By Gary Nugent

Brute Force Amplification Attacks Against WordPress XML-RPC

Sucuri have reported that hackers are exploiting a hidden feature in WordPress’ XML-RPC component, using the system.multicall method to execute multiple Brute Force attacks inside a single HTTP POST request.

Normally, hackers attempt to gain direct access to a site running WordPress through the wp-login.php page. That’s not the case here. Instead, attackers are circumventing the login area by targeting methods within the very popular XML-RPC interface.

The attack amplifies the Brute Force attempts by very high orders of magnitude. The technique is difficult to identify and mitigate because the attacker is able to hide hundreds, if not thousands, of passwords within a single HTTP/HTTPS request.

If you don’t block XML-RPC, then use a Website Application Firewall (WAF) and verify that you can strip out requests targeting the system.multicall method.
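As an added example (not code from Sucuri or WordPress), here is the kind of body check a WAF rule or reverse-proxy hook could apply to POSTs aimed at xmlrpc.php: it blocks any system.multicall request and records how many calls were batched inside it. The function name `inspect_xmlrpc`, the `demo.echo` method and both sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample bodies; demo.echo is a placeholder method name.
_CALL = (b"<value><struct>"
         b"<member><name>methodName</name>"
         b"<value><string>demo.echo</string></value></member>"
         b"<member><name>params</name>"
         b"<value><array><data/></array></value></member>"
         b"</struct></value>")
SAMPLE_MULTICALL = (b"<?xml version='1.0'?><methodCall>"
                    b"<methodName>system.multicall</methodName>"
                    b"<params><param><value><array><data>" + _CALL * 3 +
                    b"</data></array></value></param></params></methodCall>")
SAMPLE_SINGLE = (b"<methodCall><methodName>demo.echo</methodName>"
                 b"<params/></methodCall>")


def _verdict(action, reason, subcalls=0):
    return {"action": action, "reason": reason, "subcalls": subcalls}


def inspect_xmlrpc(body: bytes) -> dict:
    """Classify one XML-RPC POST body as allow or block."""
    lowered = body.lower()
    # XML-RPC never needs a DTD, and NUL bytes indicate a UTF-16/32 body
    # that would slip past the byte-level DTD check, so refuse both.
    if b"<!doctype" in lowered or b"<!entity" in lowered or b"\x00" in body:
        return _verdict("block", "dtd-or-encoding")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return _verdict("block", "malformed-xml")
    if root.tag != "methodCall":
        return _verdict("block", "not-a-methodcall")
    # Normalise before comparing so padding or case changes still match.
    method = (root.findtext("methodName") or "").strip().lower()
    if method != "system.multicall":
        return _verdict("allow", "single-call", 1)
    # Each batched call is one <struct> in the first parameter's array.
    batched = root.findall("./params/param/value/array/data/value/struct")
    return _verdict("block", "multicall", len(batched))


if __name__ == "__main__":
    for name, body in (("multicall", SAMPLE_MULTICALL),
                       ("single", SAMPLE_SINGLE)):
        print(name, inspect_xmlrpc(body))
```

Logging the `subcalls` count alongside the source address shows how much guessing was packed into each blocked request, which an access log with one line per POST does not reveal.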

[Figure: The Number of Attacks Targeting XML-RPC since Sept. 10th]

Have Your Sites Been Affected?

The only way to know is to check your sites and see if they have been compromised. It’s important to remain proactive where site security is concerned. Hackers are always trying to find new ways of hijacking WordPress, so webmasters must remain vigilant.

Why This Attack Matters

Security plugins that stop Brute Force attacks assume those attacks will be coming through the site’s login page. That’s not how this new attack works, so none of those plugins are blocking this particular attack.

Nevertheless, you should ensure that anyone who can legitimately log into your site always uses a strong password. Regardless of this new attack, the old methods of Brute Force attack on login pages are still ongoing.

There’s a more detailed explanation of the attack here.

How To Protect Your Sites

If you do not use the XML-RPC component of WordPress, then the simplest solution is to disable it. XML-RPC is enabled by default in WordPress (and has been since WP 3.5).

Install the Disable XML-RPC plugin (by Philip Erb) on your site and activate it. That’s all you need to do; there are no settings to fiddle with. WordPress will eventually come out with a fix for the current security hole, and at that stage you can re-enable XML-RPC by deactivating the plugin.

Always make sure you’re also running the latest version of WordPress and plugins.

I realize the above is somewhat technical in nature and if that’s not a job you want to take on, I can do it for you.
