Cracking WordPress Passwords

Cracking WordPress passwords using Kali Linux and John the Ripper

WordPress is the world’s most widely used CMS (Content Management System). It has a long history of software bugs in its core and plugins, some of which are vulnerabilities (such as SQL injection and remote code execution) that attackers can exploit to leak information from the database.

One such type of information is WordPress login passwords. These passwords may allow the attacker to log in as an admin user and further compromise the site.

Dumping WordPress Passwords

One way to extract passwords from WordPress is to read them from its database. Assuming that you have access to the database, either via a shell on the server or a database console like phpMyAdmin, all you need to do is select the user_login and user_pass fields from the wp_users table:

[Screenshot: wordpress mariadb passwords user_pass hash]

Now, we have two WordPress hashes, which usually begin with $P$B. This was tested on WordPress version 6.5.3.

Cracking WordPress Passwords with John the Ripper

Now that we have the hashes, we can use a password-cracking tool called John the Ripper (john) to crack them. It comes pre-installed on Kali Linux and is available in most other Linux distros via their package managers (e.g. apt install john). Unfortunately, the john package shipped with apt in Ubuntu and Debian is incomplete (it is not the jumbo version, which includes support for everything), so you might have better luck running it with Docker on non-Kali distros.

We will also need a wordlist (which is a big list of passwords to try); we can use the famous rockyou.txt, which you can download here.

Put those two hashes in a text file called hashes (one per line, in the format of username:hash). Specifying the username in front, followed by a colon, will allow John to indicate which user has the hash that we cracked so we don’t have to manually check later. The hashes file should look like this:

[Screenshot: wordpress password hashes]

Now, you can crack them by specifying the file and the wordlist to John:

john hashes --wordlist=rockyou.txt

Boom, there it is! We have cracked the password to the account robert. The password is robert123! Now we can go to /wp-login.php of the WordPress site and verify that the password is correct:

[Screenshot: wordpress login screen]
[Screenshot: wordpress successful login profile]

Now we are logged in to the site as Robert. Note that stronger passwords will take bigger wordlists to crack, and strong enough passwords won’t be crackable in a reasonable amount of time. So make sure you set a strong password for your WordPress site!

Conclusion

Dumping database contents is one of the most common steps for an attacker after hacking into a WordPress website with vulnerabilities. To defend against password cracking, make sure that your passwords are strong (15+ characters with a mix of lowercase, uppercase, numbers and symbols), and keep your WordPress and plugins up to date against new vulnerabilities that can be used to compromise your passwords.

If you want to run a security scan on your website today, visit wpsec.com and get free instant access to your online security scan results.

Comments

  1. Why would you hack the passwords if you have admin access? I cannot see any valid reason.

    1. It’s like
      “Stealing all residents’ keys is one of the most common steps for a burglar after breaking into a house with open windows. To defend against home robberies, make sure that your keys are in a safe spot…”

  2. A hacker may have access to a server, let’s say a shared hosting server which could contain hundreds or thousands of WordPress installs. Sometimes it could be easier to hack one server rather than thousands of WP websites.

  3. Absolutely agree, it’s like…

    “Stealing all residents’ keys to a house is one of the most common steps for a burglar after getting into it with open windows. So make sure you keep those keys in a safe spot.”
