Researchers from security firm Sucuri have found a way to perform Brute Force amplification attacks against WordPress' built-in XML-RPC feature to crack down administrator credentials.
XML-RPC is one of the simplest protocols for securely exchanging data between computers across the Internet. It uses the system.multicall method that allows an application to execute multiple commands within one HTTP request.
A number of CMS including WordPress and Drupal support XML-RPC.
But…
The same method has been abused to amplify their Brute Force attacks many times over by attempting hundreds of passwords within just one HTTP request, without been detected.
Amplified Brute-Force Attacks
This means instead of trying thousands of usernames and password combinations via login page (which can be easily blocked by banning IPs), hackers can use the XML-RPC protocol in conjunction with the system.multicall method that allows them to:
- Go undetected by normal brute-force mitigation products
- Try hundreds of thousands of username and password combinations with few XML-RPC requests.
"With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look and block brute force attempts," Sucuri's researchers wrote in a blog post.
The company witnessed the first attack of this kind at the beginning of last month, which then sky-rocketed to around 60,000 per day by the start of this month.
How to Prevent Brute-Force Amplification Attack via XML-RPC
To protect yourself against such threat, simply block all access to XML-RPC.
If you are not using any plugin that uses the xmlrpc.php file, just head on to rename/delete it. But, if you are using plugins such as JetPack, blocking xmlrpc.php may result in some broken functionality on your website.
So, webmasters could block XML-RPC system.multicall requests using a WAF (web application firewall). This will protect you against the amplification methods.
