How to bruteforce CMSs and e-commerce apps with Hydra and the Password Auditor

This guide provides real-world testing methodologies for WordPress, Drupal, Joomla, PrestaShop, and Magento, helping you correctly identify weak login endpoints, analyze error messages, and work around security mechanisms for efficient pentests and security assessments.

You’ll find detailed Hydra commands for precise, high-efficiency bruteforcing, along with insights on using our Password Auditor to automate credential testing. This comparison makes it easier to choose which tool can help you brute-forcing faster and more effectively by capturing screenshots of logged-in sessions and generating detailed proof of valid credentials. 

Hydra vs password auditor hero image

How to check Wordpress for weak credentials

Deployment method: Vultr marketplace

1. Find the Wordpress web app login endpoint

The WordPress administrator login usually sits on the /wp-login.php endpoint.

Wordpress login interface

2. Discover the Wordpress login parameters

Use the Network tab in the browser’s Web Developer Tools to find the login parameters.

wordpress dev tools

3. Identify error messages and protection mechanisms

After one invalid attempt, the WordPress app returns the following message:

Wordpress error

After 10 invalid attempts, the Wordfence plugin (pre-installed in the deployed environment) gets triggered. Note that the block only works for active accounts.

Wordpress blocked

Hydra commands and output

For bruteforcing Wordpress with 1 valid and 1 invalid pairs of credentials, we used the following commands:

hydra -l wpauserAt32pBC2 -p bad-password wordpress.pentest-ground.com -V https-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:The username or password you entered is invalid.'
hydra -l wpauserAt32pBC2 -p D5nZ9UzELriBpENkATlgWR7jqeamvr7j wordpress.pentest-ground.com -V https-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:The username or password you entered is invalid.'
Wordpress hydra

As shown in the output, Hydra successfully distinguished between invalid and valid credentials.

For the second scenario that used multiple sets of credentials, we used the following Hydra command:

hydra -L users.txt -P pass.txt wordpress.pentest-ground.com -V https-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:The username or password you entered is invalid.'

Wordfence was activated after multiple failed attempts, and Hydra generated numerous incorrect credentials.

Wordpress hydra multiple creds

Password Auditor commands and results

For the first scenario, we adjusted the following parameters in the interface to run a more focused scan:

Since the pa-benchmark wordlist includes the valid credentials, the Password Auditor will make 4 attempts against the target - 3 with invalid credentials and one with valid credentials.

Wordpress password auditor scan resultsWordpress password auditor HTTPS weak password

The Pentest-Tools.com Password Auditor also includes a screenshot of the logged-in session to confirm the provided credentials are valid.

Password Auditor screenshot of the logged-in wordpress session

For the scenario with multiple credentials, we modified the wordlist to include 2 users (1 invalid and 1 valid) and 12 passwords (11 invalid and 1 valid). The Password Auditor reports the IP address was temporarily blocked. 


To automatically avoid IP blocking, you can use the “Delay between attempts” option in the Password Auditor to set a custom delay duration and ensure your attacks are effective and get you the results you need.

Wordpress password auditor access blockedWordpress password auditor IP blocking

Bruteforce commands and settings for Hydra and the Password Auditor

Since every CMS and e-commerce platform handles authentication differently, with varying levels of protection like rate limiting, CAPTCHAs, and account lockouts, you need a tool as flexible and capable as your workflows.

Whether you’re testing a single admin account or running large-scale credential audits, this guide gives you the practical techniques and automation strategies to improve your credential auditing workflow while avoiding unnecessary detection.