WordPress is widely used CMS out there today. This website is also built-in using WordPress. There is absolutely no need for any explanation why I choose WordPress. I can talk the benefits of using WordPress all day long. Anyway, the post is not about the greatness of WordPress. Few days back, I stumbled upon a WordPress site. The WordPress files was downloaded and left uninstalled. When I browsed the website, I saw the WordPress installation page.
So, what is the big deal here? Is it bad to left the WordPress files without installing? Well, yes it is. It is totally unsafe. If you are going to install a WordPress in your website then you should completely install it or at least do not upload files inside your webroot directory ie
public_html. Most of the developers are not aware of security risk here. Therefore, in this post I am going to talk about what can a malicious user can do.
To regenerate the issue I have downloaded WordPress files in my machine. As a malicious user perspective lets see what can he do. Click on
Let's Go button.
In this page, we need to enter MySQL credentials. There are third party website which host MySQL database for free. We can quickly sign up on those site and get the database login credentials. One of these website is called https://remotemysql.com. Registering an account here is child’s play. Quickly sign up and login to the dashboard.
Database and then
Create New Database
We got database login details. Now we can use these to install WordPress website. Enter them as below
Submit. In next window, click on
Run the installation
In next window fill the form as below and click on
We have successfully installed WordPress in someone else website.
Lets login to the admin panel
After login, admin dashboard will open. How great is that and how unfortunate it is for the owner of the website? We own WordPress website that does not belong to us.
This is just the beginning. We have only installed WordPress using remote MySQL hosting service. No fun in this. The real fun starts from here. In next part, we will see how can a malicious can take whole control of a web hosting shared server.