WordPress Google Dorking: Find Vulnerabilities & Sensitive Data


Have you ever imagined using Google search as a hacking tool? In this post you will learn how Google Dorking works, which WordPress dorks and exploits are used to find vulnerabilities, and how to protect your data from accidental leaks. It is in fact possible to use the Google search engine to find interesting data that, by chance, gets exposed on the internet.

The same search bar can help you protect yourself and your website from unwanted visits by hackers. Google dorking is a threat to eCommerce security: if you operate or own an eCommerce website, you won't want to share sensitive information with the world.


What is Google Dorking?


A Google Dork query, sometimes just called a dork, is a search string that uses advanced search operators to find information that is not readily available on a website.

Also known as Google Dorking, it is a “hacking” technique sometimes only referred to as a dork. It uses Google’s advanced search to find security loopholes in a website’s code and settings.

In other words, we can use Google Dorks to find vulnerabilities, hidden information, and access pages on certain websites. Because Google has a search algorithm and indexes most websites, it can be helpful for a hacker to find vulnerabilities in the target.

The basic syntax for advanced operators in Google is:

operator_name:keyword

For example, this operator_name:keyword syntax can be written as ‘filetype:xls intext:username’ in the standard search box, resulting in a list of Excel files that contain the term ‘username’.

The simple syntax of Google Dorks

  • site: returns results only from the specified domain.
  • allintitle: and intitle: match pages whose title contains the specified phrase.
  • inurl: restricts results to pages whose URL contains the specified phrase.
  • filetype: searches for specific file formats.

What can you find with Google Dorks?

A Google Dork is just a search that uses one or more of these advanced techniques to reveal something interesting. It is important to note that anyone can crawl the Web. Google automatically indexes a website, and unless sensitive information is explicitly blocked (nofollow, robots.txt), all content can be searched using dorks or advanced search operators.

With this technique, you can find a lot of sensitive information such as usernames and passwords, administrator login pages, sensitive documents, government and military data, email lists, bank account details, and possibly enough to hack a WordPress website.

  • Admin login pages
  • Username and passwords
  • Vulnerable entities
  • Sensitive documents
  • Government/military data
  • Mailing lists
  • Bank account details and much more

Google Dorks can also be used for network mapping; we can find the subdomain of the destination site using Simple Dorks.

You can use some of these techniques to filter the information and get better search results, but in this case, you focus on information that is not normally accessible, such as displaying images from security cameras or certain documents.

The term began to be used in 2002 when Johnny Long began collecting queries that worked in Google search and with which he could discover vulnerabilities or reveal sensitive or hidden information. He labeled them Google Dorks. Later this became a large database, eventually organized into the Google Hacking Database.

The technique known as Google Hacking involves using advanced Google operators in your search engine to locate specific strings of text within search results.

How to use Google Dorks?

Well, you can’t hack sites directly using Google, but since it has tremendous web crawling capabilities, it can index almost anything within your website, including sensitive information. This means that you could be exposing too much information about your web technologies, usernames, passwords, and general vulnerabilities without even knowing it.

In other words: Google “Dorking” is the practice of using Google to find vulnerable web applications and servers by using the native capabilities of Google’s search engine.

Unless you block specific resources on your website using a robots.txt file, Google indexes all the information that is present on any website. Logically, after a while, anyone in the world can access that information if they know what to look for.

Important note: While this information is publicly available on the Internet, and is provided and encouraged by Google to use it legally, hackers could use this information to harm your online presence.

Websites get hacked through many different techniques, and Google dorking is one of them. Keep in mind that Google can easily identify who you are when you make these types of queries.

For this reason and many others, it is recommended to use it only with good intentions, either for your own research or while looking for ways to defend your website against this type of vulnerability.

While some webmasters expose confidential information themselves, this does not mean that it is legal to exploit that information. Doing so will mark you as a cybercriminal. It is quite easy to track your browsing IP, even if you are using a VPN service. It is not as anonymous as you think.

Before reading further, keep in mind that Google will start blocking your connection if you connect from a single static IP. It will request captcha challenges to avoid automated queries.

To start using Google Dorks, type the operators that match your search criteria into the search bar.

Popular Google Dork Operators

Basic Google Dork Operators

The Google search engine has its own built-in query language. The following query list can be run to find a list of files. You can find information about your competition, track people, get information on SEO backlinks, create email lists, and of course, discover web vulnerabilities.

Let’s take a look at the most popular Google Dorks and what they do.

  • cache: shows the cached version of any website, for example cache:securitytrails.com
  • allintext: searches for specific text contained on any web page, for example allintext:hacking tools
  • allintitle: exactly the same as allintext, but will show pages containing titles with X characters, for example allintitle:"Security Companies"
  • allinurl: can be used to get results whose URL contains all the specified characters, for example allinurl:clientarea
  • filetype: used to search for any type of file extension; for example, to search for PDF files you can use: email security filetype:pdf
  • inurl: exactly the same as allinurl, but only useful for a single keyword, for example inurl:admin
  • intitle: used to search for multiple keywords within the title; for example, intitle:security tools will search for titles that start with “security”, but “tools” may be elsewhere on the page.
  • inanchor: useful when you need to search for an exact anchor text used in any link, for example inanchor:"cyber security"
  • intext: useful for locating pages that contain certain characters or strings within their text, for example intext:"safe internet"
  • site: shows the complete list of all the URLs indexed for the specified domain and subdomain, for example site:securitytrails.com
  • *: wildcard used to search for pages that contain “anything” in place of the asterisk; for example, how to * a website will return “how to design / create / hack, etc. a website”.
  • |: a logical OR operator; for example, "security" | "tips" will show all sites that contain “security” or “tips”, or both.
  • +: used to concatenate words, useful for detecting pages that use more than one specific keyword, for example security + trails
  • -: the minus operator is used to avoid showing results that contain certain words; for example, security -trails will show pages that use “security” in their text, but not those that have the word “trails”.

Google Dork Examples

Let’s take a look at some practical examples. You will be surprised to know how easy it is to extract private information from any source. You can do it by using Google’s hacking techniques.

Log files

Log files are the perfect example of how sensitive information can be found on any website. Error logs, access logs, and other types of application logs are often discovered within the public HTTP space of websites. This can help attackers find the version of PHP you are running, as well as the critical system path of your CMS or frameworks.

For this type of dork we can combine two Google operators, allintext and filetype, for example:

allintext:username filetype:log

This will display a lot of results that include the username within all *.log files.

In the results, we discovered a particular website that shows a SQL error log from a database server that included critical information.

This example exposed the current database name, user login, password, and email settings to the Internet.

Vulnerable web servers

The following Google Dork can be used to detect vulnerable or hacked servers that allow you to add “/proc/self/cwd/” directly to your website URL.

inurl:/proc/self/cwd

The results list the vulnerable servers, along with their exposed directories, which can be navigated from your own browser.

Open FTP servers

Google not only indexes HTTP-based servers, but it also indexes open FTP servers.

With the following dork, you will be able to explore public FTP servers, which can often reveal interesting things.

intitle:"index of" inurl:ftp

In this example, we find a major government server with its FTP space open. This was most likely on purpose, but it could also be a security issue.

ENV Files

.env files are used by popular web development frameworks to declare general variables and settings for local and online development environments.

One of the best practices is to move these .env files to a place that is not publicly accessible. However, as you will see, there are many developers who do not care about this and insert the .env file in the main directory of the public website.

By using this dork, unencrypted usernames, passwords, and IPs are directly exposed in search results. You don’t even need to click links to access the database login details.

SSH private keys

SSH private keys are used to decrypt the information that is exchanged in the SSH protocol. As a general security rule, private keys should always remain on the system used to access the remote SSH server and should not be shared with anyone.

With the following dork, you will be able to find SSH private keys that were indexed by Google.

intitle:index.of id_rsa -id_rsa.pub

Let’s move on to another interesting SSH Dork.

If this is not your lucky day and you are using a Windows operating system with the PuTTY SSH client, remember that this program always records the user names of your SSH connections.

In this case, we can use a simple dork to look up SSH usernames from the PuTTY logs:

filetype:log username putty

Email lists

It’s pretty easy to find email lists with Google Dorks. In the following example, we are going to search for Excel files that can contain many email addresses.

filetype:xls inurl:"email.xls"

We filtered to see only .edu domain names and found a popular university with around 1800 emails from students and professors.

site:.edu filetype:xls inurl:"email.xls"

Remember that the true power of Google Dorks comes from the unlimited combinations that you can use. Spammers also know this trick and use it on a daily basis to create and grow their spam lists.

Live cameras

Have you ever wondered if your private live cam could be seen not only by you but also by anyone on the internet?

The following Google hacking techniques can help you get live cam web pages that are not IP restricted.

Here’s the dork for searching for multiple IP-based cameras:

inurl:top.htm inurl:currenttime

To search for WebcamXP-based broadcasts:

intitle:"webcamXP 5"

And another for live cameras in general:

inurl:"lvappl.htm"

There are many live camera dorks that can allow you to view any part of the world, live. You can find educational, government, and even military cameras with no IP restrictions.

You can even do some white-hat penetration tests on these cameras; you will be amazed how you can take control of the entire admin panel remotely and even reconfigure the cameras to your liking.

MP3, movie and PDF files


Today hardly anyone downloads music after Spotify and Apple Music appeared on the market. However, if you are one of those classic people who still download legal music, you can use this dork to find mp3 files:

intitle:index of mp3

The same applies to legal free media files or PDF documents that you may need:

intitle:index of pdf intext:.mp4

Weather

Google’s hacking techniques can be used to obtain any type of information, and that includes many different types of electronic devices connected to the Internet.

In this case, we run a dork that allows you to search for transmissions from the Weather Wing device. If you are involved in meteorology issues or just curious, check this out:

intitle:"Weather Wing WS-2"

The output will show you various connected devices around the world, sharing weather details like wind direction, temperature, humidity, and more.

Zoom videos

The ‘zoom blitz’ became a popular means of disrupting online meetings in 2020 during the initial shutdown. Since then, the company has imposed some restrictions to make it difficult to find/interrupt Zoom meetings, but as long as a URL is shared, a Zoom meeting can still be found:

inurl:zoom.us/j and intext:scheduled

The only downside to this is the speed at which Google indexes a website. By the time a site is indexed, the Zoom meeting may already be over.

SQL dumps

Misconfigured databases are one way to find exposed data. Another way is to search for SQL dumps that are stored on servers and accessible via domain / IP.

Sometimes these dumps appear on sites through incorrect backup mechanisms used by site administrators who store backups on web servers (assuming they are not indexed by Google). To find a compressed SQL file, we use:

“Index of” “database.sql.zip”

WordPress Administrator

Whether to obfuscate your WordPress login page is debated among web administrators, with arguments on both sides. Some researchers say it is unnecessary and that using tools like a web application firewall (WAF) can prevent attacks much better than obfuscation.

Finding the WP Admin login pages is not too difficult with a dork:

intitle:"Index of" wp-admin

Apache2

This can be considered a subset of the “vulnerable web servers” mentioned above, but we are discussing Apache2 specifically because:

  • LAMP (Linux, Apache, MySQL, PHP) is a popular stack for hosted applications/websites
  • These Apache servers could be misconfigured/forgotten or in some configuration stage, making them great targets for botnets.

Find Apache2 web pages with the following dork:

intitle:"Apache2 Ubuntu Default Page: It works"

phpMyAdmin

Another risky but frequently discovered tool on LAMP servers is the phpMyAdmin software. This tool is another method to compromise data, as phpMyAdmin is used for managing MySQL on the web. The dork to use is:

Index of inurl:PHPMyAdmin

JIRA / Kibana

Google dorks can also be used to find web applications that host important business data (via JIRA or Kibana).

inurl:Dashboard.jspa intext:"Atlassian Jira Project Management Software"

inurl:app/kibana intext:Loading Kibana

An easier way to find JIRA instances is to use a tool like SurfaceBrowser, which can identify subdomains, as well as the applications in those subdomains (in addition to JIRA, there are many other applications).

CPanel password reset

This dorking technique can be used as the first step to get access to cPanels. It can exploit various weaknesses in password resets to take over the cPanel (along with all the websites hosted on it). The dork for this purpose is:

inurl:_cpanel/forgotpwd

Government documents

Confidential government documents are the last thing that should be exposed on the internet, but with dorks, they are not too difficult to find, as shown below:

allintitle:restricted filetype:doc site:gov

Preventing Google Dorks

There are many ways to avoid falling into the hands of a Google Dork.

These measures are suggested to prevent search engines from indexing your confidential information.

Protect private areas with username and password authentication and also by using IP-based restrictions.

Encrypt your confidential information (username, passwords, credit cards, emails, addresses, IP addresses, phone numbers, etc.).

Run regular vulnerability scans on your site. These usually already use popular Google Dorks queries and can be quite effective at detecting the most common ones.

Understand the common mistakes made when running a business through a website and the techniques hackers use to steal your sensitive data. Also consider the WordPress hacking prevention tips that are regularly published on the web, based on others' experience.

Run regular dorks queries on your own website to see if you can find important information before the bad guys do.

You can find a great list of popular dorks in the Exploit DB Dorks database.

If you find sensitive content exposed, request its removal using Google Search Console.

Block sensitive content by using a robots.txt file located in your website’s root-level directory.

WordPress Dorks List & Exploits


WordPress Dorks For SQL Injection

The following Google Dork queries can help you find WordPress sites that might be vulnerable to SQL injection attacks. Hackers can use such exploits to inject backdoors and carry out other kinds of hacks, such as WordPress redirect malware and the Japanese keywords hack.

Find Files with usernames and passwords

They allow the hacker to enter your website directly.

ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-": user and administrator passwords for modifying the website. They are seen directly in Google without having to enter the page. There are more than 1,100 keys like that.

filetype:sql "# dumping data for table" "`PASSWORD` varchar": completely dumped SQL databases, including user data and passwords. Modifications can be made in the search string to get other types of information. Passwords are encrypted in md5, but just Google it and the hacker will find a forum where someone has decrypted it and the original appears.

intitle:"index of" "Index of /" password.txt: servers with a file called password.txt. The search can be narrowed by country with site:.ar or to educational pages.

filetype:inc intext:mysql_connect password -please -could -port: Google offers more than 2,000 MySQL database users and passwords.

These operators can be used by hackers to:

Find Hidden files on web servers

A search such as filetype:php site:yoursite.com can help hackers identify PHP files that are not normally available to website visitors.

Hackers will be able to test these files to determine if they have vulnerabilities or send information about files they are not prepared to handle.

Find Website backups

If you’ve accidentally stored a website backup in one of your website’s public directories, it may become available through Dorking.

Hackers can use a search like filetype:tar.gz site:yoursite.com to find file backups or filetype:sql site:yoursite.com to find database backups.

Find Website errors

Dorking can be used to locate files with programming errors on your website. Depending on your site’s security settings, these pages may return sensitive information such as file paths or database usernames.

To perform this type of research, the hacker can use site:yoursite.com "warning" "error".

Find Files containing sensitive information

If your website has not properly secured its directories, there may be directory listings available showing links to files that can sometimes be downloaded.

It is a problem if you accidentally left files with sensitive information on your website. An attacker can use a search such as filetype:txt "login" site:yoursite.com to find text files that contain the word login.

Subdomains pointing to other applications

Many websites maintain additional applications and version control systems on subdomains.

These resources may not be as secure as the main website, or may be development platforms not designed for the general public. Hackers can use the query site:*.yoursite.com to find these resources.

Here are just a few of the ways that WordPress Dorking can be used to find potential hacking targets or sensitive information about websites.

Finding WordPress websites with their wp-content folder exposed

Hackers can use “index of” inurl:wp-content/ to find WordPress websites with the contents of their wp-content folders displayed online.

This can help the hacker find folders and files with the wrong permissions or examine the types of plugins you are running.

They can also use any sensitive information that you have stored in these folders. Running this search gives us more than 12 million results.

Finding WordPress websites that contain a plugin with a vulnerability

Once a plugin has been found to have a certain vulnerability, hackers will share details of it. They can then use Google Dorking to find websites that have the vulnerable plugin installed by using a search like inurl:/wp-content/plugins/plugin-name/

Find specific versions of WordPress

There have been serious vulnerabilities in WordPress source code over the years. While these issues are fixed fairly quickly, not all website owners update their website when needed.

Hackers will often find these insecure websites by searching for the ReadMe file included with WordPress and then checking the version number it contains.

They will use inurl:"WordPress readme.html" to get the WordPress revision number of a website or inurl:"wp readme.html" to find a version of a plugin.

Find WordPress Database Backups

A search like filetype:sql intext:wp_users PHPMyAdmin will find SQL file dumps from WordPress websites.

Searching for server logs

Server logs often contain information that is useful to hackers, including details of files with errors, information about server configuration, and file paths.

They often use the search inurl:log -intext:log ext:log inurl:wp- to find log files on WordPress sites.

How To Prevent WordPress Sensitive information leakage by dorks

Fortunately, it’s relatively easy to protect your website’s sensitive information and prevent search engines from indexing it.

Step # 1 – Avoid storing sensitive information in public folders

Sensitive files such as security certificates, trade secrets, file backups, and database backups should not be stored in publicly accessible folders. Whether you back up your WordPress site or database manually or with a plugin, take security measures to protect the backup, because the WordPress database holds the important and confidential data required to run your WordPress website.

Step # 2 – Disable Directory Browsing

Directory browsing allows visitors to browse your website directories through their web browser. It also allows search engines to index the contents of each folder – this is how hackers find these files through Dorking. Disabling directory browsing, so that Google cannot crawl your directories, is a best practice for securing a WordPress website.

WordPress includes an empty index.php file in the uploads, wp-content/themes, and wp-content/uploads directories to prevent visitors from browsing these directories.

However, the subfolders can still be navigated. To make sure that no directory can be browsed on your website, just add the following line to the .htaccess file in your WordPress installation folder:

Options -Indexes
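A local audit for Steps 1 and 2, as an added example that is not part of the original article: it walks a copy of the web root, flags the file types this article shows being found through dorks, and lists directories with no index file. The pattern list, function names and sample tree are assumptions made for the illustration.

```python
import os
import re

# File types this article shows being located through dorks. First match wins.
RISKY_PATTERNS = [
    (re.compile(r"(^|/)\.env(\.|$)"), "environment file with credentials"),
    (re.compile(r"\.sql(\.(zip|gz|bz2))?$", re.I), "SQL dump"),
    (re.compile(r"\.(tar\.gz|tgz|zip|bak|old)$", re.I), "backup archive"),
    (re.compile(r"\.log$", re.I), "log file"),
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "SSH private key"),
    (re.compile(r"(^|/)passwords?\.txt$", re.I), "password list"),
    (re.compile(r"\.inc$", re.I), "include file served as plain text"),
    (re.compile(r"(^|/)readme\.html$", re.I), "version-disclosing readme"),
]
# Files that stop a web server from generating an "Index of /" page.
INDEX_FILES = {"index.php", "index.html", "index.htm"}


def audit_docroot(docroot):
    """Walk a local copy of the web root.

    Returns (findings, listable): findings is a list of (url_path, reason)
    for risky files; listable is a list of directories with no index file,
    which would show a directory listing wherever Indexes is still enabled.
    """
    findings, listable = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        rel_dir = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir + "/"
        if not INDEX_FILES & {name.lower() for name in filenames}:
            listable.append("/" + rel_dir)
        for name in sorted(filenames):
            rel = rel_dir + name
            for pattern, reason in RISKY_PATTERNS:
                if pattern.search(rel):
                    findings.append(("/" + rel, reason))
                    break
    return findings, listable


def build_sample_tree(root):
    """Create a small constructed WordPress-like tree for the demo."""
    sample = [
        "index.php", ".env", "readme.html",
        "wp-content/index.php", "wp-content/debug.log",
        "wp-content/uploads/index.php",
        "wp-content/uploads/2024/photo.jpg",
        "wp-content/uploads/2024/database.sql.zip",
        "backup/site.tar.gz",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings, listable = audit_docroot(root)
    for path, reason in findings:
        print(f"RISKY   {path}  ({reason})")
    for path in listable:
        print(f"LISTING {path}  (no index file)")
```

Run it against a staging copy or a backup of the site rather than relying on search results, since files can be exposed long before Google indexes them.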

Step # 3 – Lock Your Download Folders

The WordPress uploads folder is often targeted for uploading malware to a website because it usually has less restrictive permissions. WordPress file permissions are the access rights assigned to users to manage the website’s files and folders, so it is important to set correct permissions on them. WordPress file and folder permissions play an integral role in the overall security of your WordPress website.

An easy way to prevent people from downloading executable PHP files is to create a .htaccess file in the uploads folder and add:

# On Apache 2.4 without mod_access_compat, use "Require all denied" instead
<Files *.php>
deny from all
</Files>

Step # 4 – Make sure Error Reporting is disabled on production servers

You should only allow your web application to provide detailed error reports or debugging information when it is being tested.

You should always hide this information on production servers as it could be useful to hackers. Open your wp-config.php file of the website.

Look for a line that says define('WP_DEBUG', false); or define('WP_DEBUG', true); and replace it with:

ini_set('display_errors', 'Off');
ini_set('error_reporting', E_ALL);
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

Step # 5 – Don’t use robots.txt file to hide sensitive files

A robots.txt file is used to provide information to search engine robots that crawl your website. One of the things it lets you do is tell search engine bots which page you don’t want them to scan.

At first glance, you might think this is a great way to stop Google from collecting sensitive information from your website and displaying it online!

The only problem is that hackers also extract robots.txt files from websites to discover folders and files that the website owner doesn’t want search engines to know about. Robots.txt files can in fact become a source of information leakage.
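To check your own robots.txt for this kind of leak, the added example below (not part of the original article) parses the file into user-agent groups and reports Disallow lines whose path advertises a sensitive location. The keyword list, function names and sample file are assumptions made for the illustration.

```python
import re

# Path fragments that tell a reader of robots.txt where something private lives.
SENSITIVE_HINTS = re.compile(
    r"admin|backup|private|secret|config|passw|phpmyadmin|\.(sql|log|env|bak)\b",
    re.I,
)
# WordPress's default robots.txt already lists this path, so it reveals nothing new.
WELL_KNOWN = {"/wp-admin/"}


def parse_robots(text):
    """Parse robots.txt text into a list of (user_agents, directive, path)."""
    rules, agents, seen_rule = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if seen_rule:                      # rules ended the previous group
                agents, seen_rule = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            seen_rule = True
            rules.append((tuple(agents), field, value))
    return rules


def leaky_disallows(text):
    """Return (path, user_agents) for Disallow lines that name a sensitive location."""
    leaks = []
    for agents, directive, path in parse_robots(text):
        if directive != "disallow" or path in ("", "/") or path in WELL_KNOWN:
            continue
        if SENSITIVE_HINTS.search(path):
            leaks.append((path, agents))
    return leaks


# Constructed sample, not taken from any real site.
SAMPLE_ROBOTS = """\
# constructed example
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /backups/db-2024.sql
Disallow: /privatearea/file.htm
Disallow: /*?

User-agent: Googlebot
User-agent: Bingbot
Disallow: /tmp/
"""

if __name__ == "__main__":
    for path, agents in leaky_disallows(SAMPLE_ROBOTS):
        print(f"{path} is advertised to anyone who fetches robots.txt "
              f"(group: {', '.join(agents)})")
```

Every path it reports should be protected with authentication or moved out of the web root, then dropped from robots.txt.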

A better option is to place a meta tag on pages that you don’t want to be indexed. Just add:

<meta name="robots" content="noindex">

Step # 6 – Move your downloads directory

If you really want to secure your WordPress upload folder, you may want to consider moving it. It does involve adding code, but it’s a useful step if you like to maintain high security. Check out this tutorial to learn how.

Step # 7 – Password Protect Sensitive Folders

Hackers use Google Dorks to find and attack the wp-content/uploads folder of WordPress sites. To protect such folders you can add server-side password protection to sensitive folders such as downloads, wp-content/themes, wp-content/plugins, wp-admin and wp-content/uploads. It’s a relatively simple process:

Create a file called 401.html and inside that file add text similar to “Authentication Required! You need a username and password to access this area.”

Next, create a .htaccess file, and inside of it add (you will need to modify the AuthUserFile line to match the location of your .htpasswd file):

ErrorDocument 401 /401.html
AuthType Basic
AuthName "Zone protected by password"
AuthUserFile /path/to/directory/.htpasswd
Require valid-user

Finally, create a .htpasswd file and upload it to the directory you are protecting. This file will include the username and passwords in the following format:

user:password

Step # 8 – Disable HTTP Headers from the Server

Fortunately, you can remove the header information so that your server doesn’t broadcast which version it is.

You can remove the server signature on Apache by updating the ServerSignature directive in the httpd.conf file:

Header unset Server
ServerSignature Off
ServerTokens Prod

Step # 9 – Use Generic Cookie Settings

If your website stores personalized cookies in users’ browsers, use generic names. Always avoid using names that you use for the corresponding database fields or tables.

Step # 10 – Clean Up Data Passed To User

If you pass other types of data to the user’s browser, remove important information such as database IDs or database field names. Keep in mind that hackers will also look at internal data used by your webpage, like AJAX responses.

Step # 11 – Don’t Leave Important Information in HTML Comments

Developers sometimes place comments in the code of their HTML templates, CSS files, and javascript files. This information can be used to tell hackers if a certain plugin or theme is currently installed.

The easiest way to deal with such sources of information leakage is to simply remove all comments using a minification plugin like Fast Velocity Minify.

Step # 12 – Scan your WordPress Website for Vulnerabilities

Use WP Hacked Help, a WordPress Security Scanner for detailed analysis of your website to determine if there are any vulnerabilities in your WordPress site.

Step # 13 – Add a security plugin to your WordPress installation

It’s always a good idea to protect your WordPress sites from vulnerabilities: install a security plugin for WordPress, set up an automatic update feature for vulnerable plugins, and keep an eye on your site’s logs.

The scariest fact is that basically, anyone with minimal knowledge can do a lot of damage just by using Google Dorking.

Block Sensitive Information Leakage In WordPress

Disabling “Directory Listing” is a good thing; there’s no need to show your files to everyone. You can disable directory listing with an .htaccess file or in your HTTP server configuration.

One of the other best ways to avoid Google dorks is by using a robots.txt file. Let’s look at some practical examples.

The following setting will deny all crawling from any directory within your website, which is quite useful for privately accessed websites that do not depend on publicly indexable Internet content.

User-agent: *
Disallow: /

You can also block specific directories to exclude them from web crawling. If you have an /admin area and need to protect it, just put this code inside:

User-agent: *
Disallow: /admin/

This will also protect all internal subdirectories.

Restrict access to specific files:

User-agent: *
Disallow: /privatearea/file.htm

Restrict access to dynamic URLs containing the “?” symbol:

User-agent: *
Disallow: /*?

To restrict access to specific file extensions, you can use:

User-agent: *
Disallow: /*.php$

In this case, all access to the .php files will be denied.

Conclusion

In conclusion, Google is one of the largest search engines in the world. As we all know, it has the ability to index everything unless we explicitly deny it.

Today we learned that Google can also be used as a hacking tool, but you can stay one step ahead of the bad guys and use it regularly to find vulnerabilities on your own websites. You can even integrate this and run automated scans using custom third-party Google SERP APIs.

If you are a security researcher, it can be a practical tool for your cybersecurity duties when used responsibly. Having a secure website is as vital to someone’s online presence as having a website host. WordPress site hacking is on the rise, so it has become very important to harden your WordPress site security using these WordPress security tips.

While Google Dorking can be used to reveal sensitive information about your website that is found and indexed via the HTTP protocol, you can also perform a full DNS audit using the SecurityTrails toolkit.
