Bruteforcing Hack Tools

wpbf – WordPress Brute Force Tool

wpbf is a Python-based bruteforce tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site.

How It Works

The script will try to login to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog’s content. If a single username is given, the script will not search for additional usernames.
When a correct username/password is found, it will be logged and shown in the standard output.
For faster results, you can spawn threads but BE CAREFUL not to flood/DoS the site. Default settings can be changed in “” and “logging.conf” files.
The wordlist must have one entry per line, a small wordlist (wordlist.txt) and plugin list (plugins.txt) are provided for testing purposes.
Note: It requires Python 2.6+.


  • Username enumeration and detection (TALSOFT-2011-0526, Author’s archive page, and content parsing)
  • Threads
  • Use keywords from blog’s content in the wordlist
  • HTTP Proxy Support
  • Basic WordPress fingerprint (version and full path)
  • Advance plugins fingerprint (bruteforce, discovery and version/documentation)
  • Detection of Login LockDown plugin (this plugin makes the bruteforce useless)
  • Advanced logging using Python’s logging library and logging configuration file

Usage: [-h] [-w WORDLIST] [-u USERNAME] [-s SCRIPTPATH] [-t THREADS] [-p PROXY]
[-nk] [-eu] url
wpbf will audit and bruteforce your WordPress installation to test password
strength, server configuration, users and installed plugins. It Currently
supports threads and HTTP proxy and provides a very small default wordlist (a
dynamic wordlist is generated by default from the blog's content) and basic
username detection.
positional arguments:
  url                   base URL where WordPress is installed
optional arguments:
  -h, --help            show this help message and exit
  -w WORDLIST, --wordlist WORDLIST
                        worldlist file (default: wordlist.txt)
  -nk, --nokeywords     don't search keywords in content and add them to the
  -u USERNAME, --username USERNAME
                        username (default: None)
  -s SCRIPTPATH, --scriptpath SCRIPTPATH
                        path to the login form (default: wp-login.php)
  -t THREADS, --threads THREADS
                        how many threads the script will spawn (default: 5)
  -p PROXY, --proxy PROXY
                        http proxy (ex: http://localhost:8008/)
  -nf, --nofingerprint  don't fingerprint WordPress
  -eu, --enumerateusers
                        only enumerate users (withouth bruteforcing)
  -mu MAXUSERS, --maxusers MAXUSERS
                        maximum number of usernames to enumerate (default: no
                        user ID gap tolerance to use in username enumeration
                        (default: 3)
  -nps, --nopluginscan  skip plugin bruteforce, enumeration and fingerprint
  -ds, --dontstop       don't stop when password is found, continue with all
                        pending tasks
  --test                run python doctests (you can use a dummy URL here)


  • Basic
It will use the default settings (you can change the default settings in file):
$ ./
  • Custom

Using username ‘john’, not using keywords in the wordlist and through a local proxy:

$ ./ --nokeywords -u john -p http://localhost:8008/
  • Aggressive

It will use default settings and spawn 23 threads:

$ ./ -t 23
  • Username enumeration

Only perform a user enumeration:

$ ./ -eu