Sucuri Security released a public announcement on October 8th regarding a large scale attack which could leave your blog at risk of hackers gaining unauthorized access. To summarize, attackers are taking advantage of a vulnerability in WordPress’s XML-RPC system.multicall method which effectively allows them to issue hundreds of login attempts with a single request. To put it another way, this is an extreme case of brute forcing logins in an attempt to determine your administrative user credentials. Based on the sheer number of attempts an attacker can make for each call, they are 50-100 times more effective than normal brute force attempts.
The first attack was spotted on September 10th, so it’s been in the wild for nearly a month now. Where this becomes problematic is the sheer increase in the number of websites experiencing this attack in the past few days. So the question remains, what can you do about it as a WordPress blog owner?
How can I stop XML-RPC Brute Force Amplification Attacks?
Great question. We wanted to provide a crystal clear answer for users worried about their WordPress blog’s security. There’s three primary variations you can utilize to stop attacks. While this will help mitigate your risk of being hacked, it’s not foolproof. It merely decreases the attacker’s likelihood. You are still prone to a DDoS attack unless you sit behind a CDN or service with DDoS protection.
You’ll note that we removed the previously proposed fix for disabling the
system.multicall method via the filter
xmlrpc_methods as this did not properly remove the method from the list of available methods (as covered in the comments section below). If your site is using this method, you should use an alternative below.
Stop Attacks with Apache .htaccess
Add the following code to your WordPress base public directory (the one where the main
index.php file resides) if you want to disable all access to XML-RPC. This may not be the desired effect you wanted depending on if you have plugins installed.
<files xmlrpc*=""> order deny,allow deny from all </files>
Stop Attacks by Disabling XML-RPC in
You can chose to update your
wp-config.php configuration file and add the following line below the last ABSPATH statement:
Friends don’t let friends get hacked. Spread the word!
Caution: Some Popular Plugins use XML-RPC
By disabling XML-RPC, you may risk breaking some popular plugins. If you have any of the plugins listed below, you may want to do a bit more research:
- WordPress Mobile App
- LibSyn (for podcasts)
- Windows Live Writer
- Several photo gallery plugins
Got an idea or business and want an online presence while you’re here? Get started today! Whether you’re looking for a free domain, email, and webpage or want something more substantial, POP gets you connected to what you need simply and easily.