The easiest way to detect if WordPress is not secure

How easy is it to find your login page?

[Screenshot: the WordPress wp-admin login screen]

If typing /wp-admin after your domain name brings up the screen above, please read on and find out how easy it could be for someone to break into your site.

What about the username and password?

Now we need the login credentials. Both of these could be brute forced fairly easily, especially if the defaults (user ID 1 with the username admin) have not been changed. But what if we could simply find the username?

It may be easier to find your login ID (username) than you think. Scan your site with the Hacker Target WordPress Security Scan and see whether your user IDs are exposed. You are looking for something like this:

[Screenshot: scan result listing exposed user IDs]

Is user enumeration possible? That is to say, are your user IDs shown as in the screenshot above?

If so, then all it takes is a brute force attack on your password field, and that is a lot easier than you might imagine.

What is a brute force attack?

A brute force attack uses an automated script that guesses your password, usually by working through a list of known passwords.

Statistically, there’s a 91% chance that your password is within the first 1,000 on a list of 10,000 passwords that is freely available on the internet. So, it will probably only take a couple of minutes to hack your website this way.
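A defender-side check for the two problems described above (user-ID probing and repeated password guessing against wp-login.php), as an added example that is not from the original post: it parses constructed Apache-style access-log lines and flags clients that request known enumeration paths or post to the login form repeatedly within a short window. The failed-versus-successful status heuristic, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not from the original post):
# one client hammering wp-login.php, one probing for user IDs, one legitimate login.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2024:10:00:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.7 - - [12/May/2024:10:00:06 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/8.0"
192.0.2.5 - - [12/May/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Paths WordPress answers with user information unless enumeration has been disabled.
ENUM_PATHS = re.compile(r"^/\?author=\d+|^/wp-json/wp/v2/users")

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ip, ts, method, path, status = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def login_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: peak failed logins inside one window} for IPs at or over threshold.
    Assumed heuristic: a failed wp-login.php POST re-renders the form (200), a success redirects (302)."""
    failures = defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        if method == "POST" and path.startswith("/wp-login.php") and status == 200:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def enumeration_probes(log_text):
    """Return the set of IPs that requested a known user-enumeration path."""
    return {ip for ip, _, _, path, _ in parse(log_text) if ENUM_PATHS.match(path)}
```

Run `login_bruteforce(SAMPLE_LOG)` and `enumeration_probes(SAMPLE_LOG)` against your own access log text to see which clients would be flagged; tune the threshold and window to your site's normal login rate.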

Feeling vulnerable?

I would. I know what can happen.
