WordPress attackers using hundreds of passwords in a single login attempt via XML-RPC
Sat 10 Oct 2015
Online security company Sucuri have posted a recent and rising cluster of brute force amplification security attacks against sites which use the WordPress content management system – 58.7% of all CMS-based websites, and 24% of all websites of any kind. BFA attacks put a new spin on traditional brute force attacks by wrapping multiple login attempts inside one dictionary-guessed login attempt using the XML-RPC protocol specification.
This means that if your website is set to lock or temporarily block an account after, for example, three unsuccessful login attempts, an attacker can still try out as many passwords within three tries as the parameters of the http request can handle – well over a thousand. If the lock-out is set to a higher number of attempts, or is not set at all, Brute Force Amplification can increase its chances of a successful incursion by several orders of magnitude.
XML-RPC was invented in 1998 as a founding component of the Simple Object Access Protocol (SOAP) specification for structuring information exchange calls over HTTP and SMTP (email). The protocol is supported by WordPress and ‘big three’ stablemates Drupal and Joomla, along with many other content management systems, and can be employed to make remote procedure calls on a variety of platforms including PHP, Java, Python, C and C++.
Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site.
Brute force attacks are usually expensive in terms of resources for the attacker, an attack vector which is pursued when one is out of all other ideas, but the XML-RPC provides an unexpected currency to the approach.