wpbf - WordPress Brute Force Tool

wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.

How It Works

The script will try to log in to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog's content. If a single username is given, the script will not search for additional usernames.

When a correct username/password is found, it will be logged and shown in the standard output.

For faster results, you can spawn threads but BE CAREFUL not to flood/DoS the site. Default settings can be changed in "config.py" and "logging.conf" files.

The wordlist must have one entry per line. A small wordlist (wordlist.txt) and a plugin list (plugins.txt) are provided for testing purposes.

Note: It requires Python 2.6+.


  • Username enumeration and detection (TALSOFT-2011-0526, Author's archive page, and content parsing)
  • Threads
  • Use keywords from blog's content in the wordlist
  • HTTP Proxy Support
  • Basic WordPress fingerprint (version and full path)
  • Advanced plugin fingerprint (bruteforce, discovery and version/documentation)
  • Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
  • Advanced logging using Python's logging library and logging configuration file
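
On the defending side, the login-form guessing and author-archive username enumeration described above are visible in the web server's access log. The following is an added example, not part of wpbf or the original post: it assumes a combined-format access log and that author-archive probes appear as ?author=N requests. The thresholds, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')  # assumed shape of author-archive probes

def sample_log():
    """Constructed access-log lines (combined format, documentation IPs); not real traffic."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    noisy, quiet = '203.0.113.7', '198.51.100.20'
    lines = [fmt.format(ip=noisy, s=i, req='GET /blog/?author=%d' % (i + 1), st=301)
             for i in range(4)]
    lines += [fmt.format(ip=noisy, s=10 + i, req='POST /blog/wp-login.php', st=200)
              for i in range(8)]
    lines += [fmt.format(ip=quiet, s=30, req='POST /blog/wp-login.php', st=302),
              fmt.format(ip=quiet, s=31, req='GET /blog/?author=1', st=301)]
    return lines

def detect(lines, login_path='wp-login.php', max_posts=5,
           window=timedelta(seconds=60), max_author_ids=3):
    """Return {client_ip: set of findings}; thresholds are illustrative defaults."""
    posts, author_ids = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if m['method'] == 'POST' and m['path'].split('?')[0].endswith(login_path):
            posts[m['ip']].append(ts)  # every login POST counts, success or not
        probe = AUTHOR_RE.search(m['path'])
        if probe:
            author_ids[m['ip']].add(int(probe.group(1)))
    findings = defaultdict(set)
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_posts:
                findings[ip].add('login-bruteforce')
                break
    for ip, ids in author_ids.items():
        if len(ids) >= max_author_ids:  # many distinct user IDs requested by one client
            findings[ip].add('user-enumeration')
    return dict(findings)

if __name__ == '__main__':
    for ip, found in sorted(detect(sample_log()).items()):
        print(ip, sorted(found))
```

If the login form has been moved (the -s option above), pass the same path as login_path. A client behind a shared proxy or NAT can exceed the thresholds legitimately, so tune them against normal traffic.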


wpbf.py [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY] 
[-nk] [-eu] url

wpbf will audit and bruteforce your WordPress installation to test password
strength, server configuration, users and installed plugins. It Currently
supports threads and HTTP proxy and provides a very small default wordlist (a
dynamic wordlist is generated by default from the blog's content) and basic
username detection.

positional arguments:
  url                   base URL where WordPress is installed

optional arguments:
  -h, --help            show this help message and exit
  -w WORDLIST, --wordlist WORDLIST
                        worldlist file (default: wordlist.txt)
  -nk, --nokeywords     don't search keywords in content and add them to the
  -u USERNAME, --username USERNAME
                        username (default: None)
  -s SCRIPTPATH, --scriptpath SCRIPTPATH
                        path to the login form (default: wp-login.php)
  -t THREADS, --threads THREADS
                        how many threads the script will spawn (default: 5)
  -p PROXY, --proxy PROXY
                        http proxy (ex: http://localhost:8008/)
  -nf, --nofingerprint  don't fingerprint WordPress
  -eu, --enumerateusers
                        only enumerate users (withouth bruteforcing)
  -mu MAXUSERS, --maxusers MAXUSERS
                        maximum number of usernames to enumerate (default: no
                        user ID gap tolerance to use in username enumeration
                        (default: 3)
  -nps, --nopluginscan  skip plugin bruteforce, enumeration and fingerprint
  -ds, --dontstop       don't stop when password is found, continue with all
                        pending tasks
  --test                run python doctests (you can use a dummy URL here)


  • Basic
It will use the default settings (you can change the default settings in config.py file):
$ ./wpbf.py http://www.mysite.com/blog/
  • Custom
Using username 'john', not using keywords in the wordlist and through a local proxy:
$ ./wpbf.py --nokeywords -u john -p http://localhost:8008/ http://www.mysite.com/blog/
  • Aggressive
It will use default settings and spawn 23 threads:
$ ./wpbf.py -t 23 http://www.mysite.com/blog/
  • Username enumeration
Only perform a user enumeration:
$ ./wpbf.py -eu http://www.mysite.com/blog/
