WordPress XML-RPC brute force attacks
Recently, a new brute force attack method for WordPress was identified by Sucuri. This new technique allows attackers to try a very large number of WordPress username and password login combinations in a very short time.
According to security firm Sucuri, hackers are taking advantage of the fact that the XML-RPC protocol, which is supported by WordPress and several other popular content management systems, allows users to execute multiple methods within a single request by using the "system.multicall" method.
In simple terms this means that, instead of having to submit one password at a time until the correct one is found, hackers can now potentially submit hundreds of passwords in a single request, increasing their chances of finding the correct one. This means that a weak username and password combination for your WordPress admin area can potentially be cracked in minutes instead of hours or days.
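To make the amplification concrete from the defender's side, the following added example (not part of the original article or of Sucuri's research) parses an XML-RPC POST body and flags a system.multicall that bundles many credentialed calls; the list of credentialed methods, the blocking threshold and the sample request body are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Methods whose first two params are a username and password (assumed list;
# extend it to cover the methods your site actually exposes).
CREDENTIALED_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "wp.getPosts"}
# Above this many credentialed calls in one request we block (assumed threshold).
MAX_CREDENTIALED_CALLS = 3


def _value_text(value_el):
    """An XML-RPC <value> carries text bare or wrapped in <string>."""
    child = value_el.find("string")
    text = child.text if child is not None else value_el.text
    return (text or "").strip()


def _inner_methods(root):
    """Yield the methodName of each call struct inside a system.multicall."""
    for struct in root.iter("struct"):
        for member in struct.findall("member"):
            if member.findtext("name", "").strip() == "methodName":
                value = member.find("value")
                if value is not None:
                    yield _value_text(value)


def inspect_xmlrpc_request(body):
    """Summarise one XML-RPC POST body and decide whether to block it."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Not a valid XML-RPC call at all; refuse rather than guess.
        return {"method": None, "calls": 0, "credentialed": 0, "block": True}
    method = root.findtext("methodName", "").strip()
    if method != "system.multicall":
        cred = int(method in CREDENTIALED_METHODS)
        return {"method": method, "calls": 1, "credentialed": cred, "block": False}
    inner = list(_inner_methods(root))
    cred = sum(m in CREDENTIALED_METHODS for m in inner)
    return {"method": method, "calls": len(inner), "credentialed": cred,
            "block": cred > MAX_CREDENTIALED_CALLS}


def constructed_multicall(n):
    """Constructed test input: a multicall carrying n wp.getUsersBlogs calls."""
    call = ("<value><struct><member><name>methodName</name>"
            "<value><string>wp.getUsersBlogs</string></value></member>"
            "<member><name>params</name><value><array><data>"
            "<value><string>admin</string></value><value><string>guess{}</string></value>"
            "</data></array></value></member></struct></value>")
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + "".join(call.format(i) for i in range(n))
            + "</data></array></value></param></params></methodCall>")
```

A single-call request is never blocked by this check on its own, so per-IP rate limiting of failed logins is still needed alongside it.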
The best way to stop the attacks is to disable access to the xmlrpc.php file, which will be fine for most WordPress installations. Unfortunately, this can prevent some plugins, such as the popular Jetpack plugin, from working properly. It will also make it impossible for you to use a mobile app or remote connections to publish to your WordPress site.
So, what do we advise?
- Your username and password should be at least 10 characters long and made up of a random mix of numbers, upper- and lowercase letters, and one or two special characters.
- Always make sure you are using the very latest version of WordPress.
- If you do not use the Jetpack plugin and do not publish to your site using a remote app, disable XML-RPC in your WordPress installation. This can be done by using the Disable XML-RPC plugin or by adding the following code to your .htaccess file:
# BEGIN protect xmlrpc.php
Redirect 403 /xmlrpc.php
ErrorDocument 403 " "
- Consider using a plugin such as Wordfence which will add to the protection of your WordPress installation. Wordfence doesn't stop this particular issue but can help to make your site more secure.
If you are interested in reading more about the XML-RPC vulnerability, you can have a look at the article published by Sucuri at https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html