Slashdot Mirror


Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC (sucuri.net)

An anonymous reader writes: Online security firm Sucuri notes a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sucuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sucuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."

5 of 80 comments

  1. Yeah, all the time... that's the web by sstern · Score: 3, Informative

    Per a blog post from WordFence ( https://www.wordfence.com/blog... ), multiple logins via XMLRPC are seen individually, so any program that limits login attempts will work as usual.

    --
    --Steve
  2. Change Username From Admin by Jason+Levine · Score: 4, Informative

    One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator", or something else that is easily guessable.

    I have a login limiting plugin on my sites that keeps track of bad logins. Over 90% of bad login attempts use admin, the site name, or administrator. Making the admin username difficult to guess greatly decreases the chances that someone will brute force their way into your system.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  3. Use wordfence or "Disable XML-RPC" by JustAnotherOldGuy · Score: 3, Informative

    I highly recommend "WordFence", or if you don't want to use that, use Disable XML-RPC. Both of them work to stop this kind of attack.

    Wordfence is worth its weight in gold and it's a standard plugin I install whenever I have to do a Wordpress site.

    It has lots of useful options and I wouldn't run a Wordpress site without it, period.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  4. Re:Why by JustAnotherOldGuy · Score: 4, Informative

    Why are insane amounts of passwords permitted? Why are wrong attempt timers missing? Why are instant resubmissions permitted?

    Dictionary attacks would not be feasible if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime.

    Wordfence lets you set this sort of gate. I have mine set to trigger on 3 wrong login attempts over the course of 3 hours, and then it locks the user out for 10 days.

    No, that's not a typo. These are for sites where I'm usually the only person logging in, ever.

    For sites with actual users I use 3 wrong login attempts (over the course of 3 hours), and then it locks the user out for 6 hours.

    Sometimes I just add an "exit;" command after the opening PHP tag at the very top of wp-login.php. It just kills the file dead, so no login attempt using it will ever succeed; it doesn't even show the form, just a blank page. Drives the bots crazy, lol.

    --
    Just cruising through this digital world at 33 1/3 rpm...
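An added example (not code from Sucuri, WordPress or any commenter) that ties the summary's amplification point to the lockout rule in the comment above: it parses a constructed system.multicall body, counts each wp.getCategories credential inside it as a separate attempt, and applies the 3-failures-in-3-hours, 6-hour-lockout policy. It assumes the request has already been attributed to a client address, and the password_ok callback stands in for WordPress's own credential check.

```python
# Added example, not code from Sucuri, WordPress or any commenter.
import xml.etree.ElementTree as ET
from collections import defaultdict

# WP authenticated methods take (blog_id, username, password) as params 1-3.
CALL = ("<value><struct><member><name>methodName</name><value><string>{m}"
        "</string></value></member><member><name>params</name><value><array>"
        "<data><value><int>1</int></value><value><string>{u}</string></value>"
        "<value><string>{p}</string></value></data></array></value></member>"
        "</struct></value>")

def build_multicall(user, passwords, method="wp.getCategories"):
    """Constructed sample body: one HTTP POST to xmlrpc.php, many guesses."""
    calls = "".join(CALL.format(m=method, u=user, p=p) for p in passwords)
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall"
            "</methodName><params><param><value><array><data>" + calls +
            "</data></array></value></param></params></methodCall>")

def extract_attempts(body):
    """Return the (method, username, password) triples a multicall would try."""
    root = ET.fromstring(body)
    if root.findtext("methodName") != "system.multicall":
        return []
    attempts = []
    for call in root.iter("struct"):
        field = {m.findtext("name"): m.find("value") for m in call.findall("member")}
        params = field["params"].findall("./array/data/value")
        user, password = (v.findtext("string") for v in params[1:3])
        attempts.append((field["methodName"].findtext("string"), user, password))
    return attempts

class LoginThrottle:
    """Charges every guess inside a multicall, not just the HTTP request."""
    def __init__(self, max_failures=3, window=3 * 3600, lockout=6 * 3600):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(list)  # client -> timestamps of failed guesses
        self.locked_until = {}
    def is_locked(self, client, now):
        return self.locked_until.get(client, 0) > now
    def record_request(self, client, body, now, password_ok):
        """Process one request; returns (guesses_seen, locked_afterwards)."""
        guesses = extract_attempts(body)
        for _, user, password in guesses:
            if self.is_locked(client, now) or password_ok(user, password):
                continue  # locked clients get no credential check at all
            recent = [t for t in self.failures[client] if now - t < self.window] + [now]
            self.failures[client] = recent
            if len(recent) >= self.max_failures:
                self.locked_until[client] = now + self.lockout
        return len(guesses), self.is_locked(client, now)
```

A limiter that only counts HTTP requests would see one request here and never trip; counting the credentials inside the multicall is what makes the comment's 3-attempt rule hold.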
  5. Re:What's Wordpress walling ... by JustAnotherOldGuy · Score: 3, Informative

    What's Wordpress walling ... that's worth anybody's time to brute force?

    Your answer ... isn't one.

    As I said, you can modify the WP files to include your own code: PHP, javascript, whatever, and from there you can use the platform as part of an attack or DDOS network. You could use it to attack and infect any user visiting the site.

    You could store files on the server (kiddie porn, malicious code, MP3s, movies, stolen credit card numbers, social security numbers, etc) and so on. You could use it to send emails to the White House and threaten the president's life. You could set up online pill stores, an XXX-video site, etc etc. You could steal the login names and passwords of anyone who logs in.

    You can also run compiled code (C, C++, etc) and more than likely escalate your privileges until you're root, at which point the server is yours for all intents and purposes. You can steal user creds and any info you like that may be there (credit card data, PIN codes, passwords, personal info, etc etc).

    You could alter the DNS and email records and potentially use that to steal domains on the server. You could also impersonate any user on the server to send and receive email as them. You could alter data at will (think medical info, dosage info, diagnostic info).

    All that took me about 10 seconds to come up with, and I'm sure there's much more that I could think of given a little more time. The real question is not "what can you do", but what couldn't you do? And the answer is basically nothing, there's nothing you couldn't do.

    The fact that you couldn't think of any of this does not speak well of you, although it does prove that your user name is entirely accurate, "Captain Dork".

    --
    Just cruising through this digital world at 33 1/3 rpm...