Takeover web hosting server using WordPress files

WordPress is widely used CMS out there today. This website is also built-in using WordPress. There is absolutely no need for any explanation why I choose WordPress. I can talk the benefits of using WordPress all day long. Anyway, the post is not about the greatness of WordPress. Few days back, I stumbled upon a WordPress site. The WordPress files was downloaded and left uninstalled. When I browsed the website, I saw the WordPress installation page.


So, what is the big deal here? Is it bad to left the WordPress files without installing? Well, yes it is. It is totally unsafe. If you are going to install a WordPress in your website then you should completely install it or at least do not upload files inside your webroot directory ie public_html. Most of the developers are not aware of security risk here. Therefore, in this post I am going to talk about what can a malicious user can do.

To regenerate the issue I have downloaded WordPress files in my machine. As a malicious user perspective lets see what can he do. Click on Let's Go button.

In this page, we need to enter MySQL credentials. There are third party website which host MySQL database for free. We can quickly sign up on those site and get the database login credentials. One of these website is called https://remotemysql.com. Registering an account here is child’s play. Quickly sign up and login to the dashboard.

Click on Database and then Create New Database

create database using third party hosting

We got database login details. Now we can use these to install WordPress website. Enter them as below

Click on Submit. In next window, click on Run the installation

In next window fill the form as below and click on Install WordPress

We have successfully installed WordPress in someone else website.

Lets login to the admin panel

After login, admin dashboard will open. How great is that and how unfortunate it is for the owner of the website? We own WordPress website that does not belong to us.

This is just the beginning. We have only installed WordPress using remote MySQL hosting service. No fun in this. The real fun starts from here. In next part, we will see how can a malicious can take whole control of a web hosting shared server.

Leave a Reply

Your email address will not be published. Required fields are marked *