Sucuri Security released a public announcement on October 8th regarding a large scale attack which could leave your blog at risk of hackers gaining unauthorized access. NIKE KOBE 11

  • Nike Air Max 2017 Dames zwart
  • To summarize, attackers are taking advantage of a vulnerability in WordPress’s XML-RPC system.multicall method which effectively allows them to issue hundreds of login attempts with a single request. adidas chaussure femme

  • To put it another way, this is an extreme case of brute forcing logins in an attempt to determine your administrative user credentials.

  • Jordan Fusion
  • Based on the sheer number of attempts an attacker can make for each call, they are 50-100 times more effective than normal brute force attempts. Peyton Manning UT Jersey The first attack was spotted on September 10th, so it’s been in the wild for nearly a month now. Nike Air Max 2017 Pas Cher Where this becomes problematic is the sheer increase in the number of websites experiencing this attack in the past few days. asics gel damskie bieganie

  • NIKE FREE 5.0
  • So the question remains, what can you do about it as a WordPress blog owner?

    How can I stop XML-RPC Brute Force Amplification Attacks?

    Great question. Donne Scarpe Air Jordan 4 We wanted to provide a crystal clear answer for users worried about their WordPress blog’s security.

  • Roshe Run Donna Nere
  • There’s three primary variations you can utilize to stop attacks.

  • Air Max 2015 Homme
  • While this will help mitigate your risk of being hacked, it’s not foolproof. new balance 997 on sale

  • It merely decreases the attacker’s likelihood. You are still prone to a DDoS attack unless you sit behind a CDN or service with DDoS protection. You’ll note that we removed the previously proposed fix for disabling the system.multicall method via the filter xmlrpc_methods as this did not properly remove the method from the list of available methods (as covered in the comments section below). Adidas Zx 700 Homme Nike Air Max 2016 Dames wit If your site is using this method, you should use an alternative below.


    Stop Attacks with Apache .htaccess

    Add the following code to your WordPress base public directory (the one where the main index.php file resides) if you want to disable all access to XML-RPC. New Balance 1300 damskie This may not be the desired effect you wanted depending on if you have plugins installed.

  • NIKE AIR MAX 2017
  • <files xmlrpc*=""> order deny,allow deny from all </files>


    Stop Attacks by Disabling XML-RPC in wp-config.php

    You can chose to update your wp-config.php configuration file and add the following line below the last ABSPATH statement:

    add_filter('xmlrpc_enabled', '__return_false');


    Friends don’t let friends get hacked. Spread the word!


    Caution: Some Popular Plugins use XML-RPC

    By disabling XML-RPC, you may risk breaking some popular plugins.

    Share this post on Tweet about this on TwitterShare on FacebookShare on Google+Share on TumblrShare on LinkedInShare on RedditDigg thisBuffer this page

    5 Responses to “Protecting Your WordPress Blog From XML-RPC Brute Force Amplification Attacks”

    1. Leha

      Thank you so much for this. Will definitely share! 🙂

      Do you happen to know a way I can test the function/filter to make sure it’s working right? I want to make sure it’s working in functions.php, and if so, then try it in the Code Snippets plugin instead.

      Thanks again!


      • Corey Ballou

        Hey Leha,

        Based on analysis thanks to a comment from Sam, I recommend removing the functions.php code in favor of one of two other methods as it does not appear to solve the issue. You can check if XML-RPC is enabled on your site with this tool:

    2. Paul

      Hey Corey,

      I just wanted to follow up here on your code you posted about removing the multicall method. When I looked to add protection against this problem to our security plugin, I was going to do something similar, but I found that this didn’t seem to work since that method ‘system.multicall’ is not ever actually passed through the filter.

      Now, I may have missed something in my tests, but after reading this, I retried and tested it but I still meet the same problem. I’m happy to be wrong – can you confirm for me that this is a viable approach?

      Thanks! Please feel free to email me directly to the email I provided…

      • Corey Ballou

        Hey Paul,

        You’re definitely right on this one. The class wp_xmlrpc_server extends IXR_Server. When it serves a request via serve_request() and makes a call to $this->IXR_Server($methods), it first applies the filter $this->methods = apply_filters('xmlrpc_methods', $this->methods); before it merges the WordPress supplied XML-RPC methods with the defaults in IXR_Server (which includes system.multicall). This means there’s no matching method to remove as you indicated. We’ll remove this method as it won’t block the call!

    comments are closed