There are many potential vulnerabilities but here we’ll just consider two.
- Administrator username of “admin”
- Easy to crack password
Administrator username of “admin”
With the current version of WordPress (3.5.1) it’s very easy to determine if the site has a user name of “admin”. Just attempt to login with the user name you want to test for. e.g. admin
If the user name is invalid you will get:
If the user name is valid you will either get:
OR you’ll be logged in 🙂
Note: This was raised as a bug (#12129 – Generic login failure message) a long time ago but it was closed as “wontfix”
Easy to crack password
Once you’ve determined that the user name is valid you can then try different passwords. By default WordPress does not lock you out after a certain number of failed attempts. An automated machine can try hundreds of the more common passwords. And it will keep going until it’s logged in or run out of ideas. It’s easy to find the 600 most common passwords. Some plugins even deliver a file that contains a list of them.