Example of a WordPress Website Hack Attack

Clients with WordPress sites often come to me with questions like ‘How did my site get hacked? How did this spam get sent from my server? How did this phishing page that looks like a PayPal login get buried deep within my website?’

If you are using WordPress and have not upgraded it to at least version 4.0, then your website is probably already compromised. Contact me if you have questions.

A Description of the Hack Attack

If the WordPress blog has not been updated for a while, the hacking technique that I have seen most often uses this procedure:

  1. The attacker posts a comment on one of your blog posts. The comment contains a specially crafted combination of characters, with the malicious payload hidden from casual inspection by base64 encoding.
  2. The hidden code relies on an older version of WordPress being in use, version 3.5 for example. In these older versions, tricks have been found that fool the safeguards meant to prevent scripts from being inserted into comments: a carefully crafted combination of characters is interpreted as shortcodes, HTML and plain text in a way that lets the attacker attach a JavaScript mouseover event handler to the comment.
  3. When the mouseover is triggered by someone logged in as an administrator, the malicious code in the comment is executed with that administrator's session, as if the administrator had executed it himself.
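
The three steps above give a reviewer three tells to look for in a pending comment: an inline event handler attribute, a stray shortcode opener such as a lone ‘[a’ butting against HTML, and a long base64 run that decodes to script. The following Node.js script is an added example written for this page; it is not code from the original post and not a WordPress filter. It runs those three heuristics over a few constructed sample comments (the `HIDDEN_SCRIPT` payload and the `SAMPLE_COMMENTS` are made up for the demonstration) and reports why each one was flagged.

```javascript
'use strict';

// Triage heuristics for the kind of comment described above. They help a site
// owner spot a poisoned comment in the moderation queue; they do not replace
// upgrading WordPress.
const EVENT_HANDLER   = /\bon[a-z]+\s*=/i;                   // onmouseover=, onerror=, ...
const STRAY_SHORTCODE = /\[[a-z][a-z0-9_-]*(?![^\]]*\])/i;   // "[a ..." never closed by "]"
const BASE64_RUN      = /[A-Za-z0-9+/]{40,}={0,2}/g;         // long base64-looking runs
const SCRIPT_LIKE     = /<script|javascript:|\bon[a-z]+\s*=|\beval\s*\(|\bdocument\.|\bwindow\.|jQuery|\$\(/i;

// Decode every long base64 run in the text and keep those that decode to script-like text.
function decodeBase64Runs(text) {
  const hits = [];
  for (const run of text.match(BASE64_RUN) || []) {
    const decoded = Buffer.from(run, 'base64').toString('utf8');
    if (SCRIPT_LIKE.test(decoded)) hits.push(decoded);
  }
  return hits;
}

// Return { suspicious, reasons, decoded } for one comment body.
function scanComment(comment) {
  const reasons = [];
  if (EVENT_HANDLER.test(comment)) reasons.push('inline event handler attribute');
  if (STRAY_SHORTCODE.test(comment)) reasons.push('unterminated shortcode opener');
  const decoded = decodeBase64Runs(comment);
  if (decoded.length > 0) reasons.push('base64 run decodes to script-like text');
  return { suspicious: reasons.length > 0, reasons, decoded };
}

// Scan a batch of comments, keeping the queue index so a moderator can find each one.
function triage(comments) {
  return comments.map((comment, index) => ({ index, ...scanComment(comment) }));
}

// Constructed sample comments (assumptions for this example, not captured from a real site).
// The hidden payload only builds an iframe; it is a placeholder for whatever the attacker runs.
const HIDDEN_SCRIPT = "document.body.appendChild(document.createElement('iframe'))";
const HIDDEN_B64 = Buffer.from(HIDDEN_SCRIPT).toString('base64');
const SAMPLE_COMMENTS = [
  'Great write-up, thanks! I use the [caption] shortcode on my own posts too.',      // benign
  `Nice <a href="#" onmouseover="eval(atob('${HIDDEN_B64}'))">[a link</a>`,          // all three tells
  'Looks good [a <b>well done</b>',                                                   // only the stray "[a"
];

for (const r of triage(SAMPLE_COMMENTS)) {
  console.log(r.suspicious ? 'SUSPICIOUS' : 'ok', '#' + r.index, r.reasons.join('; '));
}
```

The decoded payload is returned alongside the reasons so the moderator sees what the base64 was hiding rather than just a flag. Expect false positives from the shortcode rule on ordinary text such as “[a nice day”; the point is to surface comments for a human look, not to auto-delete them.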

Let’s Hack a WordPress Blog

  • Okay, so I know how to make a malicious comment.
  • I know how to make it run any javascript I desire when the mouseover event is triggered.
  • I know how to write a 20-line snippet of jQuery code that opens the Add User form and creates a new Administrator user in the blink of an eye, so that no one will notice.

Let’s go!

We find a blog running WordPress 3.5.

Before we attack, here is what the list of users looks like.

Here I am entering my malicious comment.

Subsequently, the real administrator logs into his dashboard and looks at the comments. At some point he moves his mouse over the comment, then logs out thinking nothing weird is going on. He has no clue that he just triggered my jQuery code, which created a new administrative user as if he had done it himself.
Notice how the comment looks normal except for the tiny ‘[a’.

If he had taken the time to click Edit and looked at the comment that way, he would have seen this instead.

Here is what the list of users looks like now.

And here I am later that night, logging in as the new administrative user that was created.

Now I’m hiding pages for spam and phishing all over the website.

These are real pictures. This is a real WordPress 3.5 blog that I set up, and that is real hack code that I used to do this. It should make it very clear that it is necessary to keep your WordPress up to date.

I understand that stuff happens. If you think you are in trouble, contact me or leave a comment (no hidden code in comments please 🙂) and I’ll try to answer your questions and help you determine what you should do next.

4 Replies to “Example of a WordPress Website Hack Attack”

  1. Thanks a lot for this article.
    Now I realize how much we can do with an XSS hole.
    I tried to simulate the article with my own test installation.
    But I don’t understand how we can add an admin user with jQuery if we do not know the _wpnonce_create-user.

    1. Hi Taha

      Without giving too much away, let me simply say that the jQuery opens the add user form in an iframe that is out of view of the main viewport. Since this happens while the administrator is logged into the dashboard it behaves as if the administrator opened the form and added the new user.

  2. Hi James,
    Thanks, I understand.
    The article is so far clear. I do receive many comments and emails with eval and encoded code.
    Now I’ll understand how dangerous those XSS exploits could be.

    Thanks again for this article.

  3. Hi James,
    I do have a little request: it would be appreciated if we received a notification when there is a new response to our comment on an article.
