Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC

An anonymous reader writes: Online security firm Sicuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sicuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sicuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."

Brain-dead security hole

[kervin]

Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed. They didn't even leave the ability to filter the remote calls by IP address. E.g. allow localhost by default, have a button that 'allows current IP' or something like that.

I think this was one of the most brain-dead security decisions in a major piece of software in recent memory. And this decision simply has to be reversed to fix this.