Hacking WordPress websites – capturing WordPress passwords with free tools

When you log in to your WordPress website, the username and password are sent in clear text.

If your WordPress website is on HTTPS, the communication between your browser and website is encrypted. There is nothing to worry about. However, credentials are sent over the internet in clear text if your website is on HTTP.

Clear text traffic, such as your WordPress credentials, can be easily captured by malicious users. So the risk of having your WordPress username and password stolen is very high.

This post uses real-life examples to highlight how easy it is for malicious hackers to steal WordPress passwords using free software. Then it recommends how best to protect your WordPress password and site.

How to steal WordPress credentials (Usernames and Passwords)

Routing of clear text data over the internet

When you access a website, data is not sent directly from your browser to the web server. It is routed through a number of devices on the internet, which are administered by different entities (ISPs, web hosts, etc.).

Depending on the geographical location of your computer and website, your WordPress login details are routed through 5 to 20 or more devices before they reach the destination. When data is sent in clear text, a malicious hacker who taps into one of these devices can easily capture your WordPress password and username. One need not look far: such a device can also be your own home Wi-Fi router-modem.

Hacking WordPress websites – stealing passwords & login details

To emulate a malicious hacker, you can use free software such as Wireshark (sniffer) or Fiddler (proxy). Both these applications can capture web traffic.

Capturing the WordPress password and login details

Let’s assume the attackers hacked your home modem and redirected all your web traffic through a Fiddler proxy server. When you log in to your WordPress site, the attacker can see the traffic (data) exchanged between your browser and website, as seen in the screenshot below.

Using Fiddler to sniff (capture) web traffic and analyze a WordPress login session

Finding the stolen WordPress password & username in the sniffed traffic

Now that the malicious hacker has the captured data, he just needs to find which HTTP request contains the WordPress username and password. Note that such data is stored in Fiddler, so you do not need to be logged in for the attacker to extract such information.

For this test, we used the following credentials: username admin and password Str0ngPass. The screenshot below shows the clear text username and password captured by the proxy the attacker set up.

Capturing (sniffing) a WordPress login with free tools such as Fiddler

The log parameter contains the username and the pwd parameter contains the password (Str0ngPass).

How easy is it to capture WordPress login details?

If your website is running on HTTP, it is very easy for an attacker to capture your WordPress password and username. As this article highlights, one does not have to be tech-savvy. Most tools are available for free and are very easy to use.

Protecting your WordPress login details (and website)

To avoid these types of attacks, set up HTTPS on your WordPress website. However, do not stop there. There are a few other things that you should do:

  1. Add two-factor authentication.
  2. Enforce strong WordPress passwords.
  3. Keep a WordPress activity log.
  4. Install a WordPress file integrity monitor.
  5. Set up a WordPress firewall and security solution.
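
To check that HTTPS actually covers the login form, the following added Python example (not from the original post) audits a login page's HTML and reports any form whose password field would be served or submitted over plain HTTP. The class and function names, the issue labels and the example.test host are assumptions made for illustration; the sample form is constructed, using the log and pwd field names mentioned above.

```python
"""Added example: audit a login page so credentials never cross the network in clear text."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record every <form> with its action, method and the (type, name) of each input."""

    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["inputs"].append(((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_page(page_url, html):
    """Return one report per form that contains a password field."""
    collector = FormCollector()
    collector.feed(html)
    reports = []
    for form in collector.forms:
        secrets = [name for kind, name in form["inputs"] if kind == "password"]
        if not secrets:
            continue
        target = urljoin(page_url, form["action"])  # empty action submits to the page itself
        issues = []
        if urlsplit(page_url).scheme != "https":
            issues.append("page-not-https")      # form can be read or altered in transit
        if urlsplit(target).scheme != "https":
            issues.append("submit-not-https")    # fields travel as readable text
        if form["method"] != "post":
            issues.append("password-in-url")     # value ends up in logs and browser history
        reports.append({"target": target, "password_fields": secrets, "issues": issues})
    return reports


# Constructed sample modelled on the login form described above (fields log and pwd).
SAMPLE_FORM = """<form name="loginform" action="{action}" method="post">
<input type="text" name="log"><input type="password" name="pwd">
<input type="submit" value="Log In"></form>"""
```

An empty issues list for every reported form means the page and its submit target are both on HTTPS; any other result points at the form to fix.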
