According to a recent report from the security firm Sucuri, WordPress’ XML-RPC system is once again putting WordPress users and sites at risk. A flaw in XML-RPC exposes WordPress sites to brute force attacks that are significantly more effective than those using the obvious brute force attack vector, the login page.
Brute force attacks are the least sophisticated strategy an attacker can use to gain authenticated access to a WordPress site. Attackers simply try many different username and password combinations until they hit on one that works. The only real sophistication is how the attacks are automated and the mechanism by which they attempt to verify credentials. Most brute force attacks are carried out by bots — programs that try combinations as quickly as possible on as many sites as possible.
There are two standard approaches to mitigating brute force attacks. The first is the use of hard-to-guess usernames and passwords: the harder they are to guess, the more attempts the attacker has to make. With long random passwords and uncommon usernames, it’s likely to take attackers longer to guess the right combination than is practical (thousands of years). The second is to limit the number of login attempts a WordPress site allows, often by rate limiting every user or banning IPs that attempt too many incorrect logins.
The brute force attack reported by Sucuri exploits a feature in the XML-RPC system that, instead of making it difficult to try lots of combinations, makes it very easy indeed. The “system.multicall” method allows an attacker to pass multiple commands with one request. Every HTTP request made to the WordPress site can contain hundreds of different username-password combinations, and the WordPress site will respond if any single combination is correct. This is particularly pernicious because it bypasses many of the mechanisms used to defend against brute force attacks and is difficult to spot in server logs.
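As an added illustration of why the multicall vector is hard to spot, and how a defender can surface it, the following Python detector is not part of Sucuri's report or of WordPress itself. It assumes a reverse proxy, WAF or log pipeline can hand it the raw POST body sent to xmlrpc.php; the list of credential-taking methods and the threshold are assumptions chosen for the example, and the request bodies are constructed sample input.

```python
"""Flag XML-RPC system.multicall requests that bundle many credential checks."""
import xml.etree.ElementTree as ET
from collections import Counter

# Assumed: authenticated WordPress XML-RPC methods and the index of the
# username parameter in their parameter list (wp.getUsersBlogs takes
# (username, password); the others take (blog_id, username, password, ...)).
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs": 0,
    "wp.getProfile": 1,
    "wp.getPosts": 1,
    "wp.getCategories": 1,
}

# Assumed threshold: a single multicall carrying more credential-bearing calls
# than this is treated as a brute force attempt rather than a busy client.
MULTICALL_THRESHOLD = 3


def _scalar(value_el):
    """Return the text of an XML-RPC <value> holding a string or int."""
    if value_el is None:
        return ""
    child = next(iter(value_el), None)
    return (child.text if child is not None else value_el.text) or ""


def _member(struct_el, name):
    """Return the <value> of the struct member called `name`, or None."""
    for m in struct_el.findall("member"):
        if m.findtext("name") == name:
            return m.find("value")
    return None


def analyze_xmlrpc_body(body):
    """Summarise one XML-RPC request body.

    Returns the outer method name, the number of calls nested inside a
    system.multicall, how many of them carry credentials, a Counter of the
    usernames tried, and a 'suspicious' verdict against the threshold.
    """
    root = ET.fromstring(body)
    method = root.findtext("methodName") or ""
    result = {"method": method, "calls": 0, "credential_calls": 0,
              "usernames": Counter(), "suspicious": False}
    if method != "system.multicall":
        return result
    # system.multicall's single param is an array of {methodName, params} structs.
    for call in root.iterfind("params/param/value/array/data/value/struct"):
        result["calls"] += 1
        inner = _scalar(_member(call, "methodName"))
        params_val = _member(call, "params")
        params = [] if params_val is None else list(params_val.iterfind("array/data/value"))
        idx = CREDENTIAL_METHODS.get(inner)
        # Only count a call as a credential check if a password follows the username.
        if idx is not None and len(params) > idx + 1:
            result["credential_calls"] += 1
            result["usernames"][_scalar(params[idx])] += 1
    result["suspicious"] = result["credential_calls"] > MULTICALL_THRESHOLD
    return result


# Constructed sample input: one multicall bundling four wp.getUsersBlogs
# credential checks (the pattern described in the text) and one ordinary
# single-call request from a legitimate client.
_CALL = ("<value><struct>"
         "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
         "<member><name>params</name><value><array><data>"
         "<value><string>{u}</string></value><value><string>{p}</string></value>"
         "</data></array></value></member></struct></value>")
_PAIRS = [("admin", "password"), ("admin", "123456"),
          ("admin", "letmein"), ("wpuser", "password")]
SAMPLE_MULTICALL = (
    '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    "<params><param><value><array><data>"
    + "".join(_CALL.format(u=u, p=p) for u, p in _PAIRS)
    + "</data></array></value></param></params></methodCall>")
SAMPLE_SINGLE = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getPosts</methodName>'
    "<params><param><value><int>1</int></value></param>"
    "<param><value><string>editor</string></value></param>"
    "<param><value><string>s3cret</string></value></param></params></methodCall>")

if __name__ == "__main__":
    for body in (SAMPLE_MULTICALL, SAMPLE_SINGLE):
        r = analyze_xmlrpc_body(body)
        print(r["method"], r["calls"], r["credential_calls"],
              dict(r["usernames"]), "SUSPICIOUS" if r["suspicious"] else "ok")
```

The point the detector makes concrete is the one in the text: in an access log both requests are a single `POST /xmlrpc.php` with a 200 response, so only inspecting the body reveals that one of them tried four passwords. A WAF or proxy rule keyed on the `suspicious` verdict (or simply on the nested-call count) catches the amplification without blocking ordinary single-call clients.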
The XML-RPC system is an ancient method used to provide an API for WordPress. It allows other programs to control WordPress. That’s normally a good thing — it’s how most mobile and desktop clients communicate with WordPress sites. But XML-RPC has been around since the late 90s and has been superseded by more secure technologies. When it was first included in WordPress, it wasn’t activated by default, but all recent releases of WordPress have had XML-RPC turned on. The result has been a series of vulnerabilities.
Hopefully, XML-RPC will be retired once the WordPress REST API reaches maturity, but until then, the best option for WordPress site owners is to deactivate XML-RPC altogether. It’s not an unproblematic approach, however, because some plugins and most WordPress clients depend on XML-RPC. If your site needs XML-RPC, an alternative is to install a Web Application Firewall like the one provided by Sucuri, which will prevent attackers from using this vector to compromise your site.