# CTF Wordlists for XML-RPC

## Docs

- [Hydra guide](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/guides/hydra.md): Use THC-Hydra to brute-force WordPress credentials via XML-RPC HTTP POST in a lab environment.
- [Attack methodology](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/guides/methodology.md): A structured approach to WordPress XML-RPC brute-force exercises in authorized CTF and lab environments.
- [WPScan guide](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/guides/wpscan.md): Use WPScan to brute-force WordPress credentials via XML-RPC in a lab environment.
- [Introduction](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/introduction.md): Username and password wordlists for CTF competitions and pentesting exercises targeting WordPress XML-RPC.
- [Quick start](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/quickstart.md): Set up the wordlists and run your first XML-RPC credential test against a lab WordPress target.
- [FAQ](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/reference/faq.md): Frequently asked questions about CTF Wordlists for XML-RPC, covering setup, tool usage, wordlist structure, and responsible use.
- [Legal Notice](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/reference/legal.md): Authorized use policy, legal boundaries, and responsible disclosure guidelines for CTF Wordlists for XML-RPC.
- [Password wordlist](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/wordlists/passwords.md): ~1,500 password entries covering dictionary words, leet-speak variants, service-specific strings, CTF patterns, year suffixes, and systematic symbol patterns.
- [Username wordlist](https://mintlify.wiki/IzanLey2/wordlists-ctf-xmlrpc/wordlists/users.md): 1,200 usernames covering real names, system accounts, service accounts, security tools, DevOps tooling, job roles, and generated numeric accounts.