You dont need hours of guessing or hacking to Hack WordPress website. You only need to enter a few commands and you’ll have a good idea how weak or strong your system is.

Firstly, this guide is for educational purposes only. I want to teach you on how hackers are trying to break into your WordPress so you can defend yourselves from them.

Please note that it is illegal to execute this on somebody else’s website without their permission.

Secondly, the main tool will be using is WPScan. This tool normally comes pre-installed with all Kali Linux operating systems. This is a WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security flaws. Moreover, it is free and accessible by millions which is why it is important to give yourself a security audit before somebody else does!


  • Updated Kali Linux box
  • Internet access

Hack WordPress: We Need To WP Scan

WP scan will scan your website and reveal all the information on your system. The program will go and scrape every bit of information it can find in a non invasive way.

wpscan --url
start the wordpress hack

WordPress Hack: Find That User Name

This command will scan over your entire website looking for possible usernames that are used.

wpscan --url --enumerate u

Success! It picked up username. Going forward, I can use this one or put it into a list so that I can test 100s of usernames at once.

Load Up with 1,000,000 Passwords

Now it is time to get a list of the most commonly known passwords. You can easily get lists from Github where you can download and use 1,000,000 passwords against multiple usernames.

Click here to access the 1,000,000 password list

Hack wordpress with 1,000,000 passwords

WordPress Hack: Let It Begin

Its time to hack your WordPress site. Start testing all usernames with passwords.

wpscan –url –passwords path/to/text_file –usernames path/to/file –max-threads 5

Wordpress hack complete


Having your website hacked is just as easy as ABC. This is why we should always have a strong password and username. Without it, a 10 year old could break into our WordPress without much work.

Here’s a recap of the steps:

  • WPscan general command
  • WPscan Username scan
  • Download 1,000,000 password text file from Github
  • WPscan Username and Password attack

I still cant believe how easy it was myself. This is why I would recommend to learn how to defend WordPress at all levels.

To help you defend your website, I have written the ultimate “Defend your WordPress Guide“. With this guide you can increase your defense by 10 fold and not worry about being hacked easily.

If you would like to learn more, remember to sign up to our newsletter to get more tutorials, guides and walkthroughs like this.