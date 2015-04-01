

wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.



How It Works

The script will try to login to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog's content. If a single username is given, the script will not search for additional usernames.





When a correct username/password is found, it will be logged and shown in the standard output.





For faster results, you can spawn threads, but BE CAREFUL not to flood/DoS the site. Default settings can be changed in the "config.py" and "logging.conf" files.





The wordlist must have one entry per line. A small wordlist (wordlist.txt) and a plugin list (plugins.txt) are provided for testing purposes.





Note: It requires Python 2.6+.





Features:

Username enumeration and detection (TALSOFT-2011-0526, author's archive page, and content parsing)

Threads

Use keywords from blog's content in the wordlist

HTTP Proxy Support

Basic WordPress fingerprint (version and full path)

Advanced plugin fingerprinting (bruteforce, discovery and version/documentation)

Detection of Login LockDown plugin (this plugin makes the bruteforce useless)

Advanced logging using Python's logging library and logging configuration file
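
On the site owner's side, the behaviours listed above (repeated login-form submissions, author-archive lookups, plugin path probing) show up in the web server access log. The following Python 3 sketch is an added example, not part of wpbf: it counts those three patterns per source IP. The log format (common/combined), the `?author=N` form of author-archive requests, the thresholds and the sample lines are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

def _line(ip, method, path, status):
    # Helper that builds one constructed access-log line (not real traffic).
    return f'{ip} - - [01/Apr/2015:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", f"/?author={i}", 301) for i in range(1, 4)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(6)]
    + [_line("203.0.113.7", "GET", f"/wp-content/plugins/p{i}/", 404) for i in range(4)]
    + [_line("198.51.100.20", "POST", "/wp-login.php", 302),
       _line("198.51.100.20", "GET", "/wp-content/plugins/akismet/readme.txt", 200)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumed per-IP thresholds; tune them to the site's normal traffic.
THRESHOLDS = {"login_post": 5, "author_enum": 3, "plugin_probe": 3}

def classify(method, path, status):
    """Map one request to the behaviour it resembles, or None."""
    if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
        return "login_post"      # login form submission
    if method == "GET" and re.search(r"[?&]author=\d+", path):
        return "author_enum"     # author-archive lookup by numeric id
    if path.startswith("/wp-content/plugins/") and status == "404":
        return "plugin_probe"    # guess at a plugin that is not installed
    return None

def detect(log_text, thresholds=THRESHOLDS):
    """Return {ip: {behaviour: count}} for counts at or above the threshold."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that do not parse
        ip, method, path, status = m.groups()
        kind = classify(method, path, status)
        if kind:
            counts[ip][kind] += 1
    flagged = {}
    for ip, c in counts.items():
        hits = {k: n for k, n in c.items() if n >= thresholds[k]}
        if hits:
            flagged[ip] = hits
    return flagged

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip, hits)
```

An IP that trips more than one of the three counters in a short window is a stronger signal than any single counter, and is a reasonable trigger for rate limiting or a lockout of the kind Login LockDown applies.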





Usage: