
How the XML-RPC service affects WordPress security

XML-RPC is a remote procedure call protocol that encodes its calls in XML (Extensible Markup Language) and transports them over HTTP. In WordPress it is the interface, served by xmlrpc.php, that lets you publish posts from desktop weblog clients (for example Windows Live Writer and similar) and mobile apps. It is supported by WordPress and by most other popular content management systems, and client libraries exist for Java, C, C++, Python, PHP and many other languages.

Brute force attacks via the XML-RPC service

Brute force attacks against WordPress have traditionally targeted the login page (wp-login.php) and its form. That is changing: over the last few months there has been a clear increase in attacks aimed at the XML-RPC interface built into WordPress. The difference between password guessing on the login form and on XML-RPC is that XML-RPC lets the attacker submit many passwords in a single attempt. One of its most useful features is the system.multicall method, popular because it lets an application pass multiple commands within a single request. For an attacker this is a way to test hundreds of passwords in one HTTP request, so thousands of guesses fit into only three or four requests, and any rate limit or failed-login counter that watches wp-login.php never fires. That makes XML-RPC the weak point of WordPress for this class of attack: it makes brute forcing faster and far more efficient. After the first large-scale campaign in 2015, this technique became common. WordPress core has since reduced the amplification (once one login inside a system.multicall fails, the remaining calls in that request are rejected without being checked), but the endpoint still accepts a guess per request, so the protections below still matter.

How to avoid it?

There are a few ways to protect a WordPress site from this kind of password guessing. The simplest is to block access to xmlrpc.php completely. That is not a good idea if you rely on Jetpack or any other plugin that talks to the site over XML-RPC: blocking the endpoint breaks that functionality, and Jetpack in particular stops working. If you cannot block the endpoint, block system.multicall requests instead. A web application firewall (WAF) can do this by inspecting the POST body for that method name; legitimate clients rarely need it, and dropping it removes the amplification while leaving single calls working.
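As an added example (not code from the original post) of what the amplified request looks like and how a WAF-style check can refuse it, the Python below builds the system.multicall body an attacker would POST to xmlrpc.php and then inspects request bodies, blocking any multicall that bundles more calls than an assumed threshold (or, with limit=0, every multicall). The username, guess list, threshold and benign comparison requests are constructed for the demonstration and are not taken from WordPress or any real site.

```python
"""Inspect XML-RPC request bodies for system.multicall password guessing.

build_multicall() shows the amplified request; inspect_request() is the
kind of check a WAF rule applies before the body reaches xmlrpc.php.
"""
import collections
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Constructed sample data for the demonstration, not real credentials.
TARGET_USER = "admin"
GUESSES = ["password", "123456", "letmein"] + [f"Wp{n:04d}!" for n in range(200)]

# Assumed policy for this example: a legitimate client bundles a handful of
# calls; more than this many in one request, or this many repeats of one
# method, is treated as guessing. limit=0 blocks every system.multicall.
MULTICALL_LIMIT = 10


def build_multicall(username, passwords):
    """Return the XML body an attacker POSTs to /xmlrpc.php: one
    system.multicall wrapping one wp.getUsersBlogs call per guess.
    wp.getUsersBlogs takes (username, password) and needs no blog id,
    which makes it the usual probe."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def inspect_request(body, limit=MULTICALL_LIMIT):
    """Parse one XML-RPC request and decide whether to block it.

    Returns the top-level method, the number of nested calls, the largest
    repeat count of a single nested method, and the verdict."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error, ValueError, TypeError):
        # Unparseable or malformed bodies never come from a real client.
        return {"method": None, "calls": 0, "repeated": 0, "block": True}

    if method != "system.multicall":
        # A single call carries at most one password guess.
        return {"method": method, "calls": 1, "repeated": 1, "block": False}

    calls = params[0] if params else []
    methods = [c.get("methodName") for c in calls if isinstance(c, dict)]
    repeated = max(collections.Counter(methods).values(), default=0)
    block = (
        "system.multicall" in methods   # nesting only serves to dodge limits
        or len(calls) > limit           # too many calls in one request
        or repeated > limit             # one method hammered repeatedly
    )
    return {"method": method, "calls": len(calls),
            "repeated": repeated, "block": block}


# Two constructed benign requests for comparison: a single wp.getPosts
# call, and the small multicall a publishing client might send.
BENIGN_SINGLE = xmlrpc.client.dumps(
    (1, "editor", "correct horse battery", {"number": 5}),
    methodname="wp.getPosts")
BENIGN_MULTICALL = xmlrpc.client.dumps(
    ([{"methodName": "wp.getProfile",
       "params": [1, "editor", "correct horse battery"]},
      {"methodName": "wp.getCategories",
       "params": [1, "editor", "correct horse battery"]}],),
    methodname="system.multicall")

if __name__ == "__main__":
    attack = build_multicall(TARGET_USER, GUESSES)
    print(len(attack), "bytes carry", len(GUESSES), "password guesses")
    for name, body in [("attack", attack), ("single", BENIGN_SINGLE),
                       ("small multicall", BENIGN_MULTICALL)]:
        print(name, inspect_request(body))
```

Run stand-alone it prints the size of the 203-guess request and the verdict for each body. The threshold form is deliberately lenient so that Jetpack-style clients keep working; a site that does not need multicall at all should call inspect_request with limit=0, which is the "block system.multicall" rule described above.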

If you run a dedicated server you can install OSSEC (open source) on it, and have it automatically block IP addresses that fail too many passwords. Keep in mind that a failed XML-RPC login still returns HTTP 200 with a fault in the body, so the rule has to count POSTs to xmlrpc.php rather than rely on error status codes. Brute force protection is also included in the Website Firewall (CloudProxy), so if you want a one-click solution you can use that. There are also application-level tools in the form of WordPress plugins. One of them is called Disable XML-RPC: all you need to do is activate it, and it switches off the authenticated XML-RPC methods through WordPress's own xmlrpc_enabled filter. The endpoint itself still answers requests; only the methods that take a username and password are disabled, which is exactly what the brute force needs.

Another way to avoid these attacks is to deny all requests to xmlrpc.php from the .htaccess file. All you have to do is paste a short block of directives into .htaccess, but this requires access to that file, and not every hosting provider allows it. The same caveat as above applies: Jetpack and other plugins that depend on XML-RPC stop working.
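The directives such a block consists of, as an added example rather than text from the original post, for Apache 2.4 (Apache 2.2 uses Order Deny,Allow and Deny from all instead of Require all denied). The IP address in the optional allow line is from the documentation range and stands in for an address you control:

```apache
# Deny every request for xmlrpc.php. Place this in the .htaccess file in
# the WordPress root (or in the site's <Directory> block in httpd.conf).
<Files "xmlrpc.php">
    Require all denied
    # Optional: keep the endpoint reachable from one trusted address, for
    # example a publishing workstation. 203.0.113.10 is a placeholder.
    # Require ip 203.0.113.10
</Files>
```

Requests for the file then get a 403 before PHP runs, so the guesses never reach WordPress at all and cost the server almost nothing.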

Finally, you can reduce the risk of brute force over XML-RPC by choosing strong passwords (long, unique, and not in common wordlists) for every account. That makes guessing impractical even when the attacker can try hundreds of passwords in a few HTTP requests, because the attack still only tests the candidates in its list.

To sum up, use one of the XML-RPC protection or disabling methods above, and use only strong passwords.

Darius S.
