• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2017
  • November
  • 18
  • wpbf – WordPress Brute Force Tool

wpbf – WordPress Brute Force Tool

November 18, 2017July 27, 2019 Comments Off on wpbf – WordPress Brute Force Tool
how to brute force wordpress 2017 how to hack wordpress site 2017 how to use wpbf wordpress brute force script wordpress exploit scanner wpbf - WordPress Brute Force Tool

wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.

How It Works

The script will try to login to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog’s content. If a single username is given, the script will not search for additional usernames.
When a correct username/password is found, it will be logged and shown in the standard output.
For faster results, you can spawn threads but BE CAREFUL not to flood/DoS the site. Default settings can be changed in “config.py” and “logging.conf” files.
The wordlist must have one entry per line, a small wordlist (wordlist.txt) and plugin list (plugins.txt) are provided for testing purposes.
Note: It requires Python 2.6+.

Features:

  • Username enumeration and detection (TALSOFT-2011-0526, Author’s archive page, and content parsing)
  • Threads
  • Use keywords from blog’s content in the wordlist
  • HTTP Proxy Support
  • Basic WordPress fingerprint (version and full path)
  • Advance plugins fingerprint (bruteforce, discovery and version/documentation)
  • Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
  • Advanced logging using Python’s logging library and logging configuration file

Usage:

wpbf.py [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY] 
[-nk] [-eu] url

wpbf will audit and bruteforce your WordPress installation to test password
strength, server configuration, users and installed plugins. It Currently
supports threads and HTTP proxy and provides a very small default wordlist (a
dynamic wordlist is generated by default from the blog's content) and basic
username detection.

positional arguments:
  url                   base URL where WordPress is installed

optional arguments:
  -h, --help            show this help message and exit
  -w WORDLIST, --wordlist WORDLIST
                        worldlist file (default: wordlist.txt)
  -nk, --nokeywords     don't search keywords in content and add them to the
                        wordlist
  -u USERNAME, --username USERNAME
                        username (default: None)
  -s SCRIPTPATH, --scriptpath SCRIPTPATH
                        path to the login form (default: wp-login.php)
  -t THREADS, --threads THREADS
                        how many threads the script will spawn (default: 5)
  -p PROXY, --proxy PROXY
                        http proxy (ex: http://localhost:8008/)
  -nf, --nofingerprint  don't fingerprint WordPress
  -eu, --enumerateusers
                        only enumerate users (withouth bruteforcing)
  -mu MAXUSERS, --maxusers MAXUSERS
                        maximum number of usernames to enumerate (default: no
                        limit)
  -eut ENUMERATETOLERANCE, --enumeratetolerance ENUMERATETOLERANCE
                        user ID gap tolerance to use in username enumeration
                        (default: 3)
  -nps, --nopluginscan  skip plugin bruteforce, enumeration and fingerprint
  -ds, --dontstop       don't stop when password is found, continue with all
                        pending tasks
  --test                run python doctests (you can use a dummy URL here)

Examples:

  • Basic
It will use the default settings (you can change the default settings in config.py file):
$ ./wpbf.py http://www.mysite.com/blog/
  • Custom

Using username ‘john’, not using keywords in the wordlist and through a local proxy:

$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/
  • Aggressive

It will use default settings and spawn 23 threads:

$ ./wpbf.py -t 23 http://www.mysite.com/blog/
  • Username enumeration

Only perform a user enumeration:

$ ./wpbf.py -eu http://www.mysite.com/blog/

Download wpbf

Post navigation

Bro – An Open-source Network Traffic Analyzer
P4wnP1 – Raspberry Pi USB Attack Platform

Related Articles

CVE-2023-28326: Critical Vulnerability in Apache OpenMeetings

CVE-2023-28326: Critical Vulnerability in Apache OpenMeetings

- Hack Tools
March 28, 2023
Decider - A Web Application That Assists Network Defenders, Analysts, And Researcher In The Process Of Mapping Adversary Behaviors To The MITRE ATT&CK Framework

Decider – A Web Application That Assists Network Defenders, Analysts, And Researcher In The Process Of Mapping Adversary Behaviors To The MITRE ATT&CK Framework

- Hack Tools
March 28, 2023
Android app from China exploited 0-day CVE-2023-20963 flaw

Android app from China exploited 0-day CVE-2023-20963 flaw

- Hack Tools
March 28, 2023
hacker gadgets
hacker phone covers

Recent Posts

CVE-2023-28326: Critical Vulnerability in Apache OpenMeetings

CVE-2023-28326: Critical Vulnerability in Apache OpenMeetings

March 28, 2023
Decider - A Web Application That Assists Network Defenders, Analysts, And Researcher In The Process Of Mapping Adversary Behaviors To The MITRE ATT&CK Framework

Decider – A Web Application That Assists Network Defenders, Analysts, And Researcher In The Process Of Mapping Adversary Behaviors To The MITRE ATT&CK Framework

March 28, 2023
Android app from China exploited 0-day CVE-2023-20963 flaw

Android app from China exploited 0-day CVE-2023-20963 flaw

March 28, 2023
Geogramint: OSINT Geolocalization tool for Telegram

Geogramint: OSINT Geolocalization tool for Telegram

March 28, 2023
Polaris: open source policy engine for Kubernetes

Polaris: open source policy engine for Kubernetes

March 27, 2023
ThunderCloud - Cloud Exploit Framework

ThunderCloud – Cloud Exploit Framework

March 27, 2023

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Join Our Community!

Please wait...
Get the latest News and Hacking Tools delivered to your inbox.
Don't Worry ! You will not be spammed

Active Members

Submit a Tool

Hackers Handbook 2018


Grab your copy here

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW