Is it possible to attack a WordPress website if someone knows the username and password of the admin account?

2018-10-18 10:44:55

Currently, I have prevented access to my wp-admin by .htaccess, and I have also used functions.php to create a function that prevents access to the admin panel if the user is Admin.

If someone knows the username and password of the Admin account, is it possible to change my website appearance as well as deleting posts/comments, etc.?

If possible, how could they?

As every lawyer's first sentence goes: it depends. So, without knowing exactly what you did, let's do a little "risk assessment".

There are multiple ways of compromising WordPress-based websites:

knowing the admin credentials

finding a vulnerability in WordPress

discovering a vulnerability in one of the used plugins

finding a vulnerability in the web server or its configuration

Where "vulnerability" means: software vulnerability, misconfiguration and so on.

We also have to further split all those possibilities into two options:

going from zero to admin

escalating from user to admin

So let's see what you have accomplished: if the admin access really is blocked, and properly blocked, knowing the admin credentials is not a direct threat to the page anymore (it can still be if you reuse credentials from somewhere else, or if your .htaccess or function does not block all the resources properly).

There are still multiple options to go for when targeting your site. I suggest you have a look

2018-10-18 12:52:08
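One way to do the functions.php part the question describes, and to close the "does not block all the resources" gap the answer warns about, is shown below. This is added example code, not the asker's function or anything from the answer; it restricts the dashboard to an allow-list of source IPs rather than by role, and the constant name `ALLOWED_ADMIN_IPS` and the addresses in it are assumed placeholders you would set in wp-config.php.

```php
<?php
// Added example (not from the original post): drop this in functions.php or an
// mu-plugin. It denies the dashboard to requests outside an IP allow-list and also
// closes the XML-RPC and REST API paths, which accept the same admin credentials
// but never pass through /wp-admin/, so an .htaccess rule on wp-admin alone
// does not cover them.
// ALLOWED_ADMIN_IPS is an assumed constant; the addresses below are constructed
// placeholders (TEST-NET ranges), not real values from the page.

if ( ! defined( 'ALLOWED_ADMIN_IPS' ) ) {
    define( 'ALLOWED_ADMIN_IPS', '203.0.113.10,198.51.100.7' );
}

function example_request_is_from_allowed_ip() {
    $allowed = array_map( 'trim', explode( ',', ALLOWED_ADMIN_IPS ) );
    // REMOTE_ADDR is set by the web server itself; client-supplied headers such as
    // X-Forwarded-For are not trusted here. Adjust only behind a proxy you control.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return in_array( $remote, $allowed, true );
}

// 1. Dashboard: admin_init fires on every /wp-admin/ page load, including
//    admin-ajax.php, which front-end themes and plugins legitimately call.
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() || example_request_is_from_allowed_ip() ) {
        return;
    }
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
} );

// 2. XML-RPC: a separate endpoint (xmlrpc.php) that authenticates with the
//    same username/password and can edit or delete posts.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. REST API: cookie or application-password authentication lets a logged-in
//    admin change content via /wp-json/ without ever loading wp-admin.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // another plugin already decided
    }
    if ( is_user_logged_in() && ! example_request_is_from_allowed_ip() ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    return $result; // anonymous read-only REST requests are left as WordPress handles them
} );
```

Check it by logging in as an administrator from an address outside the list: the dashboard and authenticated /wp-json/ requests should return 403 while the public site and front-end AJAX keep working.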