When threads have exceptions (ex: Error 500) they usually stop working and the assigned job from the queue is not finished. If all threads experiment some exception the bruteforce become stalled.

When testing URL and Username, search for "Login LockDown" string in order to detect if the mentioned plugin is running.

Some blogs only expose the username in this string:

<link rel="alternate" type="application/rss+xml" title="Blog title &raquo; RSS entries of AUTHOR" href="http://blogurl.com/?feed=rss2&amp;author=3" />

Before adding a new word to the queue, check if already exists.

Support for multiple targets adding a new argument and passing a file name that must contain one URL per line. Another option can be a bundled shell script that launches wpbf from a file with one URL per line as a tool for masive, automated and regular testing.

Maybe a new argument to specify a log file where results are stored, or events to trigger when a password/plugin/vuln is found.

Add new parameter (-o output.json) to store results in a parseable file (json or csv):

$ ./wpbf.com -o output.json http://localhost/wordpress/
2013-03-09 18:03:20,462 - INFO - Target URL: http://vulsai.com/
2013-03-09 18:03:20,475 - INFO - Checking URL & username...
2013-03-09 18:03:20,475 - INFO - Enumerating users...
2013-03-09 18:05:53,331 - INFO - Usernames: admin, andres
2013-03-09 18:05:55,216 - INFO - 89 plugins will be tested
2013-03-09 18:05:55,216 - INFO - Writing results to output.json...

Results may be grouped and look like:

{
    "users": [ "admin", "andres" ],
    "plugins": {
        "contact-form-7": { "version": "1.2.3" },
        "akismet": { "version": "0.1.7" }
    },
    "passwords": {
        "admin": "admin",
        "andres": "1234"
    }
}

The code have some text matching with regexps and with "in", some re well writen, but some are a dirty thing. See how to do this matches in a more elegant way.

The simple dictionary based cache in Wp module only works for GET. All values passed via POST are ignored.

With the introduction of the Wp() class and URL basic filters, we don't need to take care about URL sanity in Wp() methods.

This line is removing a trailing slash and adding a new one, this can be avoided and it seem to be useless:

https://github.com/atarantini/wpbf/blob/master/wplib.py#L205

Remove that hack and re-check!

If url start with "https://", I keep getting this error:
ERROR - URL Error on: http://https://xxxxxxx.xxx/wp-login.php

Parameter name "eugt" is not an intuitive name, should be something like "eut".

Some tasks that perform network operations sometimes get 500 or timed-out; we can requeue ths tasks to try again later. If is implemented over WpbfWorker can act like a generic requeue method (only if the task is defined as requeueable).

Use one of the available methods (ex: request /wp-content/plugins/PLUGIN-NAME and check for 404) with a list of known plugins. The list can be a external plain-text file so the user can update the list manually without editing Python files.

Select key pages (home, one post, one page, one tag, one category, one author, all current links in the home, etc) from the blog and request them X times timing each request. Then show a stats of each page and the sum of the time and average.

The argument "-p / --proxy" is managed in a unusual way (regardin all the other arguments). Normalization of this parameter is needed to mantain the code flat and clear.

Sometimes a task fails and can must be requeued or a taks need to issue new tasks.

For example, when trying a login and get a request error we must requeue that task and do login again in order to assure that all words from the list get tested.

Other future implementation can be a tasks launching new tasks, like exploits tasks on specific plugins or additional data about certain type of discovery.

The "params" parameter of the Wplib method "request" can be optional (defaulted to an empty list).

Check that all imported modules are being used for something inside the script

Basic URL fix, add "http://" if not added, add "/" at the end of the URL, etc.

Usually the header of the templates have this tag:

<meta name="generator" content="WordPress 3.1.4" />

We can fech the version for there!

There is a common error in the way that coders of plugins and themes call some funcions (and don't check is the function is available). Calling certain files of plugins/errors we can know the full path where wordpress is installed.

This function should be part of "fingerprint".

Add to the username enumeration a "tolerance" value to bypass gaps in user ID sequence.

Generate possible passwords with this year and last year, ex:

• admin
• admin2012
• admin2012
• domain
• domain2012
• domain2013
• user
• user2012
• user2015

Move the filter_domain() funcion from the main script to an more adequate place

Limit for the user enumeration

WpWorker should be in a wpworker.py file along with WpTasks and all specific tasks.

Rewrite README file in rst format

Keywords that contain characters listed in "config.ignore_with" must be removed.

Extend the logger application-wide, this will ensure easy debuging when using external libraries or whatver will be included in the future.

Enumerating users within the Author's archive page is done parsing the "title" tag, but sometimes the author's archive page is formated different. If the "title" tag is stored and them compared with other "title" pages the difference will be the username.

Wp class should can take additional arguments so WpTask can call specific class without setters.

There is a in the that can contain a username. Add as method of enumeration.

Factory of tasks, posibly using reflection to automate/simplify task factory calling.