What this project is
CTF Wordlists for XML-RPC is a pair of curated wordlist files designed for use in capture-the-flag (CTF) competitions and educational pentesting labs. The wordlists target WordPress installations that expose the XML-RPC endpoint — a common attack surface in beginner and intermediate CTF scenarios. The repository contains two files:

| File | Entries | Contents |
|---|---|---|
| users.txt | 1,200 | Common usernames found in web servers, web applications, and corporate networks |
| passwords.txt | ~1,500 | Common passwords, typical variations, and frequently used patterns |
What XML-RPC is and why it’s a target
WordPress ships with a remote procedure call interface at xmlrpc.php. This endpoint accepts XML-formatted HTTP POST requests and exposes methods that allow external clients to interact with the site — publishing posts, managing comments, and authenticating users.
The method wp.getUsersBlogs accepts a username and password and returns blog data if the credentials are valid. Because this method provides a direct credential-checking mechanism and XML-RPC does not enforce the same login throttling as the standard WordPress login form, it has become a well-known target in security exercises.
Tools like WPScan and Hydra can send hundreds of credential pairs per second against xmlrpc.php, making it an effective demonstration of brute-force techniques in a controlled lab setting.
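As an added defensive example (not part of this wordlist project), the following Python flags the burst pattern just described in combined-format web server access logs and extracts the methodName from an XML-RPC request body so wp.getUsersBlogs calls can be singled out. The log format, the threshold and window values, and the sample IP addresses are assumptions chosen for a lab.

```python
# Added example (not part of the wordlist project): flag credential-guessing
# bursts against xmlrpc.php. Threshold/window are lab assumptions, not defaults.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET
# combined log: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def xmlrpc_method(body):
    """methodName of an XML-RPC request body (e.g. 'wp.getUsersBlogs'), or None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    name = root.findtext("methodName") if root.tag == "methodCall" else None
    return name.strip() if name else None

def find_xmlrpc_bursts(log_lines, threshold=20, window=timedelta(seconds=60)):
    """{ip: total POSTs} for sources with >= threshold POSTs to xmlrpc.php in any window."""
    per_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # not combined format
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path.split("?", 1)[0].endswith("/xmlrpc.php"):
            per_ip[ip].append(datetime.strptime(ts, TIME_FMT))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0                                     # sliding window start
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1                            # drop attempts outside window
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def constructed_log():
    """Constructed sample: 25 POSTs in 25 s from 198.51.100.7, three spaced
    POSTs from 203.0.113.9 (a legitimate client), and one unrelated GET."""
    fmt = '{ip} - - [01/May/2024:12:00:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.7", s=i, m="POST", p="/xmlrpc.php") for i in range(25)]
    lines += [fmt.format(ip="203.0.113.9", s=s, m="POST", p="/xmlrpc.php") for s in (0, 30, 59)]
    lines.append(fmt.format(ip="203.0.113.9", s=10, m="GET", p="/wp-login.php"))
    return lines

if __name__ == "__main__":
    print(find_xmlrpc_bursts(constructed_log()))       # {'198.51.100.7': 25}
```

The burst detector only sees request counts; pairing it with the method name (from a WAF or application log that records the request body) separates credential checks via wp.getUsersBlogs from legitimate publishing traffic on the same endpoint.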
Intended use cases
- CTF competitions that include a WordPress XML-RPC challenge
- Educational pentesting labs where you control the target
- Security awareness demonstrations showing why weak credentials are dangerous
- Learning to use tools like WPScan and Hydra in a safe environment
Next steps
- Quick start: Get your environment set up and run your first credential test in minutes.
- WPScan guide: Full walkthrough for using WPScan against WordPress XML-RPC.
- Hydra guide: Full walkthrough for using Hydra with the XML-RPC POST form.
- Methodology: Recommended workflow for a complete XML-RPC enumeration exercise.