WordPress Dictionary Attack

A lot of clients seem to be using WordPress in one form or another, and this can sometimes provide usernames/passwords that are used on other systems. Here is a quick script to perform dictionary-based penetration testing on WordPress.

I normally use this with my own modified rockyou password list as well as the 10-k password list.

If you see something like this:


Or if they are using some other “block IP after X failed logins” mechanism, you’ll want a script to pipe everything through Tor. Or perhaps have, say, x Tor instances running and cycle through them, updating identities every y attempts. I’ve written a script for this which can be found on my GitHub page.
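From the defending side, the source rotation described above is why a per-IP lockout on its own is not enough. The following added example (not the author's script) counts constructed failed-login events both per source address and per targeted account. The event fields, thresholds and addresses are assumptions for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300         # seconds; assumed sliding window
PER_IP_LIMIT = 5     # assumed "block IP after X failed logins" threshold
PER_USER_LIMIT = 10  # assumed per-account threshold


def flag(events, key, limit, window=WINDOW):
    """Return the values of `key` with more than `limit` failures in any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev[key]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(ev[key])
    return flagged


def build_sample():
    """Constructed failed-login events (not real log data)."""
    events = []
    ts = 1_700_000_000
    # Eight source addresses, three failures each, all against one account.
    for i in range(8):
        ip = f"198.51.100.{10 + i}"  # documentation address range
        for _ in range(3):
            events.append({"ts": ts, "ip": ip, "user": "admin"})
            ts += 4
    # A legitimate user mistyping a password twice.
    events.append({"ts": 1_700_000_020, "ip": "203.0.113.7", "user": "editor"})
    events.append({"ts": 1_700_000_050, "ip": "203.0.113.7", "user": "editor"})
    return events


if __name__ == "__main__":
    sample = build_sample()
    print("flagged by per-IP count:     ", flag(sample, "ip", PER_IP_LIMIT))
    print("flagged by per-account count:", flag(sample, "user", PER_USER_LIMIT))
```

No single address crosses the per-IP threshold, while the per-account count flags `admin`, so throttling or alerting keyed on the targeted account still sees the activity.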

