How to automatically block XML-RPC brute force amplification attacks against WordPress
XML-RPC is enabled by default in WordPress because it helps connecting your WordPress site with web and mobile apps.
However because of it’s powerful nature, XML-RPC can significantly amplify the brute-force attacks.
What does "amplified brute-force attack" mean?
This means instead of trying thousands of usernames and password combinations via login page, hackers can use the XML-RPC protocol in conjunction with the system.multicall method that allows them to:
- Go undetected by normal brute-force mitigation products
- Try hundreds of thousands of username and password combinations with few XML-RPC requests.
Recommendation: If you don’t use XML-RPC at all, perhaps best thing you can do is to disable it.
How to block brute force login attacks over XML-RPC
You can have Shield to help you with this. Simply go to the Lockdown module => API & XML-RPC => and enable "Disable The XML-RPC System" option:
You’ll now be protected against any possible XML-RPC brute force login attacks.
Hint: If you want to check and confirm XML-RPC functionality is disabled, you can
- Go to: http://xmlrpc.eritreo.it/
- Enter your WordPress site URL in the ‘Address’ field
- Click the ‘Check’ button.
You should receive a response page detailing how your XML-RPC server isn’t available.
Note: The message "XML-RPC server accepts POST requests only." is output well before any XML-RPC processing actually occurs. If you perform a POST request (which is what this message says is supported), you'll find an entirely different response, one that indicates the XML-RPC system is disabled.
What are the implications of disabling the WordPress XML-RPC system?
You should be aware of what may be affected by disabling the XML-RPC system on your WordPress site:
- Certain JetPack plugin functionality will be impacted
- The mobile Android/IOS apps will be broken with your site since they run over the XML-RPC system
- Any other system or plugin that uses your site’s XML-RPC system to communicate and operate your site.
Note: There is an option to allow login through XML-RPC to by-pass accounts management rules. This is offered for users who want to be compatible with other services (as outlined above).
To learn more about WordPress XMP-RPC, why and how to block attacks, read this blog article here.