Though in the past it was extremely challenging to learn how to build professional-looking websites, today the process has become much easier, and it has also become much easier for hackers to find out how to hack WordPress. Believe it or not, WordPress accounts for approximately 19% of all websites in existence (almost 1 out of every 5 websites), and about 75 million websites use this platform. And as we all know, no software will ever be 100% infallible. This gives hackers the opportunity to hack WordPress sites with a variety of techniques.
There are several different types of attacks hackers can use to break, disrupt, and hack websites, but today we're going to take a closer look at SQL injection (SQLi), WPScan, and man-in-the-middle attacks.
SQLi, or SQL injection attacks, are among the most popular types of attacks designed to break websites. And unfortunately, they are also one of the most common vulnerabilities. But what the heck is an SQLi attack, you ask?
Essentially, it's a way to take advantage of the backend database behind a website by entering malicious input designed to break the system. Because of coding errors in the way the website builds its database queries, there are ways to steal, delete, or change entire volumes of information. But the first step to any SQLi attack is to identify websites that are vulnerable. Even though there are many websites vulnerable to this type of attack, the first challenge is finding one that hasn't plugged these security holes.
This will most likely be the most time-consuming portion of the entire exploit. One technique that can be used to find a potentially vulnerable website is called Google Dorking. The idea is to use Google search queries to identify websites that meet advanced search criteria. The following are just a few examples, but entire lists of valid queries can be found online.
These are just a few examples, and there are many other related searches a hacker can use. Just realize that the main focus is finding websites that use PHP scripts to create dynamic content from a backend SQL database.
I would also like to point out that SQLi attacks aren't limited to PHP-based websites. In fact, they can work against any type of SQL database. However, PHP sites are usually the easiest target because they don't take a lot of technical know-how to set up, which means there are a lot of potential targets and that their owners may not know advanced ways to prevent attacks. After you have identified some potential targets, the next step is validating that they are indeed vulnerable to SQLi.
To test if the website is truly vulnerable, go ahead and pull up that webpage. In this example, assume that the following fictitious webpage actually exists:
Now you will want to add an apostrophe to the end of the URL and see how the site reacts. So, in my browser’s URL bar, I would enter the following:
After pressing the enter key, I can discern whether or not the website is vulnerable. If the website returns an SQL error, the website can be taken advantage of. However, if the page loads without a hitch, it is not a good target. Generally speaking, as long as the site throws an SQL error, it can be attacked with SQLi methods, with few exceptions.
Advancing the Attack
Now we want to see how many fields are contained in the database that can be queried by the attacker. To do so, enter the following code:
- http://www.example.com/index.php?catid=1 order by 1
Repeat this request, incrementing the "order by" number by one each time. Eventually you'll get another error, and you'll want to remember the highest number in the "order by" statement that worked before the error was thrown.
The next step is to actually see the names of the fields (i.e., columns) in the database. This is done with a special type of SELECT statement called a union select statement. Use the following code:
- http://www.example.com/index.php?catid=-1 union select 1,2,3,4
In this example, we're assuming that "order by 4" was the highest value that worked before an error appeared, so the query returns four columns. This command will return data describing the different columns in the database that accepts your queries. Then it's just a matter of combining SQL code (such as inserts, updates, and deletes) with the learned column names to manipulate data to your advantage.
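The apostrophe, "order by" and "union select" probes above all work for the same reason: the catid parameter is pasted straight into the SQL text. This added example (not from the original post) reproduces that defect against a constructed SQLite table, so you can see exactly which inputs produce the errors the walkthrough relies on, and places it beside the fix, where the parameter is type-checked and bound so the input can never change the query.

```python
import sqlite3

# Constructed sample schema and rows, standing in for a site's article table.
SCHEMA = """
CREATE TABLE articles(id INTEGER PRIMARY KEY, catid INTEGER, title TEXT, body TEXT);
INSERT INTO articles VALUES (1, 1, 'First', 'hello'),
                            (2, 1, 'Second', 'world'),
                            (3, 2, 'Third', '!');
"""


def open_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_vulnerable(conn, catid):
    """Builds the query by string concatenation, the defect behind an injectable
    index.php?catid=... page. Returns (rows, error): an apostrophe or an
    out-of-range 'order by' surfaces as an SQL error, exactly the tell the
    walkthrough looks for."""
    sql = "SELECT id, catid, title, body FROM articles WHERE catid = " + catid
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def fetch_hardened(conn, catid):
    """Validates the parameter type, then binds it with a placeholder. Anything
    that is not an integer is rejected before it ever reaches the SQL engine,
    and a bound value is data, never query text."""
    try:
        cat = int(catid)
    except ValueError:
        return None, "invalid catid"
    rows = conn.execute(
        "SELECT id, catid, title, body FROM articles WHERE catid = ?", (cat,)
    ).fetchall()
    return rows, None
```

Run both functions with the same inputs ("1", "1'", "1 order by 5") to compare: the concatenated version leaks an engine error for every malformed value, while the hardened version returns the same "invalid catid" response regardless of what was sent.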
There's also a handy tool called WPScan that will allow administrators to check for security vulnerabilities in their websites as well as help hackers attack websites. If you're reading this guide, you should fall into the latter category. Not only can it run brute-force and dictionary-based password attacks, but it can also detect vulnerabilities in individual WordPress themes. It is able to brute force plugins, detect vulnerable themes, and enumerate users. A cool thing about this tool is that the password dictionaries are completely modular, allowing users to download and plug in new dictionaries that contain anywhere from a few hundred to thousands upon thousands of passwords.
Users can also leverage man-in-the-middle attacks against users who share the same LAN. A prime example of this is a user who connects to an unsecured public Wi-Fi hotspot (like at a coffee shop) to make changes to their website. As long as the login credentials aren't protected by a VPN tunnel or another encryption layer such as HTTPS, the login information will be visible in plain text. Common software that enables this type of attack includes Ettercap, Metasploit, Evilgrade, and Cain and Abel.
These are among the most common ways for hackers to attack WordPress administrative accounts and the website itself. SQLi attacks are by far the most prevalent because they are relatively simple to perform and don't cost a dime. These days it is easy enough to find out how to hack WordPress that even novices can perform these attacks, though man-in-the-middle attacks are a little more difficult to pull off successfully.
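The probe sequence walked through above (an apostrophe, then "order by N" counting upward, then a "union select") leaves a distinctive trail in an ordinary web-server access log. As an added example that is not part of the original post, the following scanner URL-decodes each request's query parameters, tags which stage of that sequence they match, and reports per client IP how many of those probes drew a 5xx error, which is the signal a site owner would want to alert on. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines, not taken from any real server.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?catid=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?catid=1%27 HTTP/1.1" 500 312',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?catid=1%20order%20by%201 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:40 +0000] "GET /index.php?catid=1+order+by+5 HTTP/1.1" 500 312',
    '10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?catid=-1+union+select+1,2,3,4 HTTP/1.1" 200 5200',
    '10.0.0.9 - - [01/Jan/2024:10:01:10 +0000] "GET /index.php?catid=2 HTTP/1.1" 200 4990',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One pattern per stage of the probe sequence, matched against decoded parameter values.
STAGES = [
    ("quote_probe", re.compile(r"'")),
    ("order_by_enum", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]


def classify_request(target):
    """Return the stage names whose pattern appears in any query parameter value.
    parse_qsl handles both %xx escapes and '+' as space, so encoding tricks
    in the raw URL do not hide the probe."""
    hits = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for name, pattern in STAGES:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits


def scan_log(lines):
    """Group findings per client IP: stages observed and how many flagged
    requests were answered with a 5xx (the 'SQL error' the probe is after)."""
    report = {}
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in common log format
        stages = classify_request(match.group("target"))
        if not stages:
            continue
        entry = report.setdefault(match.group("ip"), {"stages": set(), "errors": 0})
        entry["stages"].update(stages)
        if match.group("status").startswith("5"):
            entry["errors"] += 1
    return report
```

A client that progresses through all three stages, especially with 5xx responses interleaved, is a far stronger indicator than any single quoted parameter, so alert on the combination rather than on each line.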