Hacking WordPress websites – capturing WordPress passwords with free tools

Last updated on March 24th, 2020 by Robert Abela. Filed under WordPress Security

When you log in to your WordPress website, the username and password are sent in clear text.

If your WordPress website is on HTTPS, the communication between your browser and website is encrypted. There is nothing to worry about. However, credentials are sent over the internet in clear text if your website is on HTTP.

Clear text traffic, such as your WordPress credentials, can be easily captured by malicious users. So the risk of having your WordPress username and password stolen is very high.

This post uses real life examples to highlight how easy it is for malicious hackers to steal WordPress passwords using free software. Then it recommends how best to protect your WordPress password and site.

How to steal WordPress credentials (Usernames and Passwords)

Routing of clear text data over the internet

When you access a website, data is not sent directly from your browser to the web server. It is routed through a number of devices on the internet which are administered by different entities (ISPs, web hosts etc).

Depending on the geographical location of your computer and website, your WordPress login details are routed through 5 to 20 or more devices before they reach the destination. When data is sent in clear text, a malicious hacker who taps into one of these devices can easily capture your WordPress username and password. They do not need to look far: such a device can be your own home Wi-Fi router or modem.

Hacking WordPress websites – stealing passwords & login details

To emulate a malicious hacker, you can use free software such as Wireshark (sniffer) or Fiddler (proxy). Both of these applications can capture web traffic.

Capturing the WordPress password and login details

Let’s assume the attackers hacked your home modem and redirected all your web traffic through a Fiddler proxy server. When you log in to your WordPress site, the attacker can see the traffic (data) exchanged between your browser and website, as seen in the screenshot below.

Using Fiddler to sniff (capture) web traffic and analyze a WordPress login session

Finding the stolen WordPress password & username in the sniffed traffic

Now that the malicious hacker has the captured data, he just needs to find the HTTP request that contains the WordPress username and password. Note that this data is stored in Fiddler, so you do not need to be logged in for the attacker to extract it.

For this test we used the following credentials: username admin and password Str0ngPass. The screenshot below shows the clear text username and password captured by the proxy the attacker set up.

Capturing (sniffing) a WordPress login with free tools such as Fiddler

The log parameter contains the username and the pwd parameter contains the password (Str0ngPass).
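The same two parameters can be used defensively. The following is an added example, not part of the original post: it scans recorded HTTP requests for WordPress logins submitted without TLS and reports them without storing the password. The record format (scheme plus raw request), the host names and the sample requests are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample records: (scheme, raw request) as a TLS-terminating
# proxy or sensor might log them. Values mirror the article's test login.
CAPTURED = [
    ("http", "POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "log=admin&pwd=Str0ngPass&wp-submit=Log+In"),
    ("https", "POST /wp-login.php HTTP/1.1\r\nHost: shop.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "log=editor&pwd=constructed-value&wp-submit=Log+In"),
    ("http", "GET /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def find_cleartext_logins(captured):
    """Return one finding per WordPress login POST that travelled over HTTP."""
    findings = []
    for scheme, raw in captured:
        method, path, headers, body = parse_request(raw)
        # Only login form submissions sent without TLS are of interest.
        if scheme != "http" or method != "POST" or not path.endswith("/wp-login.php"):
            continue
        form = parse_qs(body, keep_blank_values=True)
        if "log" in form and "pwd" in form:
            findings.append({
                "host": headers.get("host", "?"),
                "username": form["log"][0],
                # Record only the length so the report never holds the password.
                "password_length": len(form["pwd"][0]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_logins(CAPTURED):
        print("clear-text WordPress login:", finding)
```

Any finding means the affected account's password should be treated as exposed and changed once the site is on HTTPS.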

How easy is it to capture WordPress login details?

If your website is running on HTTP it is very easy for an attacker to capture your WordPress password and username. As this article highlights, one does not have to be tech savvy. Most tools are available for free and are very easy to use.

Protecting your WordPress login details (and website)

To avoid these types of attacks, set up HTTPS on your WordPress website. However, do not stop there. There are a few other things that you should do:

  1. Add two-factor authentication,
  2. Enforce strong WordPress passwords,
  3. Keep a WordPress activity log,
  4. Install a WordPress file integrity monitor,
  5. Set up a WordPress firewall and security solution.


Pretty awful reading your posts. We are in a dangerous environment. Every time we are in danger.

This probably will not be a problem for young website. But it is very worrying for a website that has a large and produce

Robert Abela 03/01/2014

Hi Jasa,

If you implement a two factor authentication solution on WordPress and access your WordPress dashboard over HTTPS you are safe from such security issues. Here is more information on how to implement Invisible Two-factor authentication for WordPress and how to enable WordPress SSL for your WordPress dashboard.

sedot wc 24/10/2016

Thanks a lot! This article is very interesting and useful. Website security had to be improved, such as by installing SSL, which is also important for the security of the website.

Saad 06/01/2014

Does it happen with the current 3.8 version too?

Robert Abela 06/01/2014

Hi Saad,

Yes it happens with the current version. Please note that this is not a WordPress or any other web application problem. This is how the web works and you can simply overcome this particular problem by using HTTPS.

Solomon Closson 09/05/2014

I don’t see how your WordPress site can be hacked here. This explanation uses a request that you have to initially type in a username and password. So, how do you get a request if your username and password are incorrect? How do you get a correct username and password if you didn’t type it in to begin with?

This seems far-fetched and doesn’t seem like a security issue at all.

Robert Abela 10/05/2014

Hi Solomon,

I think you misunderstood the article. The article explains how a malicious hacker can perform a man in the middle attack to capture your login details in case you are not using HTTPS because your credentials are being sent using a clear text connection. Hence why you should enable WordPress SSL to encrypt the connection so such type of attack can be avoided.

Anshul 01/06/2014

Hi There!
There are many other ways through which a WordPress blog can be harmed.
But here you showed just one, and this is rare because we don’t know the actual user and the place from which he/she is logging in and also it is not so easy to place a packet sniffer in his/her network.

You should clarify many other methods also.

Robert Abela 02/06/2014

Hi Anshul,

Thank you for your comments.

Of course there are many other ways how one can hack WordPress but this article is specifically focusing on this particular attack subject. We cannot mention all attack vectors in one article, ay? If you browse through our blog you will find more attack vectors, so feel free to have a look.

As regards placing a sniffer, it is not as difficult as you think, in fact unfortunately it is a very common occurrence 🙁

Martin 06/03/2020

Most common way I use to find user names is through WordPress JSON where you can see everything. Most of the WordPress websites don’t use it but they leave it unprotected. A few times I asked the WordPress team why by default this is not disabled and if you need then enable it. They didn’t respond to it at all….

Robert Abela 12/03/2020

The WordPress user disclosure issue is quite a hot debate Martin and it is something that comes up from time to time. I and many other security professionals think it is a security issue and should be fixed, however, the WordPress team seems to not agree. Anyway, it’s not critical and so far it has never been the source of a major hack, so I guess it will remain as is for the foreseeable future.

Soul 21/07/2014

Sir Robert,
Thank you for your blog posts, they truly enlighten us of so many vulnerability attacks

“As regards placing a sniffer, it is not as difficult as you think, in fact unfortunately it is a very common occurrence :(”
May we request for examples? I find it difficult for hackers to do such acts nowadays.

Thank you and more power!

Robert Abela 22/07/2014

Hi there,

Here is a practical example; Cisco just released a patch for a remote code execution vulnerability which was discovered in a number of Residential wireless routers and modems models; http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm.

If such a vulnerability is exploited the attacker can execute code remotely, which means he can trigger a download, an installation of a sniffer and control it. The question is how many home users do you think will upgrade their modem’s or router’s firmware? As history taught us, very few. This means that all these devices connected to the internet can be exploited and controlled. So if a WordPress owner uses such a device at home to update his WordPress (which is a common occurrence) the risks of having his WordPress site hacked are very high.

Trust this answers your question.

Ankur 05/10/2014

I still can’t digest that it is sent as plain text. I think it must be hashed before sending.

Robert Abela 08/10/2014

Hi Ankur,

Unfortunately it is so and will remain so for the foreseeable future it seems. Test it out yourself and you will see it 🙂

Wireshark 07/12/2014

Ok, but for easy Wireshark you must be in the home network; if not, it won’t work.

Robert Abela 08/12/2014

Not specifically. If an attacker manages to gain access to your ISP’s router, or some other server he can also capture your connection. In other words if an attacker has access to any point from where your traffic is routed, he can capture your traffic hence why implementing SSL is a must.

banglablog 20/12/2014

what an article! thanks ‘Robert Abela’ << for sharing this 🙂

Pooria 25/12/2014

I read your great article but I have the same question as Anshul: is there any way to sniff a website’s login page from another network? When I do not have access to the administrator’s network, how can the administrator’s data be sniffed?

Robert Abela 07/01/2015

The only way to capture someone’s data, in this case the WordPress credentials, is to have access to a hop through which the data is passing, be it a wireless router or even an ISP router.

Cara Bikin Web 08/11/2016

Does Fiddler apply with the current WP version?

Robert Abela 24/11/2016

This issue is not related to a specific WordPress version. This is how web applications work in general, including WordPress. The best thing to do is to implement TLS (run the login page on HTTPS).

micheal 10/03/2017

HTTPS can also be hacked if there are any vulnerabilities in your site.

Robert Abela 15/03/2017

Of course Micheal. HTTPS is not a means of protection but a means of encryption. Therefore its use is to encrypt the traffic between the user and the server.

mcx free tips 02/10/2017

Great post. Can you please tell me which software or application they used to get the user name and password, and from which software you took the screenshot?

Robert Abela 11/10/2017

The software is a web debugging proxy. It is called Fiddler and can be downloaded from here: http://www.telerik.com/fiddler

bokepjav69 20/01/2018

I think it should be hashed before sending. To make it easier for Wireshark you have to be in the home network, otherwise it will not work.

Robert Abela 12/02/2018

Thanks for your comment. There are many ways to avoid this from happening. The simplest one is to switch to HTTPS (use Let’s Encrypt. It is free!). Regarding Wireshark, as long as you can hook it somewhere from where the data is sent between the client and the server, it will capture the data.

Binod Jha 28/03/2018

Great post. Can you please tell me which software or application they used to get the user name and password, and from which software you took the screenshot?

Robert Abela 05/04/2018

The tool is Wireshark, a network packet capturing tool.

blanco 29/11/2019

Seeing that Google punishes sites who aren’t using HTTPS/SSL, and most decent hosts include SSL certs automatically, almost every site made or updated in the last couple years is going to be using HTTPS. If you’re not on HTTPS by now, you have much bigger problems.

rajiv 25/01/2020

Can anyone help me with how to exploit a WordPress website?
It would help with my studies.

Robert Abela 13/02/2020

Hello Rajiv,

There are many ways you can exploit a vulnerability and hack a WordPress website. It all depends on what vulnerabilities and security weaknesses the website has. I’m pretty sure you’ll find ample information and tutorials online about this.

Sunny Kumar 26/01/2020

Ok, but for easy Wireshark you must be in the home network; if not, it won’t work.

Robert Abela 13/02/2020

Not specifically, no. As long as Wireshark is installed somewhere along the route from where the credentials are sent, then it can capture the credentials. A home router is an easy target because many people do not even set a password on them, but there are many other places where you can tap in, such as the ISP, the web host etc.
