The script will try to log in to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog's content. If a single username is given, the script will not search for additional usernames.





When a correct username/password pair is found, it is logged and shown on standard output.





For faster results you can spawn threads, but BE CAREFUL not to flood/DoS the site. Default settings can be changed in the "config.py" and "logging.conf" files.





The wordlist must have one entry per line. A small wordlist (wordlist.txt) and a plugin list (plugins.txt) are provided for testing purposes.





Features

Username enumeration and detection (TALSOFT-2011-0526, author's archive page and content parsing)

Threads

Use keywords from the blog's content in the wordlist

HTTP Proxy Support

Basic WordPress fingerprint (version and full path)

Advanced plugin fingerprinting (bruteforce, discovery and version/documentation)

Detection of the Login LockDown plugin (this plugin makes the brute force useless)

Advanced logging using Python's logging library and logging configuration file
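
From the defender's side, the login-form guessing and author-archive enumeration listed above leave a recognizable pattern in web server access logs. The following is an added example, not part of the script described here: it assumes Combined Log Format and stock WordPress responses (200 on a failed login, 302 on success), and the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyze(lines, login_threshold=5, author_threshold=3):
    """Return (login_suspects, enum_suspects), both keyed by client IP."""
    failed_logins = defaultdict(int)
    author_ids = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, method, target, status = m[1], m[2], m[3], int(m[4])
        url = urlsplit(target)
        # Assumption: stock WordPress re-renders the form with 200 on a failed
        # login and answers a successful one with a 302 redirect.
        if method == "POST" and url.path.endswith("/wp-login.php") and status == 200:
            failed_logins[ip] += 1
        # Author archive probing walks numeric IDs: /?author=1, /?author=2, ...
        for value in parse_qs(url.query).get("author", []):
            if value.isdigit():
                author_ids[ip].add(int(value))
    logins = {ip: n for ip, n in failed_logins.items() if n >= login_threshold}
    enum = {ip: sorted(ids) for ip, ids in author_ids.items()
            if len(ids) >= author_threshold}
    return logins, enum

def entry(ip, method, target, status):
    """Build one constructed Combined Log Format line."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = (
    [entry("203.0.113.7", "GET", f"/?author={i}", 301) for i in (1, 2, 3)]
    + [entry("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(6)]
    # A legitimate user: one typo, then a successful login.
    + [entry("198.51.100.4", "POST", "/wp-login.php", 200),
       entry("198.51.100.4", "POST", "/wp-login.php", 302)]
    # A visitor following a single author link, plus one malformed line.
    + [entry("192.0.2.9", "GET", "/?author=1", 301), "garbage line"]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In production the counts should be bucketed per time window, since a threaded run compresses many attempts into a short interval while a slow run spreads them out.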



