CTF Wordlists for XML-RPC is a curated collection of usernames and passwords designed for security students and CTF participants practicing brute-force techniques against WordPress XML-RPC endpoints in controlled lab environments.

Introduction

Learn what these wordlists contain and how they are structured

Quick Start

Download the wordlists and run your first attack in minutes

WPScan Guide

Step-by-step WordPress brute-force using WPScan

Hydra Guide

HTTP POST form attacks against xmlrpc.php using Hydra

What’s included

The repository contains two wordlist files ready to use with your favourite pentesting tool:

| File | Entries | Contents |
| --- | --- | --- |
| users.txt | 1,200 | Common usernames for servers, web apps, and corporate accounts |
| passwords.txt | ~1,500 | Common passwords, patterns, and typical weak credentials |

These wordlists are exclusively for educational lab environments. Never use them against systems you do not own or have explicit written permission to test.

Get started

1. Download the wordlists

Clone the repository or download users.txt and passwords.txt directly from GitHub.

2. Set up your lab target

Deploy a local WordPress instance with XML-RPC enabled, or use your CTF challenge environment.

3. Choose your tool

Use WPScan for WordPress-native brute-forcing or Hydra for low-level HTTP POST attacks.

4. Run and analyse

Execute the attack, review found credentials, and document findings as part of your exercise.

Username wordlist

Explore the 1,200 username entries and their categories

Password wordlist

Explore the ~1,500 password entries and their patterns

Attack methodology

Understand the XML-RPC attack surface and best practices

Legal & ethics

Read the legal notice before using these tools
