ethicalhack3r
commented
9 years ago Hi @Viss!
Thanks for the feedback. We're currently in a situation where we're re-writing WPScan to make it more easily maintainable, extendable and support stuff like machine readable output.
In this re-written version, we are heavily considering dropping the brute force feature. Mainly due to issues like this and other 'advanced' brute forcing features that we lack. We think that maybe tools dedicated to remote password brute forcing would be better for our users to use.
That being said, it is easier for users to brute force WP within the same WP testing tool. We're not sure whether the effort of implementing the feature will be worth it as it will take some effort to make this feature fit into the new version.
Very happy to receive people's thoughts on this though!
Viss
lnxg33k
rafael1138
sometimes to evade mod_security, I use a bunch of different proxies and I've configured a load balancer to rotate them. Sometimes the proxies barf, or wpscan tries to hit a proxy during the rotation and gets an unexpected result back from the upstream connection. It would be pretty awesome to have a 'retries' functionality available so that it can validate whether the attempt actually succeeded or actually failed by trying for either a valid positive or valid negative response from the wordpress install, rather than a proxy error or a timeout.