An Empricial Study of Brute Force Attack on Wordpress Website

Abstract—This paper demonstrates the brute force attack on WordPress web site and proposes the counter solution for the same. It gives step by step procedure for launching of brute force attack to enumerate the usernames and passwords of the users on the control panel of WordPress web site. This paper is motivated by the recent attack on Optus by hackers and throws light on the modus of operandi of hackers. All demonstrations depicted in this paper are for educational and research purposes only and in case of any misuse authors do not take any responsibility.

Keywords—brute force attack, kali Linux, WP scan etc

I. INTRODUCTION

A. What is Brute force attack?

A brute force attack occurs when hackers attempt to access your website by trial and error. Automated software is usually used to guess your login information. Hackers will try several password and username combinations until they find one that works[1].

By contrast, brute force attacks rely on weak login credentials. Hackers can use automated software to enter your site if you have a guessable password, such as "password"[2].

It is not unusual for hackers to be attacked by brute force. They're becoming more dangerous than ever before. A 160 percent increase in brute force attacks was recorded at the end of 2021. The recent Optus data breach in Australia may have been caused by a brute force attack.

In case web site is compromised by brute force attack it may result in the following consequences-

Hacker can steal your private data

Hacker can add malware to your site

It will decrease web credibility and/or search rankings

Hacker can remove your content completely

B. Hosting of WordPress web site

Before launching brute force attack, we need to host a web site with the Bitnami WordPress tool. WordPress packaged by Bitnami provides a one-click install solution for WordPress. You need to download installers from page https://bitnami.com/stack/wordpress.

WordPress is the script available on major web hosting control panels for the hosting of mobile friendly web sites. WordPress provides various themes suitable for the scope of web site and it gives facilities to customization of those themes as per user requirements. You can also integrate payment gateways for Ecommerce transactions on WordPress web sites. As per recent data, 80 percent of the web master gives preference to WordPress for its elegant look on smart phones.

In our experimentation, we will install Bitnami WordPress on Oracle virtual box which is a hypervisor[3] as shown in Fig 1. Once plugin is installed, log in with username as 'bitnami' and password 'bitnami' [4].

Fig 1 explains the download and hosting of WordPress web site where command 'ip addr' is used to know the IP address of web site. As shown in Fig 1, the IP address of newly hosted web site is 192.168.0.90

Fig 1 IP address of WordPress web site

II. CHECK THE WEB SITE IN BROWSER WITH IP ADDRESS

The next step is to check that whether newly hosted web site is functional by typing the IP address of web site in the browser of your computer. The IP address of web site is 192.168.0.90 which indicates that this web site is visible for all users in the given WiFi network.

You can also launch a brute force attack on real WordPress web site but it is illegal and may result in legal action against you. So, authors advises to use Binami WordPress plugin for this purpose. Fig 2 shows newly hosted WordPress web site.

Fig 2 Hosting of WordPress web site

A. Login procedure as web master

Type in browser IP address of web site followed by /wp admin. For e.g. in our case, we will type, http://192.168.0.90/wp-admin. You can see that user name and passwords are required to login as web admin as shown in Fig 3 below.

Fig 3 Login as web admin

You can retrieve the credentials of web admin by tying the following command in Bitnami shell.

sudo cat /home/bitnami/bitnami_credentials

Fig 4 indicates, the user name and password required for login to the control panel as a web admin of newly launched WordPress web site.

Fig 4 Retrieving credentials of web master

III. LOGIN TO THE CONTROL PANEL OF WEB SITE

Once you login to the control panel by using above credentials, welcome page of control panel appears which allows you to set web site themes and to create users. It also allows you to install various plugins for the effective running of the web site. Discussing various features of WordPress is beyond the scope of this paper and authors will concentrate on only creating users on the data base of web site for hacking purpose in the next section.

Fig 5 Control panel of web site

We will create a few users by providing them passwords for the use of this WordPress web site.

Fig 6 Adding new user to the web site

Fig 6 shows the procedure to add a new user to the web site where we have provided password with the use of lower case alphabets to complete the brute force attack in moderate time for the demonstration purpose. The password provided to the user admin is 'password'. If you choose upper case, lower case and some special characters, then brute force attack takes quite bit longer time to crack the password.

Fig 7 shows that there are two users on web site database namely 'admin' and 'user'.

Fig 7 List of users

A. Launching of brute force attack with WPSCAN in Kali Linux

Now let us discuss about kali Linux as most of the readers are not aware about this platform. Kali Linux platform [5] is a collection of offensive security tools. The Kali Linux penetration testing platform contains a vast array of tools and utilities namely Burp Suite, NMAP, Hydra, WPSCAN, John the Ripper, Maltego etc.

From information gathering to final reporting, Kali Linux enables security and IT professionals to assess the security of their systems.

For our experimentation, we are using WPSCAN tool. The WPSCAN tool is inbuilt in kali Linux and is available free of cost for noncommercial uses. Most of the professional pen tester uses it check security of their web applications. The WPSCAN tool contains definitions of 37,502 WordPress vulnerabilities [6].

B. What does WPScan check for?

Fig 7 basic commands of WPSCAN [7]
Fig 7 shows basic command usages of WPSCAN. For e.g.if you want to scan web site with default options, simply type command,
$ wpscan – url ( name of web site or IP address)

WPSCAN can be used for hacking various details listed as below-

The version of WordPress

Information about various plugins installed

Information about themes web site is using.

Enumeration of all users on the database of web site

Passwords of all users with Brute force attack

Various configuration files

Database dumps

Error logs

Media file

Directory listing

For launching Brute force attack as discussed above we will use WPSCAN in this demonstration. Open WPSCAN in Kali Linux and Type following command in the shell,

wpscan --url http://192.168.0.90 -e u -U admin -P /root/rockyou.txt

In this command, you need to type the domain or IP address of the web site followed by letter 'e' which indicates 'enumerate the users'. The letter U indicates username which is 'admin' in our case followed by 'P' for password. In this case the password of user 'admin' will be matched with standard word dictionary called as a rockyou.txt and its path is indicated in command.

Fig 8 WPSCAN for launching of brute force attack

Fig 9 Valid combination of password found for user admin

As shown in fig 9 the password for user admin found as a 'password'. Brute force attack took 43 seconds approximately to retrieve the password of the user.

CONCLUSION

All WordPress web sites are susceptible to brute force attack for enumeration of users and their passwords with WPSCAN tool. These attacks can be avoided by installing a brute force protection plugin like Jetpack, Malcare, Word fence security, Sucuri etc. Web master can also enable two-factor authentication which can make it harder for hackers to enter website.