Breaking into a WordPress site without knowing WordPress/PHP or InfoSec at all

Reading Time: 1 Minute

Someone posted to notehub.org an article on how he broke into his college’s WordPress website, without having any prior knowledge of WordPress, PHP, and without any experience with hacking web servers. The attempts were spread out over a month, but effectively totaled a day maybe. The author said to have learned a lot of things while doing the research part which accounted for most of his time, though. On NoteHub, he shares some of the relevant details and how he went along doing this.

My college has a website. And I simply wanted to find a vulnerability, exploit it, and post troll pictures on the front-page. While that’s not a very nice thing to do, but that’s irrelevant here. I knew the site ran wordpress, as my teacher vaguely recited in the webdev class.

Advertisement:

So I googled “how to hack wordpress”, and after a couple results, I found a tool called “wpscan”, which examines a wordpress site and shows you a list of possible vulnerabilities.

It isn’t that simple though. The scan doesn’t automatically attack the website and magically understands what a script kiddie wants to do. It just puts out a list of possible issues.

Anyways, it gave me some pretty good info. The interesting bits for our story are…


Advertisement:

Hi! Join the discussion, leave a reply!