
Multiple Ways to Crack WordPress login

In this article, you will be learning how to compromise a WordPress website’s credentials using different brute forcing techniques.

Table of Contents

  • Pre-requisites
  • WPscan
  • Metasploit
  • Burp Suite
  • How to avoid a Brute Force Attack?


Pre-requisites

Target: WordPress

Attacker: Kali Linux (WPscan)

Burp Suite (Intruder)


WPscan

WPscan is a command-line tool which is used as a black box vulnerability scanner. It is commonly used by security professionals and bloggers to test the security of their website. WPscan comes pre-installed on most security-based Linux distributions and it is also available as a plug-in.

Here, I am using a WordPress website hosted on localhost, as you can see in the image given below.

While brute-forcing, you can either use your own common username and password lists or the ones provided with Kali Linux. I have used the rockyou.txt password file, which comes with the standard Kali installation and contains 14341564 unique passwords.

wpscan --url -U users.txt -P /usr/share/wordlists/rockyou.txt

--url is the URL parameter, followed by the URL of the WordPress website to be scanned

-U will only brute-force the supplied usernames, in our case users.txt

-P will brute-force the passwords from the provided list, rockyou.txt

The scan duration mainly depends on how large the password dictionary file is. As we are mapping a large number of users against an even larger number of passwords, the scan could also impact the performance of the website if left running for a long time.

The screen shows the attack as a success with the username as admin and password as flower.


Metasploit

As we know, Metasploit comes preinstalled with Kali Linux, so our first step is to get to the Metasploit console and then run the WordPress module used below.

This msf module will run a username and password audit. It will first validate usernames and then map passwords to them.

msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set rhosts
msf auxiliary(wordpress_login_enum) > set targeturi /wordpress
msf auxiliary(wordpress_login_enum) > set user_file user.txt
msf auxiliary(wordpress_login_enum) > set pass_file pass.txt
msf auxiliary(wordpress_login_enum) > exploit

Yet again, a successful brute force login with the credentials “Admin and flower” can be seen in the following screenshot.

Burp Suite

For this, install Burp Suite Community Edition or use the one that comes pre-installed in Kali Linux. Fire up Burp Suite and open the WordPress login page, then turn on the Intercept tab in Burp Proxy. Next, supply any username and password of your choice to log in to the WordPress website. This will intercept the response of the current request.

Look at the image below and notice the last line of the intercepted message: it shows the captured login credentials as raj:raj, which I used as username and password respectively. Next, send the captured message to the Intruder by right-clicking the blank message space and choosing the Send to Intruder option, or by just pressing Ctrl + I. If you are not familiar with how Burp Intruder works, go through this article first.

Now open the Intruder tab and you can see the base template request that we sent here. Select the Positions tab; here, by default, multiple positions are selected, and these positions are marked using § characters. Anything between two § characters is replaced by a payload. But we don’t need them all right now, so click on the Clear button at the bottom right corner of the editor window.

Next, select the positions as shown in the screenshot and click on the Add button to the right of the frame. This will configure these two selected positions as payload insertion points. Now, to customize the attack, select the attack type. As we have 2 payload positions, I am choosing cluster bomb. (This attack type is useful for a brute-force attack as it puts the first payload in the first position and the second payload in the second position. But when it loops through the payload sets, it tries all combinations. For example, if you have 1000 user names and 1000 passwords, this will perform 1000000 requests.)

Now hit up the start attack button.

In the Payloads tab, click on the payload set drop-down; here you can see numbers 1 and 2. Select number 1 for the first payload position. Choose a simple list from payload type; this lets you configure a simple list of strings that are used as payloads. You can manually add items to the list using the text box and the Add button, or you can paste a list from the clipboard, or load one from a file.

Similarly, select number 2 for the other payload position and select runtime file from payload type. This is useful when a very large list of payloads is needed, to avoid holding the entire list in memory. Add the path of any dictionary file containing passwords only. Click on Start attack.

It will match the combination of both payloads and try to log in with each username and password, as you can see below. By paying attention to the status and length of the responses, you can see that the login credentials admin and flower have status 302 and length 1203, which is different from all other combinations, indicating these are the results we are looking for. Hence the username and password are admin and flower respectively.

How to avoid a Brute Force attack?

One can certainly avoid these attacks using some precautionary measures, such as the following:

Password Length: An ideal length should be 8-16 characters long for passwords. It’s important to avoid the most common passwords and to change them frequently.

Password Complexity: A password should consist of UPPERCASE and lowercase alphabets and should also include numbers and special characters. Users should choose complex passphrases rather than single words; the complexity of the password delays the cracking process.

Limit Login Attempts: Limit the login attempts on your WordPress admin. For example, after three failed login attempts, it should block that particular IP for a certain period of time to stop it from making further login attempts.

Two Factor Authentication: The next way to be secure from brute-forcing is two-factor authentication or 2FA. This is a process that gives web services secondary access to the account owner in order to verify a login attempt. Generally, this involves a phone number and/or an email address.

Using Captcha: Installing a captcha on your WordPress site is fairly easy, and it helps to prevent bots from executing automated scripts to log in to your account.

Install a WordPress Firewall Plugin: Even the unsuccessful brute force attacks can slow down your website or completely crash the server. This is why it’s important to block them and to do that, you’ll need a website firewall solution. A firewall filters out bad traffic and blocks it from accessing your site.

Cloudflare: It is a renowned service that provides a protective shield against brute force attacks.

Install and Setup a WordPress Backup Plugin: If everything fails, one must have a backup plan!

There are several great WordPress backup plugins, which allow you to schedule automatic backups.

Disabling Directory Browsing and Installing WordPress Updates regularly can also help to be safe from brute-forcing attacks against a WordPress website.
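
A site owner can check whether these guessing attempts have already happened, and what the "Limit Login Attempts" rule above would have stopped, by replaying the web server's access log. The following is an added example, not code from the original article or from any WordPress plugin. It assumes combined-format access logs, that a failed login is logged as a 200 and an accepted one as a 302 (the status the Burp results above show for the valid pair), and a 5-minute counting window with a 15-minute lockout; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
MAX_FAILURES = 3                 # the article's example: three failed attempts
WINDOW = timedelta(minutes=5)    # assumed: span in which failures are counted
LOCKOUT = timedelta(minutes=15)  # assumed: the "certain period of time"

def review_logins(lines):
    """Replay wp-login.php POSTs and report, per client IP, what happened."""
    recent = defaultdict(list)   # ip -> failure times still inside WINDOW
    blocked_until = {}           # ip -> end of the current lockout
    report = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue             # not an access-log line we understand
        ip, ts, method, path, status = m.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue             # only credential submissions matter here
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        r = report.setdefault(ip, {"failed": 0, "refused": 0, "suspicious_success": False})
        locked = when < blocked_until.get(ip, when)
        if locked:
            r["refused"] += 1    # the limiter would have rejected this guess
        if status == "302":      # redirect: the login was accepted
            # a success right after a run of failures suggests a guessed password
            r["suspicious_success"] |= r["failed"] >= MAX_FAILURES
            continue
        r["failed"] += 1         # assumed: a failed login re-renders the form (200)
        if not locked:
            recent[ip] = [t for t in recent[ip] if when - t <= WINDOW] + [when]
            if len(recent[ip]) >= MAX_FAILURES:
                blocked_until[ip] = when + LOCKOUT
                recent[ip] = []
    return report

def _line(ip, sec, method, status):   # builds one constructed log line
    return (f'{ip} - - [10/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} /wordpress/wp-login.php HTTP/1.1" {status} 1203')
# Constructed sample: one noisy client, one ordinary user who mistyped once
SAMPLE = ([_line("203.0.113.7", s, "POST", 200) for s in range(1, 6)]
          + [_line("203.0.113.7", 6, "POST", 302), _line("198.51.100.4", 7, "GET", 200),
             _line("198.51.100.4", 8, "POST", 200), _line("198.51.100.4", 9, "POST", 302)])

if __name__ == "__main__":
    print(review_logins(SAMPLE))
```

A non-zero "refused" count next to a suspicious success means the lockout would have cut the guessing off before the valid password was reached; any account flagged this way should have its password reset.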

Thank you!!

Author: Nisha Yadav is trained in Certified Ethical hacking and Bug Bounty Hunter. She is currently working at Ignite Technologies as a Security Analyst.