How To Hack A WordPress Website | Ethical 💤

Welcome fellow security enthusiasts! Today we will show you how to hack a WordPress Website using the Mr. Robot CTF

A CTF is a so-called Capture the Flag game, where your goal is to collect a certain number of flags (or keys, for that matter). CTF’s are used to practise your hacking skills in a safe and legal environment. I can recommend Vulnhub as a resource for a selection of an excellent CTF’s.

Before we get started, a disclaimer:

All the techniques provided in the tutorials on the ceos3c tutorials YouTube channel and on the website are solely meant for educational purposes only. All of the techniques taught here are only meant to be used in a closed laboratory environment or in consent with a second party.

If you are using any of those techniques for illegal purposes, Ceos3c can’t be held responsible for possible lawful consequences.

I teach Cyber Security so that you can better understand and protect YOUR OWN Network and for Offensive Security Professionals.

Step 1 — Evaluating if a Website is using WordPress

If you don’t know if a Website is using WordPress or not, there mostly is a very easy way to find that out.

You can simply type:

Which in most cases will bring up a wp-admin login gui, except the admin has disabled it.

Another great way to check if a Website is running WordPress is by using wpscan. Wpscan comes pre-installed in both Kali and ParrotSec.

wpscan -u

In my case, scanning the Mr. Robot VM reveals the following.

As you can see, it clearly indicates that the site is using WordPress. Also, it presents you with 46 identified vulnerabilities. Now, most hosters and recent versions of WordPress will block a scan like this by default. So most likely this is only going to work with outdated WordPress versions without any protection from a hoster.

Ok, so far so good. Now we can verify that by checking if the login page exists by navigating to the website URL + /wp-admin like so:

And sure enough, the Login mask comes up.

Step 2 — Grabbing Code with Burpsuite

Now comes the difficult part, finding out the username. You could start with admin, but WordPress usually generates a random username, so it might be difficult to figure out and you might need to do some further research on the target.

In the Mr. Robot example, I know that the username is Elliot (not too hard to guess). You could also try to run hydra against a couple of username lists, but first, we need to use burpsuite to grab some code from the login page.

Start burpsuite by typing

sudo burpsuite

Create a new Temporary Project using the Burp defaults.

Navigate to the Target → Scope Tab and click on Add to Include the wp-login page to the scope. Select Yes in the pop-up dialogue.

Next, go to the Preferences Menu of Firefox and scroll all the way down until you find Network Proxy. Click on Settings.

Select Manual proxy configuration and enter the IP and the port 8080. Tick “Use this proxy server for all protocols”. Click OK.

Back to Burpsuite. Open the Proxy Tab. Now back to the WP-Login page. Enter any random username and password and click Log In. Make sure Privacy Badger, uBlock Origins, and NoScript are disabled for the site.

Once you click on login, go back to Burpsuite and look at the output.


Now we got something we can feed to Hydra.

Step 3 — Finding the correct Username

Let’s have a little bit of fun to give you an idea how you could find out a username for your target. The VM we are using for this example, as mentioned above, is Mr. Robot themed. So it’s very likely that the username will be found in some trivia that has to do with Mr. Robot.

First go back to your Burpsuite and close it. We don’t need it any more right now. Also go back to your Proxy settings and disable the Proxy again.

Now I head to the Mr. Robot Wikipedia page:

And I will create a username list from this exact page using CeWL.

Open a new Terminal Window and type

sudo cewl -w usernames.txt -d1 -m4

Let’s break this down.

  • -w usernames.txt — should be pretty clear, this is the name of the wordlist that will be created
  • -d1 — Defines the depth in which CeWL will crawl the website. 1 indicates that it will stay on this exact site and not open any links on it.
  • -m4 — Defines the minimum length of the word that will be put in the list
  • — obviously the website we are going to crawl.

So as you see, you could apply this technique to any target relevant website.

Running a quick


Shows us, that our usernames.txt was created.

In some cases you get lucky using wpscan to enumerate the username, so always try this too:

wpscan --url []( --enumerate u

Now we are going to use Hydra to Bruteforce this list against the wp-login page.

Step 4 — Bruteforcing Usernames with Hydra

Alright, time to feed the Usernames to our Hydra. I found this particular method on one of the many Walkthroughs from Vulnhub, although don’t remember exactly which one it was, but I give credit where credit is due. Open a new terminal window and type:

hydra -V -L usernames.txt -p whatever http-post-form ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log:F=Invalid username’

Let’s break this down.

  • -V — Verbose
  • -L — Our usernames.txt list
  • -p whatever — The password, we don’t care, because we want to find out the username
  • http -post-form — The type of Brute Force attack we want to run
  • /wp-login.php — The path to the login form
  • log = ^USER^&pwd=^PASS^&wp-submit=Log+In — The values that will be sent to the form, where ^USER^ and ^PASS^ are placeholders for our -L and -p options
  • F=Invalid username — Tells hydra that the attempt failed if it returns Invalid username

Alright, let’s run that command, shall we?

And sure enough, we get returned that the login with the username elliot was successful (Which it wasn’t, it just confirmed that the web form didn’t return invalid username).

So we still need to figure out the password. But at least we have a username.

Step 5 — Brute Forcing the Password

Now we could also use Hydra to Brute Force the User’s password, but I prefer using wpscan as the syntax is easier.

wpscan --url --wordlist /usr/share/wordlists/rockyou.txt.gz --username elliot --wp-content-dir

rockyou.txt.gz is just an example, replace with whatever password list you want to use.

And voila, we got the Username and the Password.

Step 6 — Implementing malicious Code into WordPress

Alright, now that we got Admin Access to WordPress, there are a couple of ways we can go from here. I will show you one of the easier ones.

On your Attacking Computer go to Places → File System → usr → share → webshells → php and open php-reverse-shell.php

Copy all of it’s content:

Now in WordPress, navigate to Appearance → Editor and select the 404.php Template. This is just an example, you can implement the code in many different ways.

Now paste your code in here so it looks something like this:

Edit the lines marked in yellow so the IP points to your attacking computer and choose a port.

Scan for open Ports with Netcat

Step 7 — Starting a Netcat listener

Now back on the attacking computer, we start a Netcat listener:

nc -lvp 443

Then you are going to open the 404 page like just going to the link:

And we are in! Not only did we hack the WordPress Admin Account, we also got access to the Server itself. From here you need to use your skills to gain elevated access, but that shouldn’t be too hard anymore now.

You can see, CTF’s are a great way to learn new stuff.

Until next time, keep on hacking!



Thanks. I will test this out.