# Starter forced-browse wordlist (#21, from ZAP / DirBuster)
# 200 high-signal paths — a deliberate subset of common dirbuster lists
# focused on PHP / WordPress / cloud-misconfig finds.

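# Backup / old-copy / environment directory names (generic, not WordPress-specific;
# WordPress config leaks are listed under "CMS-specific")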
backup
backups
old
old-site
oldsite
prev
previous
test
dev
development
staging
stage
beta
prod
production
new
copy
demo
debug

# Common config files, VCS metadata and dotfiles
.env
.env.local
.env.backup
.env.bak
.env.production
.env.dev
.env.staging
.htaccess
.htpasswd
.htdigest
.git/config
.git/HEAD
.svn/entries
.hg/store/00manifest.i
.bzr/branch/last-revision
.DS_Store

# CMS-specific
wp-config.php.bak
wp-config.php.old
wp-config.php.backup
wp-config-sample.php
wp-config.php~
wp-config.txt
wp-config.json
wp-admin/install.php
wp-admin/install-helper.php
wp-admin/upgrade.php
wp-admin/setup-config.php
wp-content/debug.log
wp-content/error_log
wp-content/uploads/
wp-content/plugins/
wp-content/themes/
wp-content/mu-plugins/
xmlrpc.php
readme.html
license.txt

# Sensitive PHP scripts
phpinfo.php
info.php
test.php
debug.php
test123.php
phpmyadmin
phpmyadmin/
pma
pma/
adminer
adminer.php
adminer-4.8.1.php
mysql
db.php

# Dev / build artifacts
node_modules
node_modules/
package.json
package-lock.json
yarn.lock
composer.json
composer.lock
composer.phar
Gemfile
Gemfile.lock
requirements.txt
Pipfile
Pipfile.lock
poetry.lock
yarn-error.log
npm-debug.log

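# Backup / db dumps
# NOTE: forced-browse tools request each line as a literal path; the "*.sql.gz"
# entry below is not expanded as a glob and only matches a file with that exact name.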
db.sql
database.sql
dump.sql
backup.sql
sql/
sqldump.sql
*.sql.gz
mysql.sql

# Hidden admin
admin
administrator
admin.php
admin/index.php
adm
backend
console
panel
control
dashboard
manage
manager
secret
private
hidden

# API / debug endpoints ("debug" below repeats the entry in the first section)
api
api/
api/v1
api/v2
api/v1/users
debug
debug.json
debug-output
status
status.php
health
healthcheck
ping
ping.php
metrics
prometheus

# IDE / editor project metadata (VCS paths such as .git and .svn are under "Common config files")
.idea
.idea/workspace.xml
.vscode
.vscode/settings.json
.project
.classpath

# OS / editor leftovers (.DS_Store below repeats the entry under "Common config files")
Thumbs.db
.DS_Store
desktop.ini

# Common log files
log
logs
log/
logs/
error.log
errors.log
access.log
combined.log
debug.log
app.log
laravel.log
nginx.log
apache.log

# Misc: stale robots/sitemap copies, .well-known metadata, cross-domain policy files, sitemaps
robots.txt.bak
sitemap.xml.bak
.well-known/security.txt
.well-known/openid-configuration
.well-known/oauth-authorization-server
crossdomain.xml
clientaccesspolicy.xml
sitemap_index.xml
post-sitemap.xml
page-sitemap.xml
author-sitemap.xml

# Mobile-app discovery
.well-known/apple-app-site-association
.well-known/assetlinks.json
apple-app-site-association

# Sensitive WP-specific: config/dump files left under uploads/, plus cache and backup-plugin directories
wp-content/uploads/wp-config.php
wp-content/uploads/.env
wp-content/uploads/database.sql
wp-content/cache/
wp-content/cache/wpfc-mobile-cache/
wp-content/cache/wp-rocket/
wp-content/cache/all/
wp-content/backups-dup-pro/
wp-content/ai1wm-backups/
wp-content/updraft/
