Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net)
An anonymous reader writes: Online security firm Sicuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sicuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sicuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."
$ mv /var/www/wp/xmlrpc.php /var/www/wp/OFF.xmlrpc.php
Least effort, maximum result.
It's not that hard to spell properly.
This is what happens when "web-wallies" as I call them attempt to "program" - massive fuckups. They're not coders.
Per a blog post from WordFence ( https://www.wordfence.com/blog... ), multiple logins via XMLRPC are seen individually, so any program that limits login attempts will work as usual.
--Steve
Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed. They didn't even leave the ability to filter the remote calls by IP address. E.g. allow localhost by default, have a button that 'allows current IP' or something like that.
I think this was one of the most brain-dead security decisions in a major piece of software in recent memory. And this decision simply has to be reversed to fix this.
Why are insane amounts of passwords permitted? Why are wrong attempt timers missing? Why are instant resubmissions permitted?
Dictionary attacks would not be feasible if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime. Dictionary attacks on my password would not be possible in my lifetime on my account, but an honest typo would be a minor delay for the legitimate user.
Multiple fails on multiple accounts should add an IP block against the hacking domain.
Carpet bomb attacks should be nearly impossible.
The truth shall set you free!
That was Microsoft's slogan throughout the '90s (MS was co-developer of XML-RPC, along with Dave Winer).
In fact, MS consistently made things MUCH easier... for hackers breaking into people's systems!
Just use blogger already and stop trying to be a sys admin.
One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator", or something else that is easily guessable.
I have a login limiting plugin on my sites that keeps track of bad logins. Over 90% of bad login attempts use admin, the site name, or administrator. Making the admin username difficult to guess greatly decreases the chances that someone will brute force their way into your system.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
a thousand passwords can be submitted within the scope of a single login attempt.
Can somebody explain to me how this could be the result of anything other than severe incompetence?
... that's worth anybody's time to brute force?
It little behooves the best of us to comment on the rest of us.
I highly recommend "WordFence", or if you don't want to use that, use Disable XML-RPC. Both of them work to stop this kind of attack.
Wordfence is worth its weight in gold and it's a standard plugin I install whenever I have to do a Wordpress site.
It has lots of useful options and I wouldn't run a Wordpress site without it, period.
Just cruising through this digital world at 33 1/3 rpm...
Empty useragent and useragent containing "googlebot" get a permission denied from nginx.
Makes a huge difference.
The most effective means against distributed brute force attacks is blocking the number of attempted logins on a particular user-name per a time period. (Query rate limited by user-name, regardless of source.)
Additionally, requiring a 1 second time limit between login queries for the same user-name should combat this and other means of increasing query.
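An added example (hypothetical Python, not WordPress, Sucuri or WordFence code) that ties together the per-username throttling proposed here, the doubling delays suggested earlier in the thread, and the WordFence claim that logins inside a multicall are seen individually: it extracts every inner wp.* call from a system.multicall body, charges each one against its username regardless of source IP, and locks the name for a doubling interval after each failure. The parameter order (blog_id, username, password) is that of WordPress's XML-RPC API; the 60 s lockout base, the function names and the sample request are assumptions.

```python
# Added example (not WordPress, Sucuri or WordFence code): charge every login
# carried inside an XML-RPC system.multicall as its own attempt and throttle
# by username regardless of source IP, doubling the lockout on each failure.
import xml.etree.ElementTree as ET
LOCKOUT_BASE = 60  # seconds locked after the first failure (assumed policy)
USER_PARAM = "./member[name='params']/value/array/data/value[2]/string"

def logins_in_request(body):
    """Username of every wp.* call in the request, one entry per inner call.
    wp.* methods take (blog_id, username, password, ...), so the username is
    the 2nd parameter; values are assumed to be typed <string>."""
    root = ET.fromstring(body)
    params = root.findall("./params/param/value")
    if root.findtext("methodName") != "system.multicall":
        return [params[1].findtext("string")]          # a single, plain call
    return [call.findtext(USER_PARAM)
            for call in params[0].findall("./array/data/value/struct")]

class UsernameThrottle:
    def __init__(self):
        self.state = {}  # username -> (consecutive failures, locked_until)
    def locked(self, user, now):
        return now < self.state.get(user, (0, 0))[1]
    def failure(self, user, now):
        fails = self.state.get(user, (0, 0))[0] + 1   # 60 s, 120 s, 240 s, ...
        self.state[user] = (fails, now + LOCKOUT_BASE * 2 ** (fails - 1))

def process_request(body, now, throttle, password_ok):
    """Outcome per inner call; once a username locks, the rest of the same
    multicall is rejected too, so amplification buys the sender nothing."""
    outcomes = []
    for user in logins_in_request(body):
        if throttle.locked(user, now):
            outcomes.append("locked")
        elif password_ok(user):               # stands in for wp_authenticate()
            throttle.state.pop(user, None); outcomes.append("ok")
        else:
            throttle.failure(user, now); outcomes.append("denied")
    return outcomes

def sample_multicall(n_guesses):
    """Constructed test input: n wp.getCategories calls against user 'admin'."""
    call = ("<value><struct><member><name>methodName</name><value><string>wp.getCategories"
            "</string></value></member><member><name>params</name><value><array><data>"
            "<value><int>1</int></value><value><string>admin</string></value>"
            "<value><string>guess{i}</string></value></data></array></value></member></struct></value>")
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>"
            + "".join(call.format(i=i) for i in range(n_guesses))
            + "</data></array></value></param></params></methodCall>")
```

With a 1000-guess multicall the first inner call is denied and the other 999 are rejected as locked, so the request costs the sender the same as a single failed login.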
Who or what is Sicuri? I only know of Sucuri.
I've seen a couple of infosec articles on SlashDot lately. Can we stop featuring The Stack articles? They're 220 words long so they can pass over Google's SEO policy and have no info. Outside SecurityWeek, Wired, Softpedia, ThreatPost, and Graham Cluley most of the security articles here are just spam.
I stick to using wordpress as a journal that I'd want to share with the world and only use wordpress.com for that.
When it needs to be reliable and reduce DB risk there's a bunch of fun to use file and folder options. From impressPages to WonderCMS, or even YellowCMS and ExponentCMS.
Can't break into a DB if it doesn't exist.