How to hack into a WordPress website, the complete guide

The scan duration mainly depends on how large the password dictionary file is and as we are mapping a large number of users with even larger numbers of passwords it could also impact the performance of the website if left running for a long time.

Server not found

Situations you can help yourself in

Method #1 – the MySQL way

Use this method to change the password (or username if needed) of an existing user or to create a new account. You’ll need cPanel access or direct MySQL access to the site’s database. Let’s get started by changing the password of an existing user.

If you’re using cPanel, login (cPanel can always be accessed via the link), locate and open phpMyAdmin. The list of databases and tables is on the left. You’re looking for the table that ends in _users . It’ll probably be wp_users , but if you have more than one WordPress site installed on the server, you have to find the right one.

The right table will have the user you want to edit in it. Follow the same procedure if you’re connecting to MySQL via some external client like SQLyog. Once you locate the table and the actual user record, it’s time to change the password.

As you’ve probably figured out by now, the password is saved in the user_pass field, hashed using the MD5 algorithm. Open the online MD5 generator enter the password you want to use and click “Hash”. Copy the generated string and replace the original password with it. In phpMyAdmin, you can edit the field by double-clicking on it. The procedure is similar to other MySQL clients. Save changes and login to WordPress with your new password.

Still on method #1 – creating a new user

Creating a new user is a bit more complicated but still manageable in less than a minute. Create a new record in the user’s table and populate user_login, user_pass (hashed, using the MD5 function described above) and user_email. All other fields can remain empty; they don’t matter. Save the new record. Once saved, MySQL will give it a unique ID. It’s the number in the ID field. Remember it.

Now go to _usermeta table. Remember, the table’s prefix has to be the same as the users’ one. For instance wp_users and wp_usersmeta . If the prefix is not the same, you’re editing the wrong table (of some other WP installation) and the new account won’t work. We’ll create two new records. Ignore the umeta_id field for both of them. Set user_id field to the value you just remembered (the new ID value in the user’s table). For the first record set meta_key to wpct_user_level and meta_value to 10 . For the second one meta_key to wpct_capabilities and meta_value to a:1: . Save both. You’re done – login!

Method #2 – the functions.php way

This approach can be utilized either by editing functions.php through cPanel or by using an FTP client to do so. If using cPanel find File Manager and open it. First, we have to find the active theme’s folder.

Go to public_html/wp_content/themes folder. If you immediately see your theme and know which one it is – great. Open its folder and start editing functions.php . If not, open the site, right-click anywhere, select “View source”. Then press Ctrl + F and start typing /themes/ soon you’ll have a lot of URLs highlighted, and you’ll recognize the folder name of the active theme.

Find it in the file structure, open it, and start editing functions.php . Copy/paste the following code at the end of the file. Mind the closing ?> PHP tags if you have them. They have to be on the last line. So, insert the code before them.

Edit only the first two lines of the code to reflect your new account. If there’s already a user in WP with that email a new account won’t be created, so make sure it’s new. Change the password as well – don’t get hacked by script kiddies. After saving the file simply open your site, the code will be run, a new account with administrator privileges created and you’ll be able to login with it.

Other hacking methods

By knowing the FTP, cPanel or MySQL password you’re proving that you have legitimate access right to the server and therefore should have access to the WordPress installation(s) as well. If you don’t have any of those accounts, then you’re up to no good (hacking into other people sites), and that’s not nice!

How to create a backdoor in WordPress

When the front door is closed, you might try the back door. This might sound like a malicious way of using the code for entering the site without having the access to it, but there are actually times when you need to control your own site if somebody stole it.

If it’s creating websites for other people something you do, sooner or later there will be a client who will refuse to pay you for your work; a client who will delete your login information and take over control of everything you have done. Sometimes, it will be enough to create a new user via FTP or reset a password. When that’s not enough, you might want to hack your way back in or create backdoor access to your admin pages.

But if you decided to hide a small piece of code in your WordPress environment, you might save yourself some dignity and gain access to the WordPress site with administrator privileges. And that’s where the games begin.

No matter how many times this thief deletes your information or restores a backup on a server he probably owns, there is a chance he doesn’t know anything about backdoor entrances. If he did, he probably wouldn’t even need your help in setting up WordPress, right?

Create a backdoor:

Of course, you can change that in the code above by changing ‘name’ and ‘pass’ to whatever you want. You can also change the link to your back door by changing ‘backdoor’ and/or ‘knockknock’ to anything you come up with.

Try the function – not only it is fun but it can really help you sometime in the future when you’re about to make a website for someone you can’t trust completely. You should also level up your WordPress and blogging skills.

Scanning & Removal of Malware

If any plugins or themes are not updated regularly, then there’s a chance that hackers could use outdated files to access your WordPress website. Once they’re in, they can then create a backdoor to more easily access your website in the future.


The first work for a smart hacker is to establish a backdoor so that he can regain the access after you locate and remote the first point of entry (usually a vulnerability in an outdated plugin or theme). That’s why it’s so important to have a WordPress security audit log plugin installed on your website so you can track any changes made to your website in real-time.

One of the best way to avoid hackers accessing your website through outdated plugin or theme files is simply to keep everything up-to-date! Many plugin updates become available specifically because an older version had a security flaw, to updating will help you avoid this altogether.

To help you pinpoint any backdoors or malicious code installed on your website without your permission, always install and activate a WordPress security plugin that will regularly scan your website. Plugins like iThemes Security will easily find the location of the backdoor and then you can remove it manually.


For this install Burp suite community edition or use the one you get pre-installed in Kali Linux. Fire up Burp Suite and open WordPress login page then turn on intercept tab in Burp Proxy, next supply any username and password of your choice to login into the wordpress website. This will intercept the response of the current request.

Look at the image below and notice the last line of the intercepted message, it shows the captured login credentials as raj:raj which I used to login as username and password respectively. Next, Send the captured message to the intruder by right-clicking the blank message space and choosing to Send to Intruder option or by just pressing ctrl + I. If you are not familiar with burp Intruder working go through this article first ( )

Now open the Intruder tab and you can see the base template request that we sent here. Select Positions tab, hereby default multiple positions are selected, these positions are marked using § characters. Anything between two § characters is replaced by a payload. But we don’t need them all right now so click on the clear button at right bottom corner of the editor window.

Next, select the positions as shown in the screenshot and click on add button to the right of the frame. This will configure these two selected positions as payload insertion points. Now to customize the attack select the attack type. As we are having 2 payload positions, I am choosing cluster bomb (This attack type is useful for a brute-force attack as It puts the first payload in the first position and the second payload in the second position. But when it loops through the payload sets, it tries all combinations. For example, if you have 1000 user names and 1000 passwords, this will perform 1000000 requests.)

In payloads tab, click on payload set drop-down, here you can see numbers 1 and 2. Select number 1 for the first payload position. Choose a simple list from payload type, this list lets you configure a simple list of strings that are used as payloads. you can manually add items to the list using the text box and the Add button, or you can paste a list from the clipboard, or load from file.

Similarly select number 2 for another payload position and select runtime file from payload type, this is useful when a very large list of payloads is needed, to avoid holding the entire list in memory. Add the path of any dictionary file having password only. Click on start attack.

It will match the combination of both payloads and would try to login in with username and password as you can see below. By paying attention to the status and length of the payloads you can see login credentials admin and flower are having status as 302 and length as 1203 which is different than all other combinations indicating these are the results we are looking for. Hence username and password are admin and flower respectively

Limit Login Attempts: Limit the login attempts on your WordPress admin. For example, after three failed login attempts; it should block that particular IP for a certain period of time to stop it for making further login attempts.