Hacking WordPress – Capturing WordPress Usernames & Passwords with free tools

Last updated on June 17th, 2018 by Robert Abela. Filed under WordPress Security Readings

Google have been pushing the HTTPS agenda for a few years now – they want all websites to run on HTTPS. If your WordPress website still runs over HTTP, then every time you log in and use the dashboard or admin pages, all data is sent in clear text. This means that your WordPress credentials are also sent over the internet in clear text.

Therefore the risks of having your WordPress username and password stolen are very high. This post explains how malicious hackers can steal your WordPress login details using free software. It also recommends what you can do to protect your website from such attacks and how to use WordPress activity logs to spot suspicious behaviour early.

How to steal WordPress credentials (Usernames and Passwords)

Routing of Clear Text Data Over the Internet

When you access a website, including your WordPress dashboard, the data is not sent directly from your browser to the web server. It is routed through several devices on the internet that are administered by different entities (ISPs, web hosts, etc.).

Depending on the geographical locations of your computer and your WordPress website, your login details might be routed through 5 to 20 or more devices before they reach their destination. Since this data is sent in clear text, a malicious hacker who taps into any one of these devices, which could even be your own home router, can easily retrieve your WordPress username and password.

Hacking WordPress websites by stealing login details

Malicious hackers use software such as Wireshark (sniffer) or Fiddler (proxy) to capture your WordPress login details.

For example, the screenshot below shows Fiddler, a proxy that an attacker could use to capture your WordPress credentials by routing the traffic through it.

Using Fiddler to sniff (capture) web traffic and analyze a WordPress login session

Finding the stolen WordPress credentials in the traffic capture

Once the malicious hacker has a copy of the data exchanged between your web browser and your WordPress website, all they need to do is identify the request to WordPress that contains the credentials.

In this test case we used the username admin with the password Str0ngPass, as can be clearly seen in the screenshot below.

Capturing (sniffing) a WordPress login with free tools such as Fiddler

The log parameter contains the username used to log in to WordPress (admin) and the pwd parameter contains the password (Str0ngPass).
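The check below is an added example, not code from the original post: it parses a captured login request of the kind shown in the screenshot and reports whether the WordPress form fields log and pwd are travelling in clear text. It assumes the standard WordPress login form posts to wp-login.php, and it reports field names only, never their values, so the audit output itself does not leak the password.

```python
from urllib.parse import parse_qs

CREDENTIAL_FIELDS = ("log", "pwd")  # WordPress login form field names (as in the screenshot)


def parse_http_request(raw):
    """Split raw HTTP/1.1 request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def audit_login_request(raw, over_tls):
    """Report whether a captured request exposes WordPress credentials.

    over_tls: True when the capture point saw the request inside a TLS session;
    an on-path observer then sees only ciphertext, so nothing is exposed.
    Only field names are returned, never their values.
    """
    method, path, headers, body = parse_http_request(raw)
    finding = {"login_post": False, "fields_present": [], "exposed": False}
    # Assumption: the login form posts to wp-login.php (standard WordPress).
    if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
        return finding
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return finding
    params = parse_qs(body, keep_blank_values=True)
    finding["login_post"] = True
    finding["fields_present"] = [f for f in CREDENTIAL_FIELDS if f in params]
    finding["exposed"] = bool(finding["fields_present"]) and not over_tls
    return finding


# Constructed sample request mirroring the post's test login (admin / Str0ngPass).
SAMPLE_LOGIN = (
    "POST /wp-login.php HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "log=admin&pwd=Str0ngPass&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1"
)

if __name__ == "__main__":
    # Over plain HTTP both credential fields are readable by anyone on the path.
    print(audit_login_request(SAMPLE_LOGIN, over_tls=False))
    # → {'login_post': True, 'fields_present': ['log', 'pwd'], 'exposed': True}
```

Run the same request with over_tls=True and the finding reports the fields as present but not exposed, which is exactly the difference that enabling HTTPS on the login page makes.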

Malicious hackers do not need to be tech savvy to do this. These free tools are easy to use, and anyone with basic computer skills can capture and steal WordPress passwords this way. This is why Google recommends enabling SSL (HTTPS) for your WordPress login pages.

Protecting your WordPress login details (and password)

There are several ways to avoid having your WordPress login details stolen. The first and most secure is to access your WordPress dashboard only over an HTTPS connection. Refer to the WordPress HTTPS (SSL) security tutorial to configure WordPress SSL using a plugin, or to our Definitive Guide to Implementing WordPress SSL to implement SSL manually.

You should also add two-factor authentication to your WordPress website: even though malicious hackers cannot steal your credentials when you access the WordPress admin pages over SSL, the login is still susceptible to brute force attacks. Two-factor authentication protects your WordPress website from automated brute force attacks.

Keep a WordPress activity log to identify suspicious logins and hack attacks

As a rule of thumb, the more security layers you implement on your WordPress website, the better. Since no WordPress security solution is perfect, you should also keep a WordPress activity log so that you can spot suspicious logins and other activity on your WordPress websites.

By using a plugin such as WP Security Audit Log on your WordPress website you can keep a log of everything that happens on the site, so that in the event of a hack attempt you can take the necessary action before your website is damaged.


28 comments

Pretty awful reading your posts. We are in a dangerous environment. Every time we are in danger.

This probably will not be a problem for a young website. But it is very worrying for a website that has a large and produce

Robert Abela 03/01/2014

Hi Jasa,

If you implement a two factor authentication solution on WordPress and access your WordPress dashboard over HTTPS you are safe from such security issues. Here is more information on how to implement Invisible Two-factor authentication for WordPress and how to enable WordPress SSL for your WordPress dashboard.

sedot wc 24/10/2016

Thanks a lot! This article is very interesting and useful. Website security has to be improved, such as by installing SSL, which is also important for the security of the website.

Saad 06/01/2014

Does it happen with the current 3.8 version too?

Robert Abela 06/01/2014

Hi Saad,

Yes it happens with the current version. Please note that this is not a WordPress or any other web application problem. This is how the web works and you can simply overcome this particular problem by using HTTPS.

Solomon Closson 09/05/2014

I don’t see how your WordPress site can be hacked here. This explanation uses a request that you have to initially type in a username and password. So, how do you get a request if your username and password are incorrect? How do you get a correct username and password if you didn’t type it in to begin with?

This seems far-fetched and doesn’t seem like a security issue at all.

Robert Abela 10/05/2014

Hi Solomon,

I think you misunderstood the article. The article explains how a malicious hacker can perform a man in the middle attack to capture your login details in case you are not using HTTPS because your credentials are being sent using a clear text connection. Hence why you should enable WordPress SSL to encrypt the connection so such type of attack can be avoided.

Anshul 01/06/2014

Hi There!
There are many other ways through which a WordPress blog can be harmed.
But here you showed just one, and this one is rare because we don’t know the actual user and the place from which he/she is logging in, and also it is not so easy to place a packet sniffer in his/her network.

You should clarify many other methods also.

Robert Abela 02/06/2014

Hi Anshul,

Thank you for your comments.

Of course there are many other ways how one can hack WordPress but this article is specifically focusing on this particular attack subject. We cannot mention all attack vectors in one article, ay? If you browse through our blog you will find more attack vectors, so feel free to have a look.

As regards placing a sniffer, it is not as difficult as you think, in fact unfortunately it is a very common occurrence 🙁

Soul 21/07/2014

Sir Robert,
Thank you for your blog posts, they truly enlighten us about so many vulnerability attacks.

“As regards placing a sniffer, it is not as difficult as you think, in fact unfortunately it is a very common occurrence :(”
May we request for examples? I find it difficult for hackers to do such acts nowadays.

Thank you and more power!

Robert Abela 22/07/2014

Hi there,

Here is a practical example: Cisco just released a patch for a remote code execution vulnerability which was discovered in a number of residential wireless router and modem models; http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ciscosa-20140716-cm.

If such a vulnerability is exploited the attacker can execute code remotely, which means he can trigger a download and installation of a sniffer and control it. The question is how many home users do you think will upgrade their modem’s or router’s firmware? As history has taught us, very few. This means that all these devices connected to the internet can be exploited and controlled. So if a WordPress owner uses such a device at home to update his WordPress (which is a common occurrence) the risks of having his WordPress site hacked are very high.

Trust this answers your question.

Ankur 05/10/2014

I still can’t digest that it is sent as plain text. I think it must be hashed before sending.

Robert Abela 08/10/2014

Hi Ankur,

Unfortunately it is so and will remain so for the foreseeable future it seems. Test it out yourself and you will see it 🙂

Wireshark 07/12/2014

OK, but for easy Wireshark you must be in the home network; if not, it won’t work.

Robert Abela 08/12/2014

Not specifically. If an attacker manages to gain access to your ISP’s router, or some other server he can also capture your connection. In other words if an attacker has access to any point from where your traffic is routed, he can capture your traffic hence why implementing SSL is a must.

banglablog 20/12/2014

what an article! thanks ‘Robert Abela’ << for sharing this 🙂

Pooria 25/12/2014

Hi
I read your great article but I have the same question Anshul asked: is there any way of sniffing a website’s login page from another network? When I do not have access to the administrator’s network, how can I sniff the administrator’s data?

Robert Abela 07/01/2015

The only way to capture someone’s data, in this case the WordPress credentials, is to have access to a hop through which the data is passing, be it a wireless router or even an ISP router.

Cara Bikin Web 08/11/2016

Does Fiddler apply to the current WP version?

Robert Abela 24/11/2016

This issue is not related to a specific WordPress version. This is how web applications work in general, including WordPress. The best thing to do is to implement TLS (run the login page on HTTPS).

micheal 10/03/2017

HTTPS can also be hacked if there are any vulnerabilities in your site.

Robert Abela 15/03/2017

Of course Micheal. HTTPS is not a means of protection but a means of encryption. Therefore its use is to encrypt the traffic between the user and the server.

mcx free tips 02/10/2017

Great post. Can you please tell me which software they used to get the username and password, and which software you took the screenshot from?

Robert Abela 11/10/2017

The software is a web debugging proxy. It is called Fiddler and can be downloaded from here: http://www.telerik.com/fiddler

bokepjav69 20/01/2018

I think it should be hashed before sending. To make it easier for Wireshark you have to be in the home network, otherwise it will not work.

Robert Abela 12/02/2018

Thanks for your comment. There are many ways to avoid this from happening. The simplest one is to switch to HTTPS (use Let’s Encrypt. It is free!). Regarding Wireshark, as long as you can hook it in somewhere on the path where the data is sent between the client and the server, it will capture the data.

Binod Jha 28/03/2018

Great post. Can you please tell me which software they used to get the username and password, and which software you took the screenshot from?

Robert Abela 05/04/2018

The tool is Wireshark, a network packet capturing tool.
