Hacking the WordPress Login by Capturing WordPress Usernames and Passwords

Apr 11, 2017 | 5:44 pm

Published by | Payal Gautam

WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress is installed on a web server that is either part of an Internet hosting service or a network host in its own right. The first case may be a service like WordPress.com, for example, and the second case could be a computer running the software package WordPress.org. A local computer may be used for single-user testing and learning purposes.

Hacking the WordPress Login – Stealing Usernames and Passwords Using Free Tools:

You access your WordPress dashboard or admin web pages over an HTTPS interconnection (using an SSL web server certificate), the user name and password are delivered in clear text over the internet, hence you risk of having them stolen.

With this WordPress security blog post we will describe how malicious cybercriminals can hack your WordPress login by detecting (also known as capturing) your WordPress username and security password using free tools.

How to Capture & Hack WordPress Passwords:

Routing of Clear Text Data Over the Internet

Whenever you access your WordPress dashboard (wp-admin section) or any other website, the data is not delivered directly from your computer browser to the web server. It is sent through a number of devices on the internet. Therefore prior to the data gets to your server, your data is passing through and being accessed by a range of routers, switches, servers, web proxy servers etc which are administered by different organizations.

Depending on the geographical location of your computer and web server, your data might be routed through 5 to 20, or more devices until it finally reaches its destination. Since such data is posted clear text, should a malicious hacker tap into one of those devices and captures its traffic, the hacker may easily access your WordPress username or password as explained below.

Hacking WordPress Login (Capturing the Credentials):

Once a malicious hacker can access your data by tapping into a device from where your data is being sent (which could also be your very own cellular router), he can use free tools such as Wireshark for capturing your WordPress login session, which will include your WordPress account information.

Depending on the sort of access the hacker manages to gain, they can also route all of the device’s traffic through his own web proxy software, such as Fiddler, which is also a free tool.

At this stage hacking your WordPress login is very easy because the malicious hacker can capture all of the web traffic getting through that device. Intended for example below is a screenshot from Fiddler acquiring a WordPress login program (i. e. the traffic exchanged between a customer’s web browser and a WordPress website while visiting into WordPress dashboard or admin pages).

Detecting and Capturing WordPress Passwords:

When the malicious hacker has a duplicate of the web data exchanged between your web browser and your WordPress blog or website, he can surf through it to identify your WordPress password. In this test case, we used admin as the username with password StrongPass. By simply identifying the HTTP CONTENT request from the above screenshot, i. e. when the browser sent the password to the WordPress site, the hacker can see your account information in clear text as highlighted in the below screenshot.

From the above screenshot, you observe that the Log parameter provides the username used to sign into WordPress (admin) and the PWD parameter provides the password (StrongPass).

Note: This screenshot shows exactly the clear text (including your WordPress username and password) your web browser sends to the WordPress login page to sign in.

A hacker does not be tech penetration himself to do such jobs. These free tools are incredibly user-friendly and anyone who has a simple idea of how the web works may easily capture and steal WordPress passwords, hence why we always recommend one to turn on WordPress SSL for your login web pages.

Protect Your WordPress Login and Password:

There are many ways how to protect your WordPress sign in details, i. e. the WordPress account information and avoid having them thieved. The first and most secure way is to access your WordPress dashboard over an HTTPS interconnection. Refer to the WordPress HTTPS (SSL) security article to configure WordPress SSL by using a plugin or consider our Definitive Guide to Implementing WordPress SSL to implement SSL manually on your WordPress.

Although we recommend every WordPress managers to implement both an SSL Web server record for WordPress SSL (HTTPS) connection, it is suggested to also add two-factor authentication. It is important to add two-factor authentication as well because even though malicious hackers are not able to steal your credentials when the WordPress login web page is over SSL, your WordPress is still vulnerable to brute force attacks. Two-factor authentication protects your WordPress from automated brute force attacks. Remember, the more layers of WordPress security you can implement, the better it is.

WordPress Hosting, Firewall, and Backup:

WordPress White Security is managed on A2 Hosting, guarded with BBQ: Block Bad Queries Firewall and supported up with BlogVault online WordPress backup service.