Brute forcing WordPress installations

If you are targeting a popular application, remember to check whether any NSE scripts are specialized for it. For example, WordPress installations can be audited with the script http-wordpress-brute:

$ nmap -p80 --script http-wordpress-brute <target>  

To set the number of threads, use the script argument http-wordpress-brute.threads:

$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.threads=5 <target>  

If the server uses virtual hosting, set the Host header field using the argument http-wordpress-brute.hostname:

$ nmap -p80 --script http-wordpress-brute --script-args http-wordpress-brute.hostname="ahostname.wordpress.com" <target>  

To set a different login URI, use ...
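As an added example (not from the book or the Nmap project), this is a defender-side check for the request pattern such an audit leaves in a web server access log. It assumes Combined Log Format, WordPress's default login path /wp-login.php, and that a 302 response to a login POST means the login succeeded; the function name, threshold, window and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# Nmap's default HTTP User-Agent; it can be overridden, so treat a match as a hint only.
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    f'203.0.113.10 - - [10/Mar/2024:12:00:0{i} +0000] "POST /wp-login.php HTTP/1.1" '
    f'{200 if i < 5 else 302} 3120 "-" "{NSE_UA}"'
    for i in range(6)
] + [
    '198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Mar/2024:12:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def find_login_bruteforce(lines, login_path="/wp-login.php", threshold=5,
                          window=timedelta(seconds=60)):
    """Flag source IPs that POST to login_path at least `threshold` times within
    any sliding `window`. Returns {ip: {"attempts", "nse_agent", "redirected"}}."""
    seen = defaultdict(lambda: {"times": [], "nse_agent": False, "redirected": False})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != login_path:
            continue
        rec = seen[m["ip"]]
        rec["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        rec["nse_agent"] |= "Nmap Scripting Engine" in m["agent"]
        rec["redirected"] |= m["status"] == "302"  # possible successful guess
    flagged = {}
    for ip, rec in seen.items():
        times, start, best = sorted(rec["times"]), 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"attempts": best, "nse_agent": rec["nse_agent"],
                           "redirected": rec["redirected"]}
    return flagged

if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE).items():
        print(ip, info)
```

A flagged source with "redirected" set deserves priority, since it suggests one of the guessed passwords was accepted.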
