WPForce, has a couple of advantages that we can make use of. Unlike WPScan, which performs brute force login attempts agains the login page of WordPress, WPForce uses authenticated API calls to test the validity of credentials. While most security plugins are wise to this method, it does provide slightly more stealth.
- Brute Force via API, not login form bypassing some forms of protection
- Can automatically upload an interactive shell
- Can be used to spawn a full featured reverse shell
- Dumps WordPress password hashes
- Can backdoor authentication fuction for plaintext password collection
- Inject BeEF hook into all pages
- Pivot to meterpreter if needed