Wordpress Brute Force Attacks Using Multiple Passwords Per Login Via XML-RPC

An anonymous reader writes: Online security firm Sicuri note a vertical rise in brute force attacks against WordPress websites using Brute Force Amplification, where a thousand passwords can be submitted within the scope of a single login attempt. The company notes that disabling the protocol is likely to interfere with the functionality of many plugins which rely on it. The Stack reports: "Sicuri note that most of the BFA calls are targeting the WordPress category enumerating hook wp.getCategories, and are targeting the ‘admin’ username, along with predictable default usernames. Sicuri recommend blocking system.multicall requests via a Web Access Firewall if available, but note that so many WordPress plugins depend on the point of vulnerability xmlrpc.php that blocking access to that functionality may interfere with normal operation of the site. The iThemes security system offers functionality to specifically disable XML-RPC as well, but this also requires a check against normal functioning of the site."

Brain-dead security hole

[kervin]

Starting with Wordpress 3.5 XML-RPC was turned on by default, and the ability to turn off XML-RPC was removed. They didn't even leave the ability to filter the remote calls by IP address. E.g. allow localhost by default, have a button that 'allows current IP' or something like that.

I think this was one of the most brain-dead security decisions in a major piece of software in recent memory. And this decision simply has to be reversed to fix this.

Change Username From Admin

[Jason+Levine]

One of the first things you should do with any WordPress installation is make sure that the admin username isn't "admin", your site's name, "administrator", or simmering else that is easily guessable.

I have a login limiting plugin on my sites that keeps track of bad logins. Over 90% of bad login attempts use admin, the site name, or administrator. Making the admin username difficult to guess greatly decreases the chances that someone will brute force their way into your system.

Re:Why

[JustAnotherOldGuy]

Why are insane amounts of passwords permitted? Why are wrong attemp timers missing? Why are instant resubmissions permitted?

Dictionary attacks would not be feasable if the 1st incorrect attempt required a 60 second delay for a 2nd attempt, 120 seconds for the 2nd attempt, 240 for the 3rd attempt, etc. 64 attempts would be beyond my lifetime.

Wordfence lets you set this sort of gate. I have mine set to trigger on 3 wrong login attempts over the course of 3 hours, and then it locks the user out for 10 days.

No, that's not a typo. These are for sites where I'm usually the only person logging in, ever.

For sites with actual user I use 3 wrong login attempts (over the course of 3 hours), and then it locks the user out for 6 hours.

Sometimes I just add an "exit;" command after the opening PHP tag at the very top of wp-login.php. It just kills the file dead and so no login attempt using it will ever succeed, it doesn't even show the form, just a blank page. Drives the bots crazy, lol.