Prerequisites
Before you begin, make sure you have:
- A lab WordPress installation with XML-RPC enabled (the xmlrpc.php endpoint must respond to requests)
- WPScan installed (wpscan --version) or Hydra installed (hydra -h)
- wget or git available on your system
Steps
Download the wordlists
You can download the files individually with wget, or clone the full repository with git.
Verify the files
Confirm both files downloaded correctly and have the expected number of entries.
You should see output similar to:
If either count is significantly lower, the download may have been truncated. Re-download the affected file.
Run a credential test with WPScan
Replace TARGET with the hostname or IP address of your lab WordPress installation. WPScan will enumerate the target and then begin the credential attack using the xmlrpc method. The --max-threads 50 flag controls concurrency; lower this value if the target becomes unresponsive.
Interpret the results
When WPScan finds a valid credential pair, it prints a line like:
If no credentials are found after exhausting both wordlists, WPScan will report zero valid combinations. In a CTF context this usually means one of the following:
- The target username is not in users.txt; try enumerating usernames first with --enumerate u
- The password is not in passwords.txt; consider a larger password list
- XML-RPC is not the correct attack vector for this challenge
WPScan also performs plugin and theme enumeration before the credential attack. The full output includes version disclosures and known vulnerabilities — useful context for a broader CTF exercise.
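The flip side of the credential test above is what it looks like from the server: a single source sending a dense stream of POST requests to xmlrpc.php. The following script is an added, defender-side example (not part of the original guide and not WPScan's or WordPress's code). It parses Apache combined-format access log lines, builds a constructed sample log (the IPs, timestamps and user-agent strings are made up, not captured traffic), and flags any source IP that exceeds a threshold of xmlrpc.php POSTs within a sliding time window. The threshold of 20 requests per 60 seconds is an assumption to tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        # drop any query string so /xmlrpc.php?foo still matches
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_xmlrpc_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for every source that sent at least `threshold`
    POSTs to /xmlrpc.php inside any interval of length `window`.

    Lines are assumed to be in chronological order, as a log file is; each IP
    gets its own sliding window (a deque of timestamps)."""
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/xmlrpc.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # evict timestamps that fell out of the window
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def build_sample_log():
    """Constructed sample log (assumption: not real traffic). One source fires
    30 xmlrpc.php POSTs in 30 s, another sends 5 spread over 40 s plus a GET."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, method, path, status, size, offset_s, ua):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "-" "{ua}"'

    entries = []
    for i in range(30):  # the credential-test burst
        entries.append((i, line("203.0.113.7", "POST", "/xmlrpc.php", 200, 403, i, "ConstructedScanner/1.0")))
    for i in range(5):   # low-rate XML-RPC client, e.g. a mobile app
        entries.append((i * 10, line("198.51.100.4", "POST", "/xmlrpc.php", 200, 403, i * 10, "ConstructedApp/1.0")))
    entries.append((31, line("198.51.100.4", "GET", "/index.php", 200, 8123, 31, "Mozilla/5.0")))
    return [text for _, text in sorted(entries, key=lambda e: e[0])]


if __name__ == "__main__":
    for ip, count in find_xmlrpc_bursts(build_sample_log()).items():
        print(f"{ip}: peak of {count} xmlrpc.php POSTs within 60 s")
```

The request count per source is the robust signal here: user-agent strings are attacker-controlled, and the request body (which would show the XML-RPC method being called) is not in a standard access log. In the constructed sample only 203.0.113.7 is flagged at the default threshold; lowering the threshold to 3 also flags the low-rate client, which is the trade-off to keep in mind when tuning. If a site does not need XML-RPC at all, disabling it (for example with the WordPress filter `add_filter( 'xmlrpc_enabled', '__return_false' );`) removes this vector rather than merely rate-limiting it.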
Next steps
WPScan guide
Detailed WPScan options including username enumeration, output formats, and API token usage.
Hydra guide
Use Hydra with the raw XML-RPC POST form for finer-grained control over the attack.