Threat caution!

XML-RPC service can affect the WordPress security

XML-RPC is a remote procedure call protocol: it encodes its calls in XML (Extensible Markup Language) and transports them over HTTP. In WordPress terms, it is what lets you publish posts from desktop weblog clients (for example Windows Live Writer and similar tools). It is supported by WordPress and by most other popular content management systems, and client libraries exist for many programming languages, such as Java, C, C++, Python, and PHP.

Brute Force attacks via XML-RPC service

Most brute force attacks target the WordPress login page and its login form. Now these attacks are evolving, and attackers are changing their strategy: in the last few months we have seen an increase in attacks focused on the XML-RPC system integrated into WordPress. The main difference between password guessing on the login page and the same attack against XML-RPC is that the attacker can submit more than one password per attempt. One of the most useful features of XML-RPC is the system.multicall method. It is popular because it allows an application to pass multiple commands within a single request. For attackers, this is a way to try hundreds of passwords in a single HTTP request, so they can try thousands of passwords with only 3 or 4 HTTP requests. This makes XML-RPC a weak point of WordPress: it makes brute force attacks more efficient and faster. After the first massive attack of this kind in 2015, it became quite popular.

How to avoid it?

There are a few ways to protect your WordPress website from password guessing attacks over XML-RPC. One of them is to block access to xmlrpc.php completely. This might not be a good idea if you use JetPack or any other plugin that requires XML-RPC: blocking access to xmlrpc.php will break some plugin functionality, especially in the case of JetPack. If you cannot block access entirely, you can block system.multicall requests instead (if you use a WAF, a web application firewall).
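The following is an added example, not code from the original post, showing the check a WAF or log-analysis rule would make to tell a system.multicall password-guessing request apart from ordinary XML-RPC traffic. It parses the request body, counts the credential-bearing calls nested inside system.multicall, and reports how many attempts each username received. The wp.getUsersBlogs, wp.getPosts and wp.getCategories argument positions are WordPress's documented signatures; the choice of which methods to watch, the blocking threshold, and both sample request bodies are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Index of the username argument in credential-bearing WordPress XML-RPC methods:
# wp.getUsersBlogs(username, password), wp.getPosts(blog_id, username, password, ...),
# wp.getCategories(blog_id, username, password). Which methods to watch is this
# example's choice (assumption); the signatures are WordPress's.
AUTH_METHODS = {"wp.getUsersBlogs": 0, "wp.getPosts": 1, "wp.getCategories": 1}


def _scalar(value_el):
    """Text of an XML-RPC <value>: a typed child (<string>, <int>) or bare text."""
    if value_el is None:
        return ""
    children = list(value_el)
    if children:
        return children[0].text or ""
    return value_el.text or ""


def multicall_auth_attempts(body):
    """Return one (method, username) tuple per credential-bearing call nested in a
    system.multicall request. Any other request yields an empty list."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        return []
    if (root.findtext("methodName") or "").strip() != "system.multicall":
        return []
    attempts = []
    # system.multicall takes a single array of structs, each {methodName, params}.
    for call in root.findall("./params/param/value/array/data/value/struct"):
        method, params = "", []
        for member in call.findall("member"):
            name = (member.findtext("name") or "").strip()
            if name == "methodName":
                method = _scalar(member.find("value")).strip()
            elif name == "params":
                params = [_scalar(v) for v in member.findall("./value/array/data/value")]
        idx = AUTH_METHODS.get(method)
        if idx is not None:
            username = params[idx] if len(params) > idx else ""
            attempts.append((method, username))
    return attempts


def assess(body, max_auth_calls=1):
    """WAF-style decision: block a multicall that bundles more credential-bearing
    calls than max_auth_calls (threshold is an assumption of this example).
    Returns (block, attempts_per_username)."""
    attempts = multicall_auth_attempts(body)
    per_user = Counter(user for _, user in attempts)
    return len(attempts) > max_auth_calls, dict(per_user)


# Constructed sample: a system.multicall bundling three wp.getUsersBlogs logins,
# the pattern described in the text above.
SAMPLE_MULTICALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>system.multicall</methodName>
  <params><param><value><array><data>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess-1</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>admin</string></value><value><string>guess-2</string></value>
      </data></array></value></member>
    </struct></value>
    <value><struct>
      <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
      <member><name>params</name><value><array><data>
        <value><string>editor</string></value><value><string>guess-3</string></value>
      </data></array></value></member>
    </struct></value>
  </data></array></value></param></params>
</methodCall>"""

# Constructed sample: a single, non-multicall call as a desktop weblog client sends it.
SAMPLE_SINGLE = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>admin</string></value></param>
    <param><value><string>correct horse</string></value></param>
  </params>
</methodCall>"""

if __name__ == "__main__":
    print(assess(SAMPLE_MULTICALL))  # (True, {'admin': 2, 'editor': 1})
    print(assess(SAMPLE_SINGLE))     # (False, {})
```

The decision is made on the request body alone, so the same function can run inline in a WAF hook or over stored request logs; the per-username counts are what you would feed into an IP-blocking rule of the kind OSSEC applies.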

If you have a dedicated server, you can install OSSEC (open source) on it. OSSEC will automatically block IP addresses that fail too many password attempts. Brute force protection is included in the Website Firewall (CloudProxy), so if you are looking for a one-click solution, you can use that. There are also application-level tools such as WordPress plugins; one of them is called Disable XML-RPC, and all you need to do is activate it.

Another way to avoid these attacks is to deny all requests to xmlrpc.php from the .htaccess file. All you have to do is paste the relevant rule into your .htaccess file, but this requires access to the .htaccess file, and not every hosting provider allows that.
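As an added example (not the rule from the original post), this is the .htaccess fragment that denies every request to xmlrpc.php on Apache; it assumes Apache 2.4 authorization syntax and that the host honours .htaccess overrides.

```apache
# Added example: deny every request to xmlrpc.php (Apache 2.4 syntax).
# On Apache 2.2 the equivalent is "Order Deny,Allow" followed by "Deny from all".
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Because this blocks XML-RPC for everyone, it breaks plugins that depend on it, as the text above notes for JetPack. If such a plugin is in use, replace `Require all denied` with `Require ip` entries for the addresses that plugin documents (placeholder here; not listed on this page) so only those sources reach xmlrpc.php.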

Finally, you can reduce the risk of brute force attacks over XML-RPC by choosing strong passwords. This makes password guessing harder even if the attacker can try hundreds of passwords in just a few HTTP requests.

To sum up, we suggest using one of the XML-RPC protection or disabling methods mentioned above, and using only strong passwords.

Darius S.
