be recorded. In concrete terms: A WordPress blogger uses this for free WIRELESS INTERNET ACCESS in his favorite coffee and logs into the administration area. Since the connection is not secured via SSL, an attacker can read the login data in plain text or unencrypted. Such an attack can already be carried out by beginners with simple means.

5. Exploitation of weak points - phase 3

In phase 3, any weak points found must be exploited in a targeted manner. Existing exploits are used for this purpose or new ones are developed that enable systems to compromise. If it is possible to enter into a system, the access often results in further possible ones Targets of attackthat were previously unavailable. With the toolbox from »Exploitation Tools« or »Privilege Escalation«, sufficient funds are available in Kali. This is used to track:

  • Exploiting weak points in systems / applications
  • Get system access
  • Access to protected web areas
  • Collection of sensitive data
  • [ … ]

5.1 Brute force WP login

Because administrators have the most extensive Permissions they are a popular target for attackers. Once logged in, you allow, for example, malicious PHP or Javascript commands to be added directly via the dashboard. In the information phase, login information was already collected that can be used specifically for breaking into the backend.

The administration area is protected from a combination of username and password. If an attacker already has the user name, he must "guess" the password in the next step. Using a brute force attack, the appropriate password is determined by trial and error. In the wild, this attack is often successful as many users still use insecure passwords.

Hydra is available especially for this purpose. In addition to WordPress installations, a wide range of systems and applications can be attacked with it.

5.2 The WPScan tool

WPScan is specially tailored for WordPress. It offers numerous functions, such as the recognition the installed plugins, themes and WordPress versions. It is also able to "guess" user accounts for brute force attacks and refer directly to them Vulnerability databasesif conspicuous plugins are found during the scan. In the example, a gap is detected in the W3 Total Cache plug-in (version 0.9.3).

5.3 Metasploit

Metasploit is a species All-purpose weapon or large toolbox for penetration tests and security analyzes. It consists of different sub-areas, sub-projects and modules - the scope allows use in all of them Phases a penetration test. Attackers also use Metasploit to break into foreign systems. Here is just a brief glimpse into the Metasploit universe.

The Metasploit Module »wordpress_login_enum«Is used to determine valid user accounts and can then carry out a password-guessing attack.

6. Other options

The tools and options shown above are only a mini-selection practice There are countless tools and variants to hack web applications and their host systems. In the Metasploit and exploit-db.com databases alone there are hundreds of Weak points recorded and described. Again and again the goal are plugins, themes and the WordPress core itself.


Deactivated plugins or themes are also dangerous. Even if they are not actively used, they can normally still be reached. For example, the Asset Manager plug-in (version <= 2.0) allows a file to be uploaded to a temporary directory - then malicious code can be executed from it. The plug-in does not have to be active for this intrusion, it only has to be available on the web space.gap: WordPress Asset Manager PHP File Upload Vulnerability.

6.1 System-level attacks

For phase 1 alone (information gathering) an attacker will spend a lot of time to get data / information that could be useful to him later. After all, the success for the later break-in depends on it indirectly. Even simple ways such as Google hacking (Dorks), DNS information and social networks are important sources of information. Information can often be derived from these that provide crucial clues for a successful attack. A WordPress installation itself may not offer one attackpointwhich focuses on the host system. As an an example:

  • MySQL database
  • FTP / SSH service
  • CPanel or other tools for web-based administration
  • phpMyAdmin access
  • [ … ]

For WordPress security, everyone must Gears interlock - in the end, an attacker always has the goal of finding the weakest gear.

7. Conclusion

The article WordPress Hacking is supposed to be a impression Communicate about the course of an attack - even if the phases are slightly mixed up. Attackers usually pursue different goals. Infected WordPress installations often serve as starting point for further attacks or for sending spam mail. In addition to vandalism and the desire for revenge, there are practically innumerable intentions.

If your WordPress installation has already been hacked or you want to improve security in advance, then I recommend the following instructions again: »Hardnening WordPress« and my article series »Securing WordPress«.

Image sources:

Skull: "# 9358035", https://de.fotolia.com/id/9358035

Hacking WordPress - A look behind the scenes January 19th, 2021Mike Kuketz

Spread the word | Support

If you liked the post, then share him with your friends, acquaintances and fellow human beings. Use social networks, forums, emails or simply the next celebration / event. You are also welcome to support my work!

About the author

My name is Mike Kuketz and I am writing this blog to security- and data protection relevant Making topics easier to understand and accessible to everyone.

In my freelance work as Pentester (Kuketz IT-Security) I slip into the role of a »hacker« and look for weak points in IT systems, web applications and apps. Furthermore, I am Lecturer for IT security at the dual university in Karlsruhe and among other things as an author for the computer magazine c’t.

The Kuketz blog or my person is regularly represented in the media (heise online, Süddeutsche Zeitung, etc.).

Learn more ➡

If you want to be informed about the latest posts, you have several options to follow the blog:

Stay up to date ➡