Hacking the WordPress Login – Stealing Usernames and Passwords Using Free Tools

As explained in the previous security post Website SSL and HTTPS explained, unless you access your WordPress dashboard or admin pages over an HTTPS connection (using an SSL web server certificate), the username and password are sent in clear text over the internet, so you risk having them stolen.

In this WordPress security blog post we will explain how malicious hackers can hack your WordPress login by sniffing (also known as capturing) your WordPress username and password using free tools.

How to Capture & Hack WordPress Passwords

Routing of Clear Text Data Over the Internet

When you access your WordPress dashboard (wp-admin section) or any other website, the data is not sent directly from your computer's browser to the web server. It is routed through a number of devices on the internet. Therefore, before the data reaches your server, it passes through, and can be read by, a number of routers, switches, servers, proxy servers, etc., which are administered by different entities.

Depending on the geographical location of your computer and web server, your data might be routed through 5 to 20 or more devices until it reaches its destination. Since such data is sent in clear text, should a malicious hacker tap into one of these devices and capture its traffic, the hacker can easily retrieve your WordPress username and password, as explained below.

Hacking WordPress Login (Capturing the Credentials)

Once a malicious hacker can access your data by tapping into a device from where your data is being routed (which could also be your very own wireless router), he can use free tools such as Wireshark to capture your WordPress login session, which will include your WordPress username and password.

Depending on the type of access the hacker manages to gain, he can also route all of the device’s traffic through his own proxy software, such as Fiddler, which is also a free tool.

At this stage hacking your WordPress login is very easy, because the malicious hacker can capture all of the web traffic passing through that device. For example, below is a screenshot from Fiddler capturing a WordPress login session (i.e. the traffic exchanged between a user's web browser and a WordPress website while logging in to the WordPress dashboard or admin pages).

Using Fiddler to sniff (capture) web traffic and analyze a WordPress login session

Sniffing and Capturing WordPress Passwords

Once the malicious hacker has a copy of the web data exchanged between your web browser and your WordPress blog or website, he can browse through it to identify your WordPress password. In this test case we used admin as username with password Str0ngPass. By identifying the HTTP POST request from the above screenshot, i.e. when the browser sent the password to the WordPress site, the hacker can see your username and password in clear text as highlighted in the below screenshot.

Capturing (sniffing) a WordPress login with free tools such as Fiddler

From the above screenshot we can see that the log parameter contains the username used to log in to WordPress (admin) and the pwd parameter contains the password (Str0ngPass).

Note: The above screenshot shows exactly the clear text (including your WordPress username and password) your web browser sends to the WordPress login page to login.

A hacker does not need to be tech savvy to do such tasks. These free tools are very easy to use, and anyone with a basic idea of how the web works can easily capture and steal WordPress passwords, which is why we always recommend turning on WordPress SSL for your login pages.

Protect Your WordPress Login and Password

There are several ways to protect your WordPress login details, i.e. the WordPress username and password, and avoid having them stolen. The first and most secure way is to access your WordPress dashboard over an HTTPS connection. Refer to the WordPress HTTPS (SSL) security tutorial to configure WordPress SSL using a plugin, or refer to our Definitive Guide to Implementing WordPress SSL to implement SSL manually on your WordPress.

Although we recommend that every WordPress administrator implement an SSL web server certificate so that the WordPress login is served over an HTTPS connection, we also recommend adding two-factor authentication. It is important to add two-factor authentication as well because, even though malicious hackers are not able to steal your credentials when the WordPress login page is served over SSL, your WordPress is still susceptible to brute force attacks. Two-factor authentication protects your WordPress from automated brute force attacks. Remember, the more layers of WordPress security you can implement, the better.
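One way to implement the HTTPS recommendation above, as an added example that is not code from the original post or from WordPress itself: the lines that go in wp-config.php to force the login onto HTTPS, beside the weak default, plus a small must-use plugin that refuses and records any credential submission that still arrives in clear text. `FORCE_SSL_ADMIN`, `is_ssl()`, `login_init`, `sanitize_user()`, `wp_unslash()` and `wp_die()` are real WordPress identifiers; the X-Forwarded-Proto handling assumes a TLS-terminating reverse proxy in front of the site, and the plugin file name is hypothetical.

```php
<?php
/*
 * 1) wp-config.php: force wp-login.php and the dashboard onto HTTPS.
 *    These lines go above the "That's all, stop editing!" line.
 */

// Assumption: a TLS-terminating reverse proxy sets X-Forwarded-Proto.
// Without this fix is_ssl() stays false behind the proxy, FORCE_SSL_ADMIN
// redirects again and the login page loops. Trust the header only when
// the proxy is the sole path to the web server.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Weak (default) state: the constant is unset, wp-login.php is served over
// plain HTTP and the browser posts "log" and "pwd" in clear text.
// define( 'FORCE_SSL_ADMIN', false );

// Corrected state: WordPress redirects wp-login.php and /wp-admin/ to
// https:// before the form is served and marks the auth cookies Secure,
// so neither the password nor the session cookie travels in clear text.
define( 'FORCE_SSL_ADMIN', true );

/*
 * 2) wp-content/mu-plugins/cleartext-login-guard.php (hypothetical name):
 *    defence in depth if FORCE_SSL_ADMIN is ever removed. A POST reaching
 *    wp-login.php over plain HTTP means the credentials were already exposed
 *    on the wire, so refuse it and record the event for the administrator.
 */
add_action( 'login_init', function () {
    if ( is_ssl() || 'POST' !== $_SERVER['REQUEST_METHOD'] || empty( $_POST['log'] ) ) {
        return;
    }
    // Record the username only; never write the submitted password to a log.
    error_log( sprintf(
        'Clear-text WordPress login attempt for user "%s" from %s',
        sanitize_user( wp_unslash( $_POST['log'] ) ),
        $_SERVER['REMOTE_ADDR']
    ) );
    wp_die(
        'Logins are only accepted over HTTPS. This password was sent in clear text; change it.',
        'Insecure login rejected',
        array( 'response' => 403 )
    );
} );
```

The two parts live in separate files, each starting with its own `<?php` tag; with `FORCE_SSL_ADMIN` active the guard never fires, because WordPress redirects plain-HTTP requests to wp-login.php before `login_init` runs.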

Comments

  1. Pretty awful reading your posts. We are in a dangerous environment. Every time we are in danger.

    This probably will not be a problem for young website. But it is very worrying for a website that has a large and produce

  2. Does it happen with the current 3.8 version too?

    • Hi Saad,

      Yes it happens with the current version. Please note that this is not a WordPress or any other web application problem. This is how the web works and you can simply overcome this particular problem by using HTTPS.

  3. Solomon Closson says:

    I don’t see how your WordPress site can be hacked here. This explanation uses a request that you have to initially type in a username and password. So, how do you get a request if your username and password are incorrect? How do you get a correct username and password if you didn’t type it in to begin with?

    This seems far-fetched and doesn’t seem like a security issue at all.

    • Hi Solomon,

      I think you misunderstood the article. The article explains how a malicious hacker can perform a man in the middle attack to capture your login details in case you are not using HTTPS because your credentials are being sent using a clear text connection. Hence why you should enable WordPress SSL to encrypt the connection so such type of attack can be avoided.

  4. Hi There!
    There are many other ways through which a WordPress blog can be harmed.
    But here you showed just one, and this is rare because we don't know the actual user and the place from which he/she is logging in, and also it is not so easy to place a packet sniffer in his/her network.

    You should clarify many other methods also.

    • Hi Anshul,

      Thank you for your comments.

      Of course there are many other ways how one can hack WordPress but this article is specifically focusing on this particular attack subject. We cannot mention all attack vectors in one article, ay? If you browse through our blog you will find more attack vectors, so feel free to have a look.

      As regards placing a sniffer, it is not as difficult as you think, in fact unfortunately it is a very common occurrence :(

  5. Sir Robert,
    Thank you for your blog posts, they truly enlighten us about so many vulnerability attacks.

    “As regards placing a sniffer, it is not as difficult as you think, in fact unfortunately it is a very common occurrence :(”
    May we request for examples? I find it difficult for hackers to do such acts nowadays.

    Thank you and more power!

    • Hi there,

      Here is a practical example: Cisco just released a patch for a remote code execution vulnerability which was discovered in a number of residential wireless router and modem models; http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm.

      If such a vulnerability is exploited the attacker can execute code remotely, which means he can trigger a download, an installation of a sniffer, and control it. The question is how many home users do you think will upgrade their modem's or router's firmware? As history has taught us, very few. This means that all these devices connected to the internet can be exploited and controlled. So if a WordPress owner uses such a device at home to update his WordPress (which is a common occurrence) the risks of having his WordPress site hacked are very high.

      Trust this answers your question.

  6. I still can't digest that it is sent as plain text. I think it must be hashed before sending.
