14 Oct WordPress XML-RPC Brute Force Attacks
Last weekend (October 10th, 2015) we became inundated with emails from several of our websites and our clients' websites reporting massive numbers of failed login attempts. These attempts targeted a security hole that comes from having XML-RPC enabled (by default) on WordPress websites.
What is XML-RPC? WordPress uses XML-RPC to let users perform website operations remotely, for example using a mobile app to access the dashboard or create blog posts. Popular apps such as Jetpack also rely on XML-RPC.
What are brute force attacks? A normal brute force attack involves repeated login attempts through the login/admin page. These attacks make a lot of noise (an email and a log entry for every failed login attempt and username) and are easily thwarted with security apps. So what’s the deal with brute force attacks and XML-RPC? XML-RPC is more of a security concern because each request carries its own authentication, which means attackers can throw an endless number of username/password combinations at your website with little notice until they gain access. Limiting incorrect login attempts (as most security apps do) and adding a CAPTCHA are effective at blocking attempts through the WordPress login page, but they do not protect you against XML-RPC attacks. DDoS is another form of attack that can be carried out by abusing the XML-RPC feature.
One way to protect your website is to disable XML-RPC. However, some apps use XML-RPC to function. Here’s a short list of some popular apps that use XML-RPC:
- WordPress Mobile App
- Various photo gallery apps