How to hack a WordPress website, 8 ways to hack (or protect) your website

How to hack WordPress

First off, if you’re trying to learn how to hack WordPress I have to tell you upfront that you’re out of luck. Right out of the box it’s nearly impossible to hack WordPress for the average user, but there are still a number of ways to do it if you’re dedicated, or if the website owner has left the door open. So let’s start by looking at what a website owner should do to protect against people who want to hack WordPress, as well as how to get back into it if you’ve lost your keys.

Only a complete fool would ever suggest that WordPress was hack proof, but over the past eight years of working with WordPress, I have personally never seen an incident of WordPress hacking that involved the WordPress Core files. That’s because the files that form the core of WordPress are checked, and rechecked, by people around the world. So how do you hack WordPress?

Hacking WordPress through poor hosting

One of the easiest ways to hack WordPress is through poor hosting practices. This includes mistakes by the web hosting company as well as mistakes by the website owner related to their hosting account, but regardless of the culprit, website operators should ensure their WordPress websites are safe from hacking by checking a few key things:

Choosing a WordPress hosting company

It is absolutely no secret that I’m in love with the work Bluehost and WP Engine do for hosting WordPress powered websites, but what may surprise people is that my primary reason for using both of these companies is that they both take WordPress security seriously. Whoever you’re using for WordPress powered hosting, be sure that they’re conforming to these basic guidelines:

  • allowing, and enforcing, auto updates of your WordPress Core files;
  • running the latest versions of your hosting software such as Apache, PHP and MySQL;
  • having a secure facility, both physically and through connection methods such as SFTP (Secure File Transfer Protocol) or Git;
  • running an SSL certificate on your domain name, and enforcing it for connectivity;

I suspect the best analogy for hacking WordPress through hosting would be for a website owner to imagine their website like a retail store in a mall. Clearly you need to protect your store from the general public, but you also need to worry about the other merchants and mall owners keeping up with their basic security requirements. In the case of WordPress security, one weak link will allow hacking.

Securing your WordPress hosting environment

Once you’ve ensured you can trust your hosting provider to host a secure WordPress environment and properly maintain that environment, the next single weakest link when it comes to WordPress hosting is poor server practices. If I were looking to exploit a WordPress environment and hack a WordPress website, this is where I would focus my efforts.

Hacking WordPress through poor account management

The first, and easiest way to hack a WordPress website is through poor account management. For example:

  • websites that use admin as the WordPress administrator login show a blatant lack of respect for basic security processes;
  • administrators who use simple passwords to protect the website;

Right off the bat, to help protect your website from hackers you should take a few moments and change your default login from admin to something more user specific. This is a great first step since it now removes one of the two pieces of information hackers need to guess, but due to a bug in how WordPress Core functions, hackers can easily retrieve your username through a known exploit. To avoid the exploit (which I won’t document here), you’ll need to enforce nicknames on your account. I use Better WP Security, a free plugin that allows me to hide my username from the general public.

It's harder to Hack WordPress with two step authentication

To help protect your website further, take the time to install an external two step authenticator on your website. Two factor logins make it really hard to hack a WordPress website because they force your website to rely on another service such as Google or SMS messaging to generate a unique, time sensitive code for users to log into your website.

You can add more security to your WordPress login prompt by adding a simple .htpasswd file to protect your wp-admin directory, limiting the number of login attempts, and restricting the IP range a user can attempt to log in from.
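As an added example (not code from the original post), the following shell functions generate the Apache 2.4 .htaccess that puts HTTP Basic auth and an IP allow-list in front of /wp-admin, which is the .htpasswd and IP range restriction just described. It assumes Apache 2.4 with mod_authn_file and mod_authz_core, AllowOverride enabled for the document root, and that the .htpasswd file is stored outside public_html; the paths, user name and 203.0.113.0/24 range are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: protect /wp-admin with HTTP Basic
# auth plus an IP allow-list. Assumes Apache 2.4 (mod_authn_file, mod_authz_core)
# and AllowOverride enabled. All paths and the CIDR are constructed placeholders.
set -u

# write_wp_admin_htaccess DOCROOT HTPASSWD_PATH ALLOWED_CIDR
# Writes DOCROOT/wp-admin/.htaccess and prints the path it wrote.
# HTPASSWD_PATH should live OUTSIDE the document root so it is never served.
write_wp_admin_htaccess() {
  docroot=$1; htpasswd=$2; cidr=$3
  target="$docroot/wp-admin/.htaccess"
  mkdir -p "$docroot/wp-admin"
  cat > "$target" <<EOF
# Basic auth + IP allow-list for the WordPress dashboard (generated)
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $htpasswd
<RequireAll>
    Require valid-user
    Require ip $cidr
</RequireAll>

# admin-ajax.php is called by front-end features and plugins on behalf of
# anonymous visitors, so it must stay reachable without credentials.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
  printf '%s\n' "$target"
}

# htpasswd_line USER PASSWORD
# Prints a "USER:HASH" line for the .htpasswd file. Prefers the htpasswd tool
# (bcrypt) and falls back to openssl's Apache-compatible MD5-APR1 hash.
htpasswd_line() {
  user=$1; pass=$2
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$user" "$pass"
  else
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
  fi
}

# Usage (constructed paths):
#   write_wp_admin_htaccess /var/www/public_html /var/www/.htpasswd 203.0.113.0/24
#   htpasswd_line dashboard-user 'a long passphrase' >> /var/www/.htpasswd
```

Inside `<RequireAll>` both conditions must hold, so a stolen dashboard password is useless from outside the allowed range; if you administer from changing addresses, drop the `Require ip` line rather than widening it to the whole internet.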

Finally, to help ensure hackers have a truly difficult time hacking WordPress through the user login prompt, I use a long, complex password with a deeply personal but completely nonsensical logic. I find this much better than randomly generated passwords such as 0%&+Y3L~”{g\]{e because while I appreciate nobody is likely to guess that, I’m also unlikely to remember it. Instead, I prefer to use passwords such as:

  • Doyouhavethetimetolistentomywine (a simple play on Green Day);
  • thereareatleastfivereasonsiloveyou (you’re free to guess what they are);

Remember that securing your WordPress website isn’t just about the user prompt for your WordPress admin, you also need to protect WordPress from hacking attempts in a number of other places:

  • your WordPress admin account;
  • your WordPress authoring account (yes, they should be separate);
  • your MySQL database password;
  • your SFTP login password;
  • your cPanel, hosting management, and billing login;
  • your domain name registrar;

Protecting your WordPress files through proper management

Now that you’re reasonably sure your connection to the website is secure, and your hosting company is reliable, it’s time to look at how to protect your actual files from hackers because when it comes to hacking websites, this is the next place people will attack.

If you take the time to look at an average 404 error log (a 404 error is a file not found error), you’ll likely see a stream of errors for files such as timthumb.php or database.sql. These are the results of bots (automated robots) scanning websites for known vulnerabilities. If you see these in your web logs, there is a very good chance that hackers are scanning for a backdoor into your site and it’s time to take action:

  • ensure none of your plugins are writing backups to your server;
  • be sure your hosting company is not doing backups directly to your public_html directory;
  • review the contents of your website directory regularly for backups;
  • remove any unused plugins, themes, or extensions;
  • set your WordPress file permissions properly;
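As an added example (not code from the original post), here is the kind of 404-log check described above, turned into a small shell script: it reads a combined-format Apache access log and counts, per client address, the 404 responses on paths that look like vulnerability probes. The watch-list starts from the two files the post names (timthumb.php and database.sql) and adds a few assumed backup and dump names; the log lines and IP addresses are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: flag vulnerability-probing bots in
# an Apache combined-format access log by counting 404s on probe-like paths.
# The probe list and the sample log below are constructed / assumed.
set -u

# Probe patterns as an extended regex. timthumb.php and database.sql come from
# the post; the archive and backup suffixes are an assumed extension of the list.
PROBE_REGEX='timthumb[.]php|database[.]sql|[.]sql$|[.]sql[.]gz$|[.]zip$|[.]tar[.]gz$|[.]bak$|wp-config[.]php'

# write_sample_log FILE: writes a constructed six-line access log for offline use.
write_sample_log() {
  cat > "$1" <<'EOF'
198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /wp-content/themes/x/timthumb.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET /database.sql HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:01:05 +0000] "GET /missing-page/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2024:10:02:00 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/8.0"
EOF
}

# scan_probe_404s LOGFILE
# Prints "IP COUNT" for every client that received a 404 on a probe-like path,
# most active client first. Ordinary 404s (a mistyped page URL) are ignored.
scan_probe_404s() {
  awk -v re="$PROBE_REGEX" '
    # combined format: $1 = client IP, $7 = request path, $9 = status code
    $9 == 404 && $7 ~ re { hits[$1]++ }
    END { for (ip in hits) printf "%s %d\n", ip, hits[ip] }
  ' "$1" | sort -k2,2nr
}

# probe_count LOGFILE IP: number of probe 404s for one client (0 when clean).
probe_count() {
  n=$(scan_probe_404s "$1" | awk -v ip="$2" '$1 == ip { print $2 }')
  printf '%s\n' "${n:-0}"
}

# Usage against a real log (path is an assumption; adjust for your host):
#   scan_probe_404s /var/log/apache2/access.log
```

A client with several probe 404s in a short window is a scanner, not a visitor; that address is a candidate for a firewall or login-attempt block, and the paths it asked for are a checklist of what must not exist in your public_html.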

Once you’re sure your website is as safe as possible, remember to move your wp-config.php file out of the public_html directory to protect it from hackers. By default, WordPress will look not only in your hosting directory but in the directory above it for your WordPress configuration file.
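As an added example (not code from the original post), the following shell functions audit a WordPress document root for the points in the list above: stray backups and database dumps sitting where a bot could download them, group- or world-writable files and directories, and where wp-config.php lives and with what mode. The 755/644/600 permission scheme and the demo site layout are assumptions, and `make_demo_site` builds a constructed directory with deliberate problems so the checks can be run offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit a WordPress docroot for
# stray backups, loose permissions and wp-config.php placement. Assumed
# conventions: directories 755, files 644, wp-config.php 600 or moved one
# level above the docroot. make_demo_site builds a constructed test tree.
set -u

# find_stray_backups DOCROOT: dump/archive/backup files a scanner could fetch.
find_stray_backups() {
  find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' \
      -o -name '*.tar.gz' -o -name '*.bak' -o -name '*~' \) | sort
}

# find_bad_perms DOCROOT: files and directories writable by group or others.
find_bad_perms() {
  find "$1" \( -type f -o -type d \) \( -perm -g+w -o -perm -o+w \) | sort
}

# check_wp_config DOCROOT: one line starting with "ok:" or "WARN:" describing
# where wp-config.php is and whether its mode keeps other users out.
check_wp_config() {
  docroot=$1
  if [ -f "$docroot/wp-config.php" ]; then
    mode=$(stat -c '%a' "$docroot/wp-config.php" 2>/dev/null \
        || stat -f '%Lp' "$docroot/wp-config.php")
    if [ "$mode" = "600" ] || [ "$mode" = "400" ]; then
      echo "ok: wp-config.php in docroot with mode $mode (moving it one level up is better still)"
    else
      echo "WARN: wp-config.php in docroot has mode $mode, expected 600"
    fi
  elif [ -f "$docroot/../wp-config.php" ]; then
    echo "ok: wp-config.php kept one level above the docroot"
  else
    echo "WARN: wp-config.php not found in docroot or its parent"
  fi
}

# fix_perms DOCROOT: 755 on directories, 644 on files, 600 on wp-config.php.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
  return 0
}

# make_demo_site DIR: constructed docroot with a world-writable uploads folder,
# a readable wp-config.php, a SQL dump and a plugin backup archive.
make_demo_site() {
  mkdir -p "$1/wp-content/uploads" "$1/wp-content/plugins/old-plugin"
  : > "$1/index.php"
  : > "$1/wp-config.php"
  : > "$1/wp-content/uploads/database.sql"
  : > "$1/wp-content/plugins/old-plugin/backup.zip"
  fix_perms "$1"                    # start from a clean 755/644 baseline...
  chmod 644 "$1/wp-config.php"      # ...then introduce the deliberate faults
  chmod 777 "$1/wp-content/uploads"
}

# Usage against a real site (path is an assumption):
#   find_stray_backups /var/www/public_html; find_bad_perms /var/www/public_html
#   check_wp_config /var/www/public_html
```

Run the three checks from cron and mail yourself anything they print; an empty report is the normal state, so any output is worth a look. Only run `fix_perms` once you have confirmed nothing on the host (an uploads handler, a cache plugin) legitimately needs a wider mode.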

Hacking WordPress through poor WordPressing

The server and files are just the start of protecting WordPress from hackers. The next steps are all about people, and about avoiding the errors that are common across many websites; if you’re serious about protecting your WordPress site from hackers, these next steps are vital.

Ensuring WordPress is up to date

The WordPress community is made up of hundreds of programmers around the world, most of whom run websites just like you. If one person finds a potential security flaw, they either report it to the WordPress Core team, or fix it and submit the patch to the team as quickly as possible. Those fixes are then sent out to millions of WordPress websites immediately, but if you’re not updating your WordPress site, you’re inviting hackers to exploit those vulnerabilities.

If, for whatever reason you’re unable to update WordPress automatically, the next best thing will be to hide your WordPress version number and try to trick hackers into not knowing which version of WordPress you’re using.

Hacking a WordPress website with plugins

As I mentioned earlier, I’ve never personally seen a WordPress website hacked through Core (the core files that make up WordPress) but I’ve been hired to fix a lot of hacked WordPress websites that are the result of poorly written plugins and themes. I don’t know what the numbers are, but I suspect that most WordPress hacks come as a result of these add-ons. To help avoid having your website hacked through plugins I suggest:

  • only installing, or activating plugins you need to run your website;
  • removing unused plugins regularly;
  • downloading plugins from trusted sources such as the repository;
  • reviewing plugin code to understand what you’re installing on your website;

I focus the above list on plugins, but themes are just as vulnerable, and it’s vital for website owners to realize that when they activate a theme or plugin on their website, they are giving that code full access to the website, and potentially a backdoor for hackers. Just as I outlined above, it’s vital for plugins and themes to be updated as soon as a new release is put out, to ensure your website is as secure as possible.
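As an added example (not code from the original post), here is a first-pass aid for the "review plugin code before installing it" step above: a shell function that greps a plugin or theme directory for PHP constructs that legitimate WordPress add-ons rarely need, such as runtime `eval`, base64 or gzip-decoded payloads, and direct shell execution. The watch-list is an assumption and a hit is a reason to read that file, not proof of malice; `make_demo_plugin` builds a constructed two-file plugin so the function can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: flag PHP constructs in plugin or
# theme code that deserve a human read before the code is activated. The
# watch-list is assumed; the demo plugin below is constructed and harmless.
set -u

# Assumed watch-list (extended regex): runtime eval, decoders commonly used to
# hide payloads, dynamic function creation, shell execution, preg_replace /e.
RISKY_REGEX='(^|[^[:alnum:]_])eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|create_function[[:space:]]*\(|(^|[^[:alnum:]_])(shell_exec|passthru|system|exec|popen)[[:space:]]*\(|preg_replace[[:space:]]*\([^)]*/e'

# review_plugin_dir DIR: prints file:line:text for every flagged line in *.php.
review_plugin_dir() {
  grep -rnE --include='*.php' "$RISKY_REGEX" "$1" || true
}

# risky_hit_count DIR: number of flagged lines; 0 means nothing to read further.
risky_hit_count() {
  review_plugin_dir "$1" | wc -l | tr -d ' '
}

# make_demo_plugin DIR: constructs a plugin with one ordinary file and one file
# using an obfuscated-loader pattern (the payload is an inert constant).
make_demo_plugin() {
  mkdir -p "$1/demo-plugin"
  cat > "$1/demo-plugin/demo-plugin.php" <<'EOF'
<?php
/* Plugin Name: Demo Plugin (constructed for the example) */
add_action( 'wp_footer', function () { echo '<!-- demo -->'; } );
EOF
  cat > "$1/demo-plugin/helper.php" <<'EOF'
<?php
$p = base64_decode( 'aGVsbG8=' ); // decodes to "hello"; flagged for review
eval( '$x = 1;' );                 // runtime eval; flagged for review
EOF
}

# Usage against a real install (path is an assumption):
#   review_plugin_dir /var/www/public_html/wp-content/plugins/some-plugin
```

Treat the output as a reading list: open each flagged file and decide whether the construct has a plausible purpose for that plugin. Some legitimate code does use `base64_decode` (for example to embed an icon), which is exactly why this is a review aid and not an automatic verdict.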

How to hack a WordPress website (that you own)

Hacking a WordPress website that you have access to is surprisingly easy; I have to do it regularly for clients who have lost their passwords. To hack a WordPress website that you are managing, here are some simple suggestions.

Recovering your password through the web

The easiest method to reset your password in WordPress is to click the Forgot your password? link on the bottom of your WordPress login prompt. This will ask you for the username or email associated with an account, and send a reset link to the appropriate email.

Hacking WordPress without email

Presuming that you’ve lost access to your WordPress website for legitimate reasons, you can still reset your password in a few different ways; the problem with most of those methods is that they require you to know your account ID number before resetting your password. There’s also an emergency password reset form that you can install if you have SFTP access to the website, but my preference is to create a new admin user with this simple code sample and use it to log into the WordPress website as an admin user once I’ve run it.

[gist 6048631]

To run this script, you’ll need to SFTP into your site and add the code to a site specific plugin file, or your theme’s functions.php file.
