
wpbf – WordPress Brute Force Tool

November 18, 2017 | July 27, 2019

wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.

How It Works

The script tries to log in to the WordPress dashboard through the login form, using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog’s content. If a single username is given, the script will not search for additional usernames.
When a correct username/password pair is found, it is logged and shown on standard output.
For faster results, you can spawn threads but BE CAREFUL not to flood/DoS the site. Default settings can be changed in the “config.py” and “logging.conf” files.
The wordlist must have one entry per line. A small wordlist (wordlist.txt) and plugin list (plugins.txt) are provided for testing purposes.
Note: It requires Python 2.6+.

Features:

  • Username enumeration and detection (TALSOFT-2011-0526, Author’s archive page, and content parsing)
  • Threads
  • Use keywords from blog’s content in the wordlist
  • HTTP Proxy Support
  • Basic WordPress fingerprint (version and full path)
  • Advanced plugin fingerprinting (bruteforce, discovery and version/documentation)
  • Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
  • Advanced logging using Python’s logging library and logging configuration file
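
Seen from the site owner's side, the login attempts and user-ID enumeration described above leave a recognisable pattern in the web server's access log. The following Python 3 sketch is an added example, not part of wpbf: it flags client IPs that produce a burst of failed logins or sweep author IDs. The log lines are constructed, the thresholds are assumptions, and the `?author=N` request form is WordPress's own author-archive query (that wpbf issues exactly this request is an assumption).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in "combined" access-log format (documentation IPs, not real traffic).
def _line(ip, sec, method, path, status):
    return '%s - - [18/Nov/2017:10:00:%02d +0000] "%s %s HTTP/1.1" %d 512 "-" "-"' % (
        ip, sec, method, path, status)

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i, "GET", "/blog/?author=%d" % i, 301) for i in range(1, 6)]
    + [_line("203.0.113.7", 10 + i, "POST", "/blog/wp-login.php", 200) for i in range(8)]
    + [_line("198.51.100.4", 30, "POST", "/blog/wp-login.php", 200),
       _line("198.51.100.4", 35, "POST", "/blog/wp-login.php", 302),
       _line("198.51.100.4", 40, "GET", "/blog/?author=1", 301)])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

def analyse(log_text, login_path="wp-login.php", window=60, max_failed=5, max_ids=3):
    """Return {ip: set of findings} for failed-login bursts and author-ID sweeps."""
    recent = defaultdict(deque)   # ip -> timestamps of failed logins inside the window
    ids = defaultdict(set)        # ip -> distinct author IDs requested
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        path = target.split("?", 1)[0]
        # A stock wp-login.php redisplays the form (200) on failure and redirects (302) on success.
        if method == "POST" and path.endswith("/" + login_path) and status == "200":
            q = recent[ip]
            q.append(when)
            while q and when - q[0] > window:
                q.popleft()       # drop attempts that fell out of the time window
            if len(q) > max_failed:
                findings[ip].add("login-bruteforce")
        hit = AUTHOR_RE.search(target)
        if method == "GET" and hit:
            ids[ip].add(int(hit.group(1)))
            if len(ids[ip]) > max_ids:
                findings[ip].add("author-enumeration")
    return dict(findings)
```

The `login_path` parameter mirrors the tool's `-s` option, so a renamed login script can still be monitored.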

Usage:

wpbf.py [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY] 
[-nk] [-eu] url

wpbf will audit and bruteforce your WordPress installation to test password
strength, server configuration, users and installed plugins. It Currently
supports threads and HTTP proxy and provides a very small default wordlist (a
dynamic wordlist is generated by default from the blog's content) and basic
username detection.

positional arguments:
  url                   base URL where WordPress is installed

optional arguments:
  -h, --help            show this help message and exit
  -w WORDLIST, --wordlist WORDLIST
                        worldlist file (default: wordlist.txt)
  -nk, --nokeywords     don't search keywords in content and add them to the
                        wordlist
  -u USERNAME, --username USERNAME
                        username (default: None)
  -s SCRIPTPATH, --scriptpath SCRIPTPATH
                        path to the login form (default: wp-login.php)
  -t THREADS, --threads THREADS
                        how many threads the script will spawn (default: 5)
  -p PROXY, --proxy PROXY
                        http proxy (ex: http://localhost:8008/)
  -nf, --nofingerprint  don't fingerprint WordPress
  -eu, --enumerateusers
                        only enumerate users (withouth bruteforcing)
  -mu MAXUSERS, --maxusers MAXUSERS
                        maximum number of usernames to enumerate (default: no
                        limit)
  -eut ENUMERATETOLERANCE, --enumeratetolerance ENUMERATETOLERANCE
                        user ID gap tolerance to use in username enumeration
                        (default: 3)
  -nps, --nopluginscan  skip plugin bruteforce, enumeration and fingerprint
  -ds, --dontstop       don't stop when password is found, continue with all
                        pending tasks
  --test                run python doctests (you can use a dummy URL here)

Examples:

  • Basic

It will use the default settings (you can change the default settings in the config.py file):

$ ./wpbf.py http://www.mysite.com/blog/

  • Custom

Using username ‘john’, not using keywords in the wordlist and through a local proxy:

$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/

  • Aggressive

It will use default settings and spawn 23 threads:

$ ./wpbf.py -t 23 http://www.mysite.com/blog/

  • Username enumeration

Only perform a user enumeration:

$ ./wpbf.py -eu http://www.mysite.com/blog/
