Brute Force Amplification Attacks Against WordPress XMLRPC

Found on Sucuri on Sunday, 11 October 2015

One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That’s very useful as it allows applications to pass multiple commands within one HTTP request.

Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.
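The two paragraphs above describe the mechanism but not what the request, the gateway check, or the response actually look like. The following is an added example, not code from the Sucuri article or from WordPress. It uses only Python's standard library xmlrpc.client to build the kind of system.multicall body the article describes, to count how many credential guesses one request carries (the check a WAF or reverse proxy in front of xmlrpc.php can apply), and to map a multicall response back to the guesses that were accepted. Assumptions: the target method wp.getUsersBlogs (a real WordPress method taking username and password; any authenticating method would do), the hypothetical threshold MAX_CALLS_PER_REQUEST, and the sample response, password list and example.com URLs, which are all constructed here rather than captured.

```python
# Added example, not code from the Sucuri article or from WordPress.
import xmlrpc.client

# Hypothetical policy: a legitimate client has no reason to bundle more than a
# handful of calls per request; anything above this is treated as amplification.
MAX_CALLS_PER_REQUEST = 5

# Assumed target method: wp.getUsersBlogs takes (username, password) and is
# cheap to call; any method that authenticates the caller would do.
LOGIN_METHOD = "wp.getUsersBlogs"


def build_single_call(username, password):
    """One plain login attempt: a single methodCall per HTTP request."""
    return xmlrpc.client.dumps((username, password), methodname=LOGIN_METHOD).encode()


def build_multicall(username, passwords):
    """Pack one login attempt per password into a single system.multicall body.

    system.multicall takes one parameter: an array of structs, each holding a
    methodName and a params array, and executes them all in one request.
    """
    calls = [{"methodName": LOGIN_METHOD, "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def count_login_attempts(body):
    """How many credential guesses a request body carries.

    loads() returns (params, methodname). A multicall's only parameter is the
    array of sub-calls, so its length is the number of attempts; any other
    method counts as one.
    """
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall":
        return len(params[0])
    return 1


def should_block(body, limit=MAX_CALLS_PER_REQUEST):
    """Gateway check: reject bodies bundling more calls than the policy allows."""
    return count_login_attempts(body) > limit


def successful_passwords(response_body, passwords):
    """Map a multicall response back to the guesses that were accepted.

    By the system.multicall convention each entry of the returned array is
    either a struct with faultCode/faultString (that sub-call failed) or a
    one-element array wrapping the sub-call's return value (it succeeded).
    Entries come back in the order the sub-calls were sent.
    """
    (results,), _ = xmlrpc.client.loads(response_body)
    return [pw for pw, r in zip(passwords, results)
            if not (isinstance(r, dict) and "faultCode" in r)]


def sample_wordpress_response(passwords, correct):
    """Constructed stand-in for what the server would return: a 403 fault for
    each wrong password and a wrapped blog list for the right one. Field names
    follow wp.getUsersBlogs; the values are made up for this example."""
    results = []
    for pw in passwords:
        if pw == correct:
            results.append([[{"isAdmin": True, "url": "http://example.com/",
                              "blogid": "1", "blogName": "Example",
                              "xmlrpc": "http://example.com/xmlrpc.php"}]])
        else:
            results.append({"faultCode": 403,
                            "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True).encode()


if __name__ == "__main__":
    guesses = ["letmein", "password1", "hunter2"]   # constructed sample wordlist
    body = build_multicall("admin", guesses)
    print("attempts in one request:", count_login_attempts(body))   # 3
    print("blocked by gateway:", should_block(body, limit=1))        # True
    resp = sample_wordpress_response(guesses, "hunter2")
    print("accepted:", successful_passwords(resp, guesses))          # ['hunter2']
```

The point of count_login_attempts is that a rate limiter keyed on HTTP requests never sees the amplification: three guesses (or three hundred) arrive as one request, which is exactly why going through xmlrpc.php rather than wp-login.php pays off for the attacker. Counting sub-calls in the body, and refusing anything over a small limit, closes that gap for sites that cannot simply block the file.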

WordPress is the new Flash, a pile of code riddled with bugs. Actually this one is not really a bug but a decision: xmlrpc.php used to be widely regarded as a security hole, yet starting with version 3.5 the WP devs decided it should always be enabled, and at the same time removed the option to turn it off from the backend. Better make sure that access to xmlrpc.php is blocked via .htaccess (don't rely on some random WP "protection" plugin) or just rename/delete that file; bear in mind that anything talking to the site over XML-RPC (the official mobile apps, Jetpack, pingbacks) stops working once you do. Or even better, delete that resource-hogging WordPress entirely.