WordPress Brute Force Tool

Following on from my previous post Patching WordPress Username Disclosure I got bored over the weekend and decided to implement Veronica Valeros’s username disclosure technique into a WordPress password brute force tool.

It is nothing revolutionary or difficult to code, but it may come in handy one day on a pentest or web application assessment, mainly to automate the process.

Currently you can use the tool in 3 different ways.

Only the ‘–url’ option:
Enumerate wordpress usernames.

The ‘–wordlist’ option:
Enumerate wordpress usernames.
Start a dictionary attack on all usernames enumerated.

The ‘–username’ option:
Specify a single username to start the dictionary attack on.

I won’t be releasing the tool, not yet anyway, I may release it in future.

Here is a video of it in action:


The video of my tool seems to have raised lots of interest and questions.

Please understand that I think this this tool is quite trivial to code and I am very surprised that it got so much attention.

One question that was raised more than once, was, why did I not release the code?!

The reason I did not release it is because I was considering the ethicality of such a tool being released. I first wanted to guage the interest in such a tool and if interest was positive, expand the tool further.

I will go into further detail as the code base expands. I can confirm that I will be releasing the code as part of a bigger project called WPScan.

14 thoughts on “WordPress Brute Force Tool

  1. fak3r

    This looks very nice, I’ve pretty much standardized on WordPress for my sites, and like it quite a bit, but should hack its security a bit more. I think for version 2.8 or something they recommended not using the ‘admin’ handle, which is good advice anywhere :) shoot a ping out on twitter if you decide to release this tool, I need to get better with Ruby and this sounds like a good one to start with.


  2. Pingback: Want to Hack Wordpress? Check Out WPScan | RJH Solutions

  3. James R

    I think its best not to give out this code, you will end up with thousands of 13 year old
    little kids fucking with a lot of sites.

    Im now saying its better than some 30 year old but people that know how to make this kind of code dont use it often.

    More so people with the brains to put this together understand what it means to have built something and how hard it can be to build a full site.

    So at most they will rip off a few emails to blast or give there sites some links and call it good.

    KIDs on the other hand will try to mess up the site and could really hurt someones income.

    Just my $0.02

  4. Chrispy

    Probably a bad idea to release this code (as much as I’d enjoy using it).

    Too many people would fuck up too many site,
    and then how long before there’s a fix for it and your code is useless.

    Enjoy it for yourself.

  5. Pingback: Wpscan (WordPress Security Scanner) « hypnotiz3r

Comments are closed.