Hacking the WordPress Login – Stealing Usernames and Passwords Using Free Tools
As explained in the previous security post Website SSL and HTTPS explained, unless you access your WordPress dashboard or admin pages over an HTTPS connection (using an SSL web server certificate), the username and password are sent in clear text over the internet, hence you risk of having them stolen.
In this WordPress security blog post we will explain how malicious hackers can hack your WordPress login by sniffing (also known as capturing) your WordPress username and password using free tools.
How to Capture & Hack WordPress Passwords
Routing of Clear Text Data Over the Internet
When you access your WordPress dashboard (wp-admin section) or any other website, the data is not sent directly from your computer browser to the web server. It is routed through a number of devices on the internet. Therefore before the data reaches your server, your data is passing through and being accessed by a number of routers, switches, servers, proxy servers etc which are administered by different entities.
Depending on the geographical location of your computer and web server, your data might be routed through 5 to 20, or more devices until it reaches its destination. And since such data is sent in clear text, should a malicious hacker tap into one of these devices and captures its traffic, the hacker can easily retrieve your WordPress username or password as explained below.
Hacking WordPress Login (Capturing the Credentials)
Once a malicious hacker can access your data by tapping into a device from where your data is being routed (which could also be your very own wireless router), he can use free tools such as Wireshark to capture your WordPress login session, which will include your WordPress username and password.
Depending on the type of access the hacker manages to gain, he can also route all of the device’s traffic through his own proxy software, such as Fiddler, which is also a free tool.
At this stage hacking your WordPress login is very easy because the malicious hacker can capture all of the web traffic passing through that device. For example below is a screenshot from Fiddler capturing a WordPress login session (i.e. the traffic exchanged between a user’s web browser and a WordPress website while logging in to the WordPress dashboard or admin pages).
Sniffing and Capturing WordPress Passwords
Once the malicious hacker has a copy of the web data exchanged between your web browser and your WordPress blog or website, he can browse through it to identify your WordPress password. In this test case we used admin as username with password Str0ngPass. By identifying the HTTP POST request from the above screenshot, i.e. when the browser sent the password to the WordPress site, the hacker can see your username and password in clear text as highlighted in the below screenshot.
From the above screenshot we can see that the Logparameter contains the username used to login to WordPress (admin) and the pwd parameter contains the password (Str0ngPass).
Note: The above screenshot shows exactly the clear text (including your WordPress username and password) your web browser sends to the WordPress login page to login.
A hacker does not need to be tech savvy himself to do such tasks. These free tools are very easy to use and anyone who has a basic idea of how the web works, can easily capture and steal WordPress passwords, hence why we always recommend you to turn on WordPress SSL for your login pages.
Protect Your WordPress Login and Password
There are several ways how to protect your WordPress login details, i.e. the WordPress username and password and avoid having them stolen. The first and most secure way is to access your WordPress dashboard over an HTTPS connection. Refer to the WordPress HTTPS (SSL) security tutorial to configure WordPress SSL using a plugin or refer to our Definitive Guide to Implementing WordPress SSL to implement SSL manually on your WordPress.
Although we recommend every WordPress administrators to implement both an SSL Web server certificate for WordPress SSL (HTTPS) connection, it is recommended to also add two-factor authentication. It is important to add two-factor authentication as well because even though malicious hackers are not be able to steal your credentials when the WordPress login page is over SSL, your WordPress is still susceptible to brute force attacks. Two-factor authentication protects your WordPress from automated brute force attacks. Remember, the more layers of WordPress security you can implement, the better it is.