Blog | G5 Cyber Security

Hydra: Brute Force WordPress Login

TL;DR

This guide shows you how to use Hydra to attempt a brute-force attack on a WordPress login page. Warning: Attempting this against systems you do not own or have explicit permission to test is illegal and unethical. This information is for educational purposes only.

Prerequisites

Step-by-Step Guide

  1. Gather Information: Identify the target WordPress login page URL. This is usually http://targetdomain.com/wp-login.php or similar.
  2. Create a Username List (usernames.txt): Create a text file containing potential usernames, one per line. Common usernames include ‘admin’, ‘user’, ‘test’.
    echo -e "admin\nuser\ntest" > usernames.txt
  3. Create a Password List (passwords.txt): Create a text file containing potential passwords, one per line. This could be common passwords or a dictionary of words.
    echo -e "password\n123456\nadmin" > passwords.txt
  4. Run Hydra: Use the following command to start the brute-force attack. Replace targetdomain.com with your target domain and adjust options as needed.
    hydra -l admin -P passwords.txt http://targetdomain.com/wp-login.php form-based login username password
    • -l admin: Specifies the default username to try (can be overridden by usernames list).
    • -P passwords.txt: Specifies the path to your password list file.
    • http://targetdomain.com/wp-login.php: The target login URL.
    • form-based login username password: Tells Hydra it’s a form-based login with ‘username’ and ‘password’ fields.
  5. Monitor the Output: Hydra will display its progress in real-time, showing attempted usernames and passwords. If successful, it will output valid credentials.
  6. Using a Username List: To use your username list instead of specifying a default username with -l, add the -U usernames.txt option:
    hydra -U usernames.txt -P passwords.txt http://targetdomain.com/wp-login.php form-based login username password
  7. Limiting Attempts: To limit the number of attempts per second to avoid detection, use the -t option (number of threads):
    hydra -l admin -P passwords.txt http://targetdomain.com/wp-login.php form-based login username password -t 4
  8. Stopping Hydra: Press Ctrl+C to stop the attack at any time.
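The defender-side counterpart to the procedure above, added here as an example and not part of the original post: a small Python detector that reads web-server access log lines (combined log format) and flags source IPs that post to /wp-login.php many times in a short window. It relies on the fact that WordPress answers a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect, so a burst of 200s followed by a 302 from the same IP is the pattern worth paging on. The log lines, IPs and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def _line(ip, sec, status):
    """Build one constructed sample log line (not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 4521 "-" "Mozilla/5.0"')

# Constructed sample: one IP hammers the login form and then gets a redirect,
# a second IP mistypes once and then logs in normally.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, 200) for s in range(6)]        # six failures in six seconds
    + [_line("203.0.113.7", 6, 302)]                        # then a 302: a password hit
    + [_line("198.51.100.9", 10, 200), _line("198.51.100.9", 25, 302)]
)

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_wp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each suspicious IP to its peak failure count inside `window` and
    whether a 302 (successful login) followed its last failure."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            attempts[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [ts for ts, st in events if st == 200]
        best, start = 0, 0
        for end in range(len(fails)):            # sliding window over failed attempts
            while fails[end] - fails[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hit = any(st == 302 and ts >= fails[-1] for ts, st in events)
            findings[ip] = {"failures": best, "success_after_burst": hit}
    return findings
```

Feed it `tail -f` output or a log export; an IP with `success_after_burst` set is a credential compromise to treat as an incident, not just noise to rate-limit.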

Important Considerations
