Given a username and a password dictionary, this tool lets you brute-force any given WordPress website through its XML-RPC API.
Disclaimer: For educational purposes only. Not intended for illegal activities. The author is not responsible for any action performed by the software user.
- Accepts SOCKS 4/5 Proxies.
- Allows setting a custom delay to be used when rate-limited.
- Allows custom URLs (to use when the xmlrpc.php file has been moved or renamed).
- Fast and Reliable (100% Java).
- Supports any password dictionary formatted with one password per line.
Example of a password dictionary:
Download the latest release from here.
Requires Java 17.
In a shell, run the program with `java -jar WordpressXMLBruteForce.jar` and configure it with your preferred parameters.
When the program finds a correct match, it is both printed in the shell and saved in a file called `LoginDetails`; you will find it in the same directory as the jar file.
If you want to run the program in proxy mode, you will first have to create a file called `Proxies` in the same directory as the jar file.
The proxies have to be either SOCKS 4 or 5, and the file has to be formatted with one proxy per line in the format `IP:PORT`.
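On the defending side, this kind of traffic appears in web server access logs as a burst of POST requests to the XML-RPC endpoint. The following is an added example, not part of this tool: it assumes combined-format access logs, and the function names, thresholds and log lines are constructed. It counts those POSTs across all client IPs in a sliding window, so requests spread over several proxies still add up, and it takes the endpoint path as a parameter for sites that moved or renamed the file.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Combined log format: ip, identity, user, [timestamp], "METHOD path protocol"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

def find_xmlrpc_bursts(lines, endpoint="/xmlrpc.php", window_s=60, threshold=10):
    """Return one (start, end, request_count, distinct_ips) tuple per burst.

    POSTs to the endpoint are counted across all clients; a per-IP counter
    alone would miss attempts distributed over many source addresses.
    """
    window = deque()  # (timestamp, ip) of recent POSTs to the endpoint
    alerts, alerting = [], False
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != endpoint:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window.append((ts, m["ip"]))
        # Drop entries that fell out of the sliding window.
        while ts - window[0][0] > timedelta(seconds=window_s):
            window.popleft()
        over = len(window) >= threshold
        if over and not alerting:  # report only the first crossing of a burst
            ips = {ip for _, ip in window}
            alerts.append((window[0][0], ts, len(window), len(ips)))
        alerting = over
    return alerts

def constructed_sample():
    """Constructed lines: 12 POSTs in 12 s from 4 rotating sources, plus normal traffic."""
    fmt = '{ip} - - [10/Mar/2024:10:00:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip=f"198.51.100.{i % 4 + 1}", s=i, req="POST /xmlrpc.php")
             for i in range(12)]
    lines.insert(3, fmt.format(ip="203.0.113.9", s=3, req="GET /index.php"))
    lines.append(fmt.format(ip="203.0.113.9", s=30, req="POST /wp-login.php"))
    return lines

if __name__ == "__main__":
    for start, end, count, ips in find_xmlrpc_bursts(constructed_sample()):
        print(f"{count} XML-RPC POSTs from {ips} sources between {start} and {end}")
```

Tune `window_s` and `threshold` against the site's normal XML-RPC traffic before alerting on it.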